Dynamic access control lists

US 7,623,518 B2
Filed: 04/08/2004
Issued: 11/24/2009
Est. Priority Date: 04/08/2004
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method of developing an access control list, comprising:

developing an enhanced access control list including data related to at least one of user names, DNS names, Windows domain names, and physical addresses;

converting, in a network switch, at least one of;

user names into corresponding IP and physical addresses according to data in the enhanced access control list, wherein converting user names into corresponding IP and physical addresses according to data in the enhanced access control list includes;

detecting login packets being communicated over the network;

determining a MAC address from the login packets;

detecting server message block login packets being communicated over the network;

determining an IP address from the server message block login packets; and

developing records in the access control list using the obtained IP address for the respective user name;

DNS names into corresponding IP addresses according to data in the enhanced access control list; and

physical addresses into IP addresses according to data in the enhanced access control list; and

developing, in the network switch, the access control list from each of the operations of converting.

View all claims

3 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A method controls access of a user to a network including a plurality of hosts coupled together through a network switch. The method includes storing in the network switch an enhanced access control list containing data related to at least one of user names, DNS names, domain names, and physical addresses. A dynamic access control list is generated from the enhanced access control list, with the dynamic access control list containing a plurality of IP addresses that restrict access of the user to the network.

36 Citations

View as Search Results

22 Claims

1. A method of developing an access control list, comprising:
- developing an enhanced access control list including data related to at least one of user names, DNS names, Windows domain names, and physical addresses;
  
  converting, in a network switch, at least one of;
  
  user names into corresponding IP and physical addresses according to data in the enhanced access control list, wherein converting user names into corresponding IP and physical addresses according to data in the enhanced access control list includes;
  
  detecting login packets being communicated over the network;
  
  determining a MAC address from the login packets;
  
  detecting server message block login packets being communicated over the network;
  
  determining an IP address from the server message block login packets; and
  
  developing records in the access control list using the obtained IP address for the respective user name;
  
  DNS names into corresponding IP addresses according to data in the enhanced access control list; and
  
  physical addresses into IP addresses according to data in the enhanced access control list; and
  
  developing, in the network switch, the access control list from each of the operations of converting.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising storing the user names and corresponding IP addresses in a mapping state database that defines current relationships among user names, DNS names, domain names, and physical addresses.
  - 3. The method of claim 1 wherein each physical address comprises a MAC address.
  - 4. The method of claim 1 wherein converting DNS names into corresponding IP addresses according to data in the enhanced access control list comprises:
    - detecting packets having an unknown source IP address;
      
      generating a DNS name query using the source IP address;
      
      receiving a DNS name associated with the IP address responsive to the query; and
      
      developing records in the access control list using the obtained IP address for the respective DNS name.
  - 5. The method of claim 4 further comprising occasionally generating new DNS name queries for the source IP address and thereafter repeating the operations of receiving and developing to update the access control list.
  - 6. The method of claim 4 further comprising occasionally receiving the DNS name associated with the IP address and thereafter repeating the operation of developing to update the access control list.
  - 7. The method of claim 1 wherein converting physical addresses into IP addresses according to data in the enhanced access control list comprises:
    - monitoring DHCP packets communicated over the network;
      
      obtaining an IP address assigned to a particular physical address from the monitored DHCP packets; and
      
      developing records in the access control list using the obtained IP address assigned to a respective physical address.

8. A method of controlling access of a user to a network including a plurality of hosts coupled together through a network switch, the method comprising:
- storing in the network switch an enhanced access control list containing data related to at least one of user names, DNS names, Windows domain names, and physical addresses; and
  
  generating a dynamic access control list from the enhanced access control list, the dynamic access control list containing a plurality of IP addresses that restrict access of the user to the network, wherein generating the dynamic access control list comprises;
  
  mapping user names to IP addresses, wherein mapping user names to IP addresses comprises;
  
  detecting server message block login packets being communicated over the network; and
  
  determining an IP address from the server message block login packets;
  
  mapping user names to physical addresses;
  
  mapping physical addresses to IP addresses;
  
  mapping unknown IP addresses to physical addresses;
  
  mapping unknown IP addresses to DNS names; and
  
  applying rules set forth in the enhanced access control list relating to controlling access of a user to the addresses determined by the operations of mapping to generate the access control list.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 wherein the physical addresses comprise MAC addresses.
  - 10. The method of claim 8 wherein mapping user names to physical addresses comprises:
    - detecting login packets being communicated over the network; and
      
      determining a MAC address from the login packets.
  - 11. The method of claim 8 wherein mapping unknown IP addresses to DNS names comprises:
    - detecting packets having an unknown source IP address;
      
      generating a DNS name query using the source IP address; and
      
      receiving a DNS name associated with the IP address responsive to the query.
  - 12. The method of claim 11 further comprising occasionally generating new DNS name queries for the source IP address and thereafter repeating the operations of generating and receiving.
  - 13. The method of claim 8 wherein mapping unknown IP addresses to physical addresses comprises detecting packets having an unknown source IP address.
  - 14. The method of claim 8 wherein mapping physical addresses to IP addresses comprises:
    - monitoring DHCP packets communicated over the network; and
      
      obtaining an IP address assigned to a particular physical address from the monitored DHCP packets.

15. A network switching circuit, comprising:
- a forwarding circuit operable to detect specific received packets and to provide the specific packets on a processor port, and further operable to receive packets on one of a plurality of ports including the processor port and to forward each received packet to a port corresponding to a destination address contained in the packet subject to access restrictions contained in a dynamic access control list;
  
  a memory circuit coupled to the forwarding circuit, the memory circuit operable to store packets and operable to store an enhanced access control list and a dynamic access control list; and
  
  a processor coupled to the forwarding circuit and to the memory circuit, the processor operable to define the specific packets detected by the forwarding circuit and operable to process the specific packets stored in the memory circuit using the enhanced access control list to generate the dynamic access control list and store the dynamic access control list in the memory circuit, and further operable to provide the specific packets to the processor port of the forwarding circuit after processing the packets.
- View Dependent Claims (16, 17, 18)
- - 16. The network switch of claim 15 wherein the processor further comprises a direct memory access controller coupled between the forwarding engine and the memory.
  - 17. The network switch of claim 15 wherein the switch comprises an Ethernet switch and wherein the packets comprise Ethernet packets.
  - 18. The network switch of claim 15 wherein the enhanced access control list comprises user names, DNS names, Windows domain names, and physical addresses.

19. A computer network, comprising:
- a network switch, including,a forwarding circuit operable to detect specific received packets and to provide the specific packets on a processor port, and further operable to receive packets on one of a plurality of ports including the processor port and to forward each received packet to a port corresponding to a destination address contained in the packet subject to access restrictions contained in a dynamic access control list;
  
  a memory circuit coupled to the forwarding circuit, the memory circuit operable to store packets and operable to store an enhanced access control list and a dynamic access control list; and
  
  a processor coupled to the forwarding circuit and to the memory circuit, the processor operable to define the specific packets detected by the forwarding circuit and operable to process the specific packets stored in the memory circuit using the enhanced access control list to generate the dynamic access control list and store the dynamic access control list in the memory circuit, and further operable to provide the specific packets to the processor port of the forwarding circuit after processing the packets; and
  
  a plurality of hosts, each host coupled to a respective port of the network switch.
- View Dependent Claims (20, 21, 22)
- - 20. The computer network of claim 19 wherein at least some of the hosts comprise personal computer systems.
  - 21. The computer network of claim 19 wherein the network comprises an Ethernet network, and wherein the switch comprises an Ethernet switch and the packets comprise Ethernet packets.
  - 22. The computer network of claim 19 wherein the enhanced access control list comprises user names, DNS names, Windows domain names, and physical addresses.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Lionra Technologies Limited (Atlantic IP Services Limited)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Faulk, Robert L. Jr.
Primary Examiner(s)
Sheikh; Ayaz R
Assistant Examiner(s)
HALIYUR, VENKATESH N

Application Number

US10/822,048
Publication Number

US 20050259654A1
Time in Patent Office

2,056 Days
Field of Search

370352-431, 709225-250, 709/152
US Class Current

370/392
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/35   involving non-standard use ...

H04L 63/101   Access control lists [ACL]

Dynamic access control lists

First Claim

3 Assignments

Litigations

1 Petition

Accused Products

Abstract

36 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic access control lists

First Claim

3 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links