
GB2320595A - Network access control - Google Patents

Network access control

Info

Publication number: GB2320595A
Authority: GB (United Kingdom)
Prior art keywords: virtual, network, access, terminal, gateway
Legal status: Granted
Application number: GB9626627A
Other versions: GB2320595B (en), GB9626627D0 (en)
Inventor: John Bernard Brenner
Current Assignee: Fujitsu Services Ltd
Original Assignee: Fujitsu Services Ltd
Priority date: 1996-12-21
Filing date: 1996-12-21
Publication date: 1998-06-24

Timeline:
Application filed by Fujitsu Services Ltd
Priority to GB9626627A (GB2320595B)
Publication of GB9626627D0
Publication of GB2320595A
Application granted
Publication of GB2320595B
Anticipated expiration
Current legal status: Expired - Lifetime

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/005 Network, LAN, Remote Access, Distributed System
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149 Restricted operating environment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Bioethics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

User access to an information network, such as the Internet, is controlled so that predetermined access is prevented in such a manner that the control is not easily circumvented. A user interacts with the network via a respective PC terminal (1) which is physically separated from but operatively connectible to a virtual PC (3) included in a PC server (2). The network accessing software (browser) 4 is provided at the virtual PC (3). A control gateway (6) disposed in the communication path between the virtual PC (3) and the network is controlled in order to prevent predetermined access to the network. A supervisor of the user is able to set the prevented access via a respective terminal (7) upon provision of predetermined credentials, passwords etc.

Description

NETWORK ACCESS CONTROL

This invention relates to network access control and in particular to controlling access to information services on the Internet or similar networks.
Whilst the Internet is undoubtedly beneficial in that it makes vast quantities of information available, many concerns have been raised with regard to the ease with which, for example, children are able to gain access to unsuitable material from unsuitable sources by means of personal computers (PCs) at schools or homes. Although it is possible to provide measures to control access of PCs to networks, those applied to the individual PCs can be circumvented.
Access control is not required just for children; there are other instances where persons in supervisory roles, such as managers, require to control the access of other persons, such as subordinates, to information networks, in order to reduce costs, prevent access to particular sites, reduce exposure to security risks etc.
An object of the present invention is to provide means which enable people with supervisory roles, such as parents, teachers or managers, to control access to information services on the Internet, or similar networks, by people, such as their children, pupils or subordinates, within the scope of their supervision.
According to one aspect of the present invention there is provided an information network user access control system including a PC terminal via which a user can interact with an information network; a PC server operatively connectible to the PC terminal but physically separate therefrom, the PC server including a virtual PC means having network accessing software; and a gateway, disposed in a communications path between the virtual PC means and the network, controlled to prevent predetermined access to the network.
According to another aspect of the present invention there is provided a method of controlling user access to an information network wherein the user employs a PC and accesses the network via network accessing PC software, including the steps of configuring the PC as a PC terminal, with which the user can interact, and a virtual PC disposed at a PC server physically separate from but operatively connected to the PC terminal, the virtual PC including the network accessing PC software; disposing a control gateway in a communications path between the virtual PC and the network, and controlling the control gateway whereby to prevent predetermined access to the network.
Embodiments of the invention will now be described with reference to accompanying drawings, in which: Figure 1 illustrates an embodiment of the invention when network access by a user is being controlled, Figure 2 illustrates an embodiment of the invention when the network access control is being set by a supervisor, and Figure 3 illustrates the combination of Figure 1 and Figure 2.
Conventionally the Internet, or a similar information network, is accessed from a PC disposed at a premises, such as a school, home, office etc via a dial-up link using a modem, or other links, to an Internet Service Provider. The PC is loaded with and executes various applications (PC software) and in particular for the Internet use, has a so-called browser application which provides access to the information services, such as the Internet World Wide Web, by means of the Internet protocol HTTP. An example of such a browser is Netscape Navigator. Whilst it is not impossible to provide means at the PC to prevent access to certain sites etc, these can be disabled.
The present invention proceeds from the realisation that if the browser is located other than at the user's PC, then access control can be achieved in a manner which is not so easily circumvented.
An embodiment of the invention applicable to an implementation where a plurality of users are connected to a PC server 2 is illustrated in Figure 1, although only one user is indicated.
The PC server 2 comprises a number of virtual PCs 3, two of which are indicated in Figure 1. A virtual PC is comprised by software capable of behaving as if it were a separate PC with its own user interface, processing and storage, and which operates on behalf of the particular person accessing its user interface at a particular time. A virtual PC executes PC software. The PC server 2 is a computer system which is capable of behaving as a collection of virtual PCs which operate concurrently by shared use of its physical resources, and which is capable of redirecting the user interface of each virtual PC to a PC terminal. An example of a PC server is a computer operating under the control of Citrix WinFrame software.
The user in this embodiment is provided with a PC terminal 1, that is a device at which a person sees and operates the user interfaces of virtual PCs that are in PC Servers such as 2 rather than a conventional PC per se. A PC terminal may be comprised by a physical device which behaves as a PC terminal, for example the Wyse Winterm terminal, or software which behaves as a PC terminal in a PC or other personal computer, for example Citrix WinFrame client software. The term PC is that applied to a personal computer which is the subject of particular technical standards variously originating from IBM, Intel and Microsoft. In this embodiment an overall PC is comprised by a configuration of a PC terminal and a virtual PC, the latter being physically separate from the PC terminal but operatively connected thereto.
The virtual PC 3 includes PC software for accessing networks, e.g. a browser 4, and may also include other software 5. The PC Server 2 also includes control gateways such as 6 in a communications path to the Internet or other similar networks. Access to the network is mediated by the control gateway. In general terms, a gateway is a means that is inserted in a communications path between separate items of software and which enables communication between them by forwarding data-in-transit towards its destination, but observes or manipulates the data before doing so. A gateway may be comprised by a unit of software. A control gateway is a gateway that exercises control over data communication by selectively rejecting data instead of always forwarding it towards its destination.
There is a respective control gateway inserted in the communications path between each virtual PC and the networks (Internet or similar). The control gateway exerts control over access from the virtual PC to the networks by applying rules which determine what communication is permissible.
These rules are embodied in the control gateway and data structures which it uses. The accesses to the networks originate from the software in the virtual PC concerned, for example Internet browser software.
The control gateway 6 is outside of the virtual PC concerned and is thereby outside of the reach of software in that particular virtual PC, and of software actions initiated at the user interface of that particular virtual PC by the person using it. Also, the PC server 2 is physically separate from the PC terminals, and may be at a remote location. It can, thereby, be outside of the physical reach of the people at the PC terminals. These arrangements make it difficult for the software and users of the virtual PCs to circumvent or tamper with the controls exerted by the control gateways 6, which they could readily do if the control gateway were in the same PC or virtual PC.
Figure 1 shows the apparatus used to control network access by one virtual PC. The same PC server may contain many other virtual PCs with a control gateway for each virtual PC, or with control gateways common to several virtual PCs. The control gateway is shown as located inside the PC server, but it may alternatively be located elsewhere in the path between the virtual PC and the networks, for example it may be implemented by rules in a separate network box.
Alternatively, data structures defining the controls may be in a separate server or shared file accessible from the virtual PC.
There are no changes required to the software in the virtual PC, including the network accessing (browser) software, which is the subject of the controls. The interception of its network communication is external to the virtual PC and hidden from it.
Administrative control of the rules applying to any particular virtual PC (virtual PC x) is exercised via software in another virtual PC (virtual PC y), which is accessible to the person, or persons, with the role that includes supervision of virtual PC x. This administrative software, in virtual PC y, is logically part of the control gateway although, as indicated above, parts of the control gateway may be implemented as physically separate units. One particular virtual PC y may exercise administrative control over one particular virtual PC x or over a group of virtual PCs x.
Figure 2 illustrates this administrative aspect of the apparatus. Administrative actions are initiated by a user (administrator) at the PC terminal 7 accessing the administrative facilities in the control gateway 6. This access may be from any PC terminal at which the user (administrator) provides the appropriate credentials, such as passwords. This may be the same PC terminal as illustrated in Figure 1 but at a different time.
Some examples of the kind of control rules which can be applied are: restrict Internet access to certain periods when network capacity is available and tariffs are low or free; prevent access to particular sites; and prevent access to particular kinds of services. This intervention may be motivated by concerns about cost, prevention of access to unsuitable material from unsuitable sources, and reduction of exposure to security risks. The control rules may also include logging of access activity and collection of statistics; such information is useful for various purposes, such as security audit and performance monitoring. The access control provided may be considered as permitting only predetermined access to the network or, alternatively, as preventing access to predetermined parts or content etc of the network, i.e. preventing predetermined access to the network.
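The following is an added illustration, not code from the patent or from Fujitsu, of the control gateway described in the two passages above: a rule-applying component that sits between a virtual PC and the network, decides per access attempt whether to forward or reject, keeps an audit log and statistics, and accepts rule changes only from a supervisor who presents a credential. The three rule kinds (permitted time period, blocked sites, blocked service kinds) are the ones the description lists; the class and function names, the rule values, the salt, the supervisor password and the sample requests are all constructed for this example. It also handles one case the text leaves implicit, a permitted period that wraps past midnight, and blocks sub-domains of a listed site.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, List, Set, Tuple
import hashlib
import hmac


@dataclass
class Request:
    virtual_pc: str   # identifier of the originating virtual PC (constructed)
    host: str         # destination host name
    service: str      # service kind, e.g. "http", "ftp", "irc"
    at: time          # local wall-clock time of the access attempt


@dataclass
class Rules:
    # Permitted access period; a window whose end precedes its start wraps midnight.
    allowed_from: time = time(18, 0)
    allowed_until: time = time(7, 0)
    blocked_hosts: Set[str] = field(default_factory=set)     # host or parent domain
    blocked_services: Set[str] = field(default_factory=set)  # service kinds


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end], including an overnight window."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def host_blocked(host: str, blocked: Set[str]) -> bool:
    """Block each listed host and every sub-domain beneath it."""
    h = host.lower().rstrip(".")
    return any(h == b or h.endswith("." + b) for b in blocked)


def hash_credential(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ControlGateway:
    """Sits between one virtual PC and the network; forwards or rejects traffic."""

    def __init__(self, rules: Rules, salt: bytes, credential_hash: bytes):
        self.rules = rules                      # data structures the rules live in
        self._salt = salt
        self._credential_hash = credential_hash  # supervisor credential, hashed
        self.log: List[Tuple[str, str, str, bool, str]] = []  # audit trail
        self.stats: Dict[str, int] = {"forwarded": 0, "rejected": 0}

    def decide(self, req: Request) -> Tuple[bool, str]:
        """Apply the rules to one access attempt; returns (forward, reason)."""
        r = self.rules
        if host_blocked(req.host, r.blocked_hosts):
            verdict = (False, "host is on the blocked list")
        elif req.service.lower() in r.blocked_services:
            verdict = (False, "service kind is not permitted")
        elif not in_window(req.at, r.allowed_from, r.allowed_until):
            verdict = (False, "outside the permitted access period")
        else:
            verdict = (True, "permitted")
        self.stats["forwarded" if verdict[0] else "rejected"] += 1
        self.log.append((req.virtual_pc, req.host, req.service) + verdict)
        return verdict

    def update_rules(self, password: str, new_rules: Rules) -> bool:
        """Only a supervisor presenting the right credential may change the rules."""
        presented = hash_credential(password, self._salt)
        if not hmac.compare_digest(presented, self._credential_hash):
            self.log.append(("supervisor", "-", "-", False, "credential rejected"))
            return False
        self.rules = new_rules
        self.log.append(("supervisor", "-", "-", True, "rules updated"))
        return True


SAMPLE_SALT = b"constructed-salt"          # constructed; use os.urandom(16) in practice
SAMPLE_PASSWORD = "constructed-password"  # constructed supervisor credential


def make_sample_gateway() -> ControlGateway:
    rules = Rules(blocked_hosts={"blocked.example"}, blocked_services={"irc"})
    return ControlGateway(rules, SAMPLE_SALT, hash_credential(SAMPLE_PASSWORD, SAMPLE_SALT))


def run_sample() -> dict:
    """Constructed access attempts from virtual PC 'vpc-x', then a supervisor change."""
    gw = make_sample_gateway()
    attempts = [Request("vpc-x", "www.blocked.example", "http", time(19, 0)),
                Request("vpc-x", "docs.example", "irc", time(19, 0)),
                Request("vpc-x", "docs.example", "http", time(12, 0)),
                Request("vpc-x", "docs.example", "http", time(6, 30))]
    verdicts = [gw.decide(a) for a in attempts]
    all_day = Rules(time(0, 0), time(23, 59))
    rejected_change = gw.update_rules("wrong-password", all_day)
    accepted_change = gw.update_rules(SAMPLE_PASSWORD, all_day)
    after_update = gw.decide(Request("vpc-x", "docs.example", "http", time(12, 0)))
    return {"verdicts": verdicts, "rejected_change": rejected_change,
            "accepted_change": accepted_change, "after_update": after_update,
            "stats": dict(gw.stats), "log_entries": len(gw.log)}


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, "->", value)
```

The rules and the credential hash live in the gateway object, not in anything the virtual PC's browser can reach, which is the point of the arrangement in the description: software in virtual PC x sees only the forward-or-reject outcome. The audit log records every decision and every supervisor attempt, so it serves both of the uses the text names, security audit and performance monitoring.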
Figure 3 shows the combination of the operational and administrative functions shown separately in Figures 1 and 2.
No further description is offered since it is considered to be self-explanatory.

Claims (12)

1. An information network user access control system including a PC terminal via which a user can interact with an information network; a PC server operatively connectible to the PC terminal but physically separate therefrom, the PC server including a virtual PC means having network accessing software; and a gateway, disposed in a communications path between the virtual PC means and the network, controlled to prevent predetermined access to the network.
2. An access control system as claimed in Claim 1, wherein the PC server includes a plurality of said virtual PC means and a respective gateway is provided for each virtual PC means.
3. An access control system as claimed in Claim 1, wherein the PC server includes a plurality of said virtual PC means and wherein a said gateway is common to a predetermined number of said plurality of virtual PC means.
4. An access control system as claimed in any one of Claims 1 to 3, wherein the gateway is comprised within a respective virtual PC accessible by a supervisor from a said PC terminal, in response to the provision of predetermined credentials, and whereby the supervisor can change the prevented predetermined access.
5. An access control system as claimed in any one of Claims 1 to 3, wherein the gateway is comprised within a network box separate from the PC server.
6. An access control system as claimed in any one of Claims 1 to 3, wherein data structures defining access controls are disposed in a respective server, or shared file, accessible from the virtual PC and accessible by a supervisor from a said PC terminal, in response to the provision of predetermined credentials, and whereby the supervisor can change the prevented predetermined access.
7. A method of controlling user access to an information network wherein the user employs a PC and accesses the network via network accessing PC software, including the steps of configuring the PC as a PC terminal, with which the user can interact, and a virtual PC disposed at a PC server physically separate from but operatively connected to the PC terminal, the virtual PC including the network accessing PC software; disposing a control gateway in a communications path between the virtual PC and the network, and controlling the control gateway whereby to prevent predetermined access to the network.
8. A method as claimed in Claim 7, wherein the control gateway is comprised within a respective virtual PC accessible by a supervisor from a said PC terminal, upon the provision of predetermined credentials, and including the step of the supervisor changing rules applied to the control gateway whereby to change the prevented predetermined access.
9. A method as claimed in Claim 7, wherein the control gateway is comprised within a network box separate from the PC server but accessible by a supervisor from a said PC terminal, upon the provision of predetermined credentials, and including the step of the supervisor changing rules applied to the control gateway whereby to change the prevented predetermined access.
10. A method as claimed in Claim 7, wherein data structures defining access controls are disposed in a respective server, or shared file, accessible from the virtual PC and accessible by the supervisor from a said PC terminal, upon the provision of predetermined credentials, and including the step of the supervisor changing the data structures whereby to change the prevented predetermined access.
11. An information network user access control system as substantially as herein described with reference to and as illustrated in the accompanying drawings.
12. A method of controlling user access to an information network substantially as herein described with reference to and as illustrated in the accompanying drawings.

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB9626627A GB2320595B (en) 1996-12-21 1996-12-21 Network access control

Publications (3)

Publication Number Publication Date
GB9626627D0 GB9626627D0 (en) 1997-02-12
GB2320595A true GB2320595A (en) 1998-06-24
GB2320595B GB2320595B (en) 2001-02-21

Family

ID=10804847

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9626627A Expired - Lifetime GB2320595B (en) 1996-12-21 1996-12-21 Network access control

Country Status (1)

Country Link
GB (1) GB2320595B (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2238636A (en) * 1989-12-01 1991-06-05 Sun Microsystems Inc X-window security system
US5406624A (en) * 1992-09-04 1995-04-11 Algorithmic Research Ltd. Data processor systems

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000067091A2 (en) * 1999-04-29 2000-11-09 Spintronics Ltd. Speech recognition interface with natural language engine for audio information retrieval over cellular network
WO2000067091A3 (en) * 1999-04-29 2002-05-02 Spintronics Ltd Speech recognition interface with natural language engine for audio information retrieval over cellular network
WO2001088676A2 (en) * 2000-05-16 2001-11-22 Yahoo! Inc. Access server and parental control system for controlling access in internet
WO2001088676A3 (en) * 2000-05-16 2003-02-13 Yahoo! Inc. Access server and parental control system for controlling access in internet
WO2003014889A2 (en) * 2001-08-06 2003-02-20 Matsushita Electric Industrial Co., Ltd. License management server, terminal device, license management system and usage restriction control method
WO2003014889A3 (en) * 2001-08-06 2004-04-22 Matsushita Electric Ind Co Ltd License management server, terminal device, license management system and usage restriction control method
US7455590B2 (en) 2003-05-09 2008-11-25 Microsoft Corporation Sending messages in response to events occurring on a gaming service

Also Published As

Publication number Publication date
GB2320595B (en) 2001-02-21
GB9626627D0 (en) 1997-02-12

Similar Documents

Publication Publication Date Title
US6564327B1 (en) Method of and system for controlling internet access
US5987606A (en) Method and system for content filtering information retrieved from an internet computer network
US7587459B2 (en) Remote application publication and communication system
US20020010768A1 (en) An entity model that enables privilege tracking across multiple treminals
JP2002351829A (en) Providing computing service through online network computer environment
GB2320595A (en) Network access control
Arbanowski et al. The human communication space: Towards i-centric communications
Cisco Glossary
Cisco 1 - Introduction
KR100359559B1 (en) Method of real private network service
Brazier et al. Are law-abiding agents realistic?
EP1227646A1 (en) Service platform and a telecommunication system, a method and use thereof
US20030046398A1 (en) Method and system for managing a plurality of console devices in a network
JP2006092040A (en) Service provision system and method
Pescatore Secure use of the World Wide Web: keeping browsers and servers from getting snared
Kessler Build great firewalls
US20110321163A1 (en) Platform for a computer network
Edwards Security gets easier, cheaper
Sattid et al. Information security standards for e-businesses
Krull Marketing information systems audit
Cochrane Unleashing the intranet
Raynovich Firewall gets Web capabilities
Miao et al. Campus Network Control Management System Based on Python
Gardner Bringing laptops to class: the front lines of curricular computing
Derriennic et al. Use of failure-intensity models in the software-validation phase for telecommunications.

Legal Events

Code Title Description
PE20 Patent expired after termination of 20 years (Expiry date: 20161220)