Metropolitan area network arrangement for serving virtual data networks
First Claim
1. In a network for serving users of a plurality of user groups, a method of preventing users of one group from obtaining unauthorized access to users of another group, comprising the steps of:
- generating a user authorization data base for authorizing access by a first user to members of ones of a plurality of groups from input from a superuser;
- processing a login packet, comprising an identification of a login destination user group and an identification of said first user, from said first user to determine whether said first user is authorized in said authorization data base to access said destination user group;
- if said determining step determines that said first user is authorized to access said destination user group, recording data in a source checker data base indicating that said first user is authorized to send packets to said destination user group;
- thereafter, ascertaining in said recorded data, for every data entity, comprising said identification of said first user and an identification of a destination user group for said data entity, whether said first user is authorized to send data to said destination user group; and
- transmitting said data entry to a user of said destination user group if said ascertaining step indicates that said first user is authorized.
Abstract
A high capacity metropolitan area network (MAN) is described. Data traffic from users is connected to data concentrators at the edge of the network, and is transmitted over fiber optic data links to a hub where the data is switched. The hub includes a plurality of data switching modules, each having a control means, and each connected to a distributed control space division switch. Advantageously, the data switching modules, whose inputs are connected to the concentrators, perform all checking and routing functions, while the 1024×1024 maximum size space division switch, whose outputs are connected to the concentrators, provides a large fan-out distribution network for reaching many concentrators from each data switching module. Distributed control of the space division switch permits several million connection and disconnection actions to be performed each second, while the pipelined and parallel operation within the control means permits each of the 256 switching modules to process at least 50,000 transactions per second. The data switching modules chain groups of incoming packets destined for a common outlet of the space division switch so that only one connection in that switch is required for transmitting each group of chained packets from a data switching module to a concentrator. MAN provides security features including a port identification supplied by the data concentrators, and a check that each packet is from an authorized source user, transmitting on a port associated with that user, to an authorized destination user that is in the same group (virtual network) as the source user.
8 Claims
1. In a network for serving users of a plurality of user groups, a method of preventing users of one group from obtaining unauthorized access to users of another group, comprising the steps of: generating a user authorization data base for authorizing access by a first user to members of ones of a plurality of groups from input from a superuser; processing a login packet, comprising an identification of a login destination user group and an identification of said first user, from said first user to determine whether said first user is authorized in said authorization data base to access said destination user group; if said determining step determines that said first user is authorized to access said destination user group, recording data in a source checker data base indicating that said first user is authorized to send packets to said destination user group; thereafter, ascertaining in said recorded data, for every data entity, comprising said identification of said first user and an identification of a destination user group for said data entity, whether said first user is authorized to send data to said destination user group; and transmitting said data entry to a user of said destination user group if said ascertaining step indicates that said first user is authorized. (Dependent claims: 2, 3, 4)

5. In a data network, a method of transmitting data entities from a source user to a user that is a member of a group, comprising the steps of: supplying, for every data entity transmitted by said source user, a source user port identification from within said network and outside control of said source user; ascertaining, for every data entity, comprising an identification of said source user and said group, whether said source user is authorized to transmit data entities to a user of said group from said identified source user port; and transmitting said data entity to a user of said group if said ascertaining step indicates that said source user is authorized.

6. In a network for serving users of a plurality of user groups, a method of preventing users of one group from obtaining unauthorized access to users of another group, comprising the steps of: generating a user authorization data base for authorizing access by a first user to members of ones of a plurality of groups from input from a superuser; supplying, for data packets transmitted by said first user, a source user port identification from within said network and outside control by said first user; processing a login packet, comprising an identification of a destination user group, an identification of said first user, and a user port identification for said first user, from said first user to determine whether said first user is authorized in said authorization data base to transmit data packets from said source user port for said first user to a member of said destination user group; if said authorization step indicates that said first user is authorized to send packets to a member of said destination user group, recording data to indicate that said first user is authorized to send packets to said destination user group from said source user port; if said authorization step further indicates that said first user is authorized to receive data from members of said destination user group, recording that said first user is authorized to receive packets from said members of said destination user group at said source user port; thereafter, ascertaining, for every data packet, comprising said identification of said first user, said user port for said first user, and an identification of a destination user group, whether said first user is authorized to send data from a port identification of said data packet to a member of said destination user group; transmitting said data packet to a user of said destination group if said ascertaining step indicates that said first user is authorized; and recording identifications of users and user ports which transmit unauthorized packets.

7. A data network, comprising: a source authorization data base comprising data indicating, for each active source user, authorization for said source user and at least one source group of which said source user is a member; a destination authorization data base comprising data indicating, for each active destination user, authorization for said destination user and at least one destination user group of which said destination user is a member; and means, responsive to source user, destination user, and group data in a data packet received by said network for checking in said source authorization data base and said destination authorization data base whether said source user and group is authorized to transmit to said destination user and group. (Dependent claim: 8)
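The following is an added model of the checks claimed above (claims 5 to 7), not code from the patent: a superuser-supplied authorization table, a login step that records (user, port, group) in a source checker table, and a per-packet check that requires the network-supplied port to match and the destination user to belong to the destination group. Class and field names, and the sample users and ports, are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    source_user: str
    source_port: str   # supplied by the concentrator, not by the user (claim 5)
    dest_user: str
    dest_group: str


class VirtualNetworkChecker:
    """Models the login-time authorization and per-packet check of claims 6 and 7."""

    def __init__(self, source_auth_db, dest_auth_db):
        # Both tables come from superuser input: user -> set of groups.
        self.source_auth_db = source_auth_db
        self.dest_auth_db = dest_auth_db
        self.source_checker_db = set()   # (user, port, group) recorded at login
        self.violations = []             # (user, port, group) of rejected packets

    def login(self, user, port, group):
        """Process a login packet; record (user, port, group) only if authorized."""
        if group in self.source_auth_db.get(user, set()):
            self.source_checker_db.add((user, port, group))
            return True
        return False

    def check(self, pkt):
        """True only if the source is logged in to the group from this port
        and the destination user is a member of that group; rejections are logged."""
        key = (pkt.source_user, pkt.source_port, pkt.dest_group)
        dest_ok = pkt.dest_group in self.dest_auth_db.get(pkt.dest_user, set())
        if key in self.source_checker_db and dest_ok:
            return True
        self.violations.append(key)
        return False


def demo():
    # Constructed sample data: alice and carol are in "eng", bob only in "finance".
    groups = {"alice": {"eng"}, "carol": {"eng"}, "bob": {"finance"}}
    vn = VirtualNetworkChecker(source_auth_db=groups, dest_auth_db=groups)
    assert vn.login("alice", "port-7", "eng")
    assert not vn.login("alice", "port-7", "finance")   # superuser never authorized this
    results = [
        vn.check(Packet("alice", "port-7", "carol", "eng")),     # authorized
        vn.check(Packet("alice", "port-7", "bob", "finance")),   # cross-group: rejected
        vn.check(Packet("alice", "port-9", "carol", "eng")),     # wrong port: rejected
        vn.check(Packet("alice", "port-7", "bob", "eng")),       # bob not in eng: rejected
    ]
    return results, vn.violations
```

The `violations` list is the record of "users and user ports which transmit unauthorized packets" from claim 6, which is what an operator would review to spot a port that is carrying traffic under another user's identity.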
Specification