Security apparatus and method for local area networks

US 7,124,197 B2
Filed: 10/22/2002
Issued: 10/17/2006
Est. Priority Date: 09/11/2002
Status: Active Grant

First Claim

Patent Images

1. A method for blocking access to one or more protected devices each having a physical device address and being connected to a computer network by a client device having a physical device address and being connected to the computer network, comprising the steps of:

(a) receiving address resolution requests broadcast on the network by the client device seeking access to one of the protected devices;

(b) processing the address resolution requests to determine whether the client device is an unknown device;

(c) if the client device is unknown as determined in step (b), adding a record identifying the client device in a restricted client list;

(d) while the client device record is present in the restricted client list, transmitting address resolution replies on the computer network to block access to the protected devices and allow access to an authentication server, and monitoring the authentication server to determine if the client device is authorized or unauthorized by the authentication server;

(e) if the client device is authorized as determined in step (d), removing the client device record from the restricted client list and adding the client device record to an allowed client list;

(f) while the client device record is present in the allowed client list, allowing access to the protected devices;

(g) if the client device is unauthorized as determined in step (d), removing the client device record from the restricted client list and adding the client device record to a blocked client list; and

(h) while the client device record is present in the blocked client list, transmitting blocking address resolution replies on the computer network to block access to the protected devices.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention includes a method and apparatus for controlling data link layer access to protected servers on a computer network by a client device. Address resolution requests broadcast on the network by the client device seeking access to any network device are received and then processed to determine whether the client device is unknown. If the client device is unknown, restriction address resolution replies are transmitted to the protected devices to restrict access by the client device to the protected devices and allow access to an authentication server. The authentication server is monitored to determine if the client device is authorized or unauthorized by the authentication server. If the client device is authorized, access is allowed to the protected devices. If the client device is unauthorized, blocking address resolution replies are transmitted on the computer network to block access by the client device to all other network devices.

84 Citations

View as Search Results

36 Claims

1. A method for blocking access to one or more protected devices each having a physical device address and being connected to a computer network by a client device having a physical device address and being connected to the computer network, comprising the steps of:
- (a) receiving address resolution requests broadcast on the network by the client device seeking access to one of the protected devices;
  
  (b) processing the address resolution requests to determine whether the client device is an unknown device;
  
  (c) if the client device is unknown as determined in step (b), adding a record identifying the client device in a restricted client list;
  
  (d) while the client device record is present in the restricted client list, transmitting address resolution replies on the computer network to block access to the protected devices and allow access to an authentication server, and monitoring the authentication server to determine if the client device is authorized or unauthorized by the authentication server;
  
  (e) if the client device is authorized as determined in step (d), removing the client device record from the restricted client list and adding the client device record to an allowed client list;
  
  (f) while the client device record is present in the allowed client list, allowing access to the protected devices;
  
  (g) if the client device is unauthorized as determined in step (d), removing the client device record from the restricted client list and adding the client device record to a blocked client list; and
  
  (h) while the client device record is present in the blocked client list, transmitting blocking address resolution replies on the computer network to block access to the protected devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method recited in claim 1, further comprising the steps of:
    - (i) determining when the client device is no longer connected to the computer network; and
      
      (j) when the client device is no longer connected to the computer network, removing the client device record from the allowed client list if the client device record is in the allowed client list and removing the client device record from the blocked client list if the client device record is in the blocked client list.
  - 3. The method recited in claim 1, wherein the address resolution replies transmitted in step (d) contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to the physical device address of one of the protected devices.
  - 4. The method recited in claim 3, wherein the is-at physical device address is pre-determined to not be connected to the computer network.
  - 5. The method recited in claim 1, wherein the blocking address resolution replies contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to a broadcast address.
  - 6. The method recited in claim 5, wherein the is-at physical device address is pre-determined to not be connected to the computer network.
  - 7. The method recited in claim 1, further comprising the steps of:
    - (i) if the blocking address replies are transmitting in accordance with step (h), transmitting an address resolution request on the computer network destined for the client device;
      
      (j) if a responsive address resolution reply is received in response to the address resolution request transmitted in step (i), determining whether the responsive address resolution reply contains a source physical device address corresponding to the physical device address of the client device;
      
      (k) if the source physical device address of the responsive address resolution reply and the physical device address of the client device are the same as determined in step (j), repeating step (i);
      
      (l) if the source physical device address of the responsive address resolution reply and the physical device address of the client device are different as determined in step (j), ceasing the transmission of the blocking address resolution replies.
  - 8. The method recited in claim 1, further comprising the steps of:
    - (i) if access is allowed in accordance with step (f), transmitting an address resolution request on the computer network destined for the client device;
      
      (j) if a responsive address resolution reply is received in response to the address resolution request transmitted in step (i), determining whether the responsive address resolution reply contains a source physical device address corresponding to the physical device address of the client device;
      
      (k) if the source physical device address of the responsive address resolution reply and the physical device address of the client device are the same as determined in step (j), repeating step (i);
      
      (l) if the source physical device address of the responsive address resolution reply and the physical device address of the client device are different as determined in step (j), ceasing allowing the client device access to the protected devices.
  - 9. The method recited in claim 1, further comprising the step of:
    - transmitting correction address resolution requests on the computer network to update the client device with the physical device address of the protected devices.
  - 10. The method recited in claim 9, wherein the correction address resolution replies contain an is-at physical device address corresponding to the physical device address of one of the one or more protected devices and a destination physical device address corresponding to a broadcast address.
  - 11. The method recited in claim 1, wherein no dedicated software is required on the client device.
  - 12. The method recited in claim 1, wherein the blocking address resolution replies are configure to disable the client device.

13. An apparatus for blocking access to one or more protected devices each having a physical device address and being connected to a computer network by a client device having a physical device address and being connected to the computer network, the apparatus comprising:
- receiving means for receiving address resolution requests broadcast on the network by the client device seeking access to one of the protected devices;
  
  processing means for processing the address resolution requests to determine whether the client device is an unknown device;
  
  first list control means for adding a record identifying the client device in a restricted client list if the client device is unknown as determined by the processing means;
  
  restriction transmitting means for transmitting address resolution replies on the network to block access to the protected devices and allow access to an authentication server while the client device record is present in the restricted client list;
  
  monitoring means for monitoring the authentication server to determine if the client device is authorized or unauthorized by the authentication server;
  
  second list control means for removing the client device record from the restricted client list and adding the client device record to an allowed client list if the client device is authorized as determined by the monitoring means;
  
  allowing means for allowing access to the protected devices while the client device record is present in the allowed client list;
  
  third list control means means for removing the client device record from the restricted client list and adding the client device record to a blocked client list if the client device is unauthorized as determined by the monitoring means; and
  
  blocking means for transmitting blocking address resolution replies on the computer network to block access to the protected devices while the client device record is present in the blocked client list.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The apparatus recited in claim 13 further comprising:
    - connection determining means for determining when the client device is no longer connected to the computer network; and
      
      fourth list control means for removing the client device record from the allowed client list if the client device record is in the allowed client list when the client device is no longer connected to the computer network; and
      
      fifth list control means for removing the client device record from the blocked client list if the client device record is in the blocked client list when the client device is no longer connected to the computer network.
  - 15. The apparatus recited in claim 13, wherein the address resolution replies transmitted while the client device record is present in the restricted client list contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to the physical device address of one of the protected devices.
  - 16. The apparatus recited in claim 15, wherein the is-at physical device address is pre-determined to not be connected to the computer network.
  - 17. The apparatus recited in claim 13, wherein the blocking address resolution replies contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to a broadcast address.
  - 18. The apparatus recited in claim 17, wherein the is-at physical device address is pre-determined to not be connected to the computer network.
  - 19. The apparatus recited in claim 13 further comprising:
    - resolution transmitting means for transmitting an address resolution request on the computer network destined for the client device if the blocking address replies are transmitting by the blocking means;
      
      resolution means for determining whether a responsive address resolution reply contains a source physical device address corresponding to the physical device address of the client device if the responsive address resolution reply is received in response to the address resolution request transmitted by the resolution transmitting means;
      
      repeating means for repeating the resolution transmitting means if the source physical device address of the responsive address resolution reply and the physical device address of the client device are the same as determined by the resolution means;
      
      cease-blocking means for ceasing the transmission of the blocking address resolution replies if the source physical device address of the responsive address resolution reply and the physical device address of the client device are different as determined by the resolution means.
  - 20. The apparatus recited in claim 13, further comprising:
    - resolution transmitting means for transmitting an address resolution request on the computer network destined for the client device if access is allowed by the allowing means;
      
      resolution means for determining whether a responsive address resolution reply contains a source physical device address corresponding to the physical device address of the client device if the responsive address resolution reply is received in response to the address resolution request transmitted by the resolution transmitting means;
      
      repeating means for repeating the resolution transmitting means if the source physical device address of the responsive address resolution reply and the physical device address of the client device are the same as determined by the resolution means;
      
      cease-allowing means for ceasing allowing the client device access to the protected devices if the source physical device address of the responsive address resolution reply and the physical device address of the client device are different as determined by the resolution means.
  - 21. The apparatus recited in claim 13, further comprising:
    - correction-transmitting means for transmitting correction address resolution requests on the computer network to update the client device with the physical device address of the protected devices.
  - 22. The apparatus recited in claim 21, wherein the correction address resolution replies contain an is-at physical device address corresponding to the physical device address of one of the one or more protected devices and a destination physical device address corresponding to a broadcast address.
  - 23. The apparatus recited in claim 13, wherein no dedicated software is required on the client device.
  - 24. The apparatus recited in claim 13, wherein the blocking address resolution replies are configured to disable the client device.

25. An apparatus for blocking access to one or more protected devices each having a physical device address and being connected to a computer network by a client device having a physical device address and being connected to the computer network, the apparatus comprising:
- a processor;
  
  a network interface configured to receive address resolution requests broadcast on the network by the client device seeking access to one of the protected devices;
  
  a detection module configured to process the address resolution requests to determine whether the client device is an unknown device;
  
  a list control module configured to add a record identifying the client device in a restricted client list if the client device is unknown;
  
  an access restriction module configured to transmit address resolution replies on the network to block access to the protected devices and allow access to an authentication server while the client device record is present in the restricted client list;
  
  an authentication monitoring module configured to monitor the authentication server to determine if the client device is authorized or unauthorized by the authentication server, whereinthe list control module is further configured to remove the client device record from the restricted client list and to add the client device record to an allowed client list if the client device is authorized by the authentication server,the access restriction module is further configured to allow access to the protected devices while the client device record is present in the allowed client list,the list control module is further configured to remove the client device record from the restricted client list and add the client device record to a blocked client list if the client device is unauthorized by the authentication server; and
  
  an access blocking module configured to transmit blocking address resolution replies on the computer network to block access to the protected devices while the client device record is present in the blocked client list.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The apparatus recited in claim 25 further comprising:
    - an access monitoring module configured to determine when the client device is no longer connected to the computer network, whereinthe list control module is further configured to remove the client device record from the allowed client list if the client device record is in the allowed client list when the client device is no longer connected to the computer network, andthe list control module is further configured to remove the client device record from the blocked client list if the client device record is in the blocked client list when the client device is no longer connected to the computer network.
  - 27. The apparatus recited in claim 25, wherein the address resolution replies transmitted while the client device record is present in the restricted client list contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to the physical device address of one of the protected devices.
  - 28. The apparatus recited in claim 27, wherein the is-at physical device address is pre-determined to not be connected to the computer network.
  - 29. The apparatus recited in claim 25, wherein the blocking address resolution replies contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to a broadcast address.
  - 30. The apparatus recited in claim 29, wherein the is-at physical device address is pre-determined to not be connected to the computer network.
  - 31. The apparatus recited in claim 25 further comprising:
    - a resolution module configured to transmit an address resolution request on the computer network destined for the client device if the blocking address replies are transmitting by the access blocking module, whereinthe resolution module is further configured to determine whether a responsive address resolution reply contains a source physical device address corresponding to the physical device address of the client device if the responsive address resolution reply is received in response to the address resolution request,the resolution module is further configured to cause the transmitting of the address resolution request to be repeated if the source physical device address of the responsive address resolution reply and the physical device address of the client device are the same, andthe resolution module is further configured to cause the transmission of the blocking address resolution replies to cease if the source physical device address of the responsive address resolution reply and the physical device address of the client device are different.
  - 32. The apparatus recited in claim 25, further comprising:
    - a resolution module configured to transmit an address resolution request on the computer network destined for the client device if access is allowed by the allowing module, whereinthe resolution module is further configured to determine whether a responsive address resolution reply contains a source physical device address corresponding to the physical device address of the client device if the responsive address resolution reply is received in response to the address resolution request transmitted by the blocking module,the resolution module is further configured to cause the transmitting of the address resolution to be repeated if the source physical device address of the responsive address resolution reply and the physical device address of the client device are the same, andthe resolution module is further configured to cause allowing the client device access to the protected devices to cease if the source physical device address of the responsive address resolution reply and the physical device address of the client device are different.
  - 33. The apparatus recited in claim 25, further comprising:
    - a correction module configured to transmit correction address resolution requests on the computer network to update the client device with the physical device address of the protected devices.
  - 34. The apparatus recited in claim 33, wherein the correction address resolution replies contain an is-at physical device address corresponding to the physical device address of one of the one or more protected devices and a destination physical device address corresponding to a broadcast address.
  - 35. The apparatus recited in claim 25, wherein no dedicated software is required on the client device.
  - 36. The apparatus recited in claim 25, wherein the blocking address resolution replies are configured to disable the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sysxnet Ltd.
Original Assignee
Mirage Networks Inc. (Singapore Telecommunications Limited)
Inventors
Dziadziola, David A., Ocepek, Steven R., Lauer, Brian A.
Primary Examiner(s)
Follansbee, John
Assistant Examiner(s)
Joo, Joshua

Application Number

US10/277,765
Publication Number

US 20040049586A1
Time in Patent Office

1,456 Days
Field of Search

726/2, 709/225
US Class Current

709/232
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/10   of different types

H04L 63/08   for authentication of entit...

Security apparatus and method for local area networks

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Security apparatus and method for local area networks

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links