MULTIPLE TIERED NETWORK SECURITY SYSTEM, METHOD AND APPARATUS USING DYNAMIC USER POLICY ASSIGNMENT

US 20100223654A1
Filed: 04/28/2010
Published: 09/02/2010
Est. Priority Date: 09/04/2003
Status: Active Grant

First Claim

Patent Images

1. A network access device comprising:

a memory for storing data packets received on a plurality of input ports; and

control logic adapted to;

examine a first data packet stored in the memory, the first data packet comprising a physical address of a user device;

authenticate the physical address;

if the authentication of the physical address indicates the physical address is valid, authenticate one or more user credentials in a second data packet stored in the memory after the physical address is authenticated;

if the authentication of the one or more user credentials indicates the one or more user credentials are valid,dynamically assign the user policy to the one of the plurality of input ports; and

restrict further traffic on the one of the plurality of input ports in accordance with the user policy; and

if the authentication of the physical address indicates the physical address is invalid, block traffic on the one of the plurality of ports except for packets related to a user authentication protocol.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1x standard. The third level includes dynamic assignment of a user policy to the port based on the identity of the user, wherein the user policy is used to selectively control access to the port. The user policy may identify or include an access control list (ACL) or MAC address filter. Also, the user policy is not dynamically assigned if insufficient system resources are available to do so. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.

115 Citations

View as Search Results

26 Claims

1. A network access device comprising:
- a memory for storing data packets received on a plurality of input ports; and
  
  control logic adapted to;
  
  examine a first data packet stored in the memory, the first data packet comprising a physical address of a user device;
  
  authenticate the physical address;
  
  if the authentication of the physical address indicates the physical address is valid, authenticate one or more user credentials in a second data packet stored in the memory after the physical address is authenticated;
  
  if the authentication of the one or more user credentials indicates the one or more user credentials are valid,dynamically assign the user policy to the one of the plurality of input ports; and
  
  restrict further traffic on the one of the plurality of input ports in accordance with the user policy; and
  
  if the authentication of the physical address indicates the physical address is invalid, block traffic on the one of the plurality of ports except for packets related to a user authentication protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The network access device of claim 1 wherein the physical address comprises a Media Access Control (MAC) address.
  - 3. The network access device of claim 1 wherein the control logic is adapted to authenticate the user credentials in accordance with an IEEE 802.1x protocol.
  - 4. The network access device of claim 1 wherein the user policy identifies an access control list.
  - 5. The network access device of claim 1 wherein the user policy includes an access control list.
  - 6. The network access device of claim 1 wherein the user policy identifies a Media Access Control (MAC) address filter.
  - 7. The network access device of claim 1 wherein the user policy includes a Media Access Control (MAC) address filter.
  - 8. The network access device of claim 1 wherein the control logic is adapted to send the one or more user credentials to an authentication server and to receive an accept message from the authentication server if the user credentials are valid.
  - 9. The network access device of claim 8 wherein the authentication server comprises a Remote Authentication Dial-In User Service (RADIUS) server.
  - 10. The network access device of claim 8 wherein the accept message includes the user policy.
  - 11. The network access device of claim 1 wherein the control logic is further adapted to assign the one of the plurality of input ports to a virtual local area network (VLAN) associated with the one or more user credentials if the one or more user credentials are valid.
  - 12. The network access device of claim 11 wherein the control logic is adapted to receive a message from an authentication server, wherein the message comprises a VLAN identifier (ID) associated with the one or more user credentials, and to assign the one of the plurality of input ports to a VLAN associated with the VLAN ID.
  - 13. The device of claim 1 wherein the user credentials comprise a user name and a password.

14. A computer implemented method comprising:
- at a network access device comprising a plurality of input ports, examining a first data packet stored in a memory of the device, the first data packet comprising a physical address of a user device;
  
  authenticating the physical address;
  
  if the authentication of the physical address indicates the physical address is valid, authenticating one or more user credentials in a second data packet stored in the memory after the physical address is authenticated;
  
  if the authentication of the one or more user credentials indicates the one or more user credentials are valid, dynamically assigning the user policy to the one of the plurality of input ports and restricting further traffic on the port in accordance with the user policy; and
  
  if the authentication of the physical address indicates the physical address is invalid, blocking traffic on the one of the plurality of ports except for packets related to a user authentication protocol.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The method of claim 14 wherein the authenticating a physical address comprises authenticating a Media Access Control (MAC) address.
  - 16. The method of claim 14 wherein the authenticating the user credentials comprises authenticating the user credentials in accordance with an IEEE 802.1x protocol.
  - 17. The method of claim 14 wherein the restricting access comprises restricting access to the one of the plurality of input ports in accordance with an access control list.
  - 18. The method of claim 14 wherein the restricting access comprises restricting access to the one of the plurality of input ports in accordance with a Media Access Control (MAC) address filter.
  - 19. The method of claim 14 wherein the authenticating the user credentials comprises:
    - sending the one or more user credentials to an authentication server; and
      
      receiving an accept message from the authentication server if the one or more user credentials are valid.
  - 20. The method of claim 19 wherein the authentication server comprises a Remote Authentication Dial-In User Service (RADIUS) server.
  - 21. The method of claim 19 wherein the receiving an accept message comprises receiving an accept message that includes the user policy.
  - 22. The method of claim 14, further comprising:
    - assigning the port to a virtual local area network (VLAN) associated with the one or more user credentials only if the one or more user credentials are valid.
  - 23. The method of claim 22, wherein the assigning the port to a VLAN comprises:
    - receiving a message from an authentication server, wherein the message comprises a VLAN identifier (ID) associated with the user credentials; and
      
      assigning the port to a VLAN associated with the VLAN ID.
  - 24. The method of claim 14 wherein the user credentials comprise a user name and a password.

25. An apparatus comprising:
- a memory for storing data packets received on a plurality of input ports;
  
  means for examining a first data packet stored in the memory, the first data packet comprising a physical address of a user device;
  
  means for authenticating the physical address;
  
  means for, if the authentication of the physical address indicates the physical address is valid, authenticating one or more user credentials in a second data packet stored in the memory after the physical address is authenticated;
  
  means for, if the authentication of the one or more user credentials indicates the one or more user credentials are valid, dynamically assigning the user policy to the one of the plurality of input ports and restricting further traffic on the port in accordance with the user policy; and
  
  means for, if the authentication of the physical address indicates the physical address is invalid, blocking traffic on the one of the plurality of ports except for packets related to a user authentication protocol.

26. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method, the method comprising:
- at a network access device comprising a plurality of input ports, examining a first data packet stored in a memory of the device, the first data packet comprising a physical address of a user device;
  
  authenticating the physical address;
  
  if the authentication of the physical address indicates the physical address is valid, authenticating one or more user credentials in a second data packet stored in the memory after the physical address is authenticated;
  
  if the authentication of the one or more user credentials indicates the one or more user credentials are valid, dynamically assigning the user policy to the one of the plurality of input ports and restricting further traffic on the port in accordance with the user policy; and
  
  if the authentication of the physical address indicates the physical address is invalid, blocking traffic on the one of the plurality of ports except for packets related to a user authentication protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Brocade Communications Systems, Inc. (Broadcom, Inc.)
Inventors
Kwan, Philip, Ho, Chi-Jui

Granted Patent

US 8,239,929 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

MULTIPLE TIERED NETWORK SECURITY SYSTEM, METHOD AND APPARATUS USING DYNAMIC USER POLICY ASSIGNMENT

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

115 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

MULTIPLE TIERED NETWORK SECURITY SYSTEM, METHOD AND APPARATUS USING DYNAMIC USER POLICY ASSIGNMENT

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others