ChoiceNet Implementation

ChoiceNet has two main features: 1) dynamically downloadable filters and 2) centralized site list storage and lookup. You can use the features independently of each other, or together, depending on the application.

Dynamically Downloadable Filters

Dynamically downloadable filters extend Lucent's current RADIUS authorization feature. Access providers can now implement unique per-user filters without needing to create and maintain the user filters on all dial-in communications servers on the network.

To assign a filter to a user, a filter name is added to the user's RADIUS user profile. In the example below, user jpsmith has a filter named "F(jpsmith)" assigned. The name of this filter is sent back to the PortMaster when jpsmith successfully logs on. The PortMaster assigns this filter to jpsmith's dial-in port, and the filter is used for the rest of jpsmith's session. If the filter "F(jpsmith)" isn't stored locally on the PortMaster, a filter download request is initiated to the ChoiceNet server. If the filter "F(jpsmith)" is stored on the server, the filter rule definitions are sent to the PortMaster.

Specific filters can contain as few as one rule, such as (permit smtp) which would restrict the user to email only. Filters can also be defined with both permit and deny rules. For example, rcbrown's filter definition (see diagram) says that he is permitted to access the company's intranet (such as an internal web server) but not allowed to access the world wide web on the Internet. User "akjones" is restricted from accessing Internet Relay Chat (IRC) and Usenet.

Filters can also be defined to permit access to a few sites. Using ChoiceNet, access providers can offer value added services such as multiplayer game accounts. Permit filters could be used to allow subscribers access to a defined set of game servers, and not the rest of the Internet.

When there is a desire to permit or deny multiple sites for a user or group of users, the centralized site list lookup feature of ChoiceNet should be considered.

Downloadable filters can also be used to dynamically assign filters for dial-up ISDN or analog routers when PortMaster Communications Servers are used as multi-port routing hubs.

Filter diagram

Centralized Site Lists and Filters

ChoiceNet's centralized site list lookup feature allows the PortMaster or Lucent's IRX and Office routers to permit or deny access depending on how a filter rule is defined. A centralized site list t ed as "sex sites" can be used in a deny filter to restrict access to any of these sites, or in a permit filter that only allows access to these sites.

The ChoiceNet server is a clearinghouse for 0 site lists defined by 0, non-profit, or individuals. One or more site lists can be specified within a user filter.

Lists can be used in several ways:

- Permit lists
With the permit model, you begin without any access and then specifically build what access is allowed. One or more permit lists can be used to allow access to authorized sites.

- Deny lists
Similar to today's PC-blocking software solution, users can be denied access to a site if it appears on a specified list. The deny model allows access to all sites except those that appear on a list.

- Business productivity
Deny lists can be used for non-business related sites that are accessed frequently during the work day.

- Business security
Permit and deny lists used on a company's dial-in access server control a dial-in user's access to internal network resources. Filters that restrict access to certain company subnets or data servers can be assigned to users. This reduces the risk that a non-authorized user, with the employee's login/password, can get to confidential information.
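
The sketch below is an added example, not Lucent's code and not PortMaster filter syntax: a simplified Python model of the behaviour described above (local filter lookup, download from the ChoiceNet server on a miss, then first-match permit/deny evaluation against site lists). The class names, rule fields, filter names other than F(jpsmith), sample hosts, and the fail-closed defaults are assumptions.

```python
# Simplified model (added example); names, fields and defaults are assumptions.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    site_list: str = ""    # name of a centralized site list; "" matches any site
    service: str = ""      # e.g. "smtp", "irc"; "" matches any service

@dataclass
class ChoiceNetServer:
    filters: dict          # filter name -> list of Rule
    site_lists: dict       # site list name -> set of hostnames
    downloads: int = 0     # counts filter download requests
    def download(self, name):
        self.downloads += 1
        return self.filters.get(name)

@dataclass
class PortMaster:
    server: ChoiceNetServer
    local: dict = field(default_factory=dict)   # filters stored locally
    def resolve(self, name):
        if name not in self.local:               # not stored locally: ask the server
            rules = self.server.download(name)
            if rules is None:
                return None
            self.local[name] = rules
        return self.local[name]

    def allowed(self, filter_name, host, service):
        rules = self.resolve(filter_name)
        if rules is None:
            return False   # assumption: a filter unknown to the server fails closed
        for r in rules:
            in_list = not r.site_list or host in self.server.site_lists.get(r.site_list, set())
            if in_list and r.service in ("", service):
                return r.action == "permit"      # first matching rule decides
        return False       # assumption: no rule matched, so deny (permit model)

# Constructed sample data; a trailing Rule("permit") turns a filter into the deny model.
SERVER = ChoiceNetServer(
    filters={"F(jpsmith)": [Rule("permit", service="smtp")],
             "F(rcbrown)": [Rule("permit", site_list="intranet")],
             "F(akjones)": [Rule("deny", service="irc"), Rule("deny", service="usenet"), Rule("permit")],
             "F(denylist)": [Rule("deny", site_list="blocked"), Rule("permit")]},
    site_lists={"intranet": {"web.corp.example"}, "blocked": {"bad.example"}})
```

In this model a permit filter ends in the implicit deny, while a deny filter must end with an explicit catch-all permit rule; leaving that rule out blocks everything.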

Application Diagram