WO2002001832A1 - Device and methods for screening access to a computer network in a telecommunication system - Google Patents


Info

Publication number: WO2002001832A1
Authority: WO (WIPO, PCT)
Prior art keywords: access, server, network, terminals, bearer
Application number: PCT/IB2001/000601
Other languages: French (fr)
Inventor: Pasi Pentikainen
Original assignee: Nokia Corporation; Nokia Inc.
Application filed by Nokia Corporation and Nokia Inc.
Priority to AU2001250560A
Publication of WO2002001832A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/04 Protocols specially adapted for terminals or networks with limited capabilities; specially adapted for terminal portability

Definitions

  • The method begins at step 100. At step 110 it is determined whether the particular terminal requesting access is "blacklisted" from the system. To be blacklisted means that under no circumstances shall access to the WAP server 10 ever be granted to this terminal, and so at step 120 access is denied. It is then determined at step 130 whether access to the WAP server is being requested from a known terminal, i.e. one to which a license for access has already been granted during the session. If so, then at step 140 access is granted to this terminal. If not, then at step 150 it is determined whether the terminal requesting access is an unknown terminal, i.e. a terminal not previously granted a license to the WAP server in a session, and whether access for unknown terminals is allowed.
  • Access control to the WAP server 10 is thus enforced before messages, data or other datagrams actually reach the WAP server.
  • The computational overhead required to process messages in the WAP server is greatly diminished. This contributes to enhanced server and network performance, and reduces the computation costs associated with the server. Such results have not heretofore been achieved in the art.

Abstract

Systems and methods for screening access to a Wireless Application Protocol (WAP) server provide the ability to screen messages received from terminals which are not permitted access to the WAP server before the messages are actually input to the WAP server. A security manager configures the server to accept or deny access to the WAP server by terminals by entering the allowed terminal identification numbers into a WAP protocol stack (WPS), which is consulted to determine whether terminals requesting access appear on the list of terminals allowed access. If access is permitted, the messages are input to the WAP server; if access is denied, the messages are not permitted to reach the WAP server. By screening the messages before they are input to the WAP server, the efficiency of the WAP server is greatly increased since it is not required to operate in any manner on messages which are denied access.

Description

Device and Methods for Screening Access to a Computer Network in a Telecommunication System
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates generally to methods and devices for providing access by network terminals in a telecommunication system to a computer network that manages the telecommunication system. More particularly, the invention relates to devices and methods for allowing or denying access to a computer network in a telecommunication system by network terminals in the telecommunication system before the messages are input to the computer network. Such devices are commonly referred to as a "firewall".
2. Description of the Related Art
The proliferation of complex telecommunication systems and the use of such systems by users has created access and data management problems for the telecommunication systems. Since wireless communication networks are rapidly being integrated with the internet, additional technical, managerial and security issues have become extant in dealing with access control to these hybrid networks from mobile, wireless and other types of terminals.
Integration of the internet with wireless communication systems requires the importation of internet content and sophisticated data services into digital mobile stations, sometimes referred to as "media telephones." In order to accomplish full and consistent integration, a data communication protocol is implemented which seamlessly translates internet messages sent according to internet protocols, for example the hypertext transfer protocol ("http"), to a protocol recognized and understood by the wireless system in use. There are several protocols currently available today which are recognized by wireless systems which are integrated with the internet and other networks. For example, Nokia Corporation produces, markets and sells a messaging system called the NOKIA SMART MESSAGING system that translates internet messages in http to a message that can be understood by a wireless network. Other protocols have been developed to accomplish this task, such as the Wireless Application Protocol (WAP), which is a protocol standard that has been developed and implemented on a world-wide basis. The WAP protocol is described in several documents such as, for example, Wireless Application Protocol Architecture Specification, Version 30-Apr-1998, published by the Wireless Application Protocol Forum, Ltd., the teachings of which are incorporated herein by reference; and Wireless Application Protocol, Wireless Application Environment Specification Version 1.1 (May 24, 1999), the teachings of which are also incorporated herein by reference.
Regardless of which messaging protocol is used to translate the http messages to messages understandable by the wireless system, it has become increasingly necessary to devise ways in which unwanted users or terminals in the system can be denied access to the wireless network. This is necessary since the proliferation of users of the internet has caused requests for access to many wireless systems to be overwhelming, thereby reducing the ability of the wireless systems to perform their functions and to operate efficiently. Various solutions have been attempted in the past to restrict access to telecommunication networks. "Firewall" products, known to those skilled in the art, have been employed to prevent unauthorized users or clients from creating protocol traffic on the network. The problem with prior art firewalls is that they have been implemented as separate devices which raise the costs of the telecommunication system and which require separate maintenance and care. Moreover, firewall products have typically been "transport bearer specific," i.e., they are individually usable only with the particular message bearer protocol for which they are designed. Thus, for example, if Transmission Control Protocol/Internet Protocol (TCP/IP) or User Datagram Protocol/Internet Protocol (UDP/IP) is used, the firewall will only screen TCP/IP or UDP/IP messages, completely ignoring messages requesting access to the network using other types of transport protocols.
Alternatively, access restrictions have been implemented on top of the protocol stack, as part of the application that processes the request. The problem with this approach is that it is computationally expensive, and it allows access to the network for all messages even when some of the messages will ultimately be screened out because they will not be forwarded to another destination or Uniform Resource Locator (URL). This defeats the major purpose of screening unwanted messages, since the unwanted messages are allowed access to the network, at least for a short period of time, thereby clogging network traffic and dominating network resources.
Thus, there exists a long-felt, but unresolved, need in the art for systems and methods for screening access to a server in a network. The solution to this problem should be bearer-independent and be integrated at the bearer level of the server rather than the protocol or application levels of the server. Furthermore, these methods and devices should ensure that no access is permitted to the network for unwanted messages, whatever protocol the unwanted message requests are sent in.
SUMMARY OF THE INVENTION
In accordance with the present invention, systems and methods configure a computer network that includes a plurality of terminals to either accept or deny access to the network by particular network terminals. After receiving a request for access from a particular network terminal, the request for access is screened before the request is input to a server in the network. If the request is from a terminal that is allowed access to the network, then that particular message is input to the network and the terminal from which that message was received is given access to the network. However, if the request is from a terminal that has been denied access to the network, the message output from the denied terminal is not allowed access to the network.
By screening the access requests before the requests are input to the server, the inventive systems and methods greatly facilitate the efficient use of server processing time and compute cycles. Additionally, since the access requests are screened before the requests are input to the server, the access requests are analyzed at the protocol bearer level of the network, thereby allowing messages of any protocol to be efficiently screened. This also eliminates the need for separate firewalls for screening messages to be maintained in the network which greatly reduces the costs and complexities of the network.
These and other features of the present invention will become apparent from the following detailed description considered in conjunction with the accompanying drawings. It is to be understood, however, that the drawings are designed solely for purposes of illustration and not as a definition of the limits of the invention, for which reference should be made to the appended claims.
BRIEF DESCRIPTION OF THE DRAWINGS
In the drawings, wherein like reference characters identify similar elements throughout the several views:
Figure 1 is a block diagram of a server architecture which implements the systems and methods of the present invention for screening access to a wireless network; and Figure 2 is a flow chart of a preferred method for screening unwanted messages from entering a wireless system in accordance with the present invention.
DETAILED DESCRIPTION OF THE PRESENTLY PREFERRED EMBODIMENTS
Figure 1 is a block diagram of a gateway server hierarchy 10 which implements the inventive systems and methods. It will be appreciated by those skilled in the art that server 10 may be embodied in software alone, or may also be implemented as a separate processor for performing the server functions to be described in more detail below. Moreover, server 10 may implement any particular protocol or protocols necessary for translating, implementing or otherwise enabling Internet or wireless communications. In a preferred embodiment, server 10 implements the WAP protocol described briefly above and therefore server 10 will be referred to throughout as WAP server 10. While the preferred embodiment of the invention has been shown implemented as a WAP server, any other protocol which is usable in a hybrid internet/wireless network may implement the inventive systems and methods with equal efficacy. The present invention is applicable to any such protocol but, for illustrative purposes, will be described throughout with respect only to the WAP protocol.
The WAP server 10 preferably comprises a wireless protocol stack (WPS) 20 which provides access control functionality for the server 10 after a security manager has defined which network terminals are to be given access to the WAP server 10 as will be described in more detail below. Several bearer adapters 30 are placed below WPS 20 and access the several bearers through bearer drivers 40. The bearer adapters 30 provide all of the required functionality to interpret wireless messages which will be received by the WAP server 10.
A "bearer adapter" is any particular wireless protocol in which a message can be sent for processing by the WAP server 10. Thus, bearer adapters 30 may be a short message service (SMS) phone bearer adapter, a circuit switched data (CSD) bearer adapter, a CIMD (Nokia short message service centre, SMSC) bearer adapter, an IS-95 bearer adapter and/or any other bearer adapter which is needed to support message receipt and processing by WAP server 10. The function of the bearer adapters has been specified in the Wireless Datagram Protocol (WDP) of the WAP specification incorporated herein by reference above. In accordance with this protocol, the bearer adapter functions as an adaptation layer or tunnel that maps the WDP protocol functions directly onto a specific bearer. The adaptation layer is different for each bearer and deals with the specific capabilities and characteristics of that particular bearer service. Moreover, at WAP server 10, the adaptation layer terminates and passes the WDP packets on to a WAP proxy server (not shown in Figure 1) via a tunneling protocol which is the interface between the WAP server 10 that supports the bearer service and the WAP proxy server.
The bearer adapters 30 are thus components that connect WAP server 10 to a wireless network. To support a number of different bearers, WAP server 10 will thus need to have a number of different bearer adapters 30 as shown. All data from a WAP terminal comes to the WAP server 10 through bearer drivers 40 and the respective bearer adapter 30. After traversing the bearer adapter 30, the data enters WAP stack 20 which includes the necessary protocol layers to recognize the data. In accordance with the invention, license control is provided by license control module 50. Thus, data entering the WAP server 10 is screened by license control module 50 before it enters the protocol stack 20. To accomplish this salutary result, a bearer gateway 60 which includes license control module 50 is provided between WPS 20 and the bearer adapters 30. All datagram traffic between a bearer adapter 30 and the WPS 20 must pass through bearer gateway 60. Accordingly, bearer gateway 60 performs license control, i.e., it controls access to the WAP server 10 by terminals, and checks whether every incoming data packet has access rights or not. If the packet has access rights, it is allowed to proceed to the WPS 20. If the packet does not have access rights, it is discarded. The packets received by WAP server 10 are constructed in accordance with a service primitive provided by the WDP specification. The service primitive comprises, among others, the following parameters:
The Source Address is the address of the sender and is the unique address of the device making a request to the WDP layer. The source address may be a Mobile Station ISDN (MSISDN) number, an IP address (given as numbers or symbols), an X.25 address, or some other identifier. The length of the Source Address parameter may vary according to what the source is.
The Source Port is the application address or port number associated with the source address of the requesting communication instance. The port number of the sender is a 16-bit number.
The User Data is the data carried by the WDP protocol. The unit of data submitted to or received from the WDP layer is also referred to as the Service Data Unit. This is the complete unit (message, packet, package) of data which the higher layer (at the sender) has submitted to the WDP layer for transmission. The WDP layer will transmit the Service Data Unit and deliver it to its destination without any manipulation of its content.
The Source Address and Source Port parameters are part of a header portion of a WAP message and the User Data is the actual payload of data of the message.
In accordance with the invention, bearer gateway 60 reads both the Source Address and the Source Port information in every data packet that is received at the bearer gateway through the bearer adapters 30. Each combination of a client address (Source Address) and a client port (Source Port) makes up a concurrent session and thereby requires one license. This means that the same terminal can consume more than one license, for example if the user is concurrently using two different applications at the terminal to access services via the WAP server 10, e.g., a banking application and a calendar application. Using the client port number (Source Port) in addition to the address to identify the sender is necessary to prevent someone from using a proxy machine to circumvent the license check (with the UDP bearer): several terminals may reach the WAP server 10 via the proxy server, in which case the Source Address would always be the same, whereas the Source Port information in the data packets would still differ.
In a further preferred embodiment, the licenses for access by a terminal to the WAP server 10 are calculated on a session basis. Thus, concurrent sessions are controlled from the same license source. There is no limit to the number of transactions in a session; however, license control in accordance with the invention determines how many sessions are allowed to execute transactions concurrently. During a session, it is desired to set a fixed time window during which a license to access the WAP server 10 must exist for the terminals requesting access thereto. In still a further preferred embodiment, this time window is about ten minutes in length. This means that when a session is established, one license is reserved for every combination of allowed Source Address and Source Port. If no data arrives at the WAP server 10 during the session and in the time window then the license is released. The next time in the session that a transaction is requested from the Source Address and Source Port combination, a new license is needed, i.e. that data in the session is allowed to pass the bearer gateway 60 only if there still is a free license for that license holder.
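The license-control logic of the bearer gateway, as an added illustration that is not code from the patent or from Nokia: one license per (Source Address, Source Port) pair, a fixed pool of concurrent licenses, release of a license after an idle window (the text suggests about ten minutes), and the decision order of Figure 2 (blacklist first, then known session, then unknown terminal). The class and method names, the fixed pool size, the explicit arrival timestamps and the sample traffic (a proxy address 10.0.0.5 using several ports, and a blacklisted MSISDN) are all constructed for this example. Like the text, the gateway treats the address/port pair purely as the session identity; it does not authenticate the sender.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class WdpDatagram:
    """The WDP service-primitive parameters the text lists, as handed up by a
    bearer adapter. Source Address is opaque because its form depends on the
    bearer (MSISDN, IP address, X.25 address ...); Source Port is 16 bits.
    arrived_at is injected so the example runs offline without a clock."""
    source_address: str
    source_port: int
    user_data: bytes
    arrived_at: float  # seconds

    def __post_init__(self) -> None:
        if not 0 <= self.source_port <= 0xFFFF:
            raise ValueError("Source Port must be a 16-bit number")


SessionKey = Tuple[str, int]


class BearerGateway:
    """Sits between the bearer adapters and the protocol stack (WPS).
    Each (Source Address, Source Port) pair is one concurrent session and
    holds one license; a session with no traffic for idle_window seconds
    releases its license and must obtain a new one on its next datagram."""

    def __init__(self, max_licenses: int, allow_unknown: bool,
                 blacklist: Set[str], idle_window: float = 600.0) -> None:
        self.max_licenses = max_licenses          # size of the license pool
        self.allow_unknown = allow_unknown        # policy for step 150
        self.blacklist = set(blacklist)           # addresses never admitted
        self.idle_window = idle_window            # ~ten minutes in the text
        self.licenses: Dict[SessionKey, float] = {}  # key -> last seen

    def _release_idle(self, now: float) -> None:
        """Release licenses of sessions idle longer than the window."""
        for key in [k for k, last in self.licenses.items()
                    if now - last > self.idle_window]:
            del self.licenses[key]

    def screen(self, dg: WdpDatagram) -> str:
        """Decide whether the datagram may proceed to the WPS.
        Returns a short tag naming the decision and the reason."""
        now = dg.arrived_at
        self._release_idle(now)
        # Steps 110/120: a blacklisted terminal is denied unconditionally.
        if dg.source_address in self.blacklist:
            return "deny:blacklisted"
        key: SessionKey = (dg.source_address, dg.source_port)
        # Steps 130/140: a session already holding a license passes and
        # refreshes its idle timer; transactions within a session are unlimited.
        if key in self.licenses:
            self.licenses[key] = now
            return "pass:known"
        # Step 150: an unknown terminal is admitted only if policy allows it
        # and a license is still free in the pool.
        if not self.allow_unknown:
            return "deny:unknown"
        if len(self.licenses) >= self.max_licenses:
            return "deny:no-license"
        self.licenses[key] = now
        return "pass:new"

    def active_sessions(self) -> int:
        return len(self.licenses)


def run_demo() -> List[str]:
    """Constructed traffic: a proxy at 10.0.0.5 fronting several terminals
    (same address, different ports), a blacklisted MSISDN, and a datagram
    arriving after one session's license has idled out."""
    gw = BearerGateway(max_licenses=2, allow_unknown=True,
                       blacklist={"+358400000001"})
    traffic = [
        WdpDatagram("10.0.0.5", 2048, b"GET banking.wml", 0.0),
        WdpDatagram("10.0.0.5", 2049, b"GET calendar.wml", 1.0),
        WdpDatagram("10.0.0.5", 2050, b"GET news.wml", 2.0),       # pool full
        WdpDatagram("+358400000001", 2048, b"GET banking.wml", 3.0),
        WdpDatagram("10.0.0.5", 2048, b"GET account.wml", 500.0),  # refresh
        WdpDatagram("10.0.0.5", 2050, b"GET news.wml", 650.0),     # 2049 idle
    ]
    return [gw.screen(dg) for dg in traffic]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Because the key is the address/port pair, the three datagrams from 10.0.0.5 are three candidate sessions, which is exactly why the text insists on reading the Source Port and not only the Source Address: with a shared proxy address alone, every terminal behind the proxy would collapse into one license.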
More preferably, server 10 further comprises a content filters module 100 and a content sources module 110. The content filters module 100 comprises various encoders, decoders, converters and other functional software modules necessary to filter messages being received by WAP server 10 from the Internet. For example, a wireless mark-up language (WML) to wireless mark-up language script (WMLS) encoder may be implemented by content filters module 100. Similarly, a hypertext mark-up language (HTML) to WML converter may also be concurrently or solely implemented by content filters module 100. Those skilled in the art will recognize that yet other functions may be implemented by content filters module 100 depending on the particular applications in which WAP server 10 will be used. In a similar vein, content sources module 110 provides an interface for content sources to be read and processed by the WAP server 10. Thus, HTTP sources and other types of Internet protocol (IP) sources are handled and input through the content sources module 110 to the WAP server 10.
The WAP server 10 also preferably comprises a universal interface (UI) module 70 which includes the required graphical, command and other interfaces so that users can access the WAP server 10. A server manager 80 handles all of the appropriate overhead issues associated with managing each of the software modules in WAP server 10 and particularly interfaces with the bearer gateway 60 to facilitate license control and access to the WPS 20. Other interfaces 90 are provided so that WAP server 10 can communicate with other elements in the wireless network. As mentioned above, the WAP server 10 may be implemented in software in an appropriate environment. Whichever software environment is chosen to implement the inventive access control methods disclosed herein, a preferred form of the method is depicted in the flow chart of Figure 2. Since the preferred form of the method is based on a menu-driven system with appropriate icons which can be actuated by a computer mouse, the method may be implemented as a "point and click" process commonly known to those familiar with modern server functionality. However, it will be appreciated that other input devices such as a standard keyboard may be used to choose software selections for access control implementation, especially when something other than a simple menu-driven system with icons is utilized.
The method begins at step 100, and at step 110 it is determined whether the particular terminal requesting access is "blacklisted" from the system. To be blacklisted means that under no circumstances shall access to the WAP server 10 ever be granted to this terminal, and so at step 120 access is denied. It is then determined at step 130 whether access to the WAP server is being requested from a known terminal, i.e., one to which a license for access has been granted during the session. If so, then at step 140 access to this terminal is granted. If not, then at step 150 it is determined whether the terminal requesting access is an unknown terminal, i.e., a terminal not previously granted a license to the WAP server in a session, and whether access for unknown terminals is allowed. If so, then at step 140 access is allowed, and if not, then at step 120 access is denied. In this manner access to the WAP server and license control are implemented. Thus, in accordance with the invention, access to the WAP server 10 is efficiently controlled before messages, data or other datagrams actually reach the WAP server. By denying unallowed terminals access to the WAP server 10 before their messages are input to the WAP server 10, the computational overhead required to process messages in the WAP server is greatly diminished. This contributes to enhanced server and network performance, and reduces the computation costs associated with the server. Such results have not heretofore been achieved in the art.
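As an added illustration (not code from the patent or from Nokia), the following Python sketch combines the license accounting of the preceding paragraphs with the screening decision of Figure 2: licenses are keyed by the (Source Address, Source Port) pair, a license that sees no data for longer than the ten-minute window is released, and a datagram passes only after the blacklist, known-terminal and unknown-terminal checks. The class and method names, the use of the Source Address as the blacklist key, and expressing the window in seconds are assumptions.

```python
from dataclasses import dataclass, field

LICENSE_WINDOW_S = 10 * 60  # ten-minute time window from the description, taken as seconds


@dataclass
class BearerGateway:
    """Screens datagrams before they reach the WAP server (added example, not the patent's code)."""
    max_licenses: int                                 # size of the license pool
    blacklist: set = field(default_factory=set)       # Source Addresses never admitted (assumed key)
    allow_unknown: bool = True                        # configuration: admit terminals holding no license?
    sessions: dict = field(default_factory=dict)      # (src_addr, src_port) -> time data last arrived

    def _release_idle(self, now):
        # A license is released when no data arrived for its holder within the time window
        idle = [key for key, seen in self.sessions.items() if now - seen > LICENSE_WINDOW_S]
        for key in idle:
            del self.sessions[key]

    def screen(self, src_addr, src_port, now):
        """Decide on one datagram; returns (passed, reason). True means forward to the server."""
        if src_addr in self.blacklist:                # steps 110/120: never granted access
            return False, "blacklisted"
        self._release_idle(now)
        key = (src_addr, src_port)                    # one license per address+port combination
        if key in self.sessions:                      # steps 130/140: known license holder
            self.sessions[key] = now
            return True, "known"
        if not self.allow_unknown:                    # steps 150/120: unknown, and not allowed
            return False, "unknown terminal not allowed"
        if len(self.sessions) >= self.max_licenses:   # unknown and allowed, but pool exhausted
            return False, "no free license"
        self.sessions[key] = now                      # step 140: reserve a license
        return True, "license reserved"


if __name__ == "__main__":
    gw = BearerGateway(max_licenses=2, blacklist={"10.0.0.9"})   # constructed sample configuration
    # Two terminals behind one proxy share a Source Address but keep distinct Source Ports,
    # so they hold two licenses and a third terminal finds the pool exhausted.
    print(gw.screen("10.0.0.1", 2000, now=0.0))    # (True, 'license reserved')
    print(gw.screen("10.0.0.1", 2001, now=1.0))    # (True, 'license reserved')
    print(gw.screen("10.0.0.2", 3000, now=2.0))    # (False, 'no free license')
    print(gw.screen("10.0.0.2", 3000, now=700.0))  # (True, 'license reserved'): port 2001 idle > 600 s
```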
While there have been shown and described and pointed out certain novel features of the present invention as applied to preferred embodiments thereof, it will be understood by those skilled in the art that various omissions and substitutions and changes in the methods and apparatus described herein, and in their operation, may be made by those skilled in the art without departing from the spirit and scope of the invention. It is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Substitutions of method steps and elements from one described embodiment to another are also fully intended and contemplated. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.

Claims

1. A method of limiting access to a computer network that includes a plurality of network terminals, comprising the steps of: configuring the computer network to either accept or deny access to the network of particular network terminals in the plurality of network terminals; receiving from particular network terminals in the plurality of network terminals requests to access a server in the computer network; and screening, before the requests are input to the server, requests from the network terminals and denying a request for access from a network terminal to which the computer network has been configured to deny access and accepting a request from a particular network terminal to which the computer network has been configured to accept access.
2. The method of claim 1, wherein the configuring step further comprises the steps of: initiating a terminal access control function; determining whether any new terminals should be allowed access to the computer network; and adding an identification of the new allowed terminals to a list of allowed terminals.
3. The method of claim 2, wherein the screening step further comprises the steps of: determining whether a terminal is currently requesting access to the network; and determining whether the terminal currently requesting access to the network is permitted access to the network.
4. The method of claim 3, wherein the configuring step further comprises the step of accessing a security manager to input to the security manager terminal identification numbers associated with terminal numbers that are to be given access to the network.
5. The method of claim 4, further comprising the step of sending a message to the terminal requesting access if access is denied.
6. The method of claim 4, further comprising the step of sending a message to the terminal requesting access if access is permitted.
7. A server for administering and operating a computer network which includes a plurality of network terminals, comprising: an interface operable to receive requests for access to the server from the particular network terminals in the plurality of network terminals; and a bearer gateway in communication with the interface for screening the access requests to the server from the particular network terminals in the plurality of network terminals before the requests are input to the server, whereby when the server is configured to accept access by the particular network terminals in the plurality of network terminals to the server those particular network terminals are granted access to the server, and when the server is configured to deny access by the particular network terminals in the plurality of network terminals to the server those particular network terminals are denied access to the server.
8. The server recited in claim 7, wherein the server further comprises a protocol stack in communication with the bearer gateway for providing access control to the server by terminals attempting to send messages through the bearer gateway according to the configuration established for access to the server.
9. The server recited in claim 9, wherein the server further comprises a bearer adapter module in communication with the bearer gateway for providing bearer drivers to interpret messages sent by the terminals in bearer languages.
10. The server recited in claim 9, wherein the bearer adapter module further comprises a plurality of bearer adapters for translating the bearer languages to a native language recognized by the server.
11. The server recited in claim 10, wherein the server is a wireless access protocol server.
PCT/IB2001/000601 2000-06-26 2001-04-09 Device and methods for screening access to a computer network in a telecommunication system WO2002001832A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001250560A AU2001250560A1 (en) 2000-06-26 2001-04-09 Device and methods for screening access to a computer network in a telecommunication system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US60341100A 2000-06-26 2000-06-26
US09/603,411 2000-06-26

Publications (1)

Publication Number Publication Date
WO2002001832A1 true WO2002001832A1 (en) 2002-01-03

Family

ID=24415317

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2001/000601 WO2002001832A1 (en) 2000-06-26 2001-04-09 Device and methods for screening access to a computer network in a telecommunication system

Country Status (2)

Country Link
AU (1) AU2001250560A1 (en)
WO (1) WO2002001832A1 (en)


Also Published As

Publication number Publication date
AU2001250560A1 (en) 2002-01-08


Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
ENP Entry into the national phase

Ref document number: 10763901

Country of ref document: BG

Kind code of ref document: A

Format of ref document f/p: F

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP