Secure server architecture for Web based data management

Abstract

A double firewalled system is disclosed for protecting remote enterprise servers that provide communication services to telecommunication network customers from unauthorized third parties. A first router directs all connection requests to one or more secure web servers, which may utilize a load balancer to efficiently distribute the session connection load among a high number of authorized client users. On the network side of the web servers, a second router directs all connection requests to a dispatcher server, which routes application server calls to a proxy server for the application requested. A plurality of data security protocols are also employed. The protocols provide for an identification of the user, and an authentication of the user to ensure the user is who he/she claims to be and a determination of entitlements that the user may avail themselves of within the enterprise system. Session security is described, particularly as to the differences between a remote user's copper wire connection to a legacy system and a user's remote connection to the enterprise system over a "stateless"public Internet, where each session is a single transmission, rather than an interval of time between logon and logoff, as is customary in legacy systems.

Claims

We claim:

1. A system for securing an enterprise communications network, said system having client access through the public Internet, said system comprising:

(a) a first Internet firewall for accepting service requests from an enterprise client and routing said requests to one or more preselected addresses behind said firewall, said firewall permitting access in compliance with a first set of filtering rules;

(b) at least one secure web server for receiving said service requests and managing a secure client session over the public Internet, said secure server providing session management for said service request, said session management including client identification, validation and a session identifier to link said session with said client, wherein said session identifier is a web cookie generated by a separate server during an entitlements communications, after identification and validation of the client;

(c) a second Internet/Internet firewall for accepting service requests from a secure web server and routing said requests to one or more preselected addresses behind said firewall corresponding to dispatcher servers, said firewall permitting access in compliance with a second set of filtering rules;

(d) at least one dispatcher server for communicating with said secure web server through a second firewall, said second firewall accepting services requests from said secure web server and routing said requests to said dispatcher server in compliance with a second set of filtering rules, said dispatcher server providing system access to said enterprise communications network after client entitlements have been verified; and

(e) a plurality of proxy services linking said dispatcher server to a plurality of system resources over said communications network, said plurality of system resources providing communications network management capabilities for said enterprise client, said system resources responsive to service requests from said enterprise client to generate client data or instructions relating to said communications network.

2. The system for securing an enterprise communications network as claimed in claim 1 wherein said secure web server communicates with said dispatcher server over an encrypted socket connection.

3. The system for securing an enterprise communications network as claimed in claim 2 wherein said system includes encryption between said secure web server and said dispatcher server.

4. The system for securing an enterprise communications network as claimed in claim 3 wherein said system includes a first encryption algorithm for transmission of all customer data between said secure web server and said dispatcher server, and a second encryption algorithm for transmission of all data between said secure web server and said enterprise client.

5. The system for securing an enterprise communications network as claimed in claim 1, wherein said system further comprises a plurality of secure web servers and a load balancing device for managing and distributing a plurality of client sessions across said plurality of secure web servers.

6. The system for securing an enterprise communications network as claimed in claim 1 wherein said web cookie is wrapped and unwrapped by said secure web server at each service request to link a session with said client through a plurality of discrete client service requests in said session to verify said client to said dispatcher server at each transmission of a service request in said session.

7. The system for securing an enterprise communications network as claimed in claim 6 which further includes a web browser for said client which provides secure socket layer encryption of client identification, authentication and said web cookie at each service request.

8. The system for securing an enterprise communications network as claimed in claim 7 wherein said web cookies provide simultaneous session management for a plurality of system resources.

9. A system for securing an enterprise communications network, said system having client access through the public Internet, said system comprising:

(a) a first Internet firewall for accepting service requests from an enterprise client and routing said requests to one or more preselected addresses behind said firewall, said firewall permitting access in compliance with a first set of filtering rules;

(b) a plurality of web servers having said preselected addresses for receiving said service requests and managing a plurality of client sessions over the public Internet, a load of said client sessions per each of said web servers is balanced by web balancers, each of said web servers providing session management for said service request, said session management including client identification, validation and a session identifier to link a session with a client, wherein said session identifier is a web cookie generated by a separate server during an entitlements communications, after identification and validation of the client;

(c) at least one dispatcher server for communicating with said web servers through a second firewall, said second firewall accepting services requests from said web servers and routing said requests to said dispatcher server in compliance with a second set of filtering rules, said dispatcher server providing system access to said enterprise communications network after client entitlements have been verified; and

(d) a plurality of proxy servers linking said dispatcher server to a plurality of application servers within said communications network, said application servers communicating with a plurality of system resources to provide communications network management capabilities for said enterprise clients.

10. The system for securing an enterprise communications network as claimed in claim 9 wherein said web servers are secure servers which encrypt each of said service requests with a first algorithm before transmission to said dispatcher server and a selected one of said proxy and said application servers.

11. The system for securing an enterprise communications network as claimed in claim 9, said communications network further including an authentication server which determines application server entitlements for said client following authentication.

12. The system for securing an enterprise communications network as claimed in claim 9, wherein said system further comprises a load balancing device for managing and distributing a plurality of client sessions across said plurality of web servers.

13. The system for securing an enterprise communications network as claimed in claim 9 wherein said unique web cookie is wrapped and unwrapped by said secure web server at each service request to link a session with said client through a plurality of discrete client service requests in said session to verify said client to said dispatcher server at each transmission of a service request in said session.

14. The system for securing an enterprise communications network as claimed in claim 10 which further includes a web browser for said client which provides secure socket layer (SSL) encryption of client identification, authentication and said web cookie at each service request.

15. The system for securing an enterprise communications network as claimed in claim 14 wherein said system includes RSA encryption for transmission of all customer data between said plurality of secure web servers and said dispatcher server, and SSL encryption for transmission of all data between said secure web servers and said plurality of enterprise clients.

16. A method of securing an enterprise communications network having public access via the public Internet, said method enabling access by a plurality of enterprise clients, said method comprising:

(a) routing all public access requests to one or more first preselected addresses for response via a first set of routing rules;

(b) authenticating a secure web server in response to said request for access and initiating a secure session with a client browser over the Internet;

(c) encrypting communications between said client browser and said secure server with a first security protocol;

(d) routing a request for client authentication and a set of client entitlements from said secure server to a second preselected address at log-on via a second set of routing rules, wherein said client authentication and client and entitlements are provided by an authentication server;

(e) encrypting communications within said network with a second security protocol; and

(f) creating a session management object at each log-on to authenticate the client's browser to the enterprise network at each communication from the browser during the communications session, said session management object including client identification, validation and a session identifier to link a session with a client, wherein said session identifier is a unique web cookie generated by a separate server during an entitlements communications, after identification and validation of the client.

17. The method of securing an enterprise communications network as claimed in claim 16, said method further comprising the step of providing a plurality of application resources to one of said plurality of enterprise clients within said network in accordance with entitlements determined for said one of said plurality of clients at authentication.

18. The method of securing an enterprise communications network as claimed in claim 16 which further includes the step of balancing a plurality of client requests across a plurality of secure web servers to improve response time for each client session.

19. The method of securing an enterprise communications network as claimed in claim, 17, said method further comprising the steps of packet filtering communications between said client browser and said secure web server.

20. The method of securing an enterprise communications network as claimed in claim 19, said method further comprising the step of creating a proxy to filter communications between said secure web server and an application resource within said network.

21. The method of securing an enterprise communications network as claimed in claim 18, wherein said method further includes public key encryption for encrypting communications between the client browser and the network.

22. The method of securing an enterprise communications network as claimed in claim 18 which uses a negotiated SSL protocol to authenticate the secure web server and encrypt communications between the client browser and the secure web server.

23. The method of securing an enterprise communications network as claimed in claim 18, wherein public key encryption is used for said second security protocol within said network.

24. The method of securing an enterprise communications network as claimed in claim 16, wherein said method further includes the step of embedding calls to Java applets in a logon page presented to a one of said plurality of clients at log on, one of said applets creating said session management object in said one client browser.

25. The method of securing an enterprise communications network as claimed in claim 17, wherein said method further includes the step of downloading a collection of Java objects to said client browser for session management following a successful log on, said collection of objects enabling communications with said application resources during said session.

26. The method of securing an enterprise communications network as claimed in claim 24, further comprising the step of examining said unique cookie at each session transmission to maintain session security.

Description

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates in general to securing access to a computer and computer data, and more particularly to a security methodology for securing access to an enterprise network or extranet having access from the public Internet.

2. Background Art

In conventional remote connect computer systems, a connection is made with a large legacy system via a dial-up connection from a customer owned terminal, personal computer or workstation. This connection frequently, although not always, is a fixed copper connection through one or more telco central offices and emulates a terminal addressable by the legacy systems and employs a security methodology dictated by the legacy system. The dial-up access requires custom hardware for a terminal or custom software for a workstation to provide a remote connection. This includes dial-up services, communication services, emulation and/or translation services and generally some resident custom form of the legacy application to interface with the midrange or mainframe computer running the legacy system.

There are several problems associated with this approach. First, the aforementioned software is very hardware dependent, requiring multiple versions of software compatible with each of a wide range of workstations customers generally have. In addition, an extensive inventory of both software and user manuals for distribution to the outside customers is required if an enterprise desires to make its resources available to its customers. Moreover, installing the software generally requires an intensive effort on the customer and the software support team before any reliable and secure sessions are possible.

Secondly, dial-up, modem, and communications software interact with each other in many ways which are not always predictable to a custom application, requiring extensive trouble shooting and problem solving for an enterprise desiring to make the legacy system available to the customer, particularly where various telephone exchanges, dialing standards or signal standards are involved.

Thirdly, although businesses are beginning to turn to the Internet to improve customer service and lower costs by providing Web-based support systems, when an enterprise desires to make more than one system available to the customer, the custom application for one legacy system is not able to connect to a different legacy system, and the customer must generally logoff, logon and re-authenticate to switch from one to the other. The security and entitlement features of the various legacy systems may be completely different, and vary from system to system and platform to platform. The security methodology used by the two legacy systems may be different, requiring different logon interfaces, user or enterprise IDs and passwords. Different machine level languages may be used by the two systems as for example, operating systems utilizing the 256 (=28) character combination EBCDIC used by IBM, and 128 (=27) character combination ASCII used by contemporary personal computers.

It is therefore desired to provide remote customers with secure connectivity to enterprise legacy systems over the public Internet. The public Internet provides access connectivity world wide via the TCP/IP protocol, without need to navigate various disparate security protocols, telephone exchanges, dialing standards or signal standards, thereby providing a measure of platform independence for the customer.

As contemplated with the present invention the customer can run their own Internet Web browser and utilize their own platform connection to the Internet to enable services. This resolves many of the platform hardware and connectivity issues in the customers favor, and leaves the choice of platform and operating system to the customer. Web-based programs can minimize the need for training and support since they utilize existing client software which the user has already installed and already knows how to use. Further, if the customer later changes that platform, then, as soon as the new platform is Internet enabled, service is restored to the customer. The connectivity and communications software burden is thus resolved in favor of standard and readily available hardware and the browser and software used by the public Internet connection.

Secure World Wide Web (Web)-based online systems are now starting to emerge, generally using security protocols supplied by the browser or database vendors. These Web-based online systems usually employ HTTPS and a Web browser having Secure Sockets Layer (SSL) encryption, and they display Hypertext Markup Language (HTML) pages as a graphical user interface (GUI), and often include Java applets and Common Gateway Interface (CGI) programs for customer interaction.

For the enterprise, the use of off-the-shelf Web browsers by the customer significantly simplifies the enterprise burden. Software development and support resources are available for the delivery of the enterprise legacy services and are not consumed by a need for customer support at the workstation level.

However, the use of the public Internet also introduces new security considerations not present in existing copper wire connections, as an open system increases the exposure to IP hijackers, sniffers and various types of spoofers that attempt to collect user IDs and passwords, and exposes the availability of the service to the users when the system is assaulted by syn-flooding, war dialers or ping attacks. These measures also need to be combined with traditional security measures used to prevent traditional hacker attacks, whether by copper wire or the Internet, that might compromise the enterprise system and its data.

SUMMARY OF THE INVENTION

The present invention is directed to a series of security protocols and an integrated system for the same that enables a remote user to interact with one or more application services provided by servers over the public Internet, or an enterprise Extranet. The present invention utilizes the Web paradigm and an integrated graphical user interface to allow easy and convenient access from the user's perspective, wherein the security provisions are transparent to the user, other than the entry of a customary user id and a strong password.

In order to provide cross-platform software operability that is not dependent on a specific operating system or hardware, the present invention is implemented using programming languages, such as Java.TM. which only requires a Java.TM. enabled Web browser. The system of the present invention includes an application backplane unit for controlling and managing the overall user interface system to a number of Web enabled application services, and a common security object for managing security and Java.TM. applets for a number of disparate services available from the servers.

Each service includes its own user interface unit, referred heretofore as a client application, independently implemented of one another and the backplane. Although the client applications are independently developed as separate modules, the system of the present invention provides a capability of integrating the client applications and secured access thereto into one unified system, allowing users to access the individual client applications via the backplane unit and the security object.

The present invention includes centralized user authentication to insure that the remote user has valid access to the system. The authentication procedure generally includes a logon object which prompts for and accepts the user's name and password. The logon object then communicates the logon transaction to a server responsible for screening those remote users attempting to access services. Once a remote user has been authenticated by the system of the present invention, the user need not re-enter their name and password each time the user accesses another server via the respective server's user interface program. In addition, each application may supplement the provided authentication procedure, with its own method of authentication by communicating with its respective servers independently.

Once a validated remote user is logged onto the system, the user is presented with a set of services which the remote user may obtain. The set of services available for each remote user is unique and depends on each user's subscriptions to the services. The set of service subscription, then forms the user's entitlements for the services. Thus, for example, if a user subscribes to a toll free network management service, the user is entitled to access information regarding the service. On the other hand, if the user does not subscribe to the toll free network manager service, that option is not available for the user to select.

The present invention includes a user object to represent a current user logged onto the system. This user object, inter alia, is responsible for obtaining from a server the current user's information including the user's entitlements to various services. The backplane uses the entitlement information to provide only those services available to the user. As explained previously, the backplane will not enable the services to which the user does not have the entitlements, effectually blocking the user from accessing those services.

In addition, the user information is maintained for the duration of a logon session, allowing both the backplane and the client applications to access the information as needed throughout the duration of the session. The backplane and the client applications use the information to selectively provide services to users. Accordingly, it is yet another object of the present invention to provide a mechanism for retrieving and maintaining user information and entitlements such that they are available to processes and threads running on the remote client platform without having to communicate with a server every time the information is needed.

The system of the present invention implements a "keep alive message" passed between a client and a server, also called a "heartbeat." For example, a keep alive message is sent every predefined period, e.g., 1 minute from a client application to the server. When the client application fails to heartbeat consecutively for a predetermined period of time, for example, one hour, the server treats this client application as having exited by closing the application and performing cleanup routines associated with the application. This mechanism effectively prevents unauthorized access unwanted sessions from remaining open in the event of client application failures or user neglect. Accordingly, it is a further object of the present invention to provide a mechanism for detecting communication failures among the "stateless" processes running the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

Preferred embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings in which:

FIG. 1 is a diagrammatic overview of the architectural framework of an enterprise Internet network system;

FIG. 2 is an illustrative example of a backplane architecture schematic as invoked from a home page of the present system;

FIG. 3 illustrates an example client GUI presented to the client/customer as a browser Web page;

FIG. 4 is a diagrammatic overview of the software architecture of the enterprise Internet network system.

FIG. 5 is a diagram depicting the physical network architecture in the system of the present invention;

FIG. 6 is an example illustrating a logon Web page of the present invention;

FIG. 7 is a diagram illustrating a security module design having clean separation from the browser specific implementations;

FIG. 8 is a schematic illustration of the message format passed from the user workstation 10 to the secure web server 24 over the public Internet;

FIG. 9 is a high head functional overview of the communications and encryption protocols between the web server and the Dispatcher server;

FIG. 10 is a flow diagram illustrating a logon process to the system of the present invention;

FIG. 11 is a data flow diagram illustrating the present invention's process flow during logon, entitlement request/response, heartbeat transmissions and logoff procedures;

FIG. 12 is a data flow diagram for various transactions communicated in the system of the present invention;

FIG. 13(a) is a schematic illustration showing the message format passed between the Dispatcher server and the application specific proxy;

FIG. 13(b) is a schematic illustration of the message format passed between the application specific proxy back to the Dispatcher server;

FIG. 14 is a diagram illustrating a hierarchical architecture of DMZ web servers utilizing a file server;

FIG. 15 is a diagram illustrating a hierarchical architecture of DMZ web servers, each having a local disk; and

FIG. 16 is a diagram illustrating Application Security process flow.

DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention is directed to a series of security protocols and procedures used to protect an integrated system that enables a remote user to interact with one or more enterprise applications provided by servers over the public Internet, or an enterprise Extranet. The present invention utilizes the Web paradigm and an integrated graphical user interface to allow easy and convenient access from the user's perspective, wherein the security provisions are transparent to the user, other than the entry of a customary user id and a strong password.

The discussion of the present invention will include an overview of the system in which the various security protocols function and detailed discussions of Communications Security, User Identification and Authentication, Session Security, Enterprise Security and Application security.

Communications security relates to the authenticity of the enterprise web server and the security of the transmitted data through an implementation of the Secure Sockets Layer (SSL) version of HTTPS.

User Identification and Authentication relates to an identification of the user, an authentication of the user to ensure the user is who he/she claims to be and a determination of entitlements that the user may avail themselves of within the enterprise system.

Session Security is directed to the differences between a remote user's copper wire connection to a legacy system and a user's remote connection to the enterprise system over a "stateless" public Internet, where each session is a single transmission, rather than an interval of time between logon and logoff, as is customary in legacy systems.

Enterprise Security is directed to the security of the enterprise network and the data maintained by the various enterprise applications with respect to attacks on the system or data.

ARCHITECTURAL OVERVIEW OF THE WEB-ENABLED SYSTEM

The web-enabled system in which the present security protocols are found is basically organized as a set of common components which together are known as networkMCI Interact, which includes the following major components:

1) an object oriented software architecture detailing the client and server based aspects of networkMCI Interact;

2) a network architecture defining the physical network needed to satisfy the security and data volume requirements of networkMCI Interact;

3) a data architecture detailing the application, back-end or legacy data sources available for networkMCI Interact; and,

4) an infrastructure covering security, order entry, fulfillment, billing, self-monitoring, metrics and support.

Each of these common component area will be generally discussed herein below. A detailed description of each of these components can be found in a related, co-pending U.S. patent application No. 09/159,695, filed Sep. 24, 1998, entitled INTEGRATED CUSTOMER INTERFACE SYSTEM FOR COMMUNICATIONS NETWORK MANAGEMENT, the disclosure of which is incorporated herein by reference thereto.

FIG. 1 is a diagrammatic illustration of the software architecture in which the present invention functions. A first tier of software services are resident on a customer work station 10 and provides customer access to the enterprise system, having one or more downloadable application objects directed to front end business logic as indicated at 11, one or more backplane service objects 12 for managing sessions, one or more presentation services objects 13 for the presentation of customer options and customer requested data in a browser recognizable format and a customer supplied browser 14 and operating system environment for presentation of customer options and data to the customer and for Internet communications over the public Internet.

A second or middle tier 16 is provided, having secure web servers 24 and back end services to provide applications that establish user sessions, govern user authentication and their entitlements, and communicate with adaptor programs to simplify the interchange of data across the network.

A back end or third tier 18 having applications directed to legacy back end services includes database storage and retrieval systems and one or more database servers for accessing system resources from one or more legacy systems 20.

Generally, as explained in co-pending U.S. Pat. application No. 09/159,515, filed Sep. 24, 1998, now U.S. Pat. No. 6,115,040, entitled GRAPHICAL USER INTERFACE FOR WEB ENABLED APPLICATIONS, the disclosure of which is incorporated herein by reference thereto, the customer workstation 10 includes client software capable of providing a platform-independent, browser-based, consistent user interface implementing objects programmed to provide a reusable and common GUI and problem-domain abstractions. More specifically, the client-tier software is created and distributed as a set of Java classes including the applet classes to provide an industrial strength, object-oriented environment over the Internet. Application-specific classes are designed to support the functionality and server interfaces for each application with the functionality delivered through the system being of two-types: 1) cross-product, for example, inbox and reporting functions, and 2) product specific, for example, Toll Free Network Manager or Broadband Manager functions. The system is capable of delivering to customers the functionality appropriate to their product mix.

FIG. 4 is a diagrammatic illustration of the network and platform components of the networkMCI Interact system, including: the Customer workstation 10; the Demilitarized Zone 17 (DMZ); a cluster of Web Servers 24; the MCI Dispatcher Server 26; the MCI application servers 40, and the legacy systems 20.

The customer workstation 10 is browser enabled and includes client applications responsible for presentation and front-end services. Its functions include providing a user interface to various MCI services and supporting communications with MCI's Intranet web server cluster 24. As illustrated in FIG. 2, and more specifically described in the above-referenced co-pending U.S. Patent Application GRAPHICAL USER INTERFACE FOR WEB ENABLED APPLICATIONS, the client tier software is responsible for presentation services to the customer and generally includes a web browser 14 and additional object-oriented programs residing in the client workstation platform 10. The client software is generally organized into a component architecture with each component generally comprising a specific application, providing an area of functionality. The applications generally are integrated using a "backplane" services layer 12 which provides a set of services to the application objects which provide the front end business logic 11 and manages their launch. The networkMCI Interact common set of objects provide a set of services to each of the applications such as: 1) session management; 2) application launch; 3) inter-application communications; 4) window navigation among applications; 5) log management; and 6) version management.

The primary common object services include: graphical user interface (GUI); communications; printing; user identity, authentication, and entitlements; data import and export; logging and statistics; error handling; and messaging services.

FIG. 2 is an diagrammatic example of a backplane architecture scheme illustrating the relationship among the common objects. In this example, the backplane services layer 12 is programmed as a Java applet which can be loaded and launched by the web browser 14. With reference to FIG. 2, a typical user session starts with a web browser 14 creating a backplane 12, after a successful logon. The backplane 12, inter alia, presents a user with an interface for networkMCI Interact application management. A typical user display provided by the backplane 12 may show a number of applications the user is entitled to run, each application represented by buttons depicted in FIG. 2 as buttons 58a, b, c selectable by the user. As illustrated in FIG. 2, upon selection of an application, the backplane 12 launches that specific application, for example, Service Inquiry 54a or Alarm Monitor 54b, by creating the application object. In processing its functions, each application in turn, may utilize common object services provided by the backplane 12. FIG. 2 shows graphical user interface objects 56a, b created and used by a respective application 54a, b for its own presentation purposes.

FIG. 3 illustrates an example client GUI presented to the client/customer as a browser web page 60 providing, for example, a suite 70 of network management reporting applications, which may include: Traffic Monitor 72; a Monitor 73; a Network Manager 74 and Intelligent Routing 75. Access to network functionality is also provided through Report Requester 76, which provides the ability to define and request a variety of reports for the client/customer and a Message Center 77 for providing enhancements and functionality to traditional e-mail communications by providing access to user requested reports and bulk data. Additional network MCI Internet applications not illustrated in FIG. 3 include Online Invoice, relating to electronic invoicing and Service Inquiry related to Trouble Ticket Management.

As shown in FIGS. 2 and 3, the browser resident GUI of the present invention implements a single object, COBackPlane which keeps track of all the client applications, and which has capabilities to start, stop, and provide references to any one of the client applications.

The backplane 12 and the client applications use a browser 14 such as the Microsoft Internet Explorer versions 4.0.1 or higher for an access and distribution mechanism. Although the backplane is initiated with a browser 14, the client applications are generally isolated from the browser in that they typically present their user interfaces in a separate frame, rather than sitting inside a Web page.

The backplane architecture is implemented with several primary classes. These classes include COBackPlane, COApp, COAppImpl, COParm. and COAppFrame classes. COBackPlane 12 is an application backplane which launches the applications 54a, 54b, typically implemented as COApp. COBackPlane 12 is generally implemented as a Java applet and is launched by the Web browser 14. This backplane applet is responsible for launching and closing the COApps.

When the backplane is implemented as an applet, it overrides standard Applet methods init(), start(), stop() and run(). In the init() method, the backplane applet obtains a COUser user context object. The COUser object holds information such as user profile, applications and their entitlements. The user's configuration and application entitlements provided in the COUser context are used to construct the application toolbar and Inbox applications. When an application toolbar icon is clicked, a particular COApp is launched by launchApp() method. The launched application then may use the backplane for inter-application communications, including retrieving Inbox data.

The COBackPlane 12 includes methods for providing a reference to a particular COApp, for interoperation. For example, the COBackPlane class provides a getApp() method which returns references to application objects by name. Once retrieved in this manner, the application object's public interface may be used directly.

The use of a set of common objects for implementing the various functions provided by the system of the present invention, and particularly the use of browser based objects to launch applications and pass data therebetween is more fully described in the above referenced copending application GRAPHICAL USER INTERFACE FOR WEB ENABLED APPLICATIONS, and Appendix A, attached to that application, provides descriptions for the common objects which includes various classes and interfaces with their properties and methods.

As shown in FIG. 4, the aforesaid objects will communicate the data by establishing a secure TCP messaging session with one of the DMZ networkMCI Interact Web servers 24 via an Internet secure communications path 22 established, preferably, with a secure sockets SSL version of HTTPS. The DMZ networkMCI Interact Web servers 24 function to decrypt the client message, preferably via the SSL implementation, and unwrap the session key and verify the users session. After establishing that the request has come from a valid user and mapping the request to its associated session, the DMZ Web servers 24 will re-encrypt the request using symmetric encryption and forward it over a second secure socket connection 23 to the dispatcher server 26 inside the enterprise Intranet.

As will be hereinafter described in greater detail, a networkMCI Interact session is designated by a logon, successful authentication, followed by use of server resources, and logoff. However, the world-wide web communications protocol uses HTTP, a stateless protocol, each HTTP request and reply is a separate TCP/IP connection, completely independent of all previous or future connections between the same server and client. The present invention is implemented with a secure version of HTTP such as S-HTTP or HTTPS, and presently utilizes the SSL implementation of HTTPS. The preferred embodiment uses SSL which provides a cipher spec message which provides server authentication during a session. The preferred embodiment further associates a given HTTPS request with a logical session which is initiated and tracked by a "cookie jar server" 32 to generate a "cookie" or session identifier which is a unique server-generated key that is sent to the client along with each reply to a HTTPS request. The client holds the cookie or session identifier and returns it to the server as part of each subsequent HTTPS request. As desired, either the Web servers 24, the cookie jar server 32 or the Dispatcher Server 26, may maintain the "cookie jar" to map the session identifier to the associated session. A separate cookie jar server 32, as illustrated in FIG. 4 has been found desirable to minimize the load on the dispatcher server 26. A new cookie will be generated when the response to the HTTPS request is sent to the client. This form of session management also functions as an authentication of each HTTPS request, adding an additional level of security to the overall process.

As illustrated in FIG. 4, after one of the DMZ Web servers 24 decrypts and verifies the user session, it forwards the message through a firewall 29b over a TCP/IP connection 23 to the dispatcher server 26 on a new TCP socket while the original socket 22 from the browser is blocking, waiting for a response. The dispatcher server 26 will unwrap an outer protocol layer of the message from the DMZ server cluster 24, and will reencrypt the message with a different encryption key and forward the message to an appropriate application proxy via a third TCP/IP socket 27. While waiting for the proxy response all three of the sockets 22, 23, 27 will be blocking on a receive. While either symmetric or public key encryption can be used, in the preferred embodiment, public key encryption is utilized, with the "public" keys used between components of the network, kept secret. A different public key may be employed for communicating between the dispatcher 26 to the webservers 24 than is used from the webserver 24 to the dispatcher 26. Specifically, once the message is decrypted, the wrappers are examined to reveal the user and the target middle-tier (Intranet application) service for the request. A first-level validation is performed, making sure that the user is entitled to communicate with the desired service. The user's entitlements in this regard are fetched by the dispatcher server 26 from StarOE server 49 at logon time and cached.

If the requestor is authorized to communicate with the target service, the message is forwarded to the desired service's proxy. Each application proxy is an application specific daemon which resides on a specific Intranet server, shown in FIG. 4 as a suite of mid-range servers 40. Each Intranet application server of suite 40(a) is generally responsible for providing a specific back-end service requested by the client, and, is additionally capable of requesting services from other Intranet application servers by communicating to the specific proxy associated with that other application server. Thus, an application server not only can offer its browser a client to server interface through the proxy, but also may offer all its services from its proxy to other application servers. In effect, the application servers requesting service are acting as clients to the application servers providing the service. Such mechanism increases the security of the overall system as well as reducing the number of interfaces.

The network architecture of FIG. 4 may also include a variety of application specific proxies having associated Intranet application servers including: a StarOE proxy for the StarOE application server 49 for handling authentication order entry/billing; an Inbox proxy for the Inbox application server 41, which functions as a container for completed reports, call detail data and marketing news messages, a Report Manager Proxy capable of communicating with a system-specific Report Manager server 42 for generating, managing and scheduling the transmission of customized reports including, for example: call usage analysis information provided from the StarODS server 43; network traffic analysis/monitor information provided from the Traffic view server 44; virtual data network alarms and performance reports provided by Broadband server 45; trouble tickets for switching, transmission and traffic faults provided by Service Inquiry server 46; and toll free routing information provided by Toll Free Network Manager server 47.

As partially shown in FIG. 4, it is understood that each midrange server of suite 40 communicates with one or several consolidated network databases which include each customer's network management information and data. In the present invention the Services Inquiry server 46 includes communication with MCI's Customer Service Management legacy platform 20(a). Such network management and customer network data is additionally accessible by authorized MCI management personnel. As shown in FIG. 4, other legacy or host platforms 20(b), 20(c) and 20(d) may also communicate individually with the Intranet servers for servicing specific transactions initiated at the client browser. The illustrated host platforms 20(a)-(d) are illustrative only and it is understood other host platforms may be interpreted into the network architecture illustrated in FIG. 4 through an intermediate midrange server 40.

Each of the individual proxies may be maintained on the dispatcher server 26, the related application server, or a separate proxy server situated between the dispatcher server 26 and the midrange server 40. The relevant proxy waits for requests from an application client running on the customer's workstation 10 and then services the request, either by handling them internally or forwarding them to its associated Intranet application server 40. The proxies additionally receive appropriate responses back from an Intranet application server 40. Any data returned from the Intranet application server 40 is translated back to client format, and returned over the Internet to the client workstation 10 via the Dispatcher Server 26 and at one of the web servers in the DMZ Services cluster 24 and a secure sockets connection. When the resultant response header and trailing application specific data are sent back to the client browser from the proxy, the messages will cascade all the way back to the browser 14 in real time, limited only by the transmission latency speed of the network.

The networkMCI Interact middle tier software includes a communications component offering three (3) types of data transport mechanisms: 1) Synchronous; 2) Asynchronous; and 3) Bulk transfer. Synchronous transaction is used for situations in which data will be returned by the application server 40 quickly. Thus, a single TCP connection will be made and kept open until the full response has been retrieved.

Asynchronous transaction is supported generally for situations in which there may be a long delay in application server 40 response. Specifically, a proxy will accept a request from a customer or client 10 via an SSL connection and then respond to the client 10 with a unique identifier and close the socket connection. The client 10 may then poll repeatedly on a periodic basis until the response is ready. Each poll will occur on a new socket connection to the proxy, and the proxy will either respond with the resultant data or, respond that the request is still in progress. This will reduce the number of resource consuming TCP connections open at any time and permit a user to close their browser or disconnect a modem and return later to check for results.

Bulk transfer is generally intended for large data transfers and are unlimited in size. Bulk transfer permits cancellation during a transfer and allows the user to resume a transfer at a later point in time.

The DMZ Web servers 24 are found in a special secure network area set aside from the Intranet to prevent potentially hostile customer access. All DMZ equipment is physically isolated and firewalled as illustrated at 29(a), 29(b) from the company Intranet. Similarly, the DMZ equipment is firewalled and obscured from hostile attacks from the public Internet, except for limited web browser access to the web servers which are located in the DMZ. The customer's web browser connects to a web server in the DMZ which in turn connects to the Dispatcher server 26 which acts as a proxy to extract select information from midrange servers 40 located in the company Intranet. A user may not directly connect to any enterprise server in the enterprise Intranet, thus ensuring internal company system security and integrity.

The DMZ also isolates the company Intranet from the public Internet because the web servers 24 located in the DMZ never store or compute actual customer sensitive data. The web servers only put the data into a form suitable for display by the customer's web browser. Since the DMZ web servers 24 do not store customer data, there is a much smaller chance of any customer information being jeopardized in case of a security breach.

All reporting is provided through the Message Center (Inbox) and a Report Requestor application interface which supports spreadsheets, a variety of graph and chart types, or both simultaneously. For example, the spreadsheet presentation allows for sorting by any arbitrary set of columns. The report viewer may also be launched from the Message Center (Inbox) when a report is selected.

By associating each set of report data which is downloaded via the inbox with a small report description object, it is possible to present most reports without report-specific presentation code (the report-specific code is in the construction of the description object). These description objects are referred to as "metadata," or "data about data." At one level, they function like the catalog in a relational database, describing each row of a result set returned from the middle tier as an ordered collection of columns. Each column has a data type, a name, and a desired display format, etc. Column descriptive information will be stored in an object, and the entire result set will be described by a list of these objects, one for each column, to allow for a standard viewer to present the result set, with labeled columns. Nesting these descriptions within one another allows for breaks and subtotaling at an arbitrary number of levels. This further enhances the security for the customer data, for without the meta-data associated with the report, the report data is essentially a meaningless block of data.

Communications Security

Communications security, which relates to the authenticity of the enterprise web server and the security of the transmitted data will be described with respect to an implementation in the preferred embodiment of the invention of the Secure Sockets Layer (SSL) version of HTTPS.

In order for a communication to be secure, it must be known that the message comes from the correct source, that it arrives at the correct destination, that it has not been modified, and has not been intercepted and understood by a third party. Normal encryption protects against understanding the message, even if intercepted, and certain types of cipher encryption provide the ability to determine that the message has been tampered with and in some cases reconstruct the message even if intercepted and intentionally garbled. The disadvantage of normal encryption is the difficulty associated with the secure distribution and updates of the keys used for encryption and decryption.

Public key encryption solves the distribution and update problem, but does not, for the public Internet, ensure the identity of the party with whom one is communicating. A spoofer who appropriates the DNS address of an enterprise for a leg of the Internet can substitute the spoofers public key for the public key of the enterprise with whom the user is attempting to communicate, thereby fooling the user into revealing the user name and password used on the enterprise system. To avoid this problem, digital signatures have been developed to ensure the identity of the sender. They also, simultaneously, commit the sender to the message, avoiding subsequent repudiation.

The communications link between the enterprise and the user may be secured with S-HTTP, HTTPS, or proprietary encryption methodologies, such as VNP or PPTP tunneling, but in the preferred embodiment utilizes the Secure Sockets Layer (SSL) protocol developed by Netscape Communications. It is noted that these solutions are intended for use with IPv4, and that IPv6, presently under comment by the Internet Engineering Steering Group, may enable secure transmissions between client and server without resort to proprietary protocols. The remaining security protocols of the present invention may be used with IPv6 when it becomes an available standard for secure IP communications.

The SSL component of the HTTPS also includes non-repudiation techniques to guarantee that a message originating from a source is the actual identified sender. One technique employed to combat repudiation includes use of an audit trail with electronically signed one-way message digests included with each transaction. This technique employs SSL public-key cryptography with one-way hashing functions.

Another communications issue involving the secure communications link, is the trust associated with allowing the download of the Java common objects used by the present invention, as discussed earlier with respect to the browser, since the Java objects used in the present invention require that the user authorize disk and I/O access by the Java object.

Digital Certificates, such as those developed by VeriSign, Inc. entitled VeriSign Digital ID.TM. provide a means to simultaneously verify the server to the user, and to verify the source of the Java object to be downloaded as a trusted source as will hereinafter be described in greater detail.

As illustrated in FIG. 10, the process starts with the remote customer browser 10 (FIG. 4) launch as indicated at step 280, and the entry of the enterprise URL, such as HTTPS://www.enterprise.com as indicated at step 282. Following a successful connection, the SSL handshake protocol is initiated as indicated at step 283. When a SSL client and server first start communicating, they agree on a protocol version, select cryptographic algorithms, authenticate the server (or optionally authenticate each other) and use public-key encryption techniques to generate shared secrets. These processes are performed in the handshake protocol, which can be summarized as follows: The client sends a client hello message to which the server must respond with a server hello message, or else a fatal error will occur and the connection will fail. The client hello and server hello are used to establish security enhancement capabilities between client and server. The client hello and server hello establish the following attributes: Protocol Version, Session ID, Cipher Suite, and Compression Method. Additionally, two random values are generated and exchanged: ClientHello.random and ServerHello.random.

Following the hello messages, the server will send its digital certificate. Alternately, a server key exchange message may be sent, if it is required (e.g. if their server has no certificate, or if its certificate is for signing only). Once the server is authenticated, it may optionally request a certificate from the client, if that is appropriate to the cipher suite selected.

The server will then send the server hello done message, indicating that the hello-message phase of the handshake is complete. The server will then wait for a client response. If the server has sent a certificate request Message, the client must send either the certificate message or a no_certificate alert. The client key exchange message is now sent, and the content of that message will depend on the public key algorithm selected between the client hello and the server hello. If the client has sent a certificate with signing ability, a digitally-signed certificate verify message is sent to explicitly verify the certificate.

At this point, a change cipher spec message is sent by the client, and the client copies the pending Cipher Spec into the current Cipher Spec. The client then immediately sends the finished message under the new algorithms, keys, and secrets. In response, the server will send its own change cipher spec message, transfer the pending to the current Cipher Spec, and send its finished message under the new Cipher Spec. At this point, the handshake is complete and the client and server may begin to exchange user layer data.

        Client                                        Server
        ClientHello                    - - - - - - - ->
                                                ServerHello
                                          Certificate*
                               ServerKeyExchange*
                                            CertificateRequest*
                                   <- - - - - - - ServerHelloDone
        Certificate*
        ClientKeyExchange
        CertificateVerify*
        [ChangeCipherSpec]
        Finished                         - - - - - - - ->
            [ChangeCipherSpec]
                                       <- - - - - - - -
    Finished
        Login Data             <- - - - - - -> Login HTML
    *Indicates optional or situation-dependent messages that are not always
     sent.

                // Instantiating COSecurity objectCOSecurity
                security = new CoSecurity();
                // Now access a privileged resource
                try {
                    String s =
                    security.getSystemProperty("user.home");
                    System.out.println(s);
                }
                catch(COSecurityException cose)
                {
                    // take care in case of security exception
                }

              // Within the backplane
              COClientSession session = new COClientSession();
              try {
                  Session.logon ("username", "password");
              } catch (COClientLogonException e) { . . . };
              // Should the User object be required
              COUser user = session.getUser();

              COClientSession ss = new COClientSession();
                  try {
                      ss.setURL(urlString);
                      ss.logon("jsmith", "myPassword");
              } catch (CoClientLogonException e) { . . .
              } catch (MalformedURLException e) { . . . };

• Inventors
  Devine, Carol Y.; Shifrin, Gerald A.; Shoulberg, Richard W.;
• Assignee
  WorldCom, Inc. (Clinton, MS)
• Published
  Aug-12-2003
• Current US Classes:
  705/26
  705/27
  707/10
  707/103R
  707/7
  707/8
  707/9
  709/200
  709/201
  709/203
  709/217
  709/218
  709/219
  713/201
• Application #
  159406
• International Classes
  G06F 015/16; G06F 013/14; G06F 013/36
• Field of Search
  709/200-203 709/217-219 709/227 705/26 705/27 707/1-10 707/103 707/517 707/522 707/523 713/201
• Examiner
  Hayes; Gail
• US Patent References:
  4160129
  4345315
  4817050
  4893248
  4972504
  5041972
  5075771
  5131020
  5136707
  5223699
  5228076
  5245533
  5262760
  5285494
  5287270
  5315093
  5325290
  5327486
  5361259
  5369571
  5452446
  5475836
  5481542
  5483596
  5490060
  5491779
  5506893
  5526257
  5530744
  5533108
  5537611
  5539734
  5548726
  5551025
  5555290
  5563805
  5566351
  5586260
  5602918
  5610915
  5621727
  5623601
  5630066
  5649182
  5650994
  5659601
  5666481
  5671354
  5689645
  5692030
  5692181
  5694546
  5696906
  5699403
  5699528
  5706502
  5708780
  5710882
  5721908
  5721913
  5727129
  5734709
  5734831
  5742762
  5742763
  5742768
  5742905
  5745754
  5754830
  5757900
  5764756
  5768501
  5774660
  5778178
  5778377
  5781550
  5781632
  5787160
  5787412
  5790780
  5790789
  5790809
  5793694
  5793762
  5793964
  5796393
  5802320
  5805803
  5812533
  5812654
  5812750
  5815080
  5815665
  5819225
  5819271
  5825769
  5825890
  5826029
  5826269
  5832519
  5835084
  5844896
  5845067
  5845267
  5848233
  5848396
  5848399
  5850517
  5852810
  5852812
  5862325
  5867495
  5870558
  5875236
  5877759
  5881237
  5883948
  5884032
  5884312
  5907681
  5909679
  5909682
  5915001
  5920542
  5923016
  5930764
  5930804
  5933142
  5937165
  5938729
  5949976
  5953389
  5956714
  5958016
  5960411
  5961602
  5963925
  5966695
  5970467
  5974396
  5974441
  5982864
  5983350
  5991733
  5991746
  5991806
  5999965
  5999972
  5999973
  6003079
  6006265
  6011844
  6012090
  6014647
  6014702
  6018768
  6021409
  6023762
  6029182
  6031904
  6032132
  6032184
  6041325
  6041357
  6044144
  6044362
  6049602
  6049789
  6052450
  6058170
  6058381
  6064667
  6065002
  6065059
  6072493
  6073105
  6073122
  6073241
  6078891
  6078924
  6084953
  6085171
  6085190
  6088451
  6088796
  6091808
  6094655
  6104704
  6105131
  6108700
  6108782
  6112238
  6112242
  6115040
  6115458
  6115693
  6115737
  6119109
  6122258
  6128624
  6130933
  6131095
  6131116
  6134584
  6137869
  6145001
  6154744
  6161102
  6161126
  6161128
  6173311
  6182113
  6205456
  6212506
  6212558
  6240450
  6253239
  6286050
  6292481
  6295551
  6377993