US 20060271707 A1
A host name query is received by a modem from a client computer. The host name query is simultaneously transmitted from the modem to a plurality of Domain Name System (DNS) servers. A response is returned to the client computer from the modem, where the response is based on the host name query and any responses received from the DNS servers. In a preferred embodiment at least one address associated with the host name query is acquired from the DNS servers. The client computer then sends a request for content to the address. If more than one address is returned, all but one of the addresses is eliminated. This can be done by rejecting all but the most recent address, or rejecting all addresses not provided by a service provider DSN server.
1. A computer implemented method for resolving host names on a network, comprising:
receiving at a modem a host name query from a client computer;
simultaneously transmitting said host name query from said modem to a plurality of Domain Name System (DNS) servers; and
returning a response to said client computer from said modem, where said response is based on said host name query and any responses received from said DNS servers.
6. The computer implemented method of
determining that a host has not been located by said DNS servers;
performing a search using said host name query as a search string; and
transmitting a results address of where results of said search are located, to said client computer.
7. The computer implemented method of
8. The computer implemented method of
9. The computer implemented method of
10. The computer implemented method of
searching a cache for an address associated with said host name query; and
returning a located address to said client, such that said client computer can send a request for content to said address.
11. The computer implemented method of
searching a cache based on said host name query;
returning cached content associated with said host name query to said client computer, such that said client can display said content.
12. The computer implemented method of
13. A computer program product for resolving host names on a Virtual Private Network (VPN), the computer program product comprising a computer readable storage and a computer program embedded therein, the computer program comprising:
instructions for receiving a host name query from a client computer;
instructions for simultaneously transmitting said host name query to a plurality of Domain Name System (DNS) servers; and
instructions for returning a response to said client computer; where said response is based on said host name query and any responses received from said DNS servers.
18. The computer program product of
instructions for determining that a host has not been located by said DNS servers;
instructions for performing a search using said host name query as a search string; and
instructions for transmitting an address of where results of said search can be viewed to said client computer.
19. The computer program product of
20. The computer program product of
21. The computer program product of
22. The computer program product of
instructions for searching a cache for an address associated with said host name query; and
instructions for returning a located address to said client, such that said client computer can send a request for content to said address.
23. The computer program product of
instructions for searching a cache based on said host name query;
instructions for returning cached content associated with said host name query to said client computer, such that said client can display said content.
24. The computer program product of
The present invention relates generally to communication networks, and particularly to a computer implemented method for resolving host names on a network, specifically networks having more than one DNS (Domain Name System) server, such as a Virtual Private Network (VPN).
Communication networks can generally be characterized as either private or public networks. In pure private networks, communications between multiple computers, located at different locations, occur via a permanent or switched network, such as a telephone network. The communicating computers typically connect directly to each other via a dial-up or leased line connection, thereby emulating their physical attachment to one another. This type of network is usually considered private because the communication signals travel directly from one computer to another.
Communication over packet networks, such as the Internet, is typically not private, as the network cannot guarantee packet delivery. Such networks allow packets to be injected into, or ejected out of, their circuits indiscriminately, and/or analyzed while in transit. For normal communication this poses no real threat. However, to keep sensitive data communicated on such circuits private, the packets flowing on the circuit must be encrypted so that injected packets can be recognized and discarded to keep unauthorized parties from reading and analyzing data. These private circuits are called “tunnels.”
A virtual private network (VPN) is a private data network that makes use of tunnels to maintain privacy when communicating over a public telecommunication infrastructure, such as the Internet. The purpose of VPNs is to give server operators, such as corporations, the same capabilities that they would have if they had a private permanent or switched network. VPNs also cost much less to operate than other private networks, as they use a shared public infrastructure rather than a private one.
Data communicated on a VPN is encrypted before being sent through the public network and decrypted at the receiving end. An additional level of security involves encrypting not only the data but also the originating and receiving network addresses. Server operators today are looking at using VPNs for both extranets and wide-area intranets.
Setting up a VPN, however, is a complex task. Corporations providing VPN connectivity to their employees, typically, must go through a number of inefficient steps before a VPN network can be established between the server operator's server and an employee's client computer. First, the server operator must set up the individual's account on the server-side. To accomplish this, a VPN system administrator at the server-side, manually enters the configuration data for the new client, determines the necessary security settings, inputs the security settings into an authentication server, and configures the server-side firewall so that it will accept incoming packets from the new client. Second, the VPN system administrator has to configure the client-side by manually entering the configuration data for the new server, determining the necessary security settings, inputting the security settings, and configuring the client-side firewall so that it will accept incoming packets from the new server. No known current means exists for automatically configuring the client and server for VPN communication.
Another drawback with current systems that establish VPN communication between a client and a server, is that they typically do not allow multiple clients coupled to the same client-side modem to establish multiple VPN communication tunnels over the same modem. For example, say husband (H) telecommutes with his office (OH) using VPN over his Digital Subscriber Line (DSL) modem in his home. Wife (W) would also like to telecommute with her office (OW) a corporation distinct from OH. The standard means for establishing two VPN tunnels is to provide separate modems and telephone lines to ensure that the communication between H and OH and W and OW, remains secure and private. This system is both inefficient and costly as two sets of client-side modems, two telephone lines, and two separate Internet connections are required. A need therefore exists for a means to allow multiple clients to establish multiple VPN tunnels over the same client-side modem.
Yet another drawback with existing VPN systems is that of host name resolution. Users using a file manager, such as WINDOWS EXPLORER™, or an Internet browser, such as MICROSOFT'S INTERNET EXPLORER™, in conjunction with more recent versions of MICROSOFT WINDOWS™, can enter a string of text into a text box on the Graphical User Interface (GUI) of these applications. Depending on the particular application used, this text box may be called, among other things, a destination field, location field, address field, or URL field. Typically, users enter Uniform Resource Locators (URLs) into the text box. However, a folder or directory name anywhere on the network that the client computer is connected to, may also be entered into the text box. In fact, any string of text may be entered into the text box. A URL is a compact string representation for a resource that is available on the Internet. In general, a URL is written as follows: [<scheme>:<scheme-specific-part>]. The <scheme> portion of the URL identifies which scheme is being utilized. Among the better known schemes are File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), the Gopher Protocol, Wide Area Information Servers (WAIS), USENET News Protocol (News), and the Prospero Directory Service (Prospero). Once the string of text has been entered into the address field and either the “enter” key depressed or the “Go” button clicked, the local client computer attempts to resolve what to display.
If the text entered is a URL, i.e., prefixed by ftp://, http://, www, etc., the client computer first searches its local cache to see if Web content, such as a Web page, associated with the URL is present on the local client computer. If it is, the associated Web content is displayed to the user. If it is not, the client computer sends out a DNS request to a DNS server dictated by the user's Internet settings, where the DNS (Domain Name System) resolves Internet domain names, such as www.company.com, into IP (Internet Protocol) addresses, such as 188.8.131.52. A DNS list of domain names and IP addresses are distributed throughout the Internet in a hierarchy of authority.
The DNS server then searches its DNS tables to locate an IP address associated with the URL. If an IP address is located, the IP address is returned to the local computer which then sends a request for the Web page (or other content, such as a file) to that IP address. If an associated IP address is not found on the DNS server, the DNS server returns a “page not found” response to the client computer.
If the text entered is a directory or folder name on the client computer, or within the network that the client computer forms a part of, and if such a directory or folder name is located, the contents of that folder or directory is displayed. If the text entered is not a directory or folder name on the client computer, or within the network that the client computer forms a part of, the text is sent to a designated search engine which conducts a search of the Internet using the text as the search term. A most likely Web page and/or a list of results located is subsequently displayed to the user. A description of this process can be found in U.S. Pat. No. 6,009,459, which is incorporated herein by reference. Selection of the search engine, most likely Web page, and the list of results is controlled by the manufacturer of the application and cannot be altered by the user.
The above mentioned text entry system works sufficiently well for a single client computer connected to the Internet. However, when using a VPN, multiple DNS servers and/or folders or directories with the same name, may coexist on the VPN. Therefore, the client computer, or its modem, has no way of intelligently determining which cache to search, which DNS server to send the request to, which search engine to use, and/or which directory or folder's contents to display. A need, therefore, exists to manage and prioritize requests entered into the text box of the above mentioned applications.
In light of the above, a less complex, inefficient, and costly method for configuring a VPN where the resources of a service provider can be redirected to areas other than manually configuring the system would be highly desirable. Furthermore, a VPN system that allows multiple clients coupled to the same client-side modem to establish multiple VPN communication tunnels over the same modem, would also be desirable. In addition, any advancement in host name resolution that addresses the abovementioned drawbacks would be welcomed.
According to the invention there is provided a computer implemented method for resolving host names on a network. First, a host name query is received by a modem from a client computer. The host name query is simultaneously transmitted from the modem to a plurality of Domain Name System (DNS) servers. A response is returned to the client computer from the modem, where the response is based on the host name query and any responses received from the DNS servers. In a preferred embodiment at least one address associated with the host name query is acquired from the DNS servers. The client computer then sends a request for content to the address. If more than one address is returned, all but one of the addresses is eliminated. This can be done by rejecting all but the most recent address, or rejecting all addresses not provided by a service provider DNS server. In addition, if no host is located by the DNS servers, a search is performed using the host name query as a search string, and an address of where the results of the search can be viewed is transmitted to the client computer. A computer program product for performing the above method is also provided.
Therefore, by using the above, resolving host names on a network having multiple DNS servers can be more accurately controlled.
Additional objects and features of the invention will be more readily apparent from the following detailed description and appended claims when taken in conjunction with the drawings, in which:
FIGS. 3A-D are flow charts of a method for automatically configuring a VPN according to an embodiment of the invention;
FIGS. 4A-C are flow charts of a method for establishing multiple VPN tunnels over a single modem according to an embodiment of the invention;
FIGS. 5A-C are flow charts of a method for automatically resolving host names in a VPN according to an embodiment of the invention; and
Like reference numerals refer to corresponding parts throughout the several views of the drawings.
The VPN disclosed herein makes use of a public telecommunication infrastructure and maintains secure communication through the use of encrypted tunneling protocol and security procedures. From the user's perspective, the connection appears to be a private network connecting the user's computer to a server operator's server-side system despite the fact that all communication is occurring over the public telecommunication infrastructure.
A preferred VPN meets the following general requirements for network security and access control. Information transferred over the VPN is encrypted with strong encryption algorithms, thereby ensuring confidentiality. An unauthorized party without the knowledge of the sending and receiving parties cannot secretly modify the transferred information, thus safeguarding the integrity of the communication. Furthermore, before information is transferred between parties, both sides need to authenticate themselves to each other by using Digital Certificates. Additionally, a home user will only be able to access the VPN and transfer or receive information from the server operator system after the user provides a username, password and optionally a tokencode and is authenticated by the server operator's authentication server.
Furthermore, the VPN system disclosed herein is relatively easy for telecommuting users to install and maintain, as the client VPN software resides on the user's modem instead of on the user's client computer. This alleviates drawbacks associated with software interoperability and maintenance issues on the user's client computer. Also, server operator VPN system administrators can securely connect to easy to use web interfaces to manage their entire VPN system.
The client-side system 108 is preferably operated by one or more users who desire to connect to the server-side system 130 via a VPN. The server-side system is preferably operated by a server operator, such that the user can connect or telecommute via a VPN with the server-side system 130 as if he or she was locally connected to it. A service provider preferably operates and controls the VPN and the service provider system 146. It should be understood that the service provider, user, and server operator may be distinct individuals, a group of individuals, a legal entity, or the like. Furthermore, although in practice, the service provider, the user, and/or the server operator are separate entities, this is not required.
The client-side system 108 preferably comprises one or more client computers 102(1)-(N) coupled together to form a local area network or LAN 104. Client computers 102 include any type of computing device, such as a personal computer, handheld computer, or the like. The LAN 104 is coupled to a modem 106 that in turn couples to a service provider managed network 114 and the Internet 116. In the preferred embodiment, the modem 106 is a DSL (Digital Subscriber Line) modem that couples to a Digital Subscriber Line Access Multiplexer (DSLAM) 112, which is a network device that is usually located at a telephone server operator's central office 110. The DSL modem 106 preferably couples to the DSLAM 112 over regular telephone lines [POTS (plain old telephone service) lines]. The DSLAM 112, in turn, couples to the service provider managed network 114 and the Internet 116 in a manner well understood in the art. The service provider managed network 114 is preferably an ATM (Asynchronous Transfer Mode) network. It should be understood that DSL technology is only one way of connecting to the Internet 116. DSL technology is used for its speed of communication and accessibility to users' homes over regular telephone lines. In alternative embodiments of the invention, cable modem technology, satellite technology, or the like may be utilized as long as the modem described is used.
The service provider managed network 114 also couples to the service provider system 146. The service provider system 146 preferably comprises a service provider's DNS server 120, a VPN Provider 118, and an HTTP (Web) server 160 containing administration HTTP (Web) pages 162, an example of which is shown in
The VPN Provider 118 is an important part of the VPN infrastructure. Based on commands and information entered into administration Web pages 162 by remote corporate VPN system administrators, the VPN Provider 118 dispatches instructions to configure and control the modem 106 and a VPN concentrator 136 (described below) and manage their security policies. The VPN concentrator 136 is a device that combines several communications channels into one and is often used to tie multiple terminals together into one line. The VPN Provider 118 also transmits certificate and private keys from a security generator, such as a Public Key Infrastructure (PKI) synchronizer 124, where keys are numeric codes that are combined in some manner with communicated data to encrypt it for security purposes. The corporate administration Web-pages 162 are preferably unique for each server operator and only allow administration of VPN concentrators 136 resident at the server-side system locations 130, and users that access such server-side systems 130.
The VPN Provider 118 is preferably coupled to an OSS (Operational Support System) 122, a Public Key Infrastructure (PKI) synchronizer 124, a VPN synchronizer 126, a Value Added Network Services (VANS) database 128, and a modem synchronizer or cache farm 148. In addition to its usual functions, the OSS 122, also, preferably controls online-ordering and billing of VPN services.
Although PKI is preferably used to secure the communications, any suitable alternative security mechanism may be used. PKI enables users of an unsecured public network, such as the Internet, to securely and privately exchange data through the use of public and private cryptographic key pairs that are obtained and shared through a trusted authority. PKI provides for Digital Certificates that can identify individuals or organizations. A Digital Certificate is an electronic “credit card” that establishes a sender's credentials. It is issued by a certification authority (CA) 150, and contains the senders name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting and decrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. The PKI synchronizer 124 consists of: a certificate authority (CA) 150 that issues and verifies Digital Certificates, where each certificate includes the public key or information about the public key; a registration authority (RA) 152 that acts as the verifier for the CA before a Digital Certificate is issued to a user; and one or more directories 154 where the certificates (with their public keys) are held. Although not shown, a certificate management system may also be provided.
As the Root CA the PKI processes PEM (Privacy Enhanced Mail) encoded PKCS #10 (Public-Key Cryptography System) Digital Certificate requests and return Certificates in the PKCS #7 format, where the Root CA is the parent authority that all CAs trust. As an additional function the PKI generates private and public key pairs. The public key is used for certificate creation, while the private key, once it has been sent to and received by the modem, is deleted from the PKI. The PKI requires an API (Application Program Interface) that can be called by the VPN Provider to control the PKI functions such as process a certificate request, etc. The PKI also needs to support revoking certificates with a minimum of issuing CRL's (Certificate Revocation List).
The VPN Synchronizer 126 is used to serve security data via the VPN provider to the VPN Concentrator 136, while the modem synchronizer or cache farm 148 is used to serve security data via the VPN provider to the modem 106.
The VANS database 128, provides the features that allow management of the entire VPN. The VANS database contains the security policies and certificates for the modem 106 and the VPN Concentrators 136. For example, for each pair of client-server VPN tunnels set up, a security policy for each modem and each VPN Concentrator 136 is stored in the VANS database 128. The VANS database preferably contains server location information, network information, or the like. The network information preferably includes DNS server 144 addresses, authentication server 138 addresses, WINS (Windows Internet Naming Service) server IP addresses, default corporate network subnets, encryption and authentication algorithms, user's configuration information (locations, additional corporate subnets allowed to connect to), or the like.
The server-side system 130 preferably consists of a router 132 coupled to a firewall 134 and a VPN concentrator 136. The firewall 134 and VPN concentrator 136 are coupled to a local area network or LAN 156. The LAN 156 couples an authentication server 138, a file server 140, a proxy server 142, and the server operator's DNS server 144 to one another.
The router 132 is a device or, in some cases, software in a computer, that determines the next network point to which a packet should be forwarded toward its destination. The router 132 is coupled to at least two networks, namely the Internet 116 and the LAN 156, and decides which way to send information packets based on its current understanding of the state of the networks it is connected to.
The firewall 134 is a set of related programs located at the server-side system 130, that protects the resources of the LAN 156 from users connected to the Internet 116. The firewall 134 also works with the proxy server 142 to make network requests on behalf of corporate workstation users (not shown). The firewall is preferably installed on a computer separate from the rest of the LAN 156 so that no incoming request can access private network resources. Alternatively, the firewall 134 may form part of another computer, such as the router 132 or VPN Concentrator 136. There are a number of firewall screening methods that may be used in conjunction with the invention. One such method is to screen requests to make sure they come from acceptable (previously identified) IP addresses. In the present invention, the firewall 134 allows remote access to the private LAN 156 by the use of secure logon procedures and authentication certificates, explained below.
In use, a VPN tunnel is constructed between the modem 106 and the VPN concentrator 136, which acts as a server and responds to VPN session requests. In the preferred embodiment of the invention, the VPN concentrator 136 conforms to IETF IKE (Internet Engineering Task Force-Internet Key Encryption) and IPSec (Internet Protocol Security) standards and provides as a minimum DES (Data Encryption Standard) and/or 3DES (Triple Data Encryption Standard (168 Bit)) encryption and HMAC-MD5 (Hashed Message Authentication Code-Message Digest 5) and/or HMAC-SHA1 (Hashed Message Authentication Code-Secure Hash Algorithm 1) authentication algorithms. The VPN concentrator also preferably supports multiple concurrent IPSec tunnels and is fully compatible with authentication and encryption software, such as the HIFN IKE and IPSec Toolkits 238 that are shown and described in relation
The authentication server 138 is used to authenticate a VPN session request from the modem 106. In the preferred embodiment of this invention, the authentication server 138 is a RADIUS (Remote Authentication Dial-In User Service) server. RADIUS is client/server protocol and software that enables clients to remotely communicate with a central server that authenticates users and authorizes their access to the requested system or service. RADIUS allows a server operator to maintain user profiles in a central database, preferably on the authentication server 138, that all remote servers can share. RADIUS also provides enhanced security, allowing a server operator to set up a policy that can be applied at a single administered network point. Having a central service also means that it is easier to track usage for billing and for keeping network statistics. RADIUS client software is preferably also located on the modem 106, such that data packets sent by the modem 106 are RADIUS formatted. An example of suitable RADIUS software is “Funk Steel Belted RADIUS™” made by FUNK SOFTWARE™, Inc.
The file server 140 is used to serve files requested by a user to a client computer 102. The proxy server 142 is a server that acts as an intermediary between the LAN 156 and the Internet so that the server operator can ensure security, administrative control, and caching service. One function of the proxy server 142 is to accept securely formatted packets (preferably RADIUS formatted packets) from the modem's security software 226 (
In a preferred embodiment the proxy server uses open source software, such as CISTRON RADIUS SERVER VERSION 1.6.3™, and is modified to accept RADIUS packets from client computers 102 without client configuration. Optionally, OEM Radius software (Funk Steel Belted Radius™) which can operate in promiscuous mode, can be used that has the additional advantage of having the capability of authenticating against a MICROSOFT NT™ Domain or NOVELL NDS™. Promiscuous mode is the condition in which a node in a network recognizes and accepts all packets on the line regardless of protocol type or destination. Use of the server operator's DNS server 144 will be explained in detail below in relation to
It should be appreciated that the functions of the various devices shown in
Communication procedures 216 are used for communicating with the service provider system 146 (
The security procedures 226 enable the client computers 102 (
Network Address Translation (NAT) 228 is used to translate Internet Protocol addresses (IP addresses) used within one network, preferably the LAN 104 (
Therefore, the VPN effectively extends the server-side system 130 (
The DHCP server 230 lets network administrators manage centrally and automate the assignment of Internet Protocol (IP) addresses to the client computers 102 (
The DNS (Domain Name System) relay procedures 232 allows the user's client computer 102 (
The flash memory 234 is a type of constantly-powered nonvolatile memory that can be erased and reprogrammed in units of memory called blocks. In the preferred embodiment of the invention, the following is stored in the flash memory 234: The Root CA Certificate, Sub CA Certificate, EW Certificate (Use for connecting to all server-side systems), EW Private Key, EW Password, VPN Security Policy (One set for every server operator, each user may connect to several server operators in different locations which the modem will be allowed to connect to), Cached Log information, and Login/Status Web page.
The cache 236 is a temporary storage memory. The HIFN™ provided IKE/IPSec Toolkit 238 and HIFN™ provided X.509v3 Digital Certificate management 240 are software products provided by HI/FN, Inc.™, which are used to implement IPSEC (Internet Protocol Security) and IKE (Internet Key Encryption).
Turning now to the configuration of the VPN system between a server operator 130 and a remote user 108. The server operator firstly enters into an agreement for DSL service, including VPN, from a service provider 146. A VPN concentrator 136 (
Moreover, the modem is preferably configured to send and receive data traffic directly to and from the Internet, while only server operator side data traffic is sent and received through the VPN tunnel. If a modem does not have this feature, all data traffic must first be sent through the VPN tunnel to the server operator, and thereafter the data traffic destined for the Internet passed through the server operator network firewall.
FIGS. 3A-D are flow charts of a method 300 for automatically configuring a VPN according to an embodiment of the invention. A VPN system administrator, such as a corporate IT administrator, requests (step 302) an administration interface from the service provider. The service provider receives (step 304) the request for the administration interface and sends (step 308) the administration interface to the administrator. The administration interface is preferably the administration Web page 162 (
The VPN provider 118 (
The selected corporate servers, users, and security settings are then stored (step 324) in the VANS database 128 (
To synchronize (step 340) the security settings with the modem, the modem preferably downloads a set of VANS Product URLs, which are pointers to the real security settings. The VPN Product URLs include a download VPN configuration URL, a download modem firewall configuration URL, a renew and download modem PKI certificates URL, and a report VPN operational test result URL. The modem connects to the VPN URLs, authenticates using the cached one time password, and downloads the VPN configuration from the VANS database 128 (
The user is then instructed (step 346), preferably via a Web page, to reboot the client computer. The user then reboots (step 348) the client computer and the modem. The modem, for each VPN Security Policy, then preferably performs an operational test where a VPN tunnel is created (step 350) and the internal port of the VPN Concentrator 136 (
The above described method addresses the manual configuration drawbacks associated with current VPNs, as it is less complex, more efficient, and less costly than current VPN systems. In addition, the resources of service providers can be redirected to areas other than manually configuring the system. Using the above described method, VPN service providers can eliminate sending out technicians to server operators and users to configure their systems. This leads to tremendous cost savings for the service provider and the server operator. Further benefits can be brought about by allowing multiple users to establish distinct VPNs using the same modem. These further benefits are described below in relation to FIGS. 4A-C.
FIGS. 4A-C are flow charts of a method 400 for establishing multiple VPN tunnels over a single modem. The user or corporate employee, preferably using a Web browser on one of the client computers 102 (
In the preferred embodiment, configuration of the security settings occurs using standard IPSec implementation. The IPSec stack is configured with the server operator server's VPN Security Policy (VPN Concentrator IP address, authentication method, IKE and IPSec authentication and encryption algorithms, Diffie-Hellman Group, key lifetime). The security procedures 226 (
Subsequently, the security procedures 226 (
If access is rejected (step 426—Yes) then a Web page, from the stored Web pages 222 (
If access is accepted (step 430—Yes), then a VPN tunnel is established (step 432) between the client having the stored IP or MAC address and the server-side system. This is preferably accomplished by adding routes from the connecting client to the corporate subnets through a virtual interface. If split-tunneling is not allowed then the routes to the Internet are removed and the default route is set to the VPN Concentrator. Login details are stored in a log file, which is periodically pushed to the VANS database 128 (
After a successful authentication, firewall rules are added to the packet filtering firewall 218 (
If no traffic is detected for a length of time defined by the VPN system administrator, there is a system timeout (step 434), the tunnel is torn down and a disconnect message is displayed, where the user has the option to re-log on (step 438). The user may, also, at any point, choose to log out (step 436) of the VPN. Again the user is given the option to re-log on (step 438). If the user decides not to re-log on, he or she is logged out of the system (step 440). In this way security is protected by dropping the VPN should the user not be using the VPN for a predetermined length of time. Therefore, if a user forgets to disconnect from the VPN and leaves the client computer unsecured, the VPN will automatically be dropped after a length of time determined by the VPN system administrator.
Should other users, using any of the remainder of the client computers 102 (
Security mechanisms used in a preferred embodiment of the invention may be generally described as follows:
1. Upon receiving instructions from the corporate administrator Web interface the VPN service for a user can be suspended or deleted. If suspended then the VPN Provider 118 (
2. The VPN Concentrator will only allow an IKE/IPSec connection from a VPN client (modem) with a valid Digital Certificate that can be authenticated by the issuing Certificate Authority 150 (
3. The modem will not initiate an IPSec connection to the VPN concentrator until a user's username, password, and token-number has been proxied in an Access-request message via a Radius Proxy server to a corporate Radius server and an Access-accept response is received back. Then the modem can initiate an IPSec connection and add the routes to the server-side system to its routing table. Also, the modem firewall rules are added to allow only traffic from the user's client computer to the server-side system.
The above described method addresses the difficulties associated with establishing multiple VPNs over a single modem, leading to tremendous cost and efficiency benefits. Two separate modems connecting to the Internet using separate DSL connections is no longer required. Further cost and efficiency benefits can be attained by addressing the difficulties associated with resolving host names in a VPN. These further benefits are described below in relation to FIGS. 5A-C.
With VPNs, the problem arises as to which DNS server the client computer communicates with, to resolve host names. The DNS Relay procedures 232 (
To accomplish the above, the user's client computer DNS server settings, usually accessible from the Browser, are set to the internal IP address of the modem. Once a user requests a host, such as by typing “www.company.com” into the text or address box of his Internet browser, the client computer 102 (
If the modem locates the host in the cache (step 508—Yes), the located host address is returned (step 512) to the client computer, which receives (step 542) the host address. Alternatively, if a cached version of the requested page is located, the page itself will be returned to the client computer and displayed to the user. If a host address is returned (step 512) to the client computer, then the client computer formulates a new request for content, and sends (step 544) it to the host address. The request is preferably a HyperText Markup Language (HTML) request for content such as a Web page or file.
If the host is not located in the cache (step 508—No), the host query is transmitted to all DNS servers set up in the modem. In the preferred embodiment, the host query is transmitted (step 514) to the server operator's DNS Server 144 (
If the server operator's DNS server locates (step 526—Yes) the host's associated address, the address is returned (step 542) to the modem. If the server operator's DNS server does not locate (step 526—No) the host's associated address, the server operator's DNS server transmits (step 546) a “No Host Found” message to the modem.
Likewise, if the service provider's DNS server locates (step 528—Yes) the host's associated address, the address is returned (step 530) to the modem. If the service provider's DNS server does not locate (step 528—No) the host's associated address, the service provider's DNS server transmits (step 546) a “No Host Found” message to the modem.
Once the modem acquires (steps 532 and 534) the address from the service provider's DNS server and/or the server operator's DNS server, the modem determines (step 536) whether it has received more than one address, i.e., an address from both the service provider's DNS server and the server operator's DNS server. If only one address is received (step 536—No), then the address is returned (step 540) to the client computer. If more than one address is received (step 536—Yes), then the modem applies (step 538) a policy to the received addresses, so as to be left with only a single address. In the preferred embodiment the policy keeps only the most recent address. Alternatively, the policy may always return the address supplied by the service provider. Once the policy has been applied and only one address remains, that address is returned (step 540) to the client computer.
Once the client computer receives (step 542) the address, it formulates a request for content, such as an HTML request for a Web page, and sends (step 544) the request to the received address. Therefore, if for example a host request for “www.company.com” returns a request from both the service provider's and the server operator's DNS servers, the policy preferably returns either the latest IP address for “www.company.com” or returns the IP address from the service provider's DNS server, such as 184.108.40.206. The client computer then sends a request to 220.127.116.11, which returns the company's Web page. The above method, therefore, resolves host names in a VPN with multiple DNS servers.
The above method may also be used by the service provider to control the use of the search engine, most likely page, and results list returned when a user enters text into the text box that cannot be resolved. If neither of the DNS servers can resolve the host name, they transmit (step 546) a “No Host Found” message to the modem. The modem receives (step 548) the message and sends (step 550) the a search term to a search engine dictated by the service provider, or alternatively by the VPN system administrator, where the search term is based on the unlocated host name. The search engine receives (step 558) the search and conducts a search (step 560) based on the search term. The modem transmits (step 552) the address or IRL (Information Resource Locator) of where the search results can be found to the client computer. Once the client computer receives (step 554) the address, it requests, receives, and displays (step 556) the results as it would any Web-page. In this way, the service provider and/or VPN system administrator can control the search results displayed to the user. For example, the VPN system administrator can set up the system so that when text is entered into the text box by a user, and no host address can be resolved from the text, the results of a search of the server operator's web site, using the text as the search term, can be displayed to the user. Furthermore, the service provider can generate revenue from displaying advertiser's Web pages more prominently on a list of search results. In an alternative embodiment, if the DNS servers do not respond at all, or do not respond within a predetermined time, the modem automatically conducts the search.
Moreover, the above method may also be used to resolve host addresses for devices coupled to the VPN. Users using a file manager, such as WINDOWS EXPLORER™, or an Internet browser, such as MICROSOFT'S INTERNET EXPLORER™, in conjunction with more recent versions of MICROSOFT WINDOWS™, can resolve the host name of devices, or directories on these devices, coupled to the VPN. For example, if the host query entered into the text box of the GUIs of the above applications was for “ComputerName” the modem would attempt to locate a device, or directories on a device, that matched the entered name. The modem would send the host name to both DNS servers and if a device, or directories on a device, on the VPN matches “ComputerName,” return the address of that device.
The above described method addresses the drawbacks associated with current DNS systems, while allowing a service provider to specify which search engine is to be used if a name cannot be resolved.
For each user the administrator can enable 614, suspend 616, or delete 618 VPN service. Also, for each user the administrator can select organization configuration (may belong to multiple organizations) and for each organization enter IP address to use, list additional network subnets allowed to connect to, specify security level used (set of IKE and IPSec Authentication and Encryption algorithms, Diffie-Hellman key size, etc.), specify split tunneling (On/Off).
A status box 612 is provided where the administrator can view the connection status, who the VPN Concentrator is connected to, the last connection time, the total usage, the bytes transferred, the time on-line, the encryption/authentication algorithms used, certificate information, or the like
The administrator can also preferably add new server operator details by clicking on button 620. New details may include a VPN Concentrator IP address, a VPN Concentrator type, a secondary VPN Concentrator IP address, a secondary VPN Concentrator type, a Radius Server IP address, a secondary Radius Server IP address, the security level—encryption/authentication, a Radius Shared Secret, a list of network subnets allowed to connect to, or the like.
In the case where a user reports a lost or stolen modem, the VPN administrator can notify the service provider of the loss, preferably through the administrator Web-site. This causes NRMS (Network Resource Management System) on the OSS to revoke the modem's certificates, disable VPN service for this modem, and delete the modem's policy configuration on the VPN Concentrator. Because of the nature of a DSL connection, and because the modem interoperates with the NMS and with it's saved configuration, the modem can only be operated from the user's phone line, and, therefore, cannot be used to connect to the corporate network from another DSL phone line.
The above methods provide a VPN service which fulfills the requirements of network security and access control, while from the user and administrator's perspective is very easy to install, configure and manage.
While the foregoing description and drawings represent the preferred embodiment of the present invention, it will be understood that various additions, modifications and substitutions may be made therein without departing from the spirit and scope of the present invention as defined in the accompanying claims. In particular, it will be clear to those skilled in the art that the present invention may be embodied in other specific forms, structures, arrangements, proportions, and with other elements, materials, and components, without departing from the spirit or essential characteristics thereof. The presently disclosed embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims, and not limited to the foregoing description. Furthermore, it should be noted that the order in which the process is performed may vary without substantially altering the outcome of the process.