
GB2494892A - System and Method for Monitoring Network Connections - Google Patents


Info

Publication number: GB2494892A
Authority: GB (United Kingdom)
Prior art keywords: text, client device, authenticated, connection, wireless client
Legal status: Withdrawn
Application number: GB1116324.3A
Other versions: GB201116324D0 (en)
Inventors: Kevin Epsworth, Andrew Louke
Current assignee: Cloud Networks Ltd
Original assignee: Cloud Networks Ltd

Events
    • Application filed by Cloud Networks Ltd
    • Priority to GB1116324.3A (GB2494892A)
    • Publication of GB201116324D0
    • Priority to PCT/GB2012/052346 (WO2013041880A1)
    • Publication of GB2494892A
    • Current legal status: Withdrawn


Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                • H04L63/102 Entity profiles
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS
        • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W12/06 Authentication
            • H04W12/08 Access security
        • H04W48/00 Access restriction; Network selection; Access point selection
            • H04W48/02 Access restriction performed under specific conditions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A system and method for controlling access to a network service or resource by a wireless client device 3 is described. A captive portal 9 intercepts data packets transmitted from the wireless client device, determines that the wireless client device is a non-authenticated device and processes the intercepted data packets to determine if the non-authenticated client device is allowed access to the network service or resource. When the data packets from the client device match a connection profile defining network characteristics for the data packets, the portal allows access and enables monitoring and accounting of the intercepted data packets for the non-authenticated device. The connection profile may define a destination network address or address range, a destination port or port range, a packet count threshold or a byte count threshold.

Description

System and Method for Monitoring Network Connections
Field of the Invention
[0001] This invention relates to a network access system, and more particularly to a system to enable improved monitoring of network connections within a publicly accessible wireless network.
Background of the Invention
[0002] Publicly accessible network access systems are generally known, in which wireless networking devices registered with the system can connect to a protected service or resource, such as access to the Internet, via wireless access points in the system, commonly referred to as hotspots. In such systems, network activity by the connected devices through the core network of the system is typically monitored for tracking, management, accounting and billing purposes. A captive portal may be provided to intercept all network data packets from a client device connecting to the network until the device and user are authenticated and authorized. Typically, the captive portal stores a login web page that is displayed by a browser on the client device to force authentication before the device is permitted access to a requested protected service or resource. The level of authentication may differ depending on the service provider and may involve one or more of device and user authentication, transfer and confirmation of payment, and output and acceptance of usage policies.
[0003] Conventional network access systems typically control and restrict connectivity and access to the protected service or resource to wireless networking devices that are registered with the system. For example, the Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization and Accounting (AAA) management for devices to access services and resources through the core network of the system. The RADIUS protocol facilitates the authentication of users or devices before granting them access to a network, the authorization of those users or devices for certain network services and the accounting for usage of those services.
[0004] However, in such systems, all of the devices must be registered with the network access system, for example in a centralized database of registered devices, and the same level of AAA management must be performed for each device that wishes to use a network service before that wireless client device is allowed to establish an active connection to the protected service or resource via the wireless access point. Detailed accounting of access and usage is subsequently monitored for each registered device that is connected via the system.
[0005] What is desired is an improved system infrastructure that facilitates controlled access to a protected service or resource without the processing and memory burdens of conventional network access systems.
Statements of the Invention
[0006] Aspects of the present invention are set out in the accompanying claims.
[0007] According to one aspect of the present invention, an apparatus is provided for controlling access to a network service or resource by a wireless client device, the apparatus comprising means for intercepting data packets transmitted from the wireless client device; means for determining that the wireless client device is a non-authenticated device; means for processing the intercepted data packets to determine whether the non-authenticated client device is allowed access to the network service or resource, wherein the non-authenticated client device is allowed access when it is determined that the data packets match a connection profile defining at least one network characteristic for the data packets; and means for monitoring the intercepted data packets for the non-authenticated device.
[0008] In another aspect, a system is provided for controlling access to a protected service or resource by authenticated and authorized devices, the system comprising a connection tracker in a network router, the connection tracker adapted to provide access to the protected service or resource to a non-authenticated and non-authorized device based on an associated connection profile.
[0009] In another aspect, the present invention provides a method for controlling access to a protected service or resource by authenticated and authorized devices, by providing access to the protected service or resource to a non-authenticated and non-authorized device based on an associated connection profile.
[0010] In yet another aspect, there is provided a computer program arranged to carry out the above method when executed by a programmable device.
Brief Description of the Drawings
[0011] There now follows, by way of example only, a detailed description of embodiments of the present invention, with references to the figures identified below.
Figure 1 is a block diagram showing the main components of a network access system according to an embodiment of the invention.
Figure 2 is a flow diagram illustrating the main processing steps performed by the system of Figure 1 according to an embodiment.
Figure 3, which comprises Figures 3a and 3b, is a flow diagram illustrating in more detail main processing steps performed by the connection tracker and network access controller components of the system of Figure 1 according to an embodiment.
Figure 4, which comprises Figures 4a and 4b, is an illustration of exemplary profile and connection profile tables of the profile definition data used by the system to control access according to an embodiment.
Figure 5 is a state diagram illustrating the main states of a network connection according to an exemplary embodiment.
Detailed Description of Embodiments of the Invention
Overview
[0012] A specific embodiment of the invention will now be described for a system for controlling access to a protected service or resource via a wireless network. The protected service or resource may be user requested access to Internet resources via a web server and/or gateway, or access to network services such as Voice Over IP through respective servers and network components. Referring to Figure 1, a network access system 1 according to an embodiment comprises a client device 3 connected to a node of a core communication network 5, illustrated in this embodiment as a wireless access point 7. The client device 3 may be any form of electronic device such as a computer terminal, laptop, mobile telephone or other computing device, with a wireless network interface for Local Area Network (LAN) communications. Those skilled in the art will appreciate that the core communication network 5 may include both wireless and wired data links through a plurality of communication networks.
[0013] A captive portal 9 intercepts network data packets from the client device 3 connected to the core network 5, to provide for authentication, authorization and accounting of the network connections. The captive portal 9 includes a central network router 11 for intercepting and tracking network connections to requested application services. The captive portal 9 also includes a central web server 15 for facilitating communication of network data and messages between components of the captive portal 9. An application cluster 17 in the captive portal 9 includes a network access controller (NAC) 19 in communication with the router 11 via the web server 15, for provisioning and maintaining sessions in the core network 5. The NAC 19 stores and maintains session data 20 in a central database or data store 35. Although the web server 15 is illustrated as a separate central component of the captive portal 9 in Figure 1, those skilled in the art will appreciate that the application cluster 17, AAA module 21, DHCP server 39 and database 35 may form part of the web server 15 of the captive portal 9.
[0014] The NAC 19 is also in communication with an Authentication, Authorization and Accounting (AAA) module 21 for handling the authentication of the client device 3 before granting access to the core network, the authorization of the client device 3 for particular protected services and resources including external application services, and the accounting of usage by the client device 3 of those services and resources.
Depending on the configuration of the service provider, the AAA module 21 may include one or more AAA sub-modules for respective specific forms of authentication, authorization and accounting. A voucher AAA sub-module 23 may be included for providing temporary access to the protected services and resources by way of time-based vouchers. One or more vendor AAA sub-modules 25 may be included for controlling and restricting access based on a specific vendor associated with the client device 3. As an example, a client device 3 may be pre-registered with a particular mobile telephone service provider that allows access to protected services and resources via the communication network 5. In such a case, the device 3 is an authenticated device and the respective vendor AAA sub-module 25 will be identified and used to perform authentication, authorization and accounting for the client device 3.
[0015] The AAA module 17 may be a hosted AAA server farm (not shown) based on the well known RADIUS (Remote Authentication Dial In User Service) protocol, and in this embodiment includes a Roampoint Radius proxy 25 for secure communication with an external RADIUS server and for logging all RADIUS accounting records (starts, interims and stops) used and mediated, which form the basis for generation of Charging Data Records (CDR). The proxy 25 can log the accounting records in an accounting table 22 in the database 35. The AAA module 21 can receive requests from the NAC 19 to create and maintain Radius sessions in the system, for example requests to start new Radius sessions, start accounting for created Radius sessions and stop existing Radius sessions. Those skilled in the art will appreciate that an alternative protocol to RADIUS may instead be implemented for the AAA module 21.
A billing system (not shown) coupled to the AAA module 21 may be provided for performing administrative and billing functions for the services and resources, based on the information of accounting usage by the client devices logged by the AAA module 21.
[0016] The network router 11 identifies and stores connection information 26 about the current or last known state of each network connection passing through the network, for example using tables stored at the operating system kernel level. "iptables", for example, is a known application program for accessing connection tables in an IP-based communications network. A connection tracker 27 in the router 11 is an administration tool for netfilter connection tracking and is used to search, list, inspect and maintain the current connections information 26. In this embodiment, the connection tracker 27 is a daemon process running in the operating system kernel of the router 11. The connection tracker 27 may track the network connections within an in-memory hash table based on calculated packet and byte counters. The connection tracker 27 may also determine connection state changes and communicate the state changes as events to the NAC 19. As those skilled in the art will appreciate, the kernel tracks and stores a list of connections in memory, which are obtained by the connection tracker 27 for example by connecting to an associated API or by calling a system command with a predefined set of arguments.
[0017] The connection tracker 27 is configured to determine if an active connection is associated with an authenticated client device 3, that is a client device 3 which is registered with the service provider and therefore suitable for AAA processing according to the protocol of the network access system 1. The connection tracker 27 is configured to also track Accounting Non-Authenticated Session (ANAS) connections, that is connections from client devices 3 that are not registered with the system 1 and therefore not suitable for authentication and authorization by an AAA module, but must also be tracked for accounting purposes. In this embodiment, the connection tracker 27 tracks ANAS connections based on profile definition data 31 stored for example as tables in a database 35, as will be described in more detail below.
[0018] The connection tracker 27 communicates with a remote service in the NAC 19 to access and retrieve an up-to-date copy of the profile definition data 31 from the database 35, and to store the retrieved profile definition data as cached profile definition data 33 in a profile cache 37 for improved database performance. Updated profile definition data may be retrieved from the database 35 at predefined time intervals, for example hourly or daily, or in response to an update event notification. The profile cache 37 may be configured with eviction policies to ensure that the cached profile definition data 33 stored in the profile cache 37 is always up-to-date. For example, each profile may be associated with a start and end date, and the NAC 19 may determine if a particular profile is still valid.
[0019] The captive portal 9 also includes a DHCP server 39 for automatically configuring the client device 3 with an assigned network parameter in response to a DHCP request packet received from the client device 3 via the router 11, as is well known in the art. In this embodiment for example, the DHCP server 39 assigns the client device 3 with an IP address and a lease time for the allocated IP address. The DHCP server 39 may also assign the client device 3 with other IP configuration parameters. The DHCP server 39 may be configured to automatically allocate IP addresses from a predefined range of IP addresses assigned to the captive portal 9 or to perform allocation based on a table defining IP address and client device Media Access Control (MAC) address pairs. The DHCP server 39 manages the pool of IP addresses and information about client device configuration as DHCP configuration data 41 in the data storage 35.
[0020] The application cluster 17 also includes a Secure Access Portal 43 (SAP) for providing secure access by allowed devices to protected services and resources external to the system 1 and the core network 5, a redirect application 45 for forwarding data packets from allowed devices on to intended destinations external to the system 1 and the core network 5, and an extranet 47 for providing the presentation layer that may be used by the NAC 19 to provision new profile definitions 31 in the database 35.
[0021] The web server 15 may include a plurality of servers forming a web server farm, and all HTTP/HTTPS traffic between the connection tracker 27 and the NAC 19 would go via the web server farm to be load balanced.
[0022] The web server 15, network router 11, application services module 13, AAA module 21, DHCP server 39 and application cluster 17 of the captive portal 9 may be arranged as components in a wired network.
Network Access Process
[0023] A brief description has been given above of the components forming part of the network access system 1 of this embodiment. A more detailed description of the operation of these components in this embodiment will now be given with reference to the flow diagrams of Figures 2 and 3 for an example computer-implemented process for controlling access to a protected service or resource via a wireless network, using the system illustrated in Figure 1.
[0024] As shown in Figure 2, the process begins at step S2-1 where the client device 3 identifies a wireless access point 7 of the core network 5 of the system 1. At step S2-3, the client device 3 then transmits a join request message to the wireless access point 7.
At step S2-5, the router 11 in the captive portal 9 intercepts the join request and processes the join request at step S2-7 to establish an active connection for the client device 3, for example using the DHCP server 39 to assign the client device 3 with an IP address and a lease time for the allocated IP address for automatically configuring the client device 3 as is known in the art.
[0025] At step S2-9, the connection tracker 27 in the router 11 then determines if the client device 3 is registered with the system 1 and eligible for an authenticated session.
If at step S2-9 the router 11 determines that the connection is not eligible for an authenticated session, then at step S2-11, the connection tracker 27 in the router 11 determines if the connection is eligible for a non-authenticated session based on stored connection profile definition data, as will be described in more detail below. If the connection is not eligible as an ANAS, then processing proceeds to step S2-13 where the client device 3 informs the user that registration is required before the client device 3 is allowed access to the requested protected service or resource via a MAC authenticated session. This may be in the form of a web page prompting the user to sign up and register the client device 3 with the system 1. On the other hand, if the connection is determined to be eligible as an ANAS, then at step S2-15, the NAC 19 provisions a new ANAS for the active connection and sends an accounting start to the AAA module 21. In response, at step S2-17, the AAA module 21 logs the accounting record for the new session in the accounting table 22 of the database 35.
[0026] The NAC 19 then transmits confirmation of the new session to the connection tracker 27 of the router 11 at step S2-19, and confirmation of the new session is passed on by the connection tracker 27 to the client device 3 at step S2-21 to indicate to the client device 3 that tracked and accounted access to the requested protected service or resource has been granted for the non-authenticated session. Accordingly, at step S2-23, the client device 3 commences transmission of network data over the active connection. The network data is intercepted by the router 11 and the connection tracker 27 continues to track the connection and transmit session update events to the NAC 19 at step S2-25. The NAC 19 maintains the session at step S2-27 and updates packet counters within the active session records responsive to receiving session update requests from the connection tracker 27. The NAC 19 also transmits accounting interim packets to the AAA module 21 to update the accounting record in the accounting table 22, at step S2-29. The processing of steps S2-23 to S2-29 is then repeated until the connection tracker 27 determines that the connection is closed or no longer active and informs the NAC 19 accordingly. In response, the NAC 19 updates the packet counters in the session record one final time, closes the tracked session and transmits a session stop instruction to the AAA module 21 at step S2-27. In response, the AAA module 21 removes the active session record from the accounting table 22 at step S2-29. In an embodiment, the AAA module 21 may be configured to generate or update a separate accounting record for all connections that match the profile associated with this connection.
In this way, accounting may be carried out to track all network usage in the system from non-authenticated client devices that match a particular profile, for example for all ANAS associated with a Session Initial Protocol (SIP) session where the profile is defined by the known destination IP address.
100271 Returning back to step S2-9, if the connection tracker 27 in the router 11 determines that the client device 3 is not registered with the system 1 and therefore not eligible for an authenticated session, then processing proceeds to step S2-3 1 where the NAC 19 transmits a request for MAC authentication of the client device 3 to the AAA module 21 in accordance with the AAA protocol implemented by the system for handling authenticated sessions. At step S2-3 3, the AAA module 21 carries out MAC authentication and user authorization as required and informs the NAG 19 on successful authentication and authorization. At step S2-3 5, the NAG 19 receives confirmation of authentication and authorization by the AAA module 21, creates a new session record for the authenticated session and sends an accounting start instruction back to the AAA module 21. Processing then proceeds to step S2-17 where the AAA module 21 logs the accounting record for the new session in a similar way to handflng of an ANAS, except that the accounting record is associated with an authenticated client device that is registered with the system 1 and the account record may therefore include additional information about the particular client device 3.
[0028] Figure 3, which comprises Figures 3a and 3b, is a flow diagram illustrating in more detail exemplary steps of an embodiment for tracking current connections by the connection tracker 27 in the router II and transmitting connection events to the NAG 19. As shown in Figure 3a, this process begins at step S3-1 where the connection tracker 27 instructs the NAG 19 to initialise the network access provisioning services.
Responsive to the received instruction, the NAG 19 retrieves the profile data 31 and connection profile 33 from the database 35 and communicates the retrieved profile definition data to the connection tracker 27. The connection tracker 27 receives the profile definition data from the NAC 27 at step S3-3 and stores the received profile definition data in the profile cache 37 at step S3-5. At step 53-7, the connection tracker 27 obtains a list of the active connections passing through the network 5, from the current connections information 26 maintained by the router 11 at kernel level. As discussed above, the connection tracker 27 tracks the connections and can communication information about the connections to the NAG 27 in batches or periodically. The connection tracker 27 can track connections that are buffered for a period of time, where duplicate connections are merged and packet and byte counters are summed before the connections information is sent over to the NAG 27.
100291 At step 53-9, the connection tracker 27 identifies an active connection from the list of active connections to be processed, this being a first active connection from the list when the process is carried out for the first time. At step S3-1 I, the identified active connection is processed to determine if the connection is associated with an authenticated session. As mentioned above, an active connection from a client device 3 may be associated with an authenticated session because the client device 3 is pre-registered with a particular mobile telephone service provider that allows access to protected services and resources via the communication network 5. In such a case, the client device 3 is an authenticated device and the connection tracker 27 can determine that an active network session is an authenticated session based on the accounting records stored in the accounting taMe 22 in the database 35. Accordingly, if the connection tracker 27 determines, at step 531, that the present active connection is associated with an authenticated session, then subsequent processing of the active connection proceeds in accordance with a known protocol for handling authenticated sessions, For example, as mentioned above, the active connection may be processed using a respective vendor AAA sub-module 25 to perform authentication, authorization and accounting for the client device 3 before allowing access to the requested protected service or resource.
100301 On the other hand, if at step S3-tl, the connection tracker 27 determines that the active connection is not associated with an authenticated session, then the active connection is considered to be from a client device 3 that is requesting access to protected services or resources through an Accounting Non-Authenticated Session (ANAS). In this embodiment, the connection tracker 27 processes the ANAS by determining if the active connection matches a predefined profile. Accordingly, at step 53-13, the connection tracker 27 determines if the active connection matches a connection profile 33 in the profile cache 37. If the active connection matches a connection profile, then at step 53-] 5 the connection tracker 27 detennines if the active connection is a new connection, that is a connection from a client device 3 that is being processed for the first time and therefore does not have an associated session record in the session data 20 of the database 35. As this is the first active connection being processed, the processing proceeds to step 53-] 7 where the connection tracker 27 transmits information about the tracked connections, including the new active connection, to the NAC 27.
[0031] At step 53-19, the NAC 27 determines if the new active connection is eligible to be transformed into a session. For example, the connection tracker 27 can determine if a connection is eligible by firstly performing a lookup to determine if a user is in a valid venue and secondly, based on the 11' address, performing a lookup of the DHCP lease information that is used to create the session record. If it is determined that the connection is not eligible as a session, then the current connection is not considered further and processing proceeds to step 53-29 described below. On the other hand, if it is determined that the connection is eligible as a session, then at step 53-21, the NAC 19 receives the session start request from the connection tracker 27 and creates a new active session record for the ANAS session and stores the created session record as session data 20 in the database 35. The NAC 19 then sends an accounting start instruction to the AAA module 2] at step S3-23. The accounting start instruction includes information associated with the matching connection profile, such as a particular destination IP address, so that the AAA module 21 can create a Charging Data Record to track that ANAS session, that is network traffic addressed to that particular destination IP address that matches the same connection profile. The AAA module 2t also stores a log of all accounting records in the accounting table 22 in the database 35. At step S3-25, the NAC 19 receives confirmation from the AAA module 21 that accounting has been initiated for the ANAS session, and the NAC 19 informs the connection tracker 27 that an active ANAS record has been created.
100321 The connection tracker 27 receives at step S3-27 confirmation from the NAC 19 that the active session record has been created and the processing proceeds to step S3- 29 where the connection tracker 27 determines if it is necessary to perform an update of the profile definition data in the profile cache 37. As mentioned above, the cached profile definition data may be updated in regular time-based intervals or may be based on other determining factors such as responsive to an update instruction or to an empty cache if all of the profiles have expired. If at step 53-29 it is determined that the cached profile data requires updating, then processing returns to step 53-3 where the connection tracker 27 obtains a latest copy of the profile definition data 31 from the database 35 via the NAC 19 as described above.
[0033] On the other hand, if at step S3-29 it is determined that the cached profile definition data 33 does not require an update, then processing returns instead to step S3-9 where the connection tracker 27 determines if there is another active connection in the obtained list of active connections to be processed. The above-described steps are repeated for the next active connection in the obtained list. However, if at step S3-15 it is determined that the next active connection is not a new connection, that is, a session record has already been created and is present in the session data 20 of the database 35, then processing proceeds to step S3-31 where the connection tracker 27 determines and updates if necessary the state of the active connection in the current connection information 26. At step S3-33, the connection tracker 27 sends any change of state for the tracked connection to the NAC 19, for subsequent updating of the tracking and accounting information according to the implemented accounting protocols. Processing then returns to step S3-29 as described above.
[0034] In this way, the system 1 provides a connection tracker 27 in the router 11 that advantageously controls, tracks and enables accounting of network access to protected services or resources via both authenticated sessions and Accounting Non-Authenticated Sessions through the communications network 5, established between client devices 3 and the captive portal 9 via one or more wireless access points 7, using profiles which effectively define a whitelist of criteria such as particular destination IP addresses, ports and bandwidth, for which active network connections matching the whitelisted criteria can be established and tracked without requiring authentication and authorization of the requesting client devices.
Profile Tables
[0035] In the embodiment described above, the connection tracker 27 tracks ANAS connections based on profile definition data 31 stored as tables in the database 35. Figure 4, which comprises Figures 4a and 4b, is a schematic diagram of an exemplary data structure for storing the profile definition data 31 for use by the connection tracker 27 to control access according to the embodiment. In this exemplary embodiment, the profile definition data 31 is configured using a profile table 31a, for example as illustrated in Figure 4a, and a connection_profile table 31b, for example as illustrated in Figure 4b.
[0036] An example of a profile entry in the profile table 31a would be for a particular Internet Service Provider, which could have one or more associated rows in the connection_profile table 31b which may be used by the connection tracker 27 to identify which TCP or UDP connections are to be considered. Charging Data Records (CDRs) may be created for a single source IP address that generates traffic matching a single profile, which means that multiple connections may be active but only a single CDR will be generated. If more than one profile has traffic, each matched connection will have a respective, possibly overlapping, CDR.
[0037] As shown in Figure 4a, the profile table 31a in this exemplary embodiment includes the following fields for each profile or row in the table:
- an identification value, which may be generated from an integer sequence,
- a valid_from and valid_to value, which may define a time-based window of validity for the profile, whereby only profiles that are currently valid will be considered,
- a description, which may be for information purposes only,
- an interval time value, which may define a number of seconds between interim updates for packets in an active session,
- an idle_timeout value, which may define a number of seconds that a session can be active with no connections before the session is idled out,
- a hard_timeout value, which may define a maximum time that a session will be tracked for, to stop stale sessions that can occur during a system failover, and
- a username value, which may be the actual name of a user which can be used in the generated CDR records.
[0038] As shown in Figure 4b, the connection_profile table 31b in this exemplary embodiment includes the following fields for each profile or row in the table:
- a protocol value, which may define the type of connection to track, such as TCP or UDP,
- a dst_range value, which may define a destination IP address or range to be monitored,
- a dst_port_start and dst_port_end value, which may be used to define which particular destination ports or range of ports to monitor,
- a profile_id value, which may define a 1-N foreign key association to the profile table,
- a pkt_threshold_in and pkt_threshold_out value, which may define a number of packets that must be transferred per second for this connection to be considered active,
- a byte_threshold_in and byte_threshold_out value, which may define a number of bytes that must be transferred per second for this connection to be considered active, and
- an idle_timeout value, which may define a number of seconds that a connection can remain in an IDLE state before the connection is considered closed. This means that a connection may still be in the kernel table but would be considered idled out. If traffic starts up again, then this can trigger an entirely new session.
[0039] As those skilled in the art will appreciate, not all of the above-described fields are required for each profile definition, and particular values may be set to null or left empty, for example. Additionally, the addition and maintenance of a profile may not be a frequent occurrence, and the profile definition data 31 might stay unchanged for weeks. However, when the profile definition data 31 is changed, the connection tracker 27 is configured to obtain an updated copy of the changed data so that the cached profile definition data 33 is not out of sync with the updated profile definition data 31 for a period that exceeds the iteration time period of the connection tracker's execution.
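The following is an added example illustrating how the profile and connection_profile tables of Figure 4 ([0036]-[0038]) can be applied to an intercepted connection; it is not code from the patent or from Cloud Networks Ltd. It assumes dst_range is written as an address or CIDR prefix, that validity is enforced on the parent profile's valid_from/valid_to window, and that a dangling profile_id never grants access. The class and field names mirror the paragraphs above; the sample rows and connections are constructed for the example.

```python
"""Profile matching and CDR aggregation for Accounting Non-Authenticated Sessions.

Added example, not the patent's code.  Models the profile table (Figure 4a)
and connection_profile table (Figure 4b) as dataclasses and decides which
currently valid profile, if any, an intercepted connection falls under, and
which Charging Data Record (CDR) its traffic rolls up into.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Profile:
    """One row of the profile table (Figure 4a)."""
    id: int
    valid_from: datetime
    valid_to: datetime
    description: str
    interval: int        # seconds between interim accounting updates
    idle_timeout: int    # seconds a session may have no connections
    hard_timeout: int    # absolute cap on session lifetime (failover guard)
    username: str        # name placed in generated CDRs


@dataclass(frozen=True)
class ConnectionProfile:
    """One row of the connection_profile table (Figure 4b)."""
    protocol: str        # "tcp" or "udp"
    dst_range: str       # destination address or CIDR range (assumed notation)
    dst_port_start: int
    dst_port_end: int
    profile_id: int      # foreign key into the profile table
    pkt_threshold_in: int
    pkt_threshold_out: int
    byte_threshold_in: int
    byte_threshold_out: int
    idle_timeout: int


@dataclass(frozen=True)
class Connection:
    """A 5-tuple as read from the kernel connection table."""
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def match_profile(conn, connection_profiles, profiles, now):
    """Return the Profile the connection is eligible under, or None.

    Eligibility requires protocol, destination address and destination port
    to match a connection_profile row AND the parent profile to be inside its
    valid_from/valid_to window.  Only the destination side is inspected, which
    is what makes a profile a destination whitelist for unauthenticated clients.
    """
    by_id = {p.id: p for p in profiles}
    dst = ip_address(conn.dst_ip)
    for cp in connection_profiles:
        if cp.protocol != conn.protocol:
            continue
        if dst not in ip_network(cp.dst_range, strict=False):
            continue
        if not (cp.dst_port_start <= conn.dst_port <= cp.dst_port_end):
            continue
        profile = by_id.get(cp.profile_id)
        if profile is None:
            continue  # dangling foreign key: fail closed, never grant on it
        if not (profile.valid_from <= now <= profile.valid_to):
            continue  # expired or not yet valid profile
        return profile
    return None


def cdr_key(conn, profile):
    """One CDR per (source IP, profile): several connections from the same
    client matching the same profile share a record ([0036])."""
    return (conn.src_ip, profile.id)


def group_into_cdrs(conns, connection_profiles, profiles, now):
    """Bucket eligible connections by CDR key; non-matching ones are dropped."""
    cdrs = {}
    for c in conns:
        p = match_profile(c, connection_profiles, profiles, now)
        if p is not None:
            cdrs.setdefault(cdr_key(c, p), []).append(c)
    return cdrs


# Constructed sample rows (not taken from the patent).
NOW = datetime(2012, 1, 1, 12, 0, tzinfo=timezone.utc)
PROFILES = [
    Profile(1, datetime(2011, 1, 1, tzinfo=timezone.utc),
            datetime(2013, 1, 1, tzinfo=timezone.utc),
            "ISP walled garden", 60, 300, 3600, "isp-garden"),
    Profile(2, datetime(2009, 1, 1, tzinfo=timezone.utc),
            datetime(2010, 1, 1, tzinfo=timezone.utc),
            "expired promotion", 60, 300, 3600, "promo"),
]
CONNECTION_PROFILES = [
    ConnectionProfile("tcp", "203.0.113.0/24", 80, 443, 1, 1, 1, 64, 64, 120),
    ConnectionProfile("tcp", "198.51.100.10", 443, 443, 2, 1, 1, 64, 64, 120),
]
```

Because matching keys only on the destination tuple, the validity window and the fail-closed handling of an unknown profile_id are the two checks that keep a stale or half-deleted row from silently widening the whitelist.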
Connection State Update
[0040] In step S3-31 described above, the connection tracker 27 determines and updates if necessary the state of an existing connection that matches a profile and is currently being tracked, that is, a connection having a session record in the session data 20 of the database 35. Figure 5 is a state diagram illustrating the main states of a network connection according to an exemplary embodiment.
[0041] As shown in Figure 5, connections that are active but are not yet being tracked have a NEW state 101. If the packet or byte count is above a predefined threshold, then the connection is added to the tracked connections as NEW, to be tracked. A NEW event with current traffic statistics is sent to the NAC 19. If the packet or byte count is below the predefined threshold, then the connection is not added to the tracked connections.
[0042] Connections that are active and are already in tracked connections have an ACTIVE state 102. If the packet or byte count is above a predefined threshold, then the connection remains in the ACTIVE state 102 and the connection tracker 27 updates the traffic counts for that connection and records the timestamp of the last measurement. An UPDATE event is sent to the NAC 19 with the traffic update statistics. If the packet or byte count is below the predefined threshold, then the connection has become PASSIVE 103.
[0043] Connections that are active and are already tracked as NEW 101 are processed in a similar manner to a connection with an ACTIVE state 102. If the packet or byte count is above a predefined threshold, then the connection is updated with an ACTIVE state 102 and the connection tracker 27 updates the traffic counts for that connection. The timestamp of the last measurement is also recorded. An UPDATE event is sent to the NAC 19 with the traffic update statistics. If the packet or byte count is below the predefined threshold, then the connection is updated with a PASSIVE state 103.
[0044] Connections that have new network traffic activity but are tracked as PASSIVE 103 are processed to check the packet or byte count. If the packet or byte count is above the predefined threshold, then the connection is updated with an ACTIVE state 102. However, if the packet or byte count is below the predefined threshold, then the connection remains in the PASSIVE state 103. The connection tracker 27 also determines if a connection has been in the PASSIVE state 103 for an amount of time exceeding a predefined timeout limit, and if so, the connection is DELETED 104 and removed from the tracked connections. A DELETE or STOP event is sent to the NAC 19 with an indication that the cause for termination is an Idle Timeout.
[0045] Finally, connections that are ACTIVE and tracked but identified by the connection tracker 27 to have been closed and therefore not having any network activity are also DELETED 104 and removed from the tracked connections. A DELETE or STOP event is sent to the NAC 19 with an indication that the cause for termination is user based. The connection tracker 27 may determine that a connection has been closed for example if it is no longer in an ESTABLISHED TCP state, or if a timestamp for a last measurement of updated traffic statistics does not match the most recent update.
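The following is an added example, not code from the patent or from Cloud Networks Ltd, that implements one pass of the tracker loop over the kernel connection table (steps S3-9 to S3-33, [0027]-[0033]) together with the NEW / ACTIVE / PASSIVE / DELETED transitions of Figure 5 ([0041]-[0045]). It assumes the connections handed to it have already been matched to a profile, uses a single packet and byte threshold per tracker instead of the per-row thresholds of the connection_profile table, collects the events destined for the NAC in a list instead of transmitting them, and names the termination causes "Idle-Timeout" and "User-Request" (assumed labels for the two causes the text describes). The samples fed to it are constructed.

```python
"""Connection state tracking for ANAS sessions.

Added example, not the patent's code.  Each call to iterate() is one pass of
the connection tracker over the current kernel connection table; a
connection that has disappeared from the table, or whose TCP state is no
longer ESTABLISHED, is treated as closed by the user.
"""
from dataclasses import dataclass

NEW, ACTIVE, PASSIVE, DELETED = "NEW", "ACTIVE", "PASSIVE", "DELETED"


@dataclass
class Sample:
    """One observation of a connection from the kernel table."""
    key: tuple                # (proto, src_ip, src_port, dst_ip, dst_port)
    pkts: int                 # packets seen since the previous observation
    bytes_: int               # bytes seen since the previous observation
    established: bool = True  # False once the TCP state leaves ESTABLISHED


@dataclass
class Tracked:
    """Tracker-side record for one connection (current connection information)."""
    state: str
    pkts: int = 0
    bytes_: int = 0
    last_seen: float = 0.0      # timestamp of the last above-threshold measurement
    passive_since: float = 0.0  # when the connection dropped to PASSIVE


class ConnectionTracker:
    def __init__(self, pkt_threshold, byte_threshold, idle_timeout):
        self.pkt_threshold = pkt_threshold
        self.byte_threshold = byte_threshold
        self.idle_timeout = idle_timeout
        self.tracked = {}   # key -> Tracked
        self.events = []    # (event, key, detail) that would be sent to the NAC

    def _above_threshold(self, s):
        # "Active" means at least the configured packets or bytes in this interval.
        return s.pkts >= self.pkt_threshold or s.bytes_ >= self.byte_threshold

    def _emit(self, event, key, detail):
        self.events.append((event, key, detail))

    def _delete(self, key, cause):
        # DELETED 104: drop from tracked connections and tell the NAC to STOP.
        self.tracked[key].state = DELETED
        del self.tracked[key]
        self._emit("STOP", key, {"cause": cause})

    def iterate(self, samples, now):
        """One pass over the current connection table (steps S3-9 .. S3-33)."""
        seen = set()
        for s in samples:
            seen.add(s.key)
            t = self.tracked.get(s.key)
            if t is None:
                # Step S3-15: not yet tracked.  Only start tracking if the
                # connection is open and already carries traffic ([0041]).
                if s.established and self._above_threshold(s):
                    self.tracked[s.key] = Tracked(NEW, s.pkts, s.bytes_, now)
                    self._emit("NEW", s.key, {"pkts": s.pkts, "bytes": s.bytes_})
                continue
            if not s.established:
                self._delete(s.key, "User-Request")          # [0045]
                continue
            if self._above_threshold(s):
                # NEW or PASSIVE -> ACTIVE; ACTIVE stays ACTIVE ([0042]-[0044]).
                t.state = ACTIVE
                t.pkts += s.pkts
                t.bytes_ += s.bytes_
                t.last_seen = now
                self._emit("UPDATE", s.key, {"pkts": t.pkts, "bytes": t.bytes_})
            else:
                if t.state != PASSIVE:
                    t.passive_since = now
                t.state = PASSIVE
        # Second sweep: connections gone from the table, or idled out.
        for key, t in list(self.tracked.items()):
            if key not in seen:
                self._delete(key, "User-Request")             # closed, no activity
            elif t.state == PASSIVE and now - t.passive_since >= self.idle_timeout:
                self._delete(key, "Idle-Timeout")             # [0044]
```

The second sweep is what makes the timestamp check in [0045] work: a tracked connection that produced no sample in this pass has a stale last measurement and is closed out, so the NAC receives a STOP even when the kernel never reported a FIN.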
Alternative Embodiments
[0046] It will be understood that embodiments of the present invention are described herein by way of example only, and that various changes and modifications may be made without departing from the scope of the invention.
[0047] For example, in the embodiments described above, the system includes a captive portal for processing active connections based on stored profile definitions, and allowing and tracking non-authenticated sessions for connections matching a profile.
The components of the captive portal communicate therebetween via a web server and network communication links of a secured LAN. As those skilled in the art will appreciate, the captive portal may be implemented as a distributed system and the components of the captive portal in communication therebetween using any combination of network communication paths. As a further alternative, the components of the captive portal, such as the connection tracker and network access controller, may be adapted for direct communication therebetween.
[0048] In the embodiments described above, the network access system is illustrated with a single captive portal having a single network router. As those skilled in the art will appreciate, the network access system may include a plurality of captive portals and/or network routers, and a respective connection tracker may be provided on each instance of a network router. In such an arrangement, it is beneficial that the state of the connections in a particular connection tracker be replicable, for example by maintaining in memory the connections of one network node on another node, to facilitate efficient handover if one node fails.
[0049] In the embodiment described above, the captive portal comprises a plurality of separate components, including servers, routers and application modules. As those skilled in the art will appreciate, the components of the captive portal may be implemented as any combination of hardware and/or software, and the system may store a plurality of computer programs or software in memory, which when executed enable the system components to implement embodiments of the present invention as discussed herein. Additionally, those skilled in the art will appreciate that the software may be stored on a non-transitory computer program medium or product, and loaded into the system using any known instrument, such as a removable storage disk or drive, hard disk drive, or communication interface, to provide some examples.
[0050] Alternative embodiments may be envisaged, which nevertheless fall within the scope of the following claims.

Claims (1)

  1. <claim-text>CLAIMS 1. An apparatus for controlling access to a network service or resource by a wireless client device, the apparatus comprising: means for intercepting data packets transmitted from the wireless client device; means for determining that the wireless client device is a non-authenticated device; means for processing the intercepted data packets to determine whether the non-authenticated client device is allowed access to the network service or resource, wherein the non-authenticated client device is allowed access when it is determined that the data packets match a connection profile defining at least one network characteristic for the data packets; and means for monitoring the intercepted data packets for the non-authenticated device.</claim-text>
<claim-text>2. The apparatus of claim 1, further comprising means for accessing a database of registered wireless client devices and wherein said determining means is arranged to determine that a wireless client device is a non-authenticated device when said wireless client device is not in the database of registered wireless client devices.</claim-text>
<claim-text>3. The apparatus of claim 1 or 2, wherein the means for monitoring is arranged to track network statistics based on the intercepted data packets.</claim-text>
<claim-text>4. The apparatus of claim 3, wherein the means for monitoring is further arranged to combine network statistics for all intercepted data packets that match the same connection profile.</claim-text>
<claim-text>5. The apparatus of any preceding claim, further comprising means for creating an accounting non-authenticated session associated with the intercepted data packets from the non-authenticated wireless client device.</claim-text>
<claim-text>6. The apparatus of claim 5, further comprising means for maintaining a list of sessions from wireless client devices that are to be monitored, and an associated connection state for each network connection.</claim-text>
<claim-text>7. The apparatus of claim 6, wherein a network connection is updated with a passive connection state when it is determined that a packet or byte count is below a predetermined threshold.</claim-text>
<claim-text>8. The apparatus of claim 7, wherein a passive network connection is removed from the list of sessions to be monitored when it is determined that the packet or byte count is below a predetermined threshold.</claim-text>
<claim-text>9. The apparatus of any preceding claim, further comprising means for storing a plurality of connection profiles, each connection profile defining one or more of a destination network address or address range, a destination port or port range, a packet count threshold and a byte count threshold.</claim-text>
<claim-text>10. The apparatus of any preceding claim, further comprising means for accessing a connection profile from a cache memory.</claim-text>
<claim-text>11. The apparatus of any preceding claim, further comprising means for determining that the wireless client device is an authenticated device and means for determining if the authenticated wireless client device is allowed access to the network service or resource based on an Authentication, Authorisation and Accounting protocol.</claim-text>
<claim-text>12. A method of controlling access to a network service or resource by a wireless client device, the method comprising: intercepting data packets transmitted from the wireless client device; determining that the wireless client device is a non-authenticated device; processing the intercepted data packets to determine whether the non-authenticated client device is allowed access to the network service or resource, wherein the non-authenticated client device is allowed access when it is determined that the data packets match a connection profile defining at least one network characteristic for the data packets; and monitoring the intercepted data packets for the non-authenticated device.</claim-text>
<claim-text>13. The method of claim 12, further comprising providing a database of registered wireless client devices and wherein a wireless client device is determined to be a non-authenticated device when said wireless client device is not in the database of registered wireless client devices.</claim-text>
<claim-text>14. The method of claim 12 or 13, wherein monitoring the intercepted data packets comprises tracking network statistics based on the intercepted data packets.</claim-text>
<claim-text>15. The method of claim 14, further comprising combining network statistics for all intercepted data packets that match the same connection profile.</claim-text>
<claim-text>16. The method of any one of claims 12 to 15, further comprising creating an accounting non-authenticated session associated with the intercepted data packets from the non-authenticated wireless client device.</claim-text>
<claim-text>17. The method of claim 16, further comprising maintaining a list of sessions from wireless client devices that are to be monitored, and an associated connection state for each network connection.</claim-text>
<claim-text>18. The method of claim 17, wherein a network connection is updated with a passive connection state when it is determined that a packet or byte count is below a predetermined threshold.</claim-text>
<claim-text>19. The method of claim 18, wherein a passive network connection is removed from the list of sessions to be monitored when it is determined that the packet or byte count is below a predetermined threshold.</claim-text>
<claim-text>20. The method of any one of claims 12 to 19, further comprising storing a plurality of connection profiles, each connection profile defining one or more of a destination network address or address range, a destination port or port range, a packet count threshold and a byte count threshold.</claim-text>
<claim-text>21. The method of any one of claims 12 to 20, further comprising determining that the wireless client device is an authenticated device and determining if the authenticated wireless client device is allowed access to the network service or resource based on an Authentication, Authorisation and Accounting protocol.</claim-text>
<claim-text>22. A system for controlling access to a protected service or resource by authenticated and authorized devices, the system being arranged to determine that a first wireless client device is an authenticated device and to provide accounted access to the protected service or resource to the authenticated device after authentication and authorisation of the device, and the system being further arranged to determine that a second wireless client device is not an authenticated device and to provide accounted access to the protected service or resource to the non-authenticated device based on an associated connection profile.</claim-text>
<claim-text>23. A storage medium comprising machine readable instructions stored thereon for causing a programmable device to become configured as the apparatus in accordance with any one of claims 1 to 11.</claim-text>
<claim-text>24. A storage medium comprising machine readable instructions stored thereon for causing a computer system to perform a method in accordance with any one of claims 12 to 21.</claim-text>
GB1116324.3A 2011-09-21 2011-09-21 System and Method for Monitoring Network Connections Withdrawn GB2494892A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
GB1116324.3A GB2494892A (en) 2011-09-21 2011-09-21 System and Method for Monitoring Network Connections
PCT/GB2012/052346 WO2013041880A1 (en) 2011-09-21 2012-09-21 Apparatus, method and system for controlling access to a network service or resource by a wireless client device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1116324.3A GB2494892A (en) 2011-09-21 2011-09-21 System and Method for Monitoring Network Connections

Publications (2)

Publication Number Publication Date
GB201116324D0 GB201116324D0 (en) 2011-11-02
GB2494892A true GB2494892A (en) 2013-03-27

Family

ID=44937637

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1116324.3A Withdrawn GB2494892A (en) 2011-09-21 2011-09-21 System and Method for Monitoring Network Connections

Country Status (2)

Country Link
GB (1) GB2494892A (en)
WO (1) WO2013041880A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109804610B (en) 2017-03-23 2022-05-13 柏思科技有限公司 Method and system for limiting data traffic transmission of network enabled devices

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020041689A1 (en) * 2000-10-05 2002-04-11 Shinichi Morimoto LAN that allows non-authenticated external terminal station to access a predetermined device in LAN
US20040190522A1 (en) * 2003-03-31 2004-09-30 Naveen Aerrabotu Packet filtering for level of service access in a packet data network communication system
US20080250478A1 (en) * 2007-04-05 2008-10-09 Miller Steven M Wireless Public Network Access

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7269727B1 (en) * 2003-08-11 2007-09-11 Cisco Technology, Inc. System and method for optimizing authentication in a network environment
US7756509B2 (en) * 2006-03-31 2010-07-13 Intel Corporation Methods and apparatus for providing an access profile system associated with a broadband wireless access network

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020041689A1 (en) * 2000-10-05 2002-04-11 Shinichi Morimoto LAN that allows non-authenticated external terminal station to access a predetermined device in LAN
US20040190522A1 (en) * 2003-03-31 2004-09-30 Naveen Aerrabotu Packet filtering for level of service access in a packet data network communication system
US20080250478A1 (en) * 2007-04-05 2008-10-09 Miller Steven M Wireless Public Network Access

Also Published As

Publication number Publication date
GB201116324D0 (en) 2011-11-02
WO2013041880A1 (en) 2013-03-28

Similar Documents

Publication Publication Date Title
US7894359B2 (en) System and method for distributing information in a network environment
US7062253B2 (en) Method and system for real-time tiered rating of communication services
EP2241058B1 (en) Method for configuring acls on network device based on flow information
US20040177247A1 (en) Policy enforcement in dynamic networks
EP1054529A2 (en) Method and apparatus for associating network usage with particular users
US20080072285A1 (en) Method and system for tracking a user in a network
US7324551B1 (en) System and method for managing bandwidth in a network environment
JP7205044B2 (en) Improvements related to network communication
JP5988311B2 (en) Issuing service offer sets to device agents with on-device service selection
CN115622931A (en) Adaptive software defined wide area network application specific probing
Park et al. Smart base station-assisted partial-flow device-to-device offloading system for video streaming services
US7424538B2 (en) Service control network system
WO2013041882A2 (en) User authentication in a network access system
US7587485B1 (en) System and method for supplicant based accounting and access
EP1705869A1 (en) Method and apparatus for locating mobile device users within a wireless computer network
CN112787975B (en) Method, device and system for determining type of access device
GB2494892A (en) System and Method for Monitoring Network Connections
US11968238B2 (en) Policy management system to provide authorization information via distributed data store
US20070136575A1 (en) Method and data processing system for determining user specific usage of a network
KR20160059825A (en) VIRTUAL 802.1x METHOD AND DEVICE FOR NETWORK ACCESS CONTROL
Liu et al. Community Cleanup: Incentivizing Network Hygiene via Distributed Attack Reporting
CA2946633A1 (en) Remote system and internet access
Zaghloul et al. Relating the AAA and the radio access rates in 3G cellular networks

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)