Peer connected device for protecting access to local area networks

US 20040054926A1
Filed: 10/22/2002
Published: 03/18/2004
Est. Priority Date: 09/11/2002
Status: Active Grant

First Claim

Patent Images

1. An apparatus for controlling access to one or more protected devices each having a physical device address on a computer network by a client device having a physical device address, comprising:

a central processing unit;

a network interface configured to receive address resolution requests broadcast on the network by the client device seeking access to one of the protected devices and to transmit address resolution replies generated by the apparatus on the computer network; and

a security module running on the central processing unit and configured to;

(a) process the address resolution requests from the client device to determine whether the client device is unknown;

(b) transmit address resolution replies on the computer network to block access to the protected devices and allow access to an authentication server, if the client device is unknown;

(c) monitor the authentication server to determine if the client device is authorized or unauthorized by the authentication server, if the client device is unknown;

(d) allow access to the protected devices, if the client device is authorized; and

(e) transmit blocking address resolution replies on the computer network to block access to the protected devices, if the client device is unauthorized;

wherein the apparatus is connected as a peer device on the computer network.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A peer connected device for controlling access by a client device to protected devices on a computer network. The peer connected device has a central processing unit and a network interface configured to receive address resolution requests broadcast on the computer network by the client device seeking access to one of the protected devices and to transmit address resolution replies generated by the apparatus on the computer network. Additionally, a security module is running on the central processing unit and configured to (a) process the address resolution requests from the client device to determine whether the client device is unknown; (b) transmit address resolution replies on the computer network to block access to the protected devices and allow access to an authentication server, if the client device is unknown; (c) monitor the authentication server to determine if the client device is authorized or unauthorized by the authentication server, if the client device is unknown; (d) allow access to the protected devices, if the client device is authorized; and (e) transmit blocking address resolution replies on the computer network to block access to the protected devices, if the client device is unauthorized.

108 Citations

View as Search Results

20 Claims

1. An apparatus for controlling access to one or more protected devices each having a physical device address on a computer network by a client device having a physical device address, comprising:
- a central processing unit;
  
  a network interface configured to receive address resolution requests broadcast on the network by the client device seeking access to one of the protected devices and to transmit address resolution replies generated by the apparatus on the computer network; and
  
  a security module running on the central processing unit and configured to;
  
  (a) process the address resolution requests from the client device to determine whether the client device is unknown;
  
  (b) transmit address resolution replies on the computer network to block access to the protected devices and allow access to an authentication server, if the client device is unknown;
  
  (c) monitor the authentication server to determine if the client device is authorized or unauthorized by the authentication server, if the client device is unknown;
  
  (d) allow access to the protected devices, if the client device is authorized; and
  
  (e) transmit blocking address resolution replies on the computer network to block access to the protected devices, if the client device is unauthorized;
  
  wherein the apparatus is connected as a peer device on the computer network.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus recited in claim 1, wherein the security module is further configured to:
    - determine if the client device is connected to the computer network;
      
      wherein the access blocking module ceases blocking data link layer access to the network devices by the client device if the client device is no longer connected to the computer network; and
      
      wherein the access monitoring module causes the detection module to determine that the client device is unknown if the client device subsequently attempts to access the protected devices.
  - 3. The apparatus recited in claim 1, wherein the security module is further configured to transmit correction address resolution requests on the computer network to update the client device with the physical device address of the protected devices.
  - 4. The apparatus recited in claim 1, wherein the restriction address resolution replies contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to the physical device address of one of the protected devices.
  - 5. The apparatus recited in claim 1, wherein the blocking address resolution replies contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to a broadcast address.

6. An apparatus for controlling access to one or more network devices, including one or more protected devices among the network devices, each having a physical device address on a computer network by a client device having a physical device address, comprising:
- a central processing unit;
  
  a network interface configured to receive address resolution requests broadcast on the network by the client device seeking access to one of the protected devices;
  
  a detection module running on the central processor and configured to process the address resolution requests from the client device to determine whether the client device is unknown;
  
  an access restriction module running on the central processor and configured to block data link layer access to the protected devices and allow access to an authentication server, if the client device is unknown;
  
  an authentication monitoring module running on the central processor and configured to monitor the authentication server to determine if the client device is authorized or unauthorized by the authentication server, if the client device is unknown; and
  
  an access blocking module running on the central processor and configured to block data link layer access to the network devices on the computer network, if the client device is unauthorized;
  
  wherein the apparatus is connected as a peer device on the computer network; and
  
  wherein the apparatus does not require dedicated software on the client device in order to control access to the network devices.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The apparatus recited in claim 6, further comprising:
    - an access monitoring module running on the central processing unit and configured to determine if the client device is connected to the computer network;
      
      wherein the access blocking module ceases blocking data link layer access to the network devices by the client device if the client device is no longer connected to the computer network; and
      
      wherein the access monitoring module causes the detection module to determine that the client device is unknown if the client device subsequently attempts to access the protected devices.
  - 8. The apparatus recited in claim 6, further comprising:
    - a correction module running on the central processor and configured to transmit correction address resolution requests on the computer network via the network interface to update the client device with the physical device address of the protected devices.
  - 9. The apparatus recited in claim 6, wherein the access restriction module blocks access to the protected devices by transmitting restriction address resolution replies on the computer network via the network interface to the protected devices.
  - 10. The apparatus recited in claim 9, wherein the restriction address resolution replies contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to the physical device address of one of the protected devices.
  - 11. The apparatus recited in claim 6, wherein the access blocking module blocks data link layer access to the network devices by broadcasting blocking address resolution replies on the computer network via the network interface.
  - 12. The apparatus recited in claim 11, wherein the blocking address resolution replies contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to a broadcast address.

13. A computer readable memory for directing a computer connected as a peer in a computer network to control access to one or more protected devices each having a physical device address on a computer network by a client device having a physical device address, the computer being configured to receive address resolution requests broadcast on the network by the client device seeking access to one of the protected devices and to transmit address resolution replies generated by the apparatus on the computer network, the memory comprising:
- a security module configured to;
  
  (a) run on the computer;
  
  (b) process the address resolution requests from the client device to determine whether the client device is unknown;
  
  (c) transmit address resolution replies on the computer network to block access to the protected devices and allow access to an authentication server, if the client device is unknown;
  
  (d) monitor the authentication server to determine if the client device is authorized or unauthorized by the authentication server, if the client device is unknown;
  
  (e) allow access to the protected devices, if the client device is authorized; and
  
  (f) transmit blocking address resolution replies on the computer network to block access to the protected devices, if the client device is unauthorized.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer readable memory recited in claim 13, wherein the security module is further configured to:
    - determine if the client device is connected to the computer network;
      
      wherein the access blocking module ceases blocking data link layer access to the network devices by the client device if the client device is no longer connected to the computer network; and
      
      wherein the access monitoring module causes the detection module to determine that the client device is unknown if the client device subsequently attempts to access the protected devices.
  - 15. The computer readable memory recited in claim 13, wherein the security module is further configured to transmit correction address resolution requests on the computer network to update the client device with the physical device address of the protected devices.
  - 16. The computer readable memory recited in claim 13, wherein the restriction address resolution replies contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to the physical device address of one of the protected devices.
  - 17. The computer readable memory recited in claim 13, wherein the blocking address resolution replies contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to a broadcast address.

18. A computer readable memory for directing a computer connected as a peer in a computer network to control access to one or more protected devices each having a physical device address on a computer network by a client device having a physical device address, the computer being configured to receive address resolution requests broadcast on the network by the client device seeking access to one of the protected devices and to transmit address resolution replies generated by the apparatus on the computer network, the memory comprising:
- a detection module configured to run on the computer and to process the address resolution requests from the client device to determine whether the client device is unknown;
  
  an access restriction module configured to run on the computer and to block data link layer access to the protected devices and allow access to an authentication server, if the client device is unknown;
  
  an authentication monitoring module configured to run on the computer and to monitor the authentication server to determine if the client device is authorized or unauthorized by the authentication server, if the client device is unknown; and
  
  an access blocking module configured to run on the computer and to block data link layer access to the network devices on the computer network, if the client device is unauthorized.
- View Dependent Claims (19, 20)
- - 19. The computer readable memory recited in claim 18, wherein the access restriction module blocks access to the protected devices by transmitting restriction address resolution replies on the computer network via the network interface to the protected devices.
  - 20. The computer readable memory recited in claim 18, wherein the access blocking module blocks data link layer access to the network devices by broadcasting blocking address resolution replies on the computer network via the network interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sysxnet Ltd.
Original Assignee
Wholepoint Corp. (Singapore Telecommunications Limited)
Inventors
Dziadziola, David A., Ocepek, Steven R., Lauer, Brian A.

Granted Patent

US 7,448,076 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/10   of different types

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

Peer connected device for protecting access to local area networks

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

108 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Peer connected device for protecting access to local area networks

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links