Multiple tiered network security system, method and apparatus

US 20040255154A1
Filed: 06/11/2003
Published: 12/16/2004
Est. Priority Date: 06/11/2003
Status: Abandoned Application

First Claim

Patent Images

1. An apparatus for providing network security, comprising:

a plurality of input ports;

a switching fabric for routing data received on said plurality of input ports to at least one output port; and

control logic adapted to authenticate a physical address of a device coupled to one of said plurality of input ports and to authenticate user information provided by a user of said device only if said physical address is valid.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical MAC address authentication of a device being attached to the network, such as a device being attached to a port of a network switch. The second level includes authentication of the user of the device, such as user authentication in accordance with the 802.1x standard. The third level includes dynamic assignment of the port to a particular VLAN based on the identity of the user. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.

Citations

33 Claims

1. An apparatus for providing network security, comprising:
- a plurality of input ports;
  
  a switching fabric for routing data received on said plurality of input ports to at least one output port; and
  
  control logic adapted to authenticate a physical address of a device coupled to one of said plurality of input ports and to authenticate user information provided by a user of said device only if said physical address is valid.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus of claim 1, wherein said physical address comprises a Media Access Control (MAC) address.
  - 3. The apparatus of claim 1, wherein said control logic is adapted to compare said physical address of said device to at least one secure physical address.
  - 4. The apparatus of claim 1, wherein said control logic is further adapted to disable said one of said plurality of input ports if said physical address is invalid.
  - 5. The apparatus of claim 1, wherein said control logic is further adapted to drop packets from said device if said physical address is invalid.
  - 6. The apparatus of claim 1, wherein said control logic is further adapted to re-direct packets from said device if said physical address is invalid.
  - 7. The apparatus of claim 1, wherein said control logic is adapted to send said user information to an authentication server and receive an accept or reject message from said authentication server in response to sending said user information.
  - 8. The apparatus of claim 7, wherein said authentication server comprises a Remote Authentication Dial-In User Service (RADIUS) server.
  - 9. The apparatus of claim 1, wherein said control logic is further adapted to assign said one of said plurality of input ports to a virtual local area network (VLAN) associated with said user information if said user information is valid.
  - 10. The apparatus of claim 9, wherein said control logic is adapted to receive a message from an authentication server, wherein said message comprises a VLAN identifier (ID) associated with said user information, and to assign said one of said plurality of input ports to a VLAN associated with said VLAN ID.
  - 11. The apparatus of claim 10, wherein said control logic is further adapted to determine if said VLAN is supported by the apparatus.

12. A method for providing network security, comprising:
- authenticating a physical address of a device coupled to a port of a network switch; and
  
  authenticating user information provided by a user of said device only if said physical address is valid.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein said authenticating a physical address comprises authenticating a Media Access Control (MAC) address.
  - 14. The method of claim 12, wherein said authenticating a physical address of a device comprises comparing said physical address of said device to at least one secure physical address.
  - 15. The method of claim 12, further comprising:
    - disabling said port if said physical address is invalid.
  - 16. The method of claim 12, further comprising:
    - dropping packets from said device if said physical address is invalid.
  - 17. The method of claim 12, further comprising:
    - re-directing packets from said device if said physical address in invalid.
  - 18. The method of claim 12, wherein said authenticating user information comprises:
    - sending said user information to an authentication server; and
      
      receiving an accept or reject message from said authentication server in response to said sending said user information.
  - 19. The method of claim 18, wherein said authentication server comprises a Remote Authentication Dial-In User Service (RADIUS) server.
  - 20. The method of claim 12, further comprising:
    - assigning said port to a virtual local area network (VLAN) associated with said user information only if said user information is valid.
  - 21. The method of claim 20, wherein said assigning said port to a VLAN comprises:
    - receiving a message from an authentication server, wherein said message comprises a VLAN identifier (ID) associated with said user information;
      
      assigning said port to a VLAN associated with said VLAN ID.
  - 22. The method of claim 21, further comprising:
    - determining if said VLAN is supported by said network switch.

23. A network system, comprising:
- a data communications network;
  
  a network switch coupled to said data communications network; and
  
  a user device coupled to a port of said network switch;
  
  wherein said network switch is adapted to authenticate a physical address of said user device and to authenticate user information provided by a user of said user device only if said physical address is valid.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The system of claim 23, wherein said network switch is adapted to authenticate a Media Access Control (MAC) address of said user device.
  - 25. The system of claim 23, wherein said network switch is adapted to compare said physical address of said user device to at least one secure physical address.
  - 26. The system of claim 23, wherein said network switch is further adapted to disable said port if said physical address is invalid.
  - 27. The system of claim 23, wherein said network switch is further adapted to drop packets from said user device if said physical address is invalid.
  - 28. The system of claim 23, wherein said network switch is further adapted to re-direct packets from said user device if said physical address is invalid.
  - 29. The system of claim 23, further comprising:
    - an authentication server coupled to said data communications network;
      
      wherein said network switch is adapted to send said user information to said authentication server and to receive an accept or reject message from said authentication server in response to sending said user information.
  - 30. The system of claim 29, wherein said authentication server comprises a Remote Authentication Dial-In User Service (RADIUS) server.
  - 31. The system of claim 23, wherein said network switch is further adapted to assign said port to a virtual local area network (VLAN) associated with said user information only if said user information is valid.
  - 32. The system of claim 31, further comprising:
    - an authentication server coupled to said data communications network;
      
      wherein said network switch is adapted to receive a message from said authentication server, wherein said message comprises a VLAN identifier (ID) associated with said user information, and to assign said port to a VLAN associated with said VLAN ID.
  - 33. The system of claim 32, wherein said network switch is further adapted to determine if said VLAN is supported by said network switch.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Foundry Networks LLC (Broadcom, Inc.)
Original Assignee
Foundry Networks Incorporated (Broadcom, Inc.)
Inventors
Kwan, Philip, Ho, Chi-Jui

Application Number

US10/458,628
Publication Number

US 20040255154A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/08 for authentication of entit...

Multiple tiered network security system, method and apparatus

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Multiple tiered network security system, method and apparatus

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links