System and method for detecting and preventing security

US 5,805,801 A
Filed: 01/09/1997
Issued: 09/08/1998
Est. Priority Date: 01/09/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for providing security against intrusion in a computer network having a plurality of managed devices, said method comprising the steps of:

discovering by a first managed device each of said plurality of managed devices that are enabled to provide network security;

detecting an unauthorized address on a first port of said first managed device and disabling said first port;

setting a filter at each of said plurality of managed devices to prevent frames having the unauthorized address from being forwarded through said computer network; and

reenabling said first port after said filtering step has been completed.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing security against intrusion in a campus LAN network is provided. A managed hub discovers each interconnect device in the network that supports the security feature and maintains an interconnect device list of such devices, which may include token ring switches, Ethernet switches, bridges and routers. The managed hub detects an intrusion by an unauthorized address on one of its ports and notifies the interconnect devices of the intrusion by transmitting a security breach detected frame. The interconnect devices set a filter on their respective ports against the intruding unauthorized address. The interconnect devices send a filter set frame to the managed hub which reenables the port where the security intrusion occurred, after all filter set frames are received. A network management station sends a security clear condition frame to remove the filters.

Citations

59 Claims

1. A method for providing security against intrusion in a computer network having a plurality of managed devices, said method comprising the steps of:
- discovering by a first managed device each of said plurality of managed devices that are enabled to provide network security;
  
  detecting an unauthorized address on a first port of said first managed device and disabling said first port;
  
  setting a filter at each of said plurality of managed devices to prevent frames having the unauthorized address from being forwarded through said computer network; and
  
  reenabling said first port after said filtering step has been completed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method for providing security against intrusion of claim 1 further comprising the step of removing of said filter that had been set at each of said plurality of managed devices.
  - 3. The method for providing security against intrusion of claim 1 wherein said first managed device is a managed hub.
  - 4. The method for providing security against intrusion of claim 1 wherein said first managed device is a switch.
  - 5. The method for providing security against intrusion of claim 1 wherein said plurality of managed devices includes a token ring switch.
  - 6. The method for providing security against intrusion of claim 1 wherein said plurality of managed devices includes an Ethernet switch.
  - 7. The method for providing security against intrusion of claim 1 wherein said plurality of managed devices includes a bridge.
  - 8. The method for providing security against intrusion of claim 1 wherein said plurality of managed devices includes a router.
  - 9. The method for providing security against intrusion of claim 1 wherein said computer network includes a local area network.
  - 10. The method for providing security against intrusion of claim 1 further comprising the steps of building and maintaining an authorized address list at said first managed device of addresses that are allowed to connect to each port in said first managed device.
  - 11. The method for providing security against intrusion of claim 10 wherein each entry in said authorized address list includes a port number and an authorized address.
  - 12. The method for providing security against intrusion of claim 1 wherein said discovering step includes the steps of:
    - transmitting a discovery request frame by said first managed device, said discovery request frame having a security feature group address;
      
      receiving said discovery request frame at each of said plurality of managed devices and transmitting a discovery response frame back to said first managed device;
      
      building and maintaining an interconnect device list at said first managed device of said plurality of managed devices that transmitted said discovery response frame back to said first managed device.
  - 13. The method for providing security against intrusion of claim 12 wherein each entry in said interconnect device list includes an address of the managed device that sent the discovery response frame and a time stamp extracted from said discovery response frame.
  - 14. The method for providing security against intrusion of claim 11 wherein said detecting step includes the steps of:
    - comparing, for each port, a source address of a station attempting to connect to said port with the authorized address list of addresses for said port and determining whether said source address is on said authorized address list.
  - 15. The method for providing security against intrusion of claim 12 wherein following said disabling step said method further includes:
    - sending a trap frame by said first managed device to a network management station indicating that an intrusion has been detected on said first port; and
      
      transmitting a security breach detected frame by said first managed device and having said security feature group address to said plurality of managed devices that have entries in said interconnect device list.
  - 16. The method for providing security against intrusion of claim 15 wherein said security breach detected frame includes a source address of an unauthorized station, the port number of said first managed device at which the intrusion occurred, and a time stamp representing the time at which the unauthorized station was detected.
  - 17. The method for providing security against intrusion of claim 16 wherein following the receiving of said security breach detected frame and setting of filters, each of said plurality of managed devices performs the additional steps of:
    - transmitting said security breach detected frame on all ports except the port on which said each managed device received said security breach detected frame;
      
      sending a trap frame to the network management station indicating that said filter has been set as a result of receiving said security breach detected frame; and
      
      transmitting a filter set frame to said first managed device.
  - 18. The method for providing security against intrusion of claim 17 wherein said filter set frame includes the address of said each managed device sending said filter set frame, the source address of said unauthorized station, the port number of said first managed device at which the intrusion occurred, and a time stamp representing the time at which the unauthorized station was detected.
  - 19. The method for providing security against intrusion of claim 1 wherein following said reenabling step said first managed device sends a trap frame to a network management station indicating that said filtering step has been completed.
  - 20. The method for providing security against intrusion of claim 2 wherein said removing step includes transmitting a security clear condition frame to said plurality of managed devices.
  - 21. The method for providing security against intrusion of claim 2 wherein said removing step includes transmitting a security clear condition frame to a selected managed device of said plurality of managed devices.
  - 22. The method for providing security against intrusion of claim 20 or 21 wherein said security clear condition frame includes said unauthorized address.

23. A system for providing security against intrusion in a computer network having a plurality of managed devices, said system comprising:
- means for discovering at a first managed device each of said plurality of managed devices that are enabled to provide network security;
  
  means for detecting an unauthorized address on a first port of said first managed device and means for disabling said first port;
  
  means for setting a filter at each of said plurality of managed devices to prevent frames having the unauthorized address from being forwarded through said computer network; and
  
  means for reenabling said first port of said first managed device after said filtering step has been completed.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 24. The system for providing security against intrusion of claim 23 further comprising means at a network management station for generating a security clear condition frame to initiate the removing of said filter that had been set at each of said plurality of managed devices.
  - 25. The system for providing security against intrusion of claim 23 wherein said first managed device is a managed hub.
  - 26. The system for providing security against intrusion of claim 23 wherein said first managed device is a switch.
  - 27. The system for providing security against intrusion of claim 23 wherein said plurality of managed devices includes a token ring switch.
  - 28. The system for providing security against intrusion of claim 23 wherein said plurality of managed devices includes an Ethernet switch.
  - 29. The system for providing security against intrusion of claim 23 wherein said plurality of managed devices includes a bridge.
  - 30. The system for providing security against intrusion of claim 23 wherein said plurality of managed devices includes a router.
  - 31. The system for providing security against intrusion of claim 23 wherein said computer network includes a local area network.
  - 32. The system for providing security against intrusion of claim 23 further comprising means for building and maintaining an authorized address list at said first managed device of addresses that are allowed to connect to each port in said first managed device.
  - 33. The system for providing security against intrusion of claim 32 wherein each entry in said authorized address list includes a port number and an authorized address.
  - 34. The system for providing security against intrusion of claim 23 wherein said means for discovering includes:
    - means for transmitting a discovery request frame by said first managed device, said discovery request frame having a security feature group address;
      
      means for receiving said discovery request frame at each of said plurality of managed devices and means for transmitting a discovery response frame back to said first managed device;
      
      means for building and maintaining an interconnect device list at said first managed device of said plurality of managed devices that transmitted said discovery response frame back to said first managed device.
  - 35. The system for providing security against intrusion of claim 34 wherein each entry in said interconnect device list includes an address of the managed device that sent the discovery response frame and a time stamp extracted from said discovery response frame.
  - 36. The system for providing security against intrusion of claim 33 wherein said means for detecting includes:
    - means for comparing, for each port, a source address of a station attempting to connect to said port with the authorized address list of addresses for said port and means for determining whether said source address is on said authorized address list.
  - 37. The system for providing security against intrusion of claim 34 further including:
    - means for sending a trap frame by said first managed device to a network management station indicating that an intrusion has been detected on said first port; and
      
      means for transmitting a security breach detected frame by said first managed device and having said security feature group address to said plurality of managed devices that have entries in said interconnect device list.
  - 38. The system for providing security against intrusion of claim 37 wherein said security breach detected frame includes a source address of an unauthorized station, the port number of said first managed device at which the intrusion occurred, and a time stamp representing the time at which the unauthorized station was detected.
  - 39. The system for providing security against intrusion of claim 38 wherein each of said plurality of managed devices further comprises:
    - means for transmitting said security breach detected frame on all ports except the port on which said each managed device received said security breach detected frame;
      
      means for sending a trap frame to the network management station indicating that said filter has been set as a result of receiving said security breach detected frame; and
      
      means for transmitting a filter set frame to said first managed device.
  - 40. The system for providing security against intrusion of claim 39 wherein said filter set frame includes the address of said each managed device sending said filter set frame, the source address of said unauthorized station, the port number of said first managed device at which the intrusion occurred, and a time stamp representing the time at which the unauthorized station was detected.
  - 41. The system for providing security against intrusion of claim 23 wherein said first managed device further comprises means for sending a trap frame to a network management station indicating that said filter has been set at each of said plurality of managed devices.
  - 42. The system for providing security against intrusion of claim 24 wherein said security clear condition frame includes said unauthorized address.

43. A method for providing security against intrusion in a computer network having a managed hub and at least one interconnect device, said method comprising the steps of:
- building and maintaining an authorized address list at said managed hub of addresses that are allowed to connect to each port in said managed hub;
  
  discovering by said managed hub each interconnect device that is enabled to provide network security;
  
  detecting an unauthorized address on a first port of said managed hub and disabling said first port;
  
  setting a filter at each interconnect device to prevent frames having the unauthorized address from being forwarded through said computer network; and
  
  reenabling said first port after said filtering step has been completed.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51)
- - 44. The method for providing security against intrusion of claim 43 further comprising the step of removing of said filter that had been set at each interconnect device.
  - 45. The method for providing security against intrusion of claim 43 wherein said at least one interconnect device includes a token ring switch, an Ethernet switch, a bridge or a router.
  - 46. The method for providing security against intrusion of claim 43 wherein said discovering step includes the steps of:
    - transmitting a discovery request frame by said managed hub, said discovery request frame having a security feature group address;
      
      receiving said discovery request frame at each interconnect device and transmitting a discovery response frame back to said managed hub;
      
      building and maintaining an interconnect device list at said managed hub of each interconnect device that transmitted said discovery response frame back to said managed hub.
  - 47. The method for providing security against intrusion of claim 46 wherein said detecting step includes the steps of:
    - comparing, for each port, a source address of a station attempting to connect to said port with an authorized address list of addresses for said port and determining whether said source address is on said authorized address list.
  - 48. The method for providing security against intrusion of claim 46 wherein following said disabling step said method further includes:
    - sending a trap frame by said managed hub to a network management station indicating that an intrusion has been detected on said first port; and
      
      transmitting a security breach detected frame by said managed hub and having said security feature group address to each interconnect device that has an entry in said interconnect device list.
  - 49. The method for providing security against intrusion of claim 48 wherein following the receiving of said security breach detected frame and setting of filters, each interconnect device performs the additional steps of:
    - transmitting said security breach detected frame on all ports except the port on which said each interconnect device received said security breach detected frame;
      
      sending a trap frame to the network management station indicating that said filter has been set as a result of receiving said security breach detected frame; and
      
      transmitting a filter set frame to said managed hub.
  - 50. The method for providing security against intrusion of claim 43 wherein following said reenabling step said managed hub sends a trap frame to a network management station indicating that said filtering step has been completed.
  - 51. The method for providing security against intrusion of claim 44 wherein said removing step includes transmitting a security clear condition frame to each interconnect device.

52. A system for providing security against intrusion in a computer network having a managed hub and at least one interconnect device, said system comprising:
- means for building and maintaining an authorized address list at said managed hub of addresses that are allowed to connect to each port in said managed hub;
  
  means for discovering by said managed hub each interconnect device that is enabled to provide network security;
  
  means for detecting an unauthorized address on a first port of said managed hub and means for disabling said first port;
  
  means for setting a filter at each interconnect device to prevent frames having the unauthorized address from being forwarded through said computer network; and
  
  means for reenabling said first port of said managed hub after said filtering step has been completed.
- View Dependent Claims (53, 54, 55, 56, 57, 58, 59)
- - 53. The system for providing security against intrusion of claim 52 further comprising means at a network management station for generating a security clear condition frame to initiate the removing of said filter that had been set at each interconnect device.
  - 54. The system for providing security against intrusion of claim 52 wherein said at least one interconnect device includes a token ring switch, an Ethernet switch, a bridge or a router.
  - 55. The system for providing security against intrusion of claim 52 wherein said means for discovering includes:
    - means for transmitting a discovery request frame by said managed hub, said discovery request frame having a security feature group address;
      
      means for receiving said discovery request frame at each interconnect device and means for transmitting a discovery response frame back to said managed hub;
      
      means for building and maintaining an interconnect device list at said managed hub of each interconnect device that transmitted said discovery response frame back to said managed hub.
  - 56. The system for providing security against intrusion of claim 55 wherein said means for detecting includes:
    - means for comparing, for each port, a source address of a station attempting to connect to said port with an authorized address list of addresses for said port and means for determining whether said source address is on said authorized address list.
  - 57. The system for providing security against intrusion of claim 55 further including:
    - means for sending a trap frame by said managed hub to a network management station indicating that an intrusion has been detected on said first port; and
      
      means for transmitting a security breach detected frame by said managed hub and having said security feature group address to each interconnect device that has an entry in said interconnect device list.
  - 58. The system for providing security against intrusion of claim 57 wherein each interconnect device further comprises:
    - means for transmitting said security breach detected frame on all ports except the port on which said each interconnect device received said security breach detected frame;
      
      means for sending a trap frame to the network management station indicating that said filter has been set as a result of receiving said security breach detected frame; and
      
      means for transmitting a filter set frame to said managed hub.
  - 59. The system for providing security against intrusion of claim 52 wherein said managed hub further comprises means for sending a trap frame to a network management station indicating that said filter has been set at each interconnect device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Holloway, Malcolm H., Prorock, Thomas Joseph
Primary Examiner(s)
Decady, Albert

Application Number

US08/780,804
Time in Patent Office

607 Days
Field of Search

395/186, 395/187.01, 395/182.02, 395/200.55, 380/3, 380/25, 370/434, 370/488
US Class Current

726/22
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/0218   Distributed architectures, ...

H04L 9/40   Network security protocols

System and method for detecting and preventing security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

59 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting and preventing security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

59 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links