
HK1113879A - Method, system, and program product for connecting a client to a network - Google Patents

Info

Publication number: HK1113879A
Authority: HK (Hong Kong)
Prior art keywords: client, software, software modules, list, network
Application number: HK08109129.7A
Other languages: Chinese (zh)
Inventor: S. 丹顿 盖伊
Original Assignee: 国际商业机器公司
Application filed by 国际商业机器公司
Publication of HK1113879A

Description

Method, system and program product for connecting a client to a network
Technical Field
The present invention relates generally to methods, systems, and program products for connecting clients to a network. In particular, the present invention relates to a method, system and program product for authenticating a user of a client and software loaded thereon prior to providing a full connection to a network.
Background
As computer networks have become an integral part of society, greater security is needed. Currently, most networks perform user-based authentication before allowing a user or a client device he/she operates to establish a connection with the network. The most typical way of user-based authentication is based on user identification and a password. Not only does this authentication serve to establish network connections in the workplace, it has also become a standard for many Web sites and online services.
Unfortunately, ensuring that a user is who he/she claims to be is not the only problem in network computing. In particular, the continuing evolution of computer viruses, spyware, adware, and the like has created an ever-increasing problem for personal computer users and network operators. For example, in many cases a user may inadvertently pass a virus to a computer network after establishing a connection with it. In this regard, many network administrators have implemented policies that require certain programs, such as antivirus software, to be installed on a client device prior to establishing a connection.
Unfortunately, the policing of these policies is typically handled by individual users. That is, policies are typically implemented only as a set of guidelines that are left to the user to ensure satisfaction. For such an implementation, there is no guarantee that the guidelines are met before a connection to the network is established. Thus, the spread of viruses and the like will only continue to expand. This is particularly true when more workers become mobile/remote and use laptop computers and other "portable" computing devices instead of their workplace computers. That is, it is more difficult to ensure that the mobile computing device complies with the requirements than a workplace-based computing device that the network operator can directly access.
In view of the foregoing, there is a need for a method, system and program product for connecting a client to a network. In particular, there is a need for a system that is capable of authenticating both the user seeking to establish a connection to a network and the required software on the client.
Disclosure of Invention
In general, the present invention provides a method, system and program product for connecting a client to a network. In particular, according to the present invention, both user credentials and software credentials are authenticated before allowing the connection. In this regard, one or more user credentials are received at the client (e.g., from a user). Thereafter, a software agent, typically running on the client, will determine whether one or more software modules identified in the list of required software modules have been installed on the client. For each software module installed on the client, the agent will generate a software certificate. The user credentials and software credentials will then be sent to the server, which will allow the connection if the user credentials are valid and a valid software credential is provided for each software module identified in the list of required software modules.
A first aspect of the invention provides a method for connecting a client to a network, comprising: receiving one or more user credentials at the client; determining, with a software agent, whether one or more software modules identified in a list of required software modules have been installed on the client; generating a software certificate for each of the one or more software modules determined to be installed on the client; sending the one or more user credentials and the one or more software credentials to a server; and connecting the client to the network if the one or more user credentials are valid and a valid software credential is provided for each software module identified in the list of required software modules.
A second aspect of the present invention provides a system for connecting a client to a network, comprising: a system for receiving one or more user credentials at the client; a system for determining whether one or more software modules identified in a list of required software modules have been installed on the client; a system for generating a software certificate for each of one or more software modules determined to be installed on the client; and a system for sending the one or more user credentials and the one or more software credentials to a server, wherein if the one or more user credentials are valid and a valid software credential is provided for each software module identified in the list of required software modules, connecting the client to the network.
A third aspect of the present invention provides a program product stored on a computer readable medium for connecting a client to a network, the computer readable medium comprising program code for performing the steps of: receiving one or more user credentials at the client; determining, with a software agent, whether one or more software modules identified in a list of required software modules have been installed on the client; generating a software certificate for each of the one or more software modules determined to be installed on the client; sending the one or more user credentials and the one or more software credentials to a server, wherein if the one or more user credentials are valid and a valid software credential is provided for each software module identified in the list of required software modules, connecting the client to the network.
A fourth aspect of the present invention provides a method for deploying an application for connecting a client to a network, comprising: providing a computer infrastructure for: receiving user credentials and security credentials for each of one or more software modules determined to be loaded onto the client; authenticating the user certificate and the one or more security certificates to determine their validity; and if the user credentials are valid, and if a valid software credential has been provided for each software module identified in the list of required software modules, then allowing connection to the network.
A fifth aspect of the present invention provides computer software embodied in a propagated signal for connecting a client to a network, the computer software comprising instructions for causing a computer system to perform the following functions: receiving user credentials and security credentials for each of one or more software modules determined to be loaded onto the client; authenticating the user certificate and the one or more security certificates to determine their validity; and if the user credentials are valid and if a valid software credential has been provided for each software module identified in the list of required software modules, allowing connection to the network, wherein if any software module in the list of required software modules is not loaded onto the client, not allowing connection.
Accordingly, the present invention provides a method, system and program product for connecting a client to a network.
Drawings
These and other features of this invention will be readily apparent from the following detailed description of the various aspects of the invention taken in conjunction with the accompanying drawings in which:
FIG. 1 depicts a system for connecting a client to a network in accordance with the present invention.
Fig. 2 depicts a flow chart of a method according to the invention.
The drawings are not necessarily to scale. The drawings are merely schematic representations, not intended to portray specific parameters of the invention. The drawings are only for purposes of illustrating exemplary embodiments of the invention and are not to be construed as limiting the scope of the invention. In the drawings, like numbering represents like elements.
Detailed Description
As indicated above, the present invention provides a method, system and program product for connecting a client to a network. In particular, according to the present invention, both user credentials and software credentials are authenticated before allowing the connection. In this way, one or more user credentials are received at the client (e.g., from the user). Thereafter, a software agent, typically running on the client, will determine whether one or more software modules identified in the list of required software modules have been installed on the client. For each software module installed on the client, the agent will generate a software certificate. The user credentials and software credentials will then be sent to the server, which will allow the connection if the user credentials are valid and a valid software credential is provided for each software module identified in the list of required software modules.
Referring now to FIG. 1, a system 10 for connecting a client 12 to a network 14 is shown. The network 14 includes a server 16. It should be understood, however, that network 14 may include other components (e.g., hardware, software, etc.) not shown in fig. 1 for simplicity. Further, network 14 can include any combination of various communication connections. For example, network 14 can include addressable connections that may use any combination of wired and/or wireless transmission methods. Further, network 14 may include one or more of any type of network, including the Internet, a Wide Area Network (WAN), a Local Area Network (LAN), a Virtual Private Network (VPN), and so forth. If the communication occurs via the Internet, the connection may be provided by conventional TCP/IP sockets-based protocol, and the client 12 may use an Internet service provider to establish the Internet connection. However, it should be understood that the client 12 and the server 16 may be any type of computer capable of performing their respective functions. Examples of this include, among others, handheld devices, laptop computers, desktop computers, workstations, and the like.
In any event, client 12 is shown to include a processing unit 20, a memory 22, a bus 24, and input/output (I/O) interfaces 26. Further, the client 12 is shown in communication with an external I/O device/resource 28, as well as a storage system 30. In general, processing unit 20 executes computer program code, such as client security system 40, that is stored in memory 22 and/or storage system 30. While executing computer program code, processor 20 can read and/or write data to memory 22, storage system 30, and/or I/O interface 26. Bus 24 provides a communication link between components within client 12. External devices 28 may include any devices (e.g., keyboard, pointing device, display, etc.) that enable a user to interact with client 12 and/or any devices (e.g., network card, modem, etc.) that enable client 12 to communicate with one or more other computing devices, such as server 16.
Communication between the client 12 and the server 16 may occur over one or more networks. Client 12 is only representative of various possible computer infrastructures that can include numerous combinations of hardware. For example, processing unit 20 may comprise a single processing unit, or be distributed across one or more processing units in one or more locations, e.g., on a client and server. Similarly, memory 22 and/or storage system 30 may comprise any combination of various types of data storage and/or transmission media that reside at one or more physical locations. Further, I/O interfaces 26 can comprise any system for exchanging information with one or more external devices 28. Still further, it should be understood that one or more additional components (e.g., system software, math co-processor, etc.) not shown in FIG. 1 can be included in client 12. Further, if client 12 comprises a handheld device or the like, it should be understood that one or more external devices 28 (e.g., a display) and/or storage system 30 may be contained within client 12, not externally as shown.
In accordance with the present invention, storage system 30 may be any type of system (e.g., a database) capable of providing storage for information (e.g., environmental details, variables, etc.). As such, storage system 30 may include one or more storage devices, such as a magnetic disk drive or an optical disk drive. In another embodiment, storage system 30 includes data distributed across, for example, a Local Area Network (LAN), Wide Area Network (WAN) or a Storage Area Network (SAN) (not shown). Although not shown, additional components, such as cache memory, communication systems, system software, etc., may be incorporated into client 12. It should also be understood that, although not shown for purposes of simplicity, server 16 will include computerized components similar to client 12.
Shown in memory 22 of client 12 is client security system 40, which will collect credentials/information for user 18 and software modules 48 loaded on client 12 to ensure that the security required for client 12 to connect to network 14 is provided. As shown, client security system 40 includes client analysis system 42, certificate system 44, and output system 46. Client security system 40 is typically a software agent or the like provided to client 12, as will be described further below. However, this need not be the case. Shown loaded on server 16 (e.g., in memory) is authentication system 50, which will notify client 12 of the requirements for establishing communication with network 14 and will receive credential information from client 12 to determine whether those requirements are satisfied. It will be appreciated, however, that the description of client security system 40 and authentication system 50 in FIG. 1 is merely illustrative, and that the corresponding functionality they provide may be implemented through different configurations of subsystems.
In one illustrative example, assume that client 12 is a laptop computer with which user 18 attempts to connect to his/her workplace computer network 14 (e.g., via server 16). In the exemplary embodiment, client security system 40 will be loaded on the client prior to establishing or attempting a connection. In one embodiment, client security system 40 is transmitted from server 16 to client 12 via client interface system 52. However, this need not be the case. Rather, client security system 40 may be loaded on client 12 (e.g., from a computer-readable medium such as a CD-ROM) independently of any interaction with server 16. In any event, as noted above, client security system 40 generally includes a software agent configured to examine client 12 at both the user level and the software level. Thus, user 18 will initially provide one or more user credentials, such as a user identification and password. These user credentials will be received by client security system 40 (e.g., via certificate system 44).
In accordance with the present invention, client analysis system 42 will analyze client 12 to determine whether one or more software modules identified in the list of required software modules 62 are loaded on client 12. Generally, the list of required software modules 62 includes the software modules required to establish communication with network 14. Examples of such software modules include, among others, the following: a specific operating system, a specific operating system tier, specific antivirus software, a specific antivirus software tier, a specific application tier, a specific security patch tier, a specific spyware, a specific adware, and a specific adware tier. It should be appreciated that the list of required software modules 62 is typically provided directly to client 12 (e.g., using the client security system/agent 40). However, it may alternatively be provided to a location (e.g., storage system 30) that client 12 can access.
In any case, client analysis system 42 may query client 12 to determine what software modules 48 are loaded thereon, or may automatically analyze client 12 to determine the same. Since the determination of software modules 48 may take a considerable amount of time, client 12 may optionally be granted a temporary connection to network 14 through connection system 58 (of authentication system 50). If the analysis and authentication of client 12 have not been completed after a predetermined amount of time, the temporary connection may be ended. In a typical embodiment, client analysis system 42 will identify which of the software modules in the list of required software modules 62 are loaded on client 12 and which are not. For example, assume that the list of required software modules 62 contains the following software modules: software patch "A"; operating system "X", level "2.0"; and antivirus software "Z", level "3.0". Assume further that all of these software modules are determined to be loaded on the client (e.g., as software modules 48) except for antivirus software "Z", level "3.0". In this case, client analysis system 42 can output metadata such as the following two lists:
I. Loaded software modules
Software patch "A"
Operating system "X", level "2.0"
II. Missing software modules
Antivirus software "Z", level "3.0"
However, if client 12 actually contains all three required software modules (i.e., no module is absent or present only in an incorrect version), the list of "missing software modules" may simply state "none" (or the like), or it may be omitted entirely.
In any event, for each software module 48 identified by client analysis system 42, certificate system 44 will generate a software certificate using Message Digest 5 (MD5) techniques. As is known, MD5 is an algorithm used to verify data integrity by generating a 128-bit message digest from a data input (which may be a message of any length) that is intended to be unique to that particular data, much as a fingerprint is unique to a particular individual. In typical embodiments, the software certificate for each software module will at least identify the software program and its corresponding version.
Once the software certificates have been generated, output system 46 transmits them, along with the user credentials, to server 16, where they are received by client interface system 52. In an exemplary embodiment, client 12 and server 16 may communicate using the Diffie-Hellman key agreement protocol (also referred to as exponential key agreement), which allows client 12 and server 16 to communicate securely (i.e., to establish a shared secret over an insecure medium without any prior shared secrets). When received, user credential system 54 and software certificate system 56 will attempt to authenticate the user credentials and software certificates to determine their validity, which may be accomplished using any known technique. For example, 802.1X port-based authentication at the switch level may be utilized. In any event, the user credentials (e.g., user identification and password) will be compared by user credential system 54 to those stored in directory 60. If a match is established, the user credentials have been authenticated and are valid. In this regard, directory 60 may be a Lightweight Directory Access Protocol (LDAP) directory and server 16 may be an LDAP server.
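The Diffie-Hellman exchange mentioned above, as an added illustration that is not code from the patent or its assignee: each side publishes one group element and derives the same session key, which can then protect the credential message in transit. The group parameters are a constructed toy choice (p = 2^127 - 1, g = 5) so the example runs instantly; a deployment would use a standardized group of at least 2048 bits, and the key derivation by SHA-256 is this example's own convention.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example only: p = 2^127 - 1 is a
# Mersenne prime, small enough to run instantly. A real deployment would use a
# standardized group (e.g. an RFC 3526 MODP group of at least 2048 bits).
P = (1 << 127) - 1
G = 5


def dh_keypair(private=None):
    """Return (private exponent x, public value g^x mod p). A fixed exponent
    may be supplied for reproducible tests; otherwise one is drawn at random."""
    x = private if private is not None else secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(private, peer_public):
    """Derive the shared secret from our exponent and the peer's public value.
    Public values 0, 1 and p-1 are rejected: they force a trivial secret."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)


def session_key(shared):
    """Turn the group element into a 256-bit key for protecting the credential message."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def exchange(client_private=None, server_private=None):
    """Run both sides of the exchange. Only A and B cross the wire; both derived
    keys are returned here only so a caller can confirm the two sides agree."""
    a, A = dh_keypair(client_private)   # client 12 sends A to server 16
    b, B = dh_keypair(server_private)   # server 16 sends B to client 12
    return session_key(dh_shared(a, B)), session_key(dh_shared(b, A))
```

Key agreement on its own authenticates nobody: unless the server's public value is bound to its identity (for example by a signature or by running the exchange inside TLS), an on-path party can complete one exchange with each side. The agreed key protects the credential message in transit; the server still has to validate the user credentials and software certificates themselves, as the description goes on to explain.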
Software certificate system 56 compares the details of software module 48 as identified in the software certificate to the requirements identified in the list of required software modules 62. As noted above, a software certificate will typically identify a particular software program and its corresponding version. This information will be compared to the requirements contained in the list 62. The connection system 58 will establish the desired connection only if the user credentials are valid and a valid software credential is provided for each required software module identified in the list 62. Thus, if the user credentials are not valid, the connection is not allowed. Furthermore, if the client 12 lacks a required software module (e.g., an actual program or an incorrect version), then no connection is allowed.
As noted above, client 12 may have been allowed to connect temporarily to network 14 while waiting for the results of the process of the present invention. If the process is successful, the connection will no longer be temporary. However, if the process is unsuccessful, the connection will be terminated. Further, as described above, if the checking process is not completed within the predetermined amount of time, the temporary connection will be terminated and the process will continue the next time client 12 seeks a connection to network 14.
Referring now to FIG. 2, a flow diagram 100 of a method in accordance with the present invention is shown. The first step S1 provides the software agent to the client. A second step S2 receives one or more user credentials on the client. A third step S3 determines, using the software agent, whether one or more software modules identified in the list of required software modules have been installed on the client. If not, the process ends in step S4. However, if one or more such modules are found on the client, then a software certificate is generated for each module in step S5. Then, in step S6, the user credentials and the software certificates are transmitted to the server. In step S7, it is determined whether the user credentials are valid. If not, the process ends. However, if the user credentials are valid, it is determined in step S8 whether a valid software certificate has been provided for each software module identified in the list of required software modules. If not, the process terminates. However, if a valid software certificate has been provided for each software module identified in the list, then the client is connected to the network in step S9.
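The following Python, added here as an illustration and not code from the patent or its assignee, walks through steps S2 to S9 on the constructed example from the description above (software patch "A"; operating system "X", level "2.0"; antivirus "Z", level "3.0", with the antivirus present only at an older level): the agent splits the required list into loaded and missing modules, builds one MD5 software certificate per loaded module, and the server checks the user credentials against a directory before requiring a valid certificate for every required module; the temporary connection and its timeout are modelled as well. Assumptions that are this example's own and not the patent's: a required level means "at least this level", the directory stores salted SHA-256 password hashes, a certificate is the MD5 of a "kind:name:version" string, and the grace period is 120 seconds.

```python
import hashlib
import hmac

# ---- constructed sample data, mirroring the example in the description ----
# Required list 62: patch "A" (any level), OS "X" level 2.0, antivirus "Z" level 3.0.
REQUIRED_MODULES = [
    ("patch", "A", None),
    ("os", "X", "2.0"),
    ("antivirus", "Z", "3.0"),
]
# Inventory the agent finds on client 12: antivirus "Z" is only at level 2.5.
CLIENT_INVENTORY = {("patch", "A"): "1.0", ("os", "X"): "2.0", ("antivirus", "Z"): "2.5"}
# Stand-in for directory 60: user id -> salted SHA-256 of the password (assumption).
SALT = b"constructed-salt"
DIRECTORY = {"user18": hashlib.sha256(SALT + b"correct horse").hexdigest()}
TEMP_CONNECTION_SECONDS = 120  # predetermined grace period (assumed value)


def version_ok(have, want):
    """Assumption: a required level means 'at least this level'; None means any level."""
    if want is None:
        return have is not None
    if have is None:
        return False

    def as_tuple(v):
        return tuple(int(part) for part in v.split("."))

    return as_tuple(have) >= as_tuple(want)


def analyze_client(required, inventory):
    """Client analysis system 42: split the required list into loaded and missing modules."""
    loaded, missing = [], []
    for kind, name, level in required:
        have = inventory.get((kind, name))
        (loaded if version_ok(have, level) else missing).append((kind, name, have))
    return loaded, missing


def software_certificate(kind, name, version):
    """Certificate system 44: MD5 digest over the module's identifying fields."""
    return hashlib.md5(f"{kind}:{name}:{version}".encode()).hexdigest()


def build_request(user, password, required, inventory):
    """Output system 46: bundle the user credentials with one certificate per loaded module."""
    loaded, _ = analyze_client(required, inventory)
    return {
        "user": user,
        "password": password,
        "certificates": [
            {"kind": k, "name": n, "version": v, "digest": software_certificate(k, n, v)}
            for k, n, v in loaded
        ],
    }


def authenticate_user(user, password, directory):
    """User credential system 54: constant-time comparison against directory 60."""
    expected = directory.get(user)
    got = hashlib.sha256(SALT + password.encode()).hexdigest()
    return expected is not None and hmac.compare_digest(expected, got)


def verify_certificates(certs, required):
    """Software certificate system 56: return the required modules lacking a valid certificate."""
    by_module = {}
    for c in certs:
        # Recompute the digest; a certificate whose digest does not match its fields is discarded.
        if c["digest"] == software_certificate(c["kind"], c["name"], c["version"]):
            by_module[(c["kind"], c["name"])] = c["version"]
    return [(k, n) for k, n, lvl in required if not version_ok(by_module.get((k, n)), lvl)]


def decide(request, required, directory):
    """Connection system 58: user credentials first, then a certificate per required module."""
    if not authenticate_user(request["user"], request["password"], directory):
        return "denied: invalid user credentials"
    failures = verify_certificates(request["certificates"], required)
    if failures:
        return "denied: missing or invalid software certificate for " + ", ".join(
            f"{k} {n}" for k, n in failures)
    return "connected"


def temporary_connection_state(started_at, now, result):
    """State of the temporary connection: 'permanent' once the checks pass,
    'terminated' on failure or timeout, 'temporary' while the checks still run."""
    if result == "connected":
        return "permanent"
    if result is not None:
        return "terminated"
    return "temporary" if now - started_at < TEMP_CONNECTION_SECONDS else "terminated"
```

One point worth noticing about what the MD5 certificate proves: the server recomputes the digest over the fields the client reported, so a matching digest shows the message arrived intact, not that the module is actually installed, and an agent reporting a false inventory passes the check. A design that wants evidence of the installed software has the server issue a fresh nonce and the agent hash the installed files together with it, using a current hash function rather than MD5.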
It should be appreciated that the teachings of the present invention may be offered as a business method on a subscription, advertising, and/or fee basis. For example, client security system 40 (FIG. 1) and/or a computer infrastructure, such as client 12 and/or server 16 (FIG. 1), may be generated, maintained, supported, and/or deployed by a service provider that provides the functions described herein for users. That is, the service provider may provide a client-to-network connection as shown and discussed above. In this regard, the invention can also include providing a computer infrastructure, and deploying an application for executing the invention on the computer infrastructure.
It is to be understood that the present invention may be implemented in hardware, software, a propagated signal, or any combination thereof. Any kind of computer/server system(s), or other apparatus adapted for carrying out the methods described herein, is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, carries out the respective methods described herein. Alternatively, a specific use computer, containing specialized hardware for carrying out one or more of the functional tasks of the invention, could be utilized.
The present invention can also be embodied in a computer program product stored on a computer-readable medium and/or as a propagated signal transmitted between two or more systems, which comprises all the respective features enabling the implementation of the methods described herein, and which, when loaded in a computer system or deployed to a computing infrastructure, is able to carry out these methods. Computer program products, applications, software programs, and software are synonymous in the context of this document and mean any expression, in any language, code, or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: (a) conversion to another language, code or notation; and/or (b) reproduction in a different material form.
The foregoing description of various aspects of the invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed, and obviously, many modifications and variations are possible. Such modifications and variations that may be apparent to a person skilled in the art are intended to be included within the scope of this invention as defined by the accompanying claims.

Claims (15)

1. A method for connecting a client to a network, comprising:
receiving one or more user credentials at the client;
determining, with a software agent, whether one or more software modules identified in a list of required software modules have been installed on the client;
generating a software certificate for each of the one or more software modules determined to be installed on the client;
sending the one or more user credentials and the one or more software credentials to a server; and
connecting the client to the network if the one or more user credentials are valid and a valid software credential is provided for each software module identified in the list of required software modules.
2. The method of claim 1, further comprising providing the software agent to the client.
3. The method of claim 1 or claim 2, further comprising identifying, with the software agent, any software modules in the list of required software modules that are missing on the client.
4. The method of any preceding claim, wherein the list of required software modules comprises at least one required software module selected from the group consisting of a particular operating system, a particular operating system hierarchy, a particular antivirus software hierarchy, a particular application hierarchy, a particular security patch hierarchy, a particular spyware hierarchy, a particular adware, and a particular adware hierarchy.
5. A method as claimed in any preceding claim, wherein the list of required software modules is stored on a server and is accessible by the agent.
6. The method of any preceding claim, further comprising authenticating the one or more user credentials and the one or more software credentials at a server to determine their validity prior to the connecting step.
7. A system for connecting a client to a network, comprising:
a system for receiving one or more user credentials at the client;
a system for determining whether one or more software modules identified in a list of required software modules have been installed on the client;
a system for generating a software certificate for each of one or more software modules determined to be installed on the client; and
a system for sending the one or more user credentials and the one or more software credentials to a server, wherein the client is connected to the network if the one or more user credentials are valid and a valid software credential is provided for each software module identified in the list of required software modules.
8. The system of claim 7, wherein the system comprises a software agent.
9. The system of claim 7 or claim 8, wherein the software agent is loaded onto a client.
10. A system as claimed in any one of claims 7 to 9, further comprising a system for identifying any software modules in the list of required software modules that are missing on the client.
11. The system of any of claims 7 to 10, wherein the list of required software modules includes at least one required software module selected from the group consisting of a particular operating system, a particular operating system tier, a particular antivirus software tier, a particular application tier, a particular security patch tier, a particular spyware tier, a particular adware, and a particular adware tier.
12. A system as claimed in any one of claims 7 to 11, wherein the list of required software modules is stored on a server and is accessible by the client.
13. The system of any of claims 7 to 12, further comprising:
a system for authenticating the one or more user credentials; and
a system for authenticating the one or more software certificates.
14. A method for deploying an application for connecting a client to a network, comprising:
providing a computer infrastructure for:
receiving user credentials and security credentials for each of one or more software modules determined to be loaded onto the client;
authenticating the user certificate and the one or more security certificates to determine their validity; and
if the user credentials are valid, and if a valid software credential has been provided for each software module identified in the list of required software modules, then connection to the network is allowed.
15. A computer program comprising program code means adapted to perform all the steps of any of claims 1 to 6 when said program is run on a computer.
HK08109129.7A (priority date 2005-04-28, filing date 2006-03-30): Method, system, and program product for connecting a client to a network, HK1113879A (en)

Applications Claiming Priority (1)

Application Number: US11/119,436, Priority Date: 2005-04-28

Publications (1)

Publication Number: HK1113879A, Publication Date: 2008-10-17

