Security apparatus and method for local area networks
First Claim
1. A method for blocking access to one or more protected devices each having a physical device address and being connected to a computer network by a client device having a physical device address and being connected to the computer network, comprising the steps of:
- (a) receiving address resolution requests broadcast on the network by the client device seeking access to one of the protected devices;
- (b) processing the address resolution requests to determine whether the client device is an unknown device;
- (c) if the client device is unknown as determined in step (b), adding a record identifying the client device in a restricted client list;
- (d) while the client device record is present in the restricted client list, transmitting address resolution replies on the computer network to block access to the protected devices and allow access to an authentication server, and monitoring the authentication server to determine if the client device is authorized or unauthorized by the authentication server;
- (e) if the client device is authorized as determined in step (d), removing the client device record from the restricted client list and adding the client device record to an allowed client list;
- (f) while the client device record is present in the allowed client list, allowing access to the protected devices;
- (g) if the client device is unauthorized as determined in step (d), removing the client device record from the restricted client list and adding the client device record to a blocked client list; and
- (h) while the client device record is present in the blocked client list, transmitting blocking address resolution replies on the computer network to block access to the protected devices.
11 Assignments
0 Petitions
Abstract
The present invention includes a method and apparatus for controlling data link layer access to protected servers on a computer network by a client device. Address resolution requests broadcast on the network by the client device seeking access to any network device are received and then processed to determine whether the client device is unknown. If the client device is unknown, restriction address resolution replies are transmitted to the protected devices to restrict access by the client device to the protected devices and allow access to an authentication server. The authentication server is monitored to determine if the client device is authorized or unauthorized by the authentication server. If the client device is authorized, access is allowed to the protected devices. If the client device is unauthorized, blocking address resolution replies are transmitted on the computer network to block access by the client device to all other network devices.
84 Citations
36 Claims
1. Independent method claim; its full text is given above under First Claim. Dependent claims: 2 through 12.
13. An apparatus for blocking access to one or more protected devices each having a physical device address and being connected to a computer network by a client device having a physical device address and being connected to the computer network, the apparatus comprising:
- receiving means for receiving address resolution requests broadcast on the network by the client device seeking access to one of the protected devices;
- processing means for processing the address resolution requests to determine whether the client device is an unknown device;
- first list control means for adding a record identifying the client device in a restricted client list if the client device is unknown as determined by the processing means;
- restriction transmitting means for transmitting address resolution replies on the network to block access to the protected devices and allow access to an authentication server while the client device record is present in the restricted client list;
- monitoring means for monitoring the authentication server to determine if the client device is authorized or unauthorized by the authentication server;
- second list control means for removing the client device record from the restricted client list and adding the client device record to an allowed client list if the client device is authorized as determined by the monitoring means;
- allowing means for allowing access to the protected devices while the client device record is present in the allowed client list;
- third list control means for removing the client device record from the restricted client list and adding the client device record to a blocked client list if the client device is unauthorized as determined by the monitoring means; and
- blocking means for transmitting blocking address resolution replies on the computer network to block access to the protected devices while the client device record is present in the blocked client list.
Dependent claims: 14 through 24.
25. An apparatus for blocking access to one or more protected devices each having a physical device address and being connected to a computer network by a client device having a physical device address and being connected to the computer network, the apparatus comprising:
- a processor;
- a network interface configured to receive address resolution requests broadcast on the network by the client device seeking access to one of the protected devices;
- a detection module configured to process the address resolution requests to determine whether the client device is an unknown device;
- a list control module configured to add a record identifying the client device in a restricted client list if the client device is unknown;
- an access restriction module configured to transmit address resolution replies on the network to block access to the protected devices and allow access to an authentication server while the client device record is present in the restricted client list;
- an authentication monitoring module configured to monitor the authentication server to determine if the client device is authorized or unauthorized by the authentication server,
- wherein the list control module is further configured to remove the client device record from the restricted client list and to add the client device record to an allowed client list if the client device is authorized by the authentication server, the access restriction module is further configured to allow access to the protected devices while the client device record is present in the allowed client list, and the list control module is further configured to remove the client device record from the restricted client list and add the client device record to a blocked client list if the client device is unauthorized by the authentication server; and
- an access blocking module configured to transmit blocking address resolution replies on the computer network to block access to the protected devices while the client device record is present in the blocked client list.
Dependent claims: 26 through 36.
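The three independent claims describe one state machine: a client seen in an address resolution request is unknown, restricted, allowed, or blocked, and the reply the gatekeeper generates (if any) depends on which list the client's physical address sits in. The following is an added model of that state machine for illustration; it is not the patent's implementation and is not code from the assignee. It only records the decision the gatekeeper would take for each request and sends no packets. The MAC and IP addresses, the protected-device table and the authentication verdicts are constructed sample values, and the `sinkhole_mac` used in blocking replies is an assumption about how "blocking address resolution replies" would be filled in.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    """Which of the three client lists a known client currently sits in."""
    RESTRICTED = "restricted"  # steps (c)/(d): only the authentication server is reachable
    ALLOWED = "allowed"        # steps (e)/(f): protected devices are reachable
    BLOCKED = "blocked"        # steps (g)/(h): protected devices are blocked


@dataclass(frozen=True)
class ArpRequest:
    sender_mac: str  # physical address of the client making the request
    target_ip: str   # address the client is trying to resolve


@dataclass(frozen=True)
class Decision:
    """What the gatekeeper does for one request (a model: no packets are sent)."""
    state: State
    reply_for_ip: str | None  # IP whose resolution the gatekeeper answers, if any
    reply_mac: str | None     # MAC carried in that reply: the real one or a sinkhole


@dataclass
class ArpGatekeeper:
    protected: dict[str, str]  # protected device IP -> its real physical address
    auth_server_ip: str
    auth_server_mac: str
    sinkhole_mac: str          # assumed unused address placed in blocking replies
    restricted: set[str] = field(default_factory=set)
    allowed: set[str] = field(default_factory=set)
    blocked: set[str] = field(default_factory=set)

    def state_of(self, mac: str) -> State | None:
        """Step (b): look the client up in the three lists; None means unknown."""
        if mac in self.restricted:
            return State.RESTRICTED
        if mac in self.allowed:
            return State.ALLOWED
        if mac in self.blocked:
            return State.BLOCKED
        return None

    def on_arp_request(self, req: ArpRequest) -> Decision:
        """Steps (a)-(d), (f), (h): classify the sender and decide whether to answer."""
        state = self.state_of(req.sender_mac)
        if state is None:
            # Step (c): an unknown client goes onto the restricted list
            self.restricted.add(req.sender_mac)
            state = State.RESTRICTED
        if state is State.ALLOWED:
            # Step (f): the real device answers; the gatekeeper stays silent
            return Decision(state, None, None)
        if state is State.RESTRICTED and req.target_ip == self.auth_server_ip:
            # Step (d): a restricted client may still reach the authentication server
            return Decision(state, req.target_ip, self.auth_server_mac)
        if req.target_ip in self.protected:
            # Steps (d)/(h): answer with the sinkhole address so the client's
            # ARP cache never learns the protected device's real address
            return Decision(state, req.target_ip, self.sinkhole_mac)
        # Anything else is outside the protected set; no reply is generated
        return Decision(state, None, None)

    def on_auth_result(self, mac: str, authorized: bool) -> State | None:
        """Steps (e)/(g): move a restricted client to the allowed or blocked list."""
        if mac not in self.restricted:
            return self.state_of(mac)  # only restricted clients are re-evaluated
        self.restricted.discard(mac)
        (self.allowed if authorized else self.blocked).add(mac)
        return self.state_of(mac)


def run_scenario() -> list[tuple[str, str | None]]:
    """Walk two constructed clients through the state machine and return the trace."""
    gk = ArpGatekeeper(
        protected={"10.0.0.10": "02:00:00:00:00:10"},  # constructed sample values
        auth_server_ip="10.0.0.5",
        auth_server_mac="02:00:00:00:00:05",
        sinkhole_mac="02:00:00:00:ff:ff",
    )
    good, bad = "02:aa:00:00:00:01", "02:bb:00:00:00:02"
    trace: list[tuple[str, str | None]] = []
    for mac, verdict in ((good, True), (bad, False)):
        d = gk.on_arp_request(ArpRequest(mac, "10.0.0.10"))  # unknown -> restricted
        trace.append((d.state.value, d.reply_mac))
        d = gk.on_arp_request(ArpRequest(mac, "10.0.0.5"))   # auth server stays reachable
        trace.append((d.state.value, d.reply_mac))
        gk.on_auth_result(mac, verdict)                      # authentication server verdict
        d = gk.on_arp_request(ArpRequest(mac, "10.0.0.10"))  # now allowed or blocked
        trace.append((d.state.value, d.reply_mac))
    return trace


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

Two points the claims leave implicit are worth keeping in mind when evaluating a product built on this design. First, a record never leaves the allowed or blocked list in the claimed method, so a deployment needs its own ageing or re-authentication rule, otherwise a physical address that was authorized once stays authorized. Second, enforcement works only on hosts that honour address resolution replies; a host with static ARP entries for the protected devices is not constrained, so this is a containment layer on an existing segment rather than a replacement for switch-port authentication.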
Specification