System and method for local policy enforcement for internet service providers
Abstract
A telecommunications system and method is disclosed for implementing a Policy Enforcement Point (PEP) for an Internet Service Provider (ISP) at the subscriber premises. This PEP enforces policies with respect to authentication of subscribers, authorization to access and services, accounting and mobility of the subscribers. These policies are defined by the ISP operator in a Policy Decision Point (PDP), which is a server connected to the Internet that communicates with the PEP. In addition, the ISP can supply an encryption key for the PEP and an encryption key for a particular subscriber. Thus, all communications between the subscriber and the PEP, as well as between the PEP and the PDP can be encrypted.
40 Citations
32 Claims
1. An on-premises policy enforcement point (PEP), said PEP being housed within a subscriber premises associated with a plurality of subscribers who utilize an Internet Service Provider (ISP) to access the Internet, said PEP comprising:
- a PEP key;
- PEP authentication means for sending the PEP key to an ISP node external to the premises, said ISP node utilizing the PEP key to authenticate the PEP without authenticating individual subscribers;
- subscriber authentication means for locally authenticating within the PEP, each of the plurality of subscribers in response to receiving Internet access requests from the subscribers; and
- policy enforcement means responsive to the subscriber authentication means for locally authorizing within the PEP, each of the plurality of subscribers to access Internet services to which the subscribers subscribe while preventing the subscribers from accessing services to which the subscribers do not subscribe, said policy enforcement means operating independently of the external ISP node to authenticate subscribers and enforce policies without communicating with the external access node.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A telecommunications system for conducting an Internet session by at least one subscriber using an Internet Service Provider, said system comprising:
- a policy enforcement point of the Internet Service Provider, said policy enforcement point being housed within a subscriber premises associated with the at least one subscriber, said policy enforcement point including:
  - means for receiving a subscriber key from the at least one subscriber when the at least one subscriber initiates the Internet session, wherein the subscriber key is associated with a specific subscriber;
  - authentication means for utilizing the subscriber key to locally authenticate within the policy enforcement point, the at least one subscriber;
  - means for sending a policy enforcement point key to the Internet Service Provider for authentication of the policy enforcement point; and
  - policy enforcement means for authorizing the at least one subscriber to access services to which the subscriber subscribes while preventing the subscriber from accessing services to which the subscriber does not subscribe; and
- an access node of the Internet Service Provider located outside of the subscriber premises, said access node including:
  - means for receiving the policy enforcement point key from the policy enforcement point; and
  - means for utilizing the policy enforcement point key to authenticate the policy enforcement point;
- wherein the policy enforcement means within the policy enforcement point operates independently of the access node, to authenticate subscribers and enforce policies without communicating with the access node.

Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23.
24. A method of establishing an Internet session utilizing an Internet Service Provider (ISP), wherein a subscriber within a subscriber premises requests to establish the session, said method comprising the steps of:
- transmitting a policy enforcement point (PEP) key from an on-premises PEP to an ISP access node located externally to the subscriber premises;
- authenticating by the external access node, the on-premises PEP based on the received PEP key;
- receiving at the on-premises PEP, a request to establish the session from at least one subscriber within the subscriber premises, said request including a subscriber key;
- authenticating by the on-premises PEP, the at least one subscriber based on the received subscriber key without communicating with the external access node; and
- upon successful authentication of the at least one subscriber, locally authorizing by the on-premises PEP, the at least one subscriber to access Internet services to which the subscriber subscribes while preventing the subscriber from accessing services to which the subscriber does not subscribe, said on-premises PEP operating independently of the external access node to authenticate subscribers and enforce policies without communicating with the external access node.

Dependent claims: 25, 26, 27, 28, 29, 30, 31, 32.
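A small Python model of the method in claim 24, added here as an illustration and not code from the patent. It assumes the PEP key and the subscriber keys are shared secrets compared with a constant-time check, and that a PEP the access node has not authenticated grants no access (neither detail is stated in the claims).

```python
import hmac
from dataclasses import dataclass

@dataclass
class AccessNode:
    """ISP node outside the premises: authenticates the PEP by its key, never subscribers."""
    known_pep_keys: dict  # pep_id -> provisioned PEP key (constructed data)

    def authenticate_pep(self, pep_id: str, pep_key: bytes) -> bool:
        expected = self.known_pep_keys.get(pep_id)
        # Constant-time comparison so a wrong key is not distinguishable by timing.
        return expected is not None and hmac.compare_digest(expected, pep_key)

@dataclass
class PolicyEnforcementPoint:
    """On-premises PEP: authenticates subscribers and enforces service policy locally."""
    pep_id: str
    pep_key: bytes
    subscriber_keys: dict  # subscriber_id -> subscriber key (assumed ISP-provisioned)
    subscriptions: dict    # subscriber_id -> set of subscribed service names
    attached: bool = False  # True once the ISP access node has authenticated this PEP

    def attach(self, node: AccessNode) -> bool:
        """Steps 1-2: send the PEP key to the external access node, record the outcome."""
        self.attached = node.authenticate_pep(self.pep_id, self.pep_key)
        return self.attached

    def authenticate_subscriber(self, sub_id: str, sub_key: bytes) -> bool:
        """Steps 3-4: verify the subscriber key locally, without contacting the access node."""
        expected = self.subscriber_keys.get(sub_id)
        return expected is not None and hmac.compare_digest(expected, sub_key)

    def authorize(self, sub_id: str, sub_key: bytes, service: str) -> bool:
        """Step 5: permit only services the authenticated subscriber subscribes to.
        A PEP the ISP never authenticated grants nothing (assumption, not in the claim)."""
        if not self.attached or not self.authenticate_subscriber(sub_id, sub_key):
            return False
        return service in self.subscriptions.get(sub_id, set())

def build_demo():
    """Constructed sample deployment: one access node, one PEP, two subscribers."""
    node = AccessNode(known_pep_keys={"pep-home-1": b"constructed-pep-key"})
    pep = PolicyEnforcementPoint(
        pep_id="pep-home-1", pep_key=b"constructed-pep-key",
        subscriber_keys={"alice": b"alice-key", "bob": b"bob-key"},
        subscriptions={"alice": {"web", "voip"}, "bob": {"web"}},
    )
    return node, pep
```

Note that the access node never learns a subscriber key: the only credential that crosses the premises boundary is the PEP key, which is the trust boundary a defender would monitor.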
Specification