Secure virtual LANs
Abstract
The present invention discloses a method for securely adding a new end station to a local area network (LAN) segmented into a number of virtual local area networks (VLANs). The invention is applicable to various types of LANs such as Ethernet and token ring. The LAN comprises an authentication server (AS) which interacts with each new end station before connection to a VLAN is allowed. The method involves the AS administering a test to the new end station, which may involve prompting the new end station for a password or asking it to encrypt a given number using a secret algorithm known only to the new end station and to the AS. The AS examines the results of this test and determines whether the new end station is permitted to join the VLAN. For added security, the new end station can verify authenticity of the AS by administering a test of its own, which may consist of prompting the AS for a password of its own or asking it to encrypt a new number, the new end station subsequently determining whether the AS is indeed genuine before beginning to transmit any further information. In this way, an end station cannot join a VLAN without authentication by the AS and a legitimate end station can verify whether the test it is asked to pass comes from a legitimate source, thereby avoiding network security breaches.
42 Claims
1. A local area network, comprising a plurality of end stations and an authentication server, the LAN being segmented into a plurality of virtual local area networks (VLANs), each VLAN comprising at least one member end station, wherein the authentication server keeps track of which end stations are members of which VLAN, keeps track of which end stations are authorized to join which VLAN and administers an authentication test to new end stations joining a VLAN.
5. A local area network, comprising:
a plurality of end stations; a plurality of LAN emulation servers (LESs); a LAN emulation configuration server (LECS); and an authentication server (AS); the LAN being segmented into a plurality of virtual local area networks (VLANs), each VLAN comprising a respective LES and at least one member end station, each LES keeping track of which end stations are members in the respective VLAN, the LECS keeping track of which end stations are members of which VLAN; wherein the authentication server keeps track of which end stations are authorized to join which VLAN and administers an authentication test to new end stations joining a VLAN. Dependent claims: 6, 7, 8, 9, 10.
11. A method for securely adding a new station to a local area network (LAN), the LAN comprising a plurality of end stations and an authentication server (AS), the LAN being segmented into a plurality of virtual local area networks (VLANs), each VLAN comprising at least one member end station, wherein the authentication server keeps track of which end stations are members of which VLAN, keeps track of which end stations are permitted to join which VLAN and performs authentication of end stations joining a VLAN, the method comprising:
the new end station sending to the AS a message identifying both the new end station and a desired VLAN; the new end station taking an authentication test administered by the AS; and upon successful authentication of the new end station, the AS sending to the new end station a message indicating that the new end station has been permitted to join the desired VLAN. Dependent claims: 12, 13, 14, 15, 16, 17.
18. A method for securely adding a new end station to a local area network (LAN), the LAN comprising a plurality of end stations, a plurality of LAN emulation servers (LESs), a LAN emulation configuration server (LECS) and an authentication server (AS), each switch communicating with at least one end station, the new end station being connected to a switch, the LAN being segmented into a plurality of virtual local area networks (VLANs), each VLAN comprising a respective LES and at least one member end station, each LES keeping track of which end stations are currently members in the respective VLAN, the LECS keeping track of which end stations are permitted to be members of which VLAN, wherein the authentication server performs authentication of end stations joining a VLAN, the method comprising:
the new end station sending to its switch a message identifying both the new end station and a desired VLAN; the switch sending to the LECS a message requesting identity of the LES corresponding to the desired VLAN; the LECS sending to the AS a message requesting authentication of the new end station; the AS generating a first encrypted number using a plain number and an algorithm known to the AS and to the new end station; the AS sending to the LECS a message comprising the plain number and the first encrypted number; the LECS sending to the switch a message comprising the plain number; the switch sending to the new end station a message comprising the plain number; the new end station generating a second encrypted number using the plain number and the algorithm; the new end station sending to the switch a message comprising the plain number and the second encrypted number; the switch sending to the LECS a message comprising the plain number and the second encrypted number; the LECS comparing the first encrypted number to the second encrypted number; the LECS sending to the LES corresponding to the desired VLAN a message indicating that the new end station intends to join the desired VLAN; the LECS sending to the switch a message comprising identity of the LES corresponding to the desired VLAN; the switch sending to the LES corresponding to the desired VLAN a message requesting that the new end station join the desired VLAN; and the LES corresponding to the desired VLAN sending to the switch a message indicating that the new end station has been allowed to join the desired VLAN. Dependent claims: 19, 20, 21, 22, 23.
24. A method for securely adding an end station to a local area network (LAN), the LAN comprising a plurality of end stations and an authentication server (AS), the LAN being segmented into a plurality of virtual local area networks (VLANs), each VLAN comprising at least one member end station, wherein the authentication server keeps track of which end stations are members of which VLAN, keeps track of which end stations are permitted to join which VLAN and performs authentication of end stations joining a VLAN, the method comprising:
the new end station sending to the AS a message identifying both the new end station and a desired VLAN; the AS and the new end station taking an authentication test; upon successful authentication of the new end station, the AS sending to the new end station a message indicating that the new end station has been permitted to join the desired VLAN; and upon successful authentication of the AS, the new end station joining the desired VLAN. Dependent claims: 25, 26, 27, 28, 29, 30, 31.
32. A method for securely adding a new end station to a local area network (LAN), the LAN comprising a plurality of end stations, a plurality of LAN emulation servers (LESs), a LAN emulation configuration server (LECS) and an authentication server (AS), each switch communicating with at least one end station, the new end station being connected to a switch, the LAN being segmented into a plurality of virtual local area networks (VLANs), each VLAN comprising a respective LES and at least one member end station, each LES keeping track of which end stations are currently members in the respective VLAN, the LECS keeping track of which end stations are permitted to be members of which VLAN, wherein the authentication server performs authentication of end stations joining a VLAN, the method comprising:
the new end station sending to its switch a message identifying both the new end station and a desired VLAN; the switch sending to the LECS a message requesting identity of the LES corresponding to the desired VLAN; the LECS sending to the AS a message requesting authentication of the new end station; the AS generating a first encrypted number using a first plain number and an algorithm known to the AS and to the new end station; the AS sending to the LECS a message comprising the first plain number and the first encrypted number; the LECS sending to the switch a message comprising the first plain number; the switch sending to the new end station a message comprising the first plain number; the new end station generating a second encrypted number using the first plain number and the algorithm; the new end station generating a third encrypted number using a second plain number and the algorithm; the new end station sending to the switch a message comprising the first plain number, the second encrypted number and the second plain number; the switch sending to the LECS a message comprising the first plain number, the second encrypted number and the second plain number; the LECS comparing the first encrypted number to the second encrypted number; the LECS sending to the AS a message comprising the second plain number; the AS generating a fourth encrypted number from the second plain number and the algorithm; the AS sending to the LECS a message comprising the second plain number and the fourth encrypted number; the LECS sending to the LES corresponding to the desired VLAN a message comprising the second plain number and the fourth encrypted number, and indicating that the new end station intends to join the desired VLAN; the LECS sending to the switch a message comprising identity of the LES corresponding to the desired VLAN; the switch sending to the LES corresponding to the desired VLAN a message requesting that the new end station join the desired VLAN; the LES corresponding to the desired VLAN sending to the switch a message indicating that the new end station has been allowed to join the desired VLAN; the LES corresponding to the desired VLAN sending to the switch a message comprising the second plain number and the fourth encrypted number; the switch sending to the new end station a message comprising the second plain number and the fourth encrypted number; and the new end station comparing the third encrypted number to the fourth encrypted number. Dependent claims: 33, 34, 35, 36, 37.
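The following is an added illustration, not part of the patent and not code from its assignee: a small simulation of the message flow in claims 18 and 32, in which the LECS compares the AS's first encrypted number with the station's second encrypted number, and (claim 32) the station compares its own third encrypted number with the AS's fourth. The patent names no algorithm; this example assumes the shared "algorithm known to the AS and to the new end station" is HMAC-SHA256 under a per-station key, and all station ids, VLAN ids, keys and class names are constructed for the example. The switch appears only as the relay in `switch_join`. A `RogueLECS` case shows why the second half of the exchange matters: a forged LECS/AS can admit a station, but the station's own comparison exposes that the admitting server never knew its key.

```python
import hashlib
import hmac
import secrets

# Assumption (the patent names no algorithm): the "algorithm known to the AS and
# to the new end station" is modelled as HMAC-SHA256 under a per-station key.
def encrypt_number(key, plain_number):
    return hmac.new(key, plain_number, hashlib.sha256).digest()

class AuthenticationServer:
    """AS: holds each station's key and which VLANs it is permitted to join."""
    def __init__(self, station_keys, authorized):
        self.station_keys = station_keys  # station id -> key
        self.authorized = authorized      # station id -> set of VLAN ids

    def challenge(self, station_id, vlan):
        # Plain number plus first encrypted number; None if not permitted.
        if vlan not in self.authorized.get(station_id, ()):
            return None
        plain = secrets.token_bytes(16)
        return plain, encrypt_number(self.station_keys[station_id], plain)

    def answer(self, station_id, second_plain):
        # Fourth encrypted number: the AS proving it knows the station's key.
        return encrypt_number(self.station_keys[station_id], second_plain)

class LES:
    """One LES per VLAN: tracks members and the AS's proof awaiting each joiner."""
    def __init__(self):
        self.members, self.pending = set(), {}

    def join(self, station_id):
        proof = self.pending.pop(station_id, None)
        if proof is not None:
            self.members.add(station_id)
        return proof

class LECS:
    """LECS: maps VLANs to LESs and compares the first and second encrypted numbers."""
    def __init__(self, auth_server, les_by_vlan):
        self.auth_server, self.les_by_vlan = auth_server, les_by_vlan
        self.outstanding = {}  # (station id, vlan) -> first encrypted number

    def begin(self, station_id, vlan):
        result = self.auth_server.challenge(station_id, vlan)
        if result is None:
            return None
        plain, self.outstanding[(station_id, vlan)] = result
        return plain

    def finish(self, station_id, vlan, second_enc, second_plain):
        first_enc = self.outstanding.pop((station_id, vlan), None)
        # Constant-time comparison, so timing leaks nothing about the expected value.
        if first_enc is None or not hmac.compare_digest(first_enc, second_enc):
            return None
        les = self.les_by_vlan[vlan]
        les.pending[station_id] = (second_plain, self.auth_server.answer(station_id, second_plain))
        return les

class RogueLECS(LECS):
    """A forged LECS/AS pair that admits anyone without knowing the station's key."""
    def finish(self, station_id, vlan, second_enc, second_plain):
        les = self.les_by_vlan[vlan]
        les.pending[station_id] = (second_plain, encrypt_number(b"rogue-guess", second_plain))
        return les

class EndStation:
    def __init__(self, station_id, key):
        self.station_id, self.key, self.third_enc = station_id, key, None

    def respond(self, plain):
        # Second encrypted number, plus a fresh second plain number for the AS to answer.
        second_plain = secrets.token_bytes(16)
        self.third_enc = encrypt_number(self.key, second_plain)
        return encrypt_number(self.key, plain), second_plain

    def verify_as(self, proof):
        return hmac.compare_digest(self.third_enc, proof[1])

def switch_join(station, vlan, lecs):
    """The switch's part: relay messages. Returns (admitted to VLAN, AS verified)."""
    plain = lecs.begin(station.station_id, vlan)
    if plain is None:
        return False, False
    les = lecs.finish(station.station_id, vlan, *station.respond(plain))
    if les is None:
        return False, False
    return True, station.verify_as(les.join(station.station_id))

def demo():
    # Constructed sample deployment: two VLANs, a genuine station and one with a wrong key.
    keys = {"st-1": b"key-for-station-1", "st-2": b"key-for-station-2"}
    auth = AuthenticationServer(keys, {"st-1": {"vlan-10"}, "st-2": {"vlan-10"}})
    lecs = LECS(auth, {"vlan-10": LES(), "vlan-20": LES()})
    rogue_auth = AuthenticationServer({"st-1": b"wrong"}, {"st-1": {"vlan-10"}})
    rogue = RogueLECS(rogue_auth, {"vlan-10": LES()})
    good, bad = EndStation("st-1", keys["st-1"]), EndStation("st-2", b"guessed")
    return {
        "genuine": switch_join(good, "vlan-10", lecs),           # (True, True)
        "wrong_key": switch_join(bad, "vlan-10", lecs),          # (False, False)
        "not_permitted": switch_join(good, "vlan-20", lecs),     # (False, False)
        "rogue_as": switch_join(good, "vlan-10", rogue),         # (True, False)
        "members": sorted(lecs.les_by_vlan["vlan-10"].members),  # ["st-1"]
    }
```

Two design points worth noting. Both comparisons use `hmac.compare_digest` rather than `==`, since the compared values are authentication tags. And the station only treats itself as joined when `verify_as` succeeds; in the claim 18 flow, which ends at the LES's "allowed to join" message, the station has no such check, which is exactly the gap the abstract's mutual test is meant to close.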
38. An authentication server (AS) for use in a local area network (LAN) segmented into a plurality of virtual local area networks (VLANs), each VLAN comprising at least one member end station, comprising:
means for keeping track of which end stations are members of which VLAN; means for keeping track of which end stations are permitted to join which VLAN; and in response to a new end station sending to the AS a message identifying both the new end station and a desired VLAN, means for performing authentication of the new end station by administering a test to the new end station and, upon successful authentication of the new end station, sending to the new end station a message indicating that the new end station has been permitted to join the desired VLAN. Dependent claims: 39.
40. An authentication server (AS) for use in a local area network (LAN) segmented into a plurality of virtual local area networks (VLANs), each VLAN comprising at least one member end station, comprising:
means for keeping track of which end stations are members of which VLAN; means for keeping track of which end stations are permitted to join which VLAN; and in response to a new end station sending to the AS a message identifying both the new end station and a desired VLAN, means for taking an authentication test together with the new end station and, upon successful authentication of the new end station, the AS sending to the new end station a message indicating that the new end station has been permitted to join the desired VLAN. Dependent claims: 41, 42.