Method of securing access to IP LANs

US 7,854,009 B2
Filed: 06/12/2003
Issued: 12/14/2010
Est. Priority Date: 06/12/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A system for internal and Internet communication comprising:

an intranet with a connection through a firewall to the internet;

a plurality of databases requiring differing user security authorization levels to access their contents on the intranet;

an intranet security database listing of clearance levels for intranet users having a user ID and active codeword along with their assigned port locations identified by their MAC and IP addresses;

a plurality of LANs within the intranet each having a separate security system response to a user ID and codeword in the intranet security database to any intranet user to assign a LAN port location to the any user and to provide periodic comparisons of the any user'"'"'s MAC and IP address while on-line against the any user'"'"'s assigned port location MAC and IP addresses at a rate that a periodic comparison precedes any request of the any user for data in order to detect switching of ports by the any user prior to the accessing of any data by the any user wherein during the periodic comparisons the LAN security system compares data in its listings of LAN port locations in present use with the data for assigned LAN port locations of present users for disparities in assigned and on-line address locations of the any user; and

at least one computerized component configured to perform the following;

have the LAN security system assign a security ratings to port sites;

check the user ID and password of a prospective user of a particular port site to determine whether the user is an approved LAN user;

check the security level of the prospective user against the assigned security rating of the particular port site;

assign use of the particular port site to the prospective user in the case that the prospective user is an approved LAN user and has the appropriate security level at least matching the security level of the particular port site;

direct the prospective user to use a proper port site with a lower security rating in the case that the prospective user is an approved LAN user but does not have the appropriate security level to access the particular port site;

record IP and MAC of the particular port assigned to the prospective user;

use the recorded data to periodically compare an on-line port location of the prospective user against the user'"'"'s assigned particular port site at a rate that assures the check proceeds the prospective users request for data;

shut down the prospective user'"'"'s assigned port and used port location to prevent the transfer of data when the on-line port location is not the assigned port location of the prospective user; and

provide access when the on-line port location of the prospective user is the same as the location assigned the prospective user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Protection against spoofing is provided in a LAN having at least two service classes, where one service class includes allows access to the LAN, the internet, and the intranet containing the LAN and a more limited service class which allows access to the LAN and the internet but not the intranet databases. A user gains access to the LAN using his or her ID which identifies the user'"'"'s access level. To prevent limited access users from gaining access to the intranet by changing addresses, the system continuously performs periodic checks for address changes. If there is an address change, the port assigned to, or used by the user, is disabled throwing the user off the LAN prior to his or her obtaining the requested data.

124 Citations

17 Claims

1. A system for internal and Internet communication comprising:
- an intranet with a connection through a firewall to the internet;
  
  a plurality of databases requiring differing user security authorization levels to access their contents on the intranet;
  
  an intranet security database listing of clearance levels for intranet users having a user ID and active codeword along with their assigned port locations identified by their MAC and IP addresses;
  
  a plurality of LANs within the intranet each having a separate security system response to a user ID and codeword in the intranet security database to any intranet user to assign a LAN port location to the any user and to provide periodic comparisons of the any user'"'"'s MAC and IP address while on-line against the any user'"'"'s assigned port location MAC and IP addresses at a rate that a periodic comparison precedes any request of the any user for data in order to detect switching of ports by the any user prior to the accessing of any data by the any user wherein during the periodic comparisons the LAN security system compares data in its listings of LAN port locations in present use with the data for assigned LAN port locations of present users for disparities in assigned and on-line address locations of the any user; and
  
  at least one computerized component configured to perform the following;
  
  have the LAN security system assign a security ratings to port sites;
  
  check the user ID and password of a prospective user of a particular port site to determine whether the user is an approved LAN user;
  
  check the security level of the prospective user against the assigned security rating of the particular port site;
  
  assign use of the particular port site to the prospective user in the case that the prospective user is an approved LAN user and has the appropriate security level at least matching the security level of the particular port site;
  
  direct the prospective user to use a proper port site with a lower security rating in the case that the prospective user is an approved LAN user but does not have the appropriate security level to access the particular port site;
  
  record IP and MAC of the particular port assigned to the prospective user;
  
  use the recorded data to periodically compare an on-line port location of the prospective user against the user'"'"'s assigned particular port site at a rate that assures the check proceeds the prospective users request for data;
  
  shut down the prospective user'"'"'s assigned port and used port location to prevent the transfer of data when the on-line port location is not the assigned port location of the prospective user; and
  
  provide access when the on-line port location of the prospective user is the same as the location assigned the prospective user.
- View Dependent Claims (2, 3, 4, 12, 13)
- - 2. The system of claim 1, wherein the security system of any LAN disables any used port of that any LAN when any one of the periodic comparisons of that any used port does not show identity of data with the users assigned port location.
  - 3. The system of claim 2, wherein the LAN security system assigns the port sites with fixed security ratings.
  - 4. The system of claim 3, wherein the security system of a LAN assigns a security rating to a LAN port site based on a security level for a particular user previously assigned that port site.
  - 12. The system of claim 3, wherein the security system directs the any user using a port site exceeding the any user'"'"'s assigned security level to a port site appropriate for the any user'"'"'s security level.
  - 13. The system of claim 4, wherein a LAN security system is run on a DHCP.

5. A method for maintaining security in intranet and internet communication comprising:
- providing a plurality of databases requiring differing user security levels to access their contents on the intranet;
  
  an intranet security data base listing clearance levels for intranet users with a user ID and an active codeword along with a listing of approved LAN users with their port locations by their MAC and IP addresses;
  
  a LAN within the intranet having a security system responsive to a user ID and a codeword in the intranet security database to assign a port location of the LAN to the users;
  
  using the security system to continuously provide periodic comparisons of MAC and IP addresses of active users currently accessing the LAN against the assigned port locations of the active users to detect any active user switching ports from the active user'"'"'s assigned port location to a port location with a less restrictive clearance level;
  
  responding to the periodic comparisons of the LAN security system by disabling one or more ports when a comparison does not show identity of data of the any active users presently used and assigned port locations;
  
  having the LAN security system assign security ratings to port sites;
  
  checking the user ID and password of a prospective user of a particular port site to determine whether the user is an approved LAN user;
  
  checking the security level of the prospective user against the assigned security rating of the particular port site;
  
  assigning use of the particular port site to the prospective user in the case that the prospective user is an approved LAN user and has the appropriate security level at least matching the security level of the particular port site;
  
  directing the prospective user to use a proper port site with a lower security rating in the case that the prospective user is an approved LAN user but does not have the appropriate security level to access the particular port site;
  
  recording IP and MAC of the particular port assigned to the prospective user;
  
  using the recorded data to periodically compare an on-line port location of the prospective user against the user'"'"'s assigned particular port site at a rate that assures the check proceeds the prospective users request for data;
  
  shutting down the prospective user'"'"'s assigned port and used port location to prevent the transfer of data when the on-line port location is not the assigned port location of the prospective user; and
  
  providing access when the on-line port location of the prospective user is the same as the location assigned the prospective user.
- View Dependent Claims (6, 7, 14, 15, 16, 17)
- - 6. The method of claim 5, wherein the LAN security system assigns the port sites with various fixed security ratings.
  - 7. The method of claim 5, wherein the LAN security system assigns a security rating to a port site based on a security rating of a user assigned that port site.
  - 14. The method of claim 5 including the step of disabling the any user'"'"'s assigned port and the port presently in use by the any user where there is no identity of data.
  - 15. The method of claim 5 including the step of disabling the port presently in use by any one of the any active users when there is no identity of data.
  - 16. The method of claim 5 including the step of disabling the any one of the active user'"'"'s assigned port location when there is no identity in data.
  - 17. The method of claim 14, wherein the periodic comparisons precedes any request for data by the any one of the active users.

8. A computer program product on at least one non-transitory computer medium for intranet and internet communication, the program product executing on a processing system and comprising:
- computer code for a plurality of databases requiring differing security clearance levels to be accessed by users on the intranet;
  
  an intranet security database listing clearance levels for intranet users, having a user ID and an active codeword, with their assigned port locations identified by their MAC and IP addresses;
  
  computer code for LANs within the intranet, each LAN having a separate security system response to user IDs and codewords in the intranet security database to assign LAN port locations to users;
  
  computer code to provide continuous periodic comparisons of MAC and IP port addresses currently active on the LANs against the assigned port locations of the users on the LANs to detect any of the users switching ports to prevent unauthorized access by any of the users of one or more of the databases;
  
  computer code to perform the following;
  
  have the LAN security system assign security ratings to port sites;
  
  check the user ID and password of a prospective user of a particular port site to determine whether the user is an approved LAN user;
  
  check the security level of the prospective user against the assigned security rating of the particular port site;
  
  assign use of the particular port site to the prospective user in the case that the prospective user is an approved LAN user and has the appropriate security level at least matching the security level of the particular port site;
  
  direct the prospective user to use a proper port site with a lower security rating in the case that the prospective user is an approved LAN user but does not have the appropriate security level to access the particular port site;
  
  record IP and MAC of the particular port assigned to the prospective user;
  
  use the recorded data to periodically compare an on-line port location of the prospective user against the user'"'"'s assigned particular port site at a rate that assures the check proceeds the prospective users request for data;
  
  shut down the prospective user'"'"'s assigned port and used port location to prevent the transfer of data when the on-line port location is not the assigned port location of the prospective user; and
  
  provide access when the on-line port location of the prospective user is the same as the location assigned the prospective user.
- View Dependent Claims (9, 10, 11)
- - 9. The computer program product of claim 8, wherein the computer code for the LAN security system disables any port when the comparisons do not show identity of data.
  - 10. The computer program product of claim 9, wherein the computer code for the LAN security system assigns a fixed security rating to the port sites.
  - 11. The computer program product of claim 9, wherein the computer code for the LAN security system assigns a security rating to a port site based on the security rating of a user assigned to that port site.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
LinkedIn Corporation (Microsoft Corporation)
Original Assignee
International Business Machines Corporation
Inventors
White, William G., Kim, Moom Ju
Primary Examiner(s)
ZIA, SYED

Application Number

US10/459,964
Publication Number

US 20050005110A1
Time in Patent Office

2,742 Days
Field of Search

None
US Class Current

726/26
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/101 Access control lists [ACL]

Method of securing access to IP LANs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

124 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Method of securing access to IP LANs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

124 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others