Security apparatus and method for local area networks

US 7,499,999 B2
Filed: 05/31/2006
Issued: 03/03/2009
Est. Priority Date: 09/11/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method for blocking access to one or more protected devices on a computer network-by a client device having a physical device address, comprising the steps of:

(a) receiving address resolution requests broadcast on the computer network by the client device seeking access to one of the protected devices, each of the one or more protected devices having a physical device address;

(b) processing the address resolution requests to determine whether the client device is an unknown device;

(c) if the client device is unknown as determined in step (b), placing the client device in a restricted status, and transmitting restricted address resolution replies to the protected on the computer network to block access to the protected devices by the client device and allow access to an authentication server;

(d) if the client device is unknown as determined in step (b), monitoring the authentication server to determine if the client device is authorized or unauthorized by the authentication server;

(e) if the client device is authorized as determined in step (d), removing the restricted status for the client device and allowing access to the protected devices; and

(f) if the client device is unauthorized as determined in step (d), changing the restricted status to a blocked status and transmitting block address resolution replies at predetermined intervals on the computer network to block access to the protected devices by the client device.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention includes a method and apparatus for controlling data link layer access to protected servers on a computer network by a client device. Address resolution requests broadcast on the network by the client device seeking access to any network device are received and then processed to determine whether the client device is unknown. If the client device is unknown, restriction address resolution replies are transmitted to the protected devices to restrict access by the client device to the protected devices and allow access to an authentication server. The authentication server is monitored to determine if the client device is authorized or unauthorized by the authentication server. If the client device is authorized, access is allowed to the protected devices. If the client device is unauthorized, blocking address resolution replies are transmitted on the computer network to block access by the client device to all other network devices.

Citations

23 Claims

1. A method for blocking access to one or more protected devices on a computer network-by a client device having a physical device address, comprising the steps of:
- (a) receiving address resolution requests broadcast on the computer network by the client device seeking access to one of the protected devices, each of the one or more protected devices having a physical device address;
  
  (b) processing the address resolution requests to determine whether the client device is an unknown device;
  
  (c) if the client device is unknown as determined in step (b), placing the client device in a restricted status, and transmitting restricted address resolution replies to the protected on the computer network to block access to the protected devices by the client device and allow access to an authentication server;
  
  (d) if the client device is unknown as determined in step (b), monitoring the authentication server to determine if the client device is authorized or unauthorized by the authentication server;
  
  (e) if the client device is authorized as determined in step (d), removing the restricted status for the client device and allowing access to the protected devices; and
  
  (f) if the client device is unauthorized as determined in step (d), changing the restricted status to a blocked status and transmitting block address resolution replies at predetermined intervals on the computer network to block access to the protected devices by the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method recited in claim 1, wherein the restriction address resolution replies contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to the physical device address of one of the protected devices.
  - 3. The method recited in claim 2, wherein the is-at physical device address is a randomly changing physical device address pre-determined to not be connected to the computer network.
  - 4. The method recited in claim 1, wherein the blocking address resolution replies contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to a broadcast address.
  - 5. The method recited in claim 4, wherein the is-at physical device address is a randomly changing physical device address pre-determined to not be connected to the computer network.
  - 6. The method recited in claim 1, further comprising the steps of:
    - (g) if the block address replies are transmitting in accordance with step (f), transmitting an address resolution request on the computer network destined for the client device;
      
      (h) if an address resolution reply is received in response to the address resolution request transmitted on the computer network, determining whether the address resolution reply received contains a source physical device address corresponding to the physical device address of the client device;
      
      (i) if the source physical address of the address resolution reply received and the physical device address of the client device are the same as determined in step (h), repeating step (g);
      
      (j) if the source physical device address of the address resolution reply received and the physical device address of the client device are the same as determined in step (h), ceasing the transmission of the blocking address resolution replies.
  - 7. The method recited in claim 1, further comprising the steps of:
    - (g) if access is allowed in accordance with step (e), transmitting an address resolution request on the computer network destined for the client device;
      
      (h) if an address resolution reply is received in response to the address resolution request transmitted on the computer network, determining whether the address resolution reply contains a source physical device address corresponding to the physical device address of the client device;
      
      (i) if the source physical device address of the address resolution reply received and the physical device address of the client device are the same as determined in step (h), repeating step (g);
      
      (j) if the source physical device address of the address resolution reply received and the physical device address of the client device are different as determined in step (h), ceasing allowing the client device access to the protected devices.
  - 8. The method recited in claim 1, further comprising the step of:
    - transmitting correction address resolution replies on the computer network to update the client device with the physical device address of the protected devices.
  - 9. The method recited in claim 8, wherein the correction address resolution replies contain a is-at physical device address corresponding to the physical device address of one of the one or more protected devices and a destination physical device address corresponding to a broadcast address.
  - 10. The method recited in claim 1, wherein no dedicated software is required on the client device.
  - 11. The method recited in claim 1, wherein the blocking address resolution replies are configured to disable the client device.

12. An apparatus comprising memory and processing for blocking access to one or more protected devices on a computer network by a client device having a physical device address, comprising the steps of:
- means for receiving address resolution requests broadcast on the computer network by the client device seeking access to one of the protected devices, each of the one or more protected devices having physical device address;
  
  means for processing the address resolution requests to determine whether the client device is an unknown device;
  
  means for placing the client device in a restricted status, and transmitting restriction address resolution replies to the protected devices on the computer network to block access to the protected devices by the client and allow access to the authentication server if the client device is unknown;
  
  means for monitoring the authentication server to determine if the client device is authorized or unauthorized by the authentication server if the client device is unknown;
  
  means for removing the restricted status for the client device and allowing access to the protected device if the client device is authorized; and
  
  means for changing the restricted status to a blocked status and transmitting blocking address resolution replies at predetermined intervals on the computer network to block access to the protected devices by the client device if the client device is unauthorized.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 13. The apparatus recited in claim 12, wherein the restriction address resolution replies contain a source physical device address corresponding to the physical device address of the client device, and is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to the physical device address of one of the protected devices.
  - 14. The apparatus recited in claim 13, wherein the is-at physical device address is a randomly changing physical device address pre-determined to not be connected to the computer network.
  - 15. The apparatus recited in claim 12, wherein the blocking address resolution replies contain a source physical device address corresponding to the physical device address of the client device, an is-at physical device address different than the physical device address of the client device, and a destination physical device address corresponding to a broadcast address.
  - 16. The apparatus recited in claim 15, wherein the is-at physical device address is a randomly changing physical device address pre-determined to not be connected to the computer network.
  - 17. The apparatus recited in claim 12, comprising:
    - means for transmitting an address resolution request on the computer network destined for the client device if blocking address replies are transmitted;
      
      means for receiving an address resolution reply in response to the address resolution request transmitted on the computer network;
      
      means for determining whether the address resolution reply received contains a source physical device address different than the physical device address of the client device; and
      
      means for ceasing the transmission of the blocking address resolution replies if the source physical device address of the address resolution reply received is different than the physical device address of the client device.
  - 18. The apparatus recited in claim 12, further comprising the steps of:
    - means for transmitting an address resolution request on the computer network destined for the client device if the client is allowed access to the protected devices;
      
      means for transmitting an address resolution request on the computer network destined for the client device if blocking address replies are transmitted;
      
      means for receiving an address resolution reply in response to the transmitted address resolution request;
      
      means for determining whether the address resolution reply received contains a source physical device address corresponding to the physical device address of the client device; and
      
      means for disallowing access to the protected devices by the client device if the source physical device address of the address resolution reply received is different than the physical device address of the client device.
  - 19. The apparatus recited in claim 12, further comprising:
    - means for transmitting correction address resolution replies on the computer network to update the client device with the physical device address of the protected devices.
  - 20. The apparatus recited in claim 19, wherein the correction address resolution replies contain a is-at physical device address corresponding to the physical device address of one of the one or more protected devices and a destination physical device address corresponding to a broadcast address.
  - 21. The apparatus recited in claim 12, wherein the apparatus is connected as a peer device on the computer network.
  - 22. The apparatus recited in claim 12, wherein no dedicated software is required in the client device.
  - 23. The apparatus recited in claim 12, wherein the blocking address resolution replies are configured to disable the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sysxnet Ltd.
Original Assignee
Mirage Networks Inc. (Singapore Telecommunications Limited)
Inventors
Dziadziola, David A., Ocepek, Steven R., Lauer, Brian A.
Primary Examiner(s)
Flynn; Nathan J
Assistant Examiner(s)
Joo; Joshua

Application Number

US11/443,653
Publication Number

US 20070008942A1
Time in Patent Office

1,007 Days
Field of Search

709/217, 709223-225, 709/229, 726 2- 3
US Class Current

709/225
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/10   of different types

H04L 63/08   for authentication of entit...

Security apparatus and method for local area networks

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Security apparatus and method for local area networks

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links