Repeaters for secure local area networks
First Claim
1. In a network communicating data frames having an identifiable destination on communication media having a particular media access protocol, a repeater comprising:
- at least first and second ports for connection to the communication media of the network;
- a frame regenerator connected between the first and second ports that repeats an incoming frame from the first port to supply a regenerated frame for retransmission on the second port within a time interval which begins before the complete incoming frame has been received by the first port;
- access rule logic coupled with the first port to detect incoming frames having destinations not authorized for the second port; and
- an override circuit, coupled to the frame regenerator and to the access rule logic, to modify the regenerated frame in response to indication by the access rule logic that the incoming frame has a destination not authorized for the second port.
Dependent claims: 2, 3, 4, 5, 6
Abstract
A multiport repeater for a local area network installation has (in addition to its conventional functions) means for storing access rules for the items of equipment connected to it. It reads a portion of each frame, which may be all or part of the destination address segment and/or of the source address segment and/or of the control segment of each incoming data frame, or it could be a frame or protocol identifier incorporated in opening bytes of the data segment. It compares the data that it reads with the stored access rules to determine whether the frame is permitted or not. If not, the repeater modifies the frame which it is in the course of re-transmitting, for example by overwriting it with meaningless digits or by encrypting it. It may also report the source address, destination address and reason for deciding to modify the frame to the network controller.
39 Citations
53 Claims
7. For a network communicating data frames having an identifiable destination on communication media having a carrier sense multiple access with collision detection (CSMA/CD) media access protocol, a multiport repeater comprising:
- a plurality of ports for connection to the communication media of the network;
- a frame regenerator connected to the plurality of ports that repeats an incoming frame from a particular port in the plurality of ports to supply respective regenerated frames for retransmission on other ports in the plurality of ports within a time interval which begins before the complete incoming frame has been received by the particular port;
- access rule logic, coupled with the plurality of ports, to detect whether the incoming frame from the particular port has a destination not authorized for retransmission on the other ports on a per port basis; and
- an override circuit, coupled to the frame regenerator and the access rule logic, responsive to detection by the access rule logic on a per port basis that the incoming frame has a destination not authorized for retransmission on a given port in the plurality of ports to modify the regenerated frame for retransmission on the given port.
Dependent claims: 8, 9, 10, 11, 12
13. In a network communicating data frames having an identifiable source on communication media having a particular media access protocol, a repeater comprising:
- at least first and second ports for connection to the communication media of the network;
- a frame regenerator connected between the first and second ports that repeats an incoming frame from the first port to supply a regenerated frame for retransmission on the second port within a time interval which begins before the complete incoming frame has been received by the first port;
- access rule logic coupled with the first port to detect incoming frames having sources not authorized for the first port; and
- an override circuit, coupled to the frame regenerator and to the access rule logic, to modify the regenerated frame in response to indication by the access rule logic that the incoming frame has a source not authorized for the first port.
Dependent claims: 14, 15, 16, 17, 18, 19
20. For a network communicating data frames having an identifiable source on communication media having a carrier sense multiple access with collision detection (CSMA/CD) media access protocol, a multiport repeater comprising:
- a plurality of ports for connection to the communication media of the network;
- a frame regenerator connected to the plurality of ports that repeats an incoming frame from a particular port in the plurality of ports to supply respective regenerated frames for retransmission on other ports in the plurality of ports within a time interval which begins before the complete incoming frame has been received by the particular port;
- access rule logic, coupled with the plurality of ports, to detect whether the incoming frame from the particular port has a source not authorized for the particular port; and
- an override circuit, coupled to the frame regenerator and the access rule logic, responsive to detection by the access rule logic that the incoming frame has a source not authorized for the particular port to modify the regenerated frame for retransmission on the plurality of ports.
Dependent claims: 21, 22, 23, 24, 25, 26
27. For a network communicating data frames having an identifiable source on communication media having a carrier sense multiple access with collision detection (CSMA/CD) media access protocol, a multiport repeater comprising:
- a plurality of ports for connection to the communication media of the network;
- a frame regenerator connected to the plurality of ports that repeats an incoming frame from a particular port in the plurality of ports to supply respective regenerated frames for retransmission on other ports in the plurality of ports within a time interval which begins before the complete incoming frame has been received by the particular port;
- access rule logic, coupled with the plurality of ports, to detect whether the incoming frame from the particular port has a source not authorized for the particular port; and
- a switch circuit, coupled to the frame regenerator and the access rule logic, responsive to detection by the access rule logic that the incoming frame has a source not authorized for the particular port to switch off the particular port.
Dependent claims: 28, 29, 30
31. For a network communicating data frames having an identifiable destination on communication media having a carrier sense multiple access with collision detection (CSMA/CD) media access protocol, a multiport repeater comprising:
- a plurality of ports for connection to the communication media of the network;
- a frame regenerator connected to the plurality of ports that repeats an incoming frame from a particular port in the plurality of ports to supply respective regenerated frames for retransmission on other ports in the plurality of ports within a time interval which begins before the complete incoming frame has been received by the particular port;
- access rule logic, coupled with the plurality of ports, to detect whether the incoming frame from the particular port has a destination not authorized for retransmission on the other ports on a per port basis and whether the incoming frame from the particular port has a source not authorized for the particular port;
- an override circuit, coupled to the frame regenerator and the access rule logic, responsive to detection by the access rule logic on a per port basis that the incoming frame has a destination not authorized for retransmission on a given port in the plurality of ports to modify the regenerated frame for retransmission on the given port; and
- a switch circuit, coupled to the frame regenerator and the access rule logic, responsive to detection by the access rule logic that the incoming frame has a source not authorized for the particular port to switch off the particular port.
Dependent claims: 32, 33, 34, 35, 36, 37
38. For a network communicating data frames having an identifiable destination address on communication media, an apparatus comprising:
- a plurality of ports for connection to communication media of the network;
- circuitry connected to the plurality of ports that retransmits a data frame being received on a particular port on other ports in the plurality of ports independent of the identifiable destination address, and within a time interval which begins before the data frame has been received completely by the particular port;
- access rule logic, coupled to the plurality of ports, which detects whether the data frame being received on the particular port has a destination address not authorized for retransmission on at least one of the other ports; and
- override circuitry, coupled to the plurality of ports and the access rule logic, that is responsive to the detection by the access rule logic that the data frame being received has a destination address not authorized for retransmission on the at least one of the other ports, such that the override circuitry modifies at least a portion of the data frame being retransmitted on the at least one of the other ports.
Dependent claims: 39, 40, 41, 42, 43, 44, 45, 46, 47, 53
48. For a network communicating data frames having an identifiable source address and an identifiable destination address on communication media operating according to a carrier sense, multiple access with collision detection (CSMA/CD) media access protocol, an apparatus comprising:
- a plurality of ports for connection to communication media of the network;
- circuitry connected to the plurality of ports that retransmits a data frame being received on a particular port on other ports in the plurality of ports independent of the identifiable destination address, and within a time interval which begins, within delay limits specified for the protocol, before the data frame has been received completely by the particular port;
- access rule logic, coupled to the plurality of ports, which detects whether the data frame being received on the particular port has a destination address not authorized for retransmission on at least one of the other ports, and wherein the access rule logic further detects whether the data frame being received on the particular port has a source address not authorized for the particular port;
- override circuitry, coupled to the plurality of ports and the access rule logic, that is responsive to the detection by the access rule logic that the data frame being received has a destination address not authorized for retransmission on the at least one of the other ports in a manner such that the override circuitry corrupts at least a portion of the data frame being retransmitted on the at least one of the other ports; and
- disabling circuitry, coupled to the plurality of ports and the access rule logic, that is responsive to the detection by the access rule logic that the data frame being received on the particular port has a source address not authorized for the particular port such that the disabling circuitry disables the particular port.
Dependent claims: 49, 50, 51, 52
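The mechanism the abstract and the independent claims describe, written out as an added software model (this is my illustration, not code from the patent or from any product built on it). It combines the destination rule with the override circuit (claims 1, 7, 38), the source rule with frame modification on every port (claim 20) and with switching the offending port off (claim 27), and the report to the network controller mentioned in the abstract. The frame layout (6-byte destination address followed by 6-byte source address), the filler byte used to overwrite a blocked frame, the decision to let broadcast frames pass, and the station addresses in the usage section are all my assumptions; the point the model makes visible is the cut-through timing: the repeater has already put the address bytes on every port before the access rule logic can decide, so only the bytes after the decision point are corrupted.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

DST_LEN = 6            # assumption: destination address is the first 6 bytes
SRC_LEN = 6            # assumption: source address is the next 6 bytes
FILLER = 0xAA          # assumption: the "meaningless digits" written over a blocked frame
BROADCAST = b"\xff" * DST_LEN   # assumption: broadcast is always authorized


@dataclass
class Report:
    """What the repeater reports to the network controller about a blocked frame."""
    in_port: int
    out_port: Optional[int]   # None when the problem is the source, not a destination
    dst: bytes
    src: bytes
    reason: str


class SecureRepeater:
    """Multiport repeater with stored per-port access rules and an override circuit."""

    def __init__(self, num_ports: int,
                 allowed_dst: Dict[int, Set[bytes]],
                 allowed_src: Dict[int, Set[bytes]]):
        self.allowed_dst = allowed_dst    # port -> destination addresses it may receive
        self.allowed_src = allowed_src    # port -> source addresses allowed to send on it
        self.enabled: Set[int] = set(range(num_ports))
        self.reports: List[Report] = []

    def repeat(self, in_port: int, frame: bytes) -> Dict[int, bytes]:
        """Cut-through repeat of `frame` arriving on `in_port`.

        Returns {port: bytes actually placed on that port}. Every byte is
        repeated as soon as it arrives; the access rule logic can only act
        once the relevant address field is complete.
        """
        if in_port not in self.enabled:
            return {}                           # a switched-off port is ignored
        out_ports = sorted(p for p in self.enabled if p != in_port)
        out = {p: bytearray() for p in out_ports}
        blocked: Set[int] = set()               # ports whose override circuit is active
        violations: List[tuple] = []            # (out_port or None, reason)
        for i, byte in enumerate(frame):
            if i == DST_LEN:
                # Destination complete. Bytes 0..DST_LEN-1 are already on every port;
                # from here on, ports not authorized for this destination get filler.
                dst = bytes(frame[:DST_LEN])
                for p in out_ports:
                    if dst != BROADCAST and dst not in self.allowed_dst.get(p, set()):
                        blocked.add(p)
                        violations.append((p, "destination not authorized for port"))
            if i == DST_LEN + SRC_LEN:
                # Source complete. An unauthorized source corrupts the rest of the
                # frame on all ports (claim 20) and switches the port off (claim 27).
                src = bytes(frame[DST_LEN:DST_LEN + SRC_LEN])
                if src not in self.allowed_src.get(in_port, set()):
                    blocked.update(out_ports)
                    self.enabled.discard(in_port)
                    violations.append((None, "source not authorized for port"))
            for p in out_ports:                 # frame regenerator + override circuit
                out[p].append(FILLER if p in blocked else byte)
        # Report source, destination and reason to the controller once both are known.
        dst = bytes(frame[:DST_LEN])
        src = bytes(frame[DST_LEN:DST_LEN + SRC_LEN])
        for p, reason in violations:
            self.reports.append(Report(in_port, p, dst, src, reason))
        return {p: bytes(b) for p, b in out.items()}


if __name__ == "__main__":
    # Constructed, locally administered station addresses: A on port 0, B on 1, C on 2.
    A, B, C = (bytes.fromhex("02000000000" + d) for d in "123")
    hub = SecureRepeater(3, {0: {A}, 1: {B}, 2: {C}}, {0: {A}, 1: {B}, 2: {C}})
    sent = hub.repeat(0, B + A + bytes(range(20)))   # A -> B, port 2 must not see it
    print("port 1 intact:", sent[1][DST_LEN:] == (A + bytes(range(20))))
    print("port 2 leaked header, rest filler:", sent[2][:DST_LEN] == B,
          set(sent[2][DST_LEN:]) == {FILLER})
    for r in hub.reports:
        print(r)
```

The unmodified first six bytes on port 2 are not a bug in the model; they are the price of repeating within the protocol's delay limits before the whole frame has arrived, which is why the claims speak of modifying the regenerated frame rather than withholding it. A deployment would also need rules for multicast and for the broadcast traffic this model waves through.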