Device and Methods for Screening Access to a Computer Network in a Telecommunication System
BACKGROUND OF THE INVENTION 1. Field of the Invention
This invention relates generally to methods and devices for providing access by network terminals in a telecommunication system to a computer network that manages the telecommunication system. More particularly, the invention relates to devices and methods for allowing or denying access to a computer network in a telecommunication system by network terminals in the telecommunication system before their messages are input to the computer network. Such a device is commonly referred to as a "firewall".
2. Description of the Related Art
The proliferation of complex telecommunication systems and their use by ever more users has created access and data management problems for the telecommunication systems. Since wireless communication networks are rapidly being integrated with the internet, additional technical, managerial and security issues have arisen in controlling access to these hybrid networks from mobile, wireless and other types of terminals.
Integration of the internet with wireless communication systems requires the importation of internet content and sophisticated data services into digital mobile stations, sometimes referred to as "media telephones." In order to accomplish full and consistent integration, a data communication protocol is implemented which seamlessly translates internet messages sent according to internet protocols, for example the hypertext transfer protocol (HTTP), to a protocol recognized and understood by the wireless system in use. There are several protocols currently available which are recognized by wireless systems that are integrated with the internet and other networks. For example, Nokia Corporation produces, markets and sells a messaging system called the NOKIA SMART MESSAGING system that translates internet messages in HTTP to a message that can be understood by a wireless network. Other protocols have been developed to accomplish this task, such as the Wireless Application Protocol (WAP), which is a protocol standard that has been developed and implemented on a world-wide basis. The WAP protocol is described in several documents such as, for example, Wireless Application Protocol Architecture, Version 30-Apr-1998, published by the Wireless Application Protocol Forum, Ltd., the teachings of which are incorporated herein by reference; and Wireless Application Protocol, Wireless Application Environment Specification Version 1.1 (May 24, 1999), the teachings of which are also incorporated herein by reference.
Regardless of which messaging protocol is used to translate the http messages to messages understandable by the wireless system, it has become increasingly necessary to devise ways in which unwanted users or terminals in the system can be denied access to the wireless network. This is necessary since the proliferation of users of the internet has caused requests for access to many wireless systems to be overwhelming, thereby reducing the ability of the wireless systems to perform their functions and to operate efficiently.
Various solutions have been attempted in the past to restrict access to telecommunication networks. "Firewall" products, known to those skilled in the art, have been employed to prevent unauthorized users or clients from creating protocol traffic on the network. The problem with prior art firewalls is that they have been implemented as separate devices, which raises the cost of the telecommunication system and requires separate maintenance and care. Moreover, firewall products have typically been "transport bearer specific," i.e., each is usable only with the particular message bearer protocol for which it is designed. Thus, for example, if Transmission Control Protocol/Internet Protocol (TCP/IP) or User Datagram Protocol/Internet Protocol (UDP/IP) is used, the firewall will only screen TCP/IP or UDP/IP messages, completely ignoring messages requesting access to the network over other types of transport protocols.
Alternatively, access restrictions have been implemented on top of the protocol stack as part of the request-processing application. The problem with this approach is that it is computationally expensive, and it allows every message onto the network even when some of the messages will ultimately be screened out because they will never be forwarded to another destination or Uniform Resource Locator (URL). This defeats the major purpose of screening unwanted messages, since the unwanted messages are allowed access to the network, at least for a short period of time, thereby clogging network traffic and consuming network resources.
Thus, there exists a long-felt, but unresolved, need in the art for systems and methods for screening access to a server in a network. The solution to this problem should be bearer-independent and be integrated at the bearer level of the server rather than at the protocol or application levels of the server. Furthermore, these methods and devices should ensure that no access is permitted to the network for unwanted messages, whatever the protocol in which the unwanted requests are sent.
SUMMARY OF THE INVENTION
In accordance with the present invention, systems and methods configure a computer network that includes a plurality of terminals to either accept or deny network access to particular network terminals. After a request for access is received from a particular network terminal, the request is screened before it is input to a server in the network. If the request is from a terminal that is allowed access to the network, then that message is input to the network and the terminal from which it was received is given access to the network. However, if the request is from a terminal that has been denied access to the network, the message output from the denied terminal is not allowed access to the network.
By screening the access requests before the requests are input to the server, the inventive systems and methods greatly facilitate the efficient use of server processing time and compute cycles. Additionally, since the access requests are screened before the requests are input to the server, the access requests are analyzed at the protocol bearer level of the network, thereby allowing messages of any protocol to be efficiently screened. This also eliminates the need to maintain separate firewalls in the network for screening messages, which greatly reduces the cost and complexity of the network.
These and other features of the present invention will become apparent from the following detailed description considered in conjunction with the accompanying drawings. It is to be understood, however, that the drawings are designed solely for purposes of illustration and not as a definition of the limits of the invention, for which reference should be made to the appended claims.
BRIEF DESCRIPTION OF THE DRAWINGS
In the drawings, wherein like reference characters identify similar elements throughout the several views:
Figure 1 is a block diagram of a server architecture which implements the systems and methods of the present invention for screening access to a wireless network; and
Figure 2 is a flow chart of a preferred method for screening unwanted messages from entering a wireless system in accordance with the present invention.
DETAILED DESCRIPTION OF THE PRESENTLY PREFERRED EMBODIMENTS
Figure 1 is a block diagram of a gateway server hierarchy 10 which implements the inventive systems and methods. It will be appreciated by those skilled in the art that server 10 may be embodied in software alone, or may also be implemented as a separate processor for performing the server functions to be described in more detail below. Moreover, server 10 may implement any particular protocol or protocols necessary for translating, implementing or otherwise enabling Internet or wireless communications. In a preferred embodiment, server 10 implements the WAP protocol described briefly above, and therefore server 10 will be referred to throughout as WAP server 10. While the preferred embodiment of the invention has been shown implemented as a WAP server, any other protocol which is usable in a hybrid internet/wireless network may implement the inventive systems and methods with equal efficacy. The present invention is applicable to any such protocol but, for illustrative purposes, will be described throughout with respect only to the WAP protocol.
The WAP server 10 preferably comprises a wireless protocol stack (WPS) 20 which provides access control functionality for the server 10 after a security manager has defined which network terminals are to be given access to the WAP server 10 as will be described in more detail below. Several bearer adapters 30 are placed below WPS 20 and access the several bearers through bearer drivers 40. The bearer adapters 30 provide all of the required functionality to interpret wireless messages which will be received by the WAP server 10.
A "bearer adapter" is the component that handles any particular wireless bearer protocol in which a message can be sent for processing by the WAP server 10. Thus, bearer adapters 30 may be a short message service (SMS) phone bearer adapter, a circuit switched data (CSD) bearer adapter, a CIMD (Computer Interface to Message Distribution) Nokia short message service center (SMSC) bearer adapter, an IS-95 bearer adapter and/or any other bearer adapter which is needed to support message receipt and processing by WAP server 10. The function of the bearer adapters has been specified in the Wireless Datagram Protocol (WDP) of the WAP specification incorporated herein by reference above. In accordance with this protocol, the bearer adapter functions as an adaptation layer or tunnel that maps the WDP protocol functions directly onto a specific bearer. The adaptation layer is different for each bearer and deals with the specific capabilities and characteristics of that particular bearer service. Moreover, at WAP server 10, the adaptation layer terminates and passes the WDP packets on to a WAP proxy server (not shown in Figure 1) via a tunneling protocol which is the interface between the WAP server 10 that supports the bearer service and the WAP proxy server.
The bearer adapters 30 are thus components that connect WAP server 10 to a wireless network. To support a number of different bearers, WAP server 10 will thus need to have a number of different bearer adapters 30 as shown. All data from a WAP terminal comes to the WAP server 10 through a bearer driver 40 and its respective bearer adapter 30. After traversing the bearer adapter 30, the data enters WAP stack 20, which includes the necessary protocol layers to recognize the data. In accordance with the invention, license control is provided by license control module 50. Thus, data entering the WAP server 10 is screened by license control module 50 before it enters the protocol stack 20. To accomplish this salutary result, a bearer gateway 60 which includes license control module 50 is provided between WPS 20 and the bearer adapters 30. All datagram traffic between a bearer adapter 30 and the WPS 20 must pass through bearer gateway 60. Accordingly, bearer gateway 60 performs license control, i.e., control of access to the WAP server 10 by terminals, and checks whether or not every incoming data packet has access rights. If the packet has access rights, it is allowed to proceed to the WPS 20. If the packet does not have access rights, it is discarded.
The packets received by WAP server 10 are constructed in accordance with a service primitive provided by the WDP specification. The service primitive comprises, among others, the following parameters:
The Source Address is the address of the sender and is the unique address of the device making a request to the WDP layer. The source address may be a Mobile Station ISDN (MSISDN) number, an IP address (given as numbers or symbols), an X.25 address, or some other identifier. The length of the Source Address parameter may vary according to what the source is.
The Source Port is the application address or port number associated with the source address of the requesting communication instance. The port number of the sender is a 16-bit number.
The User Data is the data carried by the WDP protocol. The unit of data submitted to or received from the WDP layer is also referred to as the Service Data Unit. This is the complete unit (message, packet, package) of data which the higher layer (at the sender) has submitted to the WDP layer for transmission. The WDP layer will transmit the Service Data Unit and deliver it to its destination without any manipulation of its content.
The Source Address and Source Port parameters are part of a header portion of a WAP message and the User Data is the actual payload of data of the message.
In accordance with the invention, bearer gateway 60 will read both the Source Address and the Source Port information in every data packet that is received at the bearer gateway through the bearer adapters 30. Each combination of a client address (Source Address) and a client port (Source Port) makes up a concurrent session and thereby requires one license. This means that the same terminal can consume more than one license, for example if the user is concurrently using two different applications at the terminal by accessing a service via the WAP server 10, e.g., a banking application and a calendar application. Using the client port number (Source Port) in addition to the Source Address to identify the sender is necessary to prevent someone from using a proxy machine to circumvent the license check (with the UDP bearer): in that case several terminals may reach the WAP server 10 via the proxy server, so that the Source Address would always be the same, whereas the Source Port information in the data packets would still be different.
In a further preferred embodiment, the licenses for access by a terminal to the WAP server 10 are counted on a session basis. Thus, concurrent sessions are controlled from the same license pool. There is no limit to the number of transactions in a session; however, license control in accordance with the invention determines how many sessions are allowed to execute transactions concurrently. During a session, it is desired to set a fixed time window during which a license to access the WAP server 10 must exist for the terminals requesting access thereto. In still a further preferred embodiment, this time window is about ten minutes in length. This means that when a session is established, one license is reserved for every allowed combination of Source Address and Source Port. If no data arrives at the WAP server 10 from that combination within the time window, the license is released. The next time in the session that a transaction is requested from the Source Address and Source Port combination, a new license is needed, i.e., data in the session is allowed to pass the bearer gateway 60 only if there is still a free license for that license holder.
More preferably, server 10 further comprises a content filters module 100 and a content sources module 110. The content filters module 100 comprises various encoders, decoders, converters and other functional software modules necessary to filter messages being received by WAP server 10 from the internet. For example, a wireless mark-up language (WML) to wireless mark-up language script (WMLS) encoder may be implemented by content filters module 100. Similarly, a hypertext mark-up language (HTML) to WML converter may also be concurrently or solely implemented by content filters module 100. Those skilled in the art will recognize that yet other functions may be implemented by content filters module 100 depending on the particular applications in which WAP server 10 will be used. In a similar vein, content sources module 110 provides an interface for content sources to be read and processed by the WAP server 10. Thus, HTTP sources and other types of Internet protocol (IP) sources are handled and input through the content sources module 110 to the WAP server 10.
The WAP server 10 also preferably comprises a universal interface (UI) module 70 which includes the required graphical, command and other interfaces so that users can access the WAP server 10. A server manager 80 handles all of the appropriate overhead issues associated with managing each of the software modules in WAP server 10 and particularly interfaces with the bearer gateway 60 to facilitate license control and access to the WPS 20. Other interfaces 90 are provided so that WAP server 10 can communicate with other elements in the wireless network.
As mentioned above, the WAP server 10 may be implemented in software in an appropriate environment. Whichever software environment is chosen to implement the inventive access control methods disclosed herein, Figure 2 depicts a flow chart of a preferred form of the method. Since the preferred form of the method is based on a menu driven system with appropriate icons which can be actuated by a computer mouse, the method may be implemented as a "point and click" process commonly known to those familiar with modern server functionality. However, it will be appreciated that other input devices such as a standard keyboard may be used to choose software selections for access control implementation, especially when other than a simple menu-driven system with icons is utilized.
The method begins at step 100, and at step 110 it is determined whether the particular terminal requesting access is "blacklisted" from the system. To be blacklisted means that under no circumstances shall access to the WAP server 10 ever be granted to this terminal, and so at step 120 access is denied. It is then determined at step 130 whether access to the WAP server is being requested from a known terminal, i.e., one to which a license for access has already been granted during the session. If so, then at step 140 access to this terminal is granted. If not, then at step 150 it is determined whether the terminal requesting access is an unknown terminal, i.e., a terminal not previously granted a license to the WAP server in a session, and whether access for unknown terminals is allowed. If so, then at step 140 access is allowed; if not, then at step 120 access is denied. In this manner access to the WAP server and license control are implemented.
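The following is an added illustration, not code from the patent, of the license control performed at bearer gateway 60 as described above: each (Source Address, Source Port) pair of the WDP service primitive is one concurrent session consuming one license, an idle license is released after the ten-minute window, and an arriving datagram is decided in the order of Figure 2 (blacklist, then known session, then unknown terminal if policy permits and a license is free). The in-memory license table, the blacklist keyed on Source Address, the MSISDNs, IP addresses, ports and payloads are all constructed for the example; the Datagram class stands for the decoded service primitive, since the page does not give a wire format. Note that Source Port is chosen by the client: it distinguishes sessions behind a proxy, as the text says, but it does not authenticate the sender.

```python
"""License control at the bearer gateway (added example; constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

LICENSE_WINDOW_SECONDS = 10 * 60      # "about ten minutes" in the description
SessionKey = Tuple[str, int]          # (Source Address, Source Port) = one session


@dataclass
class Datagram:
    """The WDP service primitive fields the gateway reads (assumed decoded form)."""
    source_address: str   # MSISDN, IP address, X.25 address or other identifier
    source_port: int      # 16-bit application port of the sender
    user_data: bytes      # Service Data Unit, passed through without inspection


@dataclass
class BearerGateway:
    max_licenses: int
    blacklist: Set[str] = field(default_factory=set)  # assumed: keyed on Source Address
    allow_unknown: bool = True                        # policy for step 150
    # session key -> time the license was last reserved or refreshed
    licenses: Dict[SessionKey, float] = field(default_factory=dict)

    def _release_idle(self, now: float) -> None:
        """Release every license with no traffic inside the time window."""
        for key, last_seen in list(self.licenses.items()):
            if now - last_seen > LICENSE_WINDOW_SECONDS:
                del self.licenses[key]

    def check(self, dg: Datagram, now: float) -> str:
        """Return "allow" (datagram proceeds to the WPS) or "deny" (discarded)."""
        if not 0 <= dg.source_port <= 0xFFFF:         # malformed port: never a valid session
            return "deny"
        if dg.source_address in self.blacklist:        # steps 110/120: never granted access
            return "deny"
        self._release_idle(now)
        key: SessionKey = (dg.source_address, dg.source_port)
        if key in self.licenses:                       # steps 130/140: known session, refresh
            self.licenses[key] = now
            return "allow"
        if self.allow_unknown and len(self.licenses) < self.max_licenses:
            self.licenses[key] = now                   # step 150/140: reserve a free license
            return "allow"
        return "deny"                                  # step 150/120: no license or not permitted


def run_demo() -> dict:
    """Drive the gateway with constructed traffic; returns decisions and live sessions."""
    gw = BearerGateway(max_licenses=2, blacklist={"+358400000099"})
    t0 = 1000.0
    traffic: List[Tuple[Datagram, float]] = [
        (Datagram("+358400000001", 2948, b"banking"), t0),          # unknown, license free
        (Datagram("+358400000001", 2949, b"calendar"), t0 + 1),     # same terminal, 2nd app, 2nd license
        (Datagram("10.0.0.5", 4000, b"via proxy"), t0 + 2),         # pool exhausted
        (Datagram("+358400000099", 2948, b"request"), t0 + 3),      # blacklisted terminal
        (Datagram("+358400000001", 2948, b"banking"), t0 + 5),      # known session, refreshed
        (Datagram("10.0.0.5", 4000, b"via proxy"), t0 + 602),       # calendar idle 601 s -> released
        (Datagram("10.0.0.5", 4001, b"via proxy"), t0 + 603),       # same proxy address, new port
    ]
    decisions = [gw.check(dg, now) for dg, now in traffic]
    return {"decisions": decisions, "sessions": sorted(gw.licenses)}


if __name__ == "__main__":
    result = run_demo()
    for i, d in enumerate(result["decisions"], 1):
        print(f"datagram {i}: {d}")
    print("sessions holding a license:", result["sessions"])
```

The two proxied datagrams at the end show the point made in the text: both arrive from the same Source Address, yet the second is denied because its different Source Port makes it a separate session that would need a license of its own.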
Thus, in accordance with the invention, access to the WAP server 10 is efficiently controlled before messages, data or other datagrams actually reach the WAP server. By denying disallowed terminals access to the WAP server 10 before their messages are input to the WAP server 10, the computational overhead required to process messages in the WAP server is greatly diminished. This contributes to enhanced server and network performance, and reduces the computation costs associated with the server. Such results have not heretofore been achieved in the art.
While there have been shown and described and pointed out certain novel features of the present invention as applied to preferred embodiments thereof, it will be understood by those skilled in the art that various omissions and substitutions and changes in the methods and apparatus described herein, and in their operation, may be made by those skilled in the art without departing from the spirit and scope of the invention. It is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Substitutions of method steps and elements from one described embodiment to another are also fully intended and contemplated. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.