IP-closed circuit system and method

US 9,219,617 B2
Filed: 04/29/2011
Issued: 12/22/2015
Est. Priority Date: 04/30/2010
Status: Active Grant

First Claim

Patent Images

1. A switching module comprising:

a first port group comprising at least one source port, wherein each source port in the first port group is configured for;

(i) testing if a data frame received at that source port includes a tag and, only if a tag is not included, modifying a data frame transmitted by a data source in communication with that source port by including in the data frame a tag comprising a unique port ID that is based on a source chip ID and a source port number, and (ii) routing the modified data frame to a destination port in a second port group, the destination port being adapted to communicate with a receiver, if a unique port number assigned to the destination port is associated with the tag in a routing table assigned to the source port; and

a control unit for assigning a unique port ID comprising a source chip ID and a port number combination to each port in the first and second port groups, and for assigning to each port in the first port group a routing table including at least one tag and at least one destination port number associated with the at least one tag.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a switching module for creating and operating secure networks of data sources and monitoring stations, and for providing controlled access to the data sources and monitoring stations from public networks.

29 Citations

View as Search Results

37 Claims

1. A switching module comprising:
- a first port group comprising at least one source port, wherein each source port in the first port group is configured for;
  
  (i) testing if a data frame received at that source port includes a tag and, only if a tag is not included, modifying a data frame transmitted by a data source in communication with that source port by including in the data frame a tag comprising a unique port ID that is based on a source chip ID and a source port number, and (ii) routing the modified data frame to a destination port in a second port group, the destination port being adapted to communicate with a receiver, if a unique port number assigned to the destination port is associated with the tag in a routing table assigned to the source port; and
  
  a control unit for assigning a unique port ID comprising a source chip ID and a port number combination to each port in the first and second port groups, and for assigning to each port in the first port group a routing table including at least one tag and at least one destination port number associated with the at least one tag.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 2. The switching module of claim 1, wherein the data source comprises an IP camera.
  - 3. The switching module of claim 1, wherein the data source comprises an analog camera and a codec.
  - 4. The switching module of claim 1, wherein the data source comprises an encoder, wherein a device connected to the encoder can be selected from a group consisting of an IP camera, an analog camera, and an SDI camera.
  - 5. The switching module of claim 1, wherein the data source can be selected from a group consisting of an access-control reader and an alarm.
  - 6. The switching module of claim 1, wherein the receiver comprises means for viewing the data frames received through the connected port.
  - 7. The switching module of claim 1, wherein the receiver comprises means for storing the data frames received through the connected port.
  - 8. The switching module of claim 1, further comprising a third port group comprising at least one port, wherein each port in the third port group is configured for connecting with a private network of computing devices, and the control unit is configured for:
    - assigning a unique port ID comprising a source chip ID and a port number combination to each port in the third port group; and
      
      enabling communication of data frames, based on at least in part VIDs therein, between ports in the third group, a port in the third port group and a port in the first or second port groups, and between a port in the third group and the control unit.
  - 9. The switching module of claim 1, further comprising a fourth port group comprising at least one port, wherein each port in the fourth port group is configured for connecting with a public network of computing devices, and the control unit is configured for:
    - assigning a unique port ID comprising a source chip ID and a port number combination to each port in the fourth port group;
      
      enabling communication of data frames, based on at least in part VIDs therein, between ports in the fourth port group, and between a port in the fourth group and the control unit; and
      
      preventing communication of data frames between a port in the fourth port group and a port in the first or second port groups.
  - 25. The switching module of claim 1, wherein each source port in the first port group is further configured to include in the tag included in the corresponding data frames a unique port number assigned to that source port.
  - 26. The switching module of claim 1, wherein the destination port is adapted to:
    - remove the tag in the modified data frame; and
      
      transmit the data frame after removal of the tag therein to the receiver.
  - 27. The switching module of claim 1, wherein the destination port is adapted to:
    - preserve the tag in the modified data frame; and
      
      transmit the modified data frame including the tag to the receiver.
  - 28. The switching module of claim 27, wherein the receiver comprises at least one of a host computer and a second switching module.
  - 29. The switching module of claim 1, wherein the second port group comprises at least two destination ports, a first destination port being adapted to remove the tag in data frames received thereby, and a second destination port being adapted to preserve the tag in data frames received thereby.
  - 30. The switching module of claim 1, further comprising a fifth port group comprising at least one source port wherein each source port in the fifth port group is configured for:
    - (i) receiving from a source in communication with the source port a data frame comprising a tag comprising a layer independent virtual local area network ID (VID), and(ii) routing the received data frame to a destination port in the second port group if a unique port number assigned to the destination port is associated with the layer independent VID in a routing table assigned to the source port.
  - 31. The switching module of claim 30, wherein the source comprises at least one of a host computer and a second switching module.
  - 32. The switching module of claim 30, wherein at least one source port in the fifth group is configured for:
    - receiving from the source a first data frame comprising a first tag comprising a first VID; and
      
      receiving from the source a second data frame comprising a second tag comprising a second VID, different than the first VID.
  - 33. The switching module of claim 30, wherein:
    - a source in communication with at least one source port in the fifth group comprises a host computer; and
      
      the receiver in communication with a destination port in the second group of ports comprises the host computer.
  - 34. The switching module of claim 1, wherein:
    - each source port in the first port group is further configured to include in the tag included in a data frame received at that source port a unique port number assigned to that source port; and
      
      the receiver comprises a host computer configured at least one of to record and to ratify a combination of an ID associated with the source in communication with the source port, the ID being included in the received data frame, and the unique port number included in the tag.
  - 35. The switching module of claim 34, wherein the host computer is further configured at least one of to record and to ratify the VID included in the tag.

10. A video device comprising:
- a camera;
  
  a storage unit in communication with the camera for storing data frames recorded by the camera;
  
  a server for controlling the camera and the storage unit, and for accessing and transmitting the stored data frames; and
  
  a port unit configured for;
  
  (i) receiving a layer-independent virtual local area network ID (VID), and (ii) testing if a data frame received at that source port includes a tag and, only if a tag is not included, modifying a data frame to be transmitted by the camera by including in the data frame a tag comprising both the layer-independent VID and a unique port ID that is based on a source chip ID and a source port number.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The video device of claim 10, further comprising a switching module comprising:
    - a first port group comprising the port unit and a second port group, the switching module being configured to route the modified data frame to a destination port in the second port group if a unique port number assigned to the destination port is associated with the VID in a routing table assigned to the port unit.
  - 12. The video device of claim 11, wherein the switching module further comprises:
    - a control unit for assigning a unique port number to each port in the first and second port groups, and assigning to each port in the first port group a routing table including at least one VID and at least one destination port number associated with the at least one VID,wherein the camera is connected to the switching module using the port unit.
  - 13. The video device of claim 12, wherein the server receives control information via a port of at least one of the first port group and the second port group, and in response to the received control information controls the control unit.
  - 14. The video device of claim 11, wherein the first port group comprises at least one secondary port, and at least one data source is connected to the at least one secondary port.
  - 15. The video device of claim 14, wherein the at least one data source is a video camera.

16. A method for operating an IP network, comprising a switching module comprising a first port group comprising at least one port, a second port group comprising at least one port, and a control unit, the method comprising the steps of:
- assigning from the control unit a unique port number to each port in the first and second port groups;
  
  assigning from the control unit each port in the first port group a routing table including at least one layer independent virtual local area network ID (VID) and at least one destination port number associated with the at least one VID;
  
  storing at a first port of the first port group a security parameter corresponding to a data source in communication with the first port;
  
  locking down the stored security parameter at the first port;
  
  authorizing by the first port a data frame transmitted by the data source by comparing the locked and stored security parameter with a parameter subsequently received from the data source;
  
  modifying by the first port the authorized data frame by including therein a tag comprising a layer independent VID;
  
  routing the modified data frame to a destination port in the second port group, if a unique port number assigned to the destination port is associated with the layer independent VID in a routing table assigned to the first port; and
  
  transmitting by the destination port a data frame modified by at least one port in the first port group to a receiver in communication with the at least one port in the second port group;
  
  determining that an unauthorized device is in communication with the first port of the locked and stored security parameter and the subsequently received parameters mismatch; and
  
  disabling the first port from one or more port groups for a predetermined period to prevent data transmission from the unauthorized device in response to determining that an unauthorized device is in communication with the first port.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 36, 37)
- - 17. The method of claim 16, wherein both the locked and stored security parameter and the subsequently received security parameter are encrypted.
  - 18. The method of claim 16, further comprising the steps ofpreventing transmission of an unauthorized data frame;
    - andcommunicating the unique port number of the port receiving the unauthorized data frame to the control unit for blocking access through the port.
  - 19. The method of claim 16, wherein:
    - the security parameter corresponding to the data source in communication with the first port comprises a device source number of the data source;
      
      the unique port number of the at least one port in the first port group comprises a switch ID and port ID combination; and
      
      the unique port number of the at least one port in the second port group comprises a different switch ID and port ID combination.
  - 20. The method of claim 16, wherein the security parameter is a randomly generated key.
  - 21. The method of claim 16, wherein the security parameter is a pair comprising a number of packets ingressed and a number of packets egressed during a certain time period.
  - 22. The method of claim 16, further comprising reporting a violation in response to determining that an unauthorized device is in communication with the first port.
  - 23. The method of claim 22, wherein reporting comprises sending an alert to an administrator.
  - 24. The method of claim 22, wherein reporting comprises sending untrusted data frames to an administrator.
  - 36. The method of claim 16, further comprising removing by the destination port the tag from the modified data frame prior to transmitting the data frame to the receiver.
  - 37. The method of claim 16, further comprising:
    - receiving by a second port in the first port group a data frame comprising a tag comprising a layer independent VID; and
      
      routing the data frame to a destination port in the second port group, if a unique port number assigned to the destination port is associated with the layer independent VID in a routing table assigned to the second port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ad Group
Original Assignee
Ad Group
Inventors
Newton, Michael
Primary Examiner(s)
Kelley, Christopher S
Assistant Examiner(s)
PICON-FELICIANO, ANA J

Application Number

US13/097,645
Publication Number

US 20110292206A1
Time in Patent Office

1,698 Days
Field of Search

709/219, 348/143, 348/E07.085
US Class Current

1/1
CPC Class Codes

G06V 20/52   Surveillance or monitoring ...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 61/5014   using dynamic host configur...

H04N 7/18   Closed-circuit television [...

IP-closed circuit system and method

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

IP-closed circuit system and method

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links