Intrusion control in repeater based networks

US 5,850,515 A
Filed: 04/10/1997
Issued: 12/15/1998
Est. Priority Date: 03/17/1995
Status: Expired due to Term

First Claim

Patent Images

1. A method for securing a local area network, the local area network having a plurality of nodes, a plurality of end stations, each end station having an end station address, and a repeater, the repeater having a plurality of ports, the method comprising:

(a) receiving a data packet, the data packet including a source address;

(b) utilizing a plurality of intruder control circuits, with one intruder control circuit per port of the repeater, for comparing the source address to at least one of the plurality of end station addresses; and

(c) disabling, on an individual basis via the plurality of intruder control circuits, each of the plurality of ports on the repeater based on the comparison between the source address and at least one of the plurality of end station addresses.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for securing a network from access by unauthorized end stations. A port in a multiport repeater can be disabled automatically upon detection of an unknown source address in a data packet. In addition, an interrupt signal is provided to the indicate the detection of an intruder. Further, the disabling of the port can be done substantially immediately to interrupt the re-transmission of a single packet. Alternatively, the disabling of a port can be done programmably after a predetermined number of intruder packets have been detected, or after the verification of packet integrity.

61 Citations

View as Search Results

32 Claims

1. A method for securing a local area network, the local area network having a plurality of nodes, a plurality of end stations, each end station having an end station address, and a repeater, the repeater having a plurality of ports, the method comprising:
- (a) receiving a data packet, the data packet including a source address;
  
  (b) utilizing a plurality of intruder control circuits, with one intruder control circuit per port of the repeater, for comparing the source address to at least one of the plurality of end station addresses; and
  
  (c) disabling, on an individual basis via the plurality of intruder control circuits, each of the plurality of ports on the repeater based on the comparison between the source address and at least one of the plurality of end station addresses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as recited in claim 1 in which the disabling step (c) further comprises the step (c1) disabling the port to disable reception of the data packet at the port when the source address does not match the at least one end station address.
  - 3. The method as recited in claim 2 in which the disabling step (c) further comprises the step of (c2) disabling the re-transmission of the data packet from any other ports when the source address does not match the at least one end station address.
  - 4. The method as recited in claim 3 in which the disabling step (c) further comprises the step (C3) of corrupting the re-transmission of the data packet from any other ports when the source address does not match the at least one end station address.
  - 5. A method as recited in claim 1 wherein the disabling step (c) further comprises the step of determining if the data packet is uncorrupted.
  - 6. A method as recited in claim 5 in which the disabling step (c) further comprises the step of disabling the port when the source address does not match the at least one end station address after reception of a predetermined number of data packets if the data packet is uncorrupted.
  - 7. A method as recited in claim 6 wherein the predetermined number of data packets is one.
  - 8. A method as recited in claim 1 further comprising the step of providing an interrupt signal when the port is disabled.

9. An apparatus for securing a local area network having a plurality of nodes and end stations, each end station having an end station address, the apparatus comprising:
- a controller means;
  
  a memory comparison means coupled to the controller means for storing the end station addresses and performing a comparison on at least one of the stored end station addresses and a source address of a data packet; and
  
  a plurality of intrusion control means coupled to the memory comparison means and the controller means, each one of the plurality of intrusion control means coupled to one of a plurality of ports for disabling each port on a port-by-port basis based upon a comparison between the source address and the stored end station addresses.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 10. An apparatus as recited in claim 9 in which the intrusion control means further determines if a data packet is uncorrupted.
  - 11. An apparatus as recited in claim 10 wherein the memory comparison means comprises a memory comparator circuit CAM.
  - 12. An apparatus as recited in claim 10 wherein the intrusion control means disables a port after reception of a predetermined number of data packets if the data packet is uncorrupted.
  - 13. An apparatus as recited in claim 12 in which the predetermined number is one.
  - 14. An apparatus as recited in claim 9 wherein the intrusion control means further comprises an address control means.
  - 15. An apparatus as recited in claim 14 wherein the address control means latches a signal for each end station address into the intrusion control means.
  - 16. An apparatus as recited in claim 15 wherein the latched signal indicates whether intrusion control is enabled for each end station address.
  - 17. An apparatus as recited in claim 9 wherein the intrusion control means further outputs an interrupt signal.
  - 18. An apparatus as recited in claim 9 wherein the intrusion control means disables reception of the data packet by the port when the source address does not match at least one of the end station addresses.
  - 19. The apparatus as recited in claim 18 wherein the intrusion control means corrupts re-transmission of the data product from any other port.
  - 20. The apparatus as recited in claim 18 wherein the intrusion control means disables re-transmission of the data packet from any other port when the source address does not match at least one of the end station addresses.

21. A system for securing a local area network having a plurality of nodes and a plurality of end stations, each end station having an end station address, the system comprising:
- a memory comparator means for storing a plurality of end station addresses and comparing the end station addresses to a source address of a data packet, the memory comparator means having a preferred source address register means and a last source address register means; and
  
  a plurality of intrusion control means coupled to the memory comparator means, each one of the plurality of intrusion control means coupled to one of a plurality of ports for disabling each port on a port-by-port basis when the source address does not match the stored end station addresses.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. A system as recited in claim 21 in which the preferred source address register means and last source address register means each store an end station address for each node in the network.
  - 23. A system as recited in claim 22 wherein the source address of an intruder data packet is stored in the last source address register means.
  - 24. A system as recited in claim 23 in which the preferred source address register means stores a predetermined end station address.
  - 25. A system as recited in claim 22 in which the memory comparator means stores a plurality of preferred source addresses for each node in the network.
  - 26. A system as recited in claim 21 further comprising means for re-enabling the port.

27. An intrusion control system for a secure repeater, the repeater having a plurality of ports and used in a network to route data packets between end stations, each data packet having a destination address and a source address, the system comprising:
- means for storing one or more preferred source addresses for the plurality of ports in the repeater;
  
  means for comparing a source address of an incoming data packet received at a first port of the plurality of ports to the stored preferred source addresses;
  
  means for indicating detection of a predetermined number of mismatches between the stored preferred source addresses and the incoming source address;
  
  means for individually disabling the reception by the first port after detection of the predetermined number of mismatches; and
  
  means for storing the incoming source address causing the predetermined number of mismatches.
- View Dependent Claims (28, 29)
- - 28. The system of claim 27 in which the predetermined number of mismatches is one.
  - 29. The system of claim 27 in which the re-transmitted data from the plurality of ports is corrupted.

30. A system for securing a local area network having a plurality of nodes and a plurality of end stations, each end station having an end station address, the system comprising:
- a memory comparator means for storing a plurality of end station addresses and comparing the end station addresses to a source address of a data packet, the memory comparator means having a preferred source address register means and a last source address register means, the preferred source address register means and last source address register means being programmable; and
  
  a plurality of intrusion control means coupled to the memory comparator means, each one of the plurality of intrusion control means coupled to one of a plurality of ports for disabling each port on a port-by-port basis when the source address does not match the stored end station addresses.
- View Dependent Claims (31, 32)
- - 31. The system of claim 30 in which the re-transmitted data to the plurality of nodes is corrupted.
  - 32. The system of claim 30 in which each of the plurality of intrusion control means further comprises:
    - a plurality of input latches with at least two latches for receiving an input signal from the memory comparator means indicative of a result of the comparison;
      
      a plurality of logic gates coupled to the input latches for logically combining data from the input latches; and
      
      an output latch coupled to the logic gates for outputting a signal to disable a port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GlobalFoundries, Inc.
Original Assignee
Advanced Micro Devices, Inc.
Inventors
Lo, William, Crayford, Ian S.
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
Wright, Norman M.

Application Number

US08/827,675
Time in Patent Office

614 Days
Field of Search

395/185.02, 395/185.01, 395/183.19, 395/183.01, 395/182.02, 395/182.01
US Class Current

714/43
CPC Class Codes

H04L 63/123   received data contents, e.g...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 9/40   Network security protocols

Intrusion control in repeater based networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion control in repeater based networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links