Method of securing access to IP LANs
First Claim
1. A system for internal and Internet communication comprising:
an intranet with a connection through a firewall to the internet;
a plurality of databases requiring differing user security authorization levels to access their contents on the intranet;
an intranet security database listing of clearance levels for intranet users having a user ID and active codeword along with their assigned port locations identified by their MAC and IP addresses;
a plurality of LANs within the intranet each having a separate security system response to a user ID and codeword in the intranet security database to any intranet user to assign a LAN port location to the any user and to provide periodic comparisons of the any user's MAC and IP address while on-line against the any user's assigned port location MAC and IP addresses at a rate that a periodic comparison precedes any request of the any user for data in order to detect switching of ports by the any user prior to the accessing of any data by the any user wherein during the periodic comparisons the LAN security system compares data in its listings of LAN port locations in present use with the data for assigned LAN port locations of present users for disparities in assigned and on-line address locations of the any user; and
at least one computerized component configured to perform the following:
have the LAN security system assign security ratings to port sites;
check the user ID and password of a prospective user of a particular port site to determine whether the user is an approved LAN user;
check the security level of the prospective user against the assigned security rating of the particular port site;
assign use of the particular port site to the prospective user in the case that the prospective user is an approved LAN user and has the appropriate security level at least matching the security level of the particular port site;
direct the prospective user to use a proper port site with a lower security rating in the case that the prospective user is an approved LAN user but does not have the appropriate security level to access the particular port site;
record IP and MAC of the particular port assigned to the prospective user;
use the recorded data to periodically compare an on-line port location of the prospective user against the user's assigned particular port site at a rate that assures the check precedes the prospective user's request for data;
shut down the prospective user's assigned port and used port location to prevent the transfer of data when the on-line port location is not the assigned port location of the prospective user; and
provide access when the on-line port location of the prospective user is the same as the location assigned the prospective user.
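The port-assignment and periodic-comparison logic of claim 1, modelled as an added Python example that is not part of the patent or any product it covers: the port sites, users, MAC and IP addresses and the "assigned/redirect/denied" and "allow/shutdown" result strings are constructed placeholders, and the on-line MAC/IP is simply passed in rather than observed from the switch.

```python
from dataclasses import dataclass
@dataclass
class PortSite:  # a LAN port site: its security rating and the recorded MAC/IP
    name: str
    rating: int
    mac: str
    ip: str
    enabled: bool = True

@dataclass
class User:  # intranet security database entry: ID, codeword, clearance level
    user_id: str
    codeword: str
    clearance: int
    assigned_port: str = ""

class LanSecuritySystem:
    def __init__(self, users, ports):
        self.users = {u.user_id: u for u in users}
        self.ports = {p.name: p for p in ports}

    def request_port(self, user_id, codeword, port_name):  # ID/codeword, then clearance
        user = self.users.get(user_id)
        if user is None or user.codeword != codeword:
            return "denied"  # not an approved LAN user
        port, verdict = self.ports[port_name], "assigned"
        if user.clearance < port.rating:  # under-cleared: direct to a lower-rated port
            fit = [p for p in self.ports.values() if p.enabled and p.rating <= user.clearance]
            if not fit:
                return "denied"
            port, verdict = max(fit, key=lambda p: p.rating), "redirect"
        user.assigned_port = port.name  # record IP and MAC of the port actually assigned
        return f"{verdict}:{port.name}"

    def check_before_request(self, user_id, online_mac, online_ip):  # periodic comparison
        user = self.users[user_id]
        port = self.ports.get(user.assigned_port)
        if port and port.enabled and (online_mac, online_ip) == (port.mac, port.ip):
            return "allow"
        if port:
            port.enabled = False  # shut down the assigned port ...
        for p in self.ports.values():  # ... and the port location actually in use
            if (p.mac, p.ip) == (online_mac, online_ip):
                p.enabled = False
        user.assigned_port = ""
        return "shutdown"
# Constructed sample data (not from the patent): two rated port sites, two users.
SAMPLE_PORTS = [PortSite("p-high", 3, "00:11:22:33:44:01", "10.0.0.10"),
                PortSite("p-low", 1, "00:11:22:33:44:02", "10.0.0.20")]
SAMPLE_USERS = [User("alice", "s3cret", 3), User("bob", "pw", 1)]
```

Because the comparison runs before each data request is honoured, a user who appears on another port's MAC/IP is cut off from both the assigned and the newly used port before any data is returned.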
Abstract
Protection against spoofing is provided in a LAN having at least two service classes, where one service class allows access to the LAN, the internet, and the intranet containing the LAN, and a more limited service class allows access to the LAN and the internet but not to the intranet databases. A user gains access to the LAN using his or her ID, which identifies the user's access level. To prevent limited-access users from gaining access to the intranet by changing addresses, the system continuously performs periodic checks for address changes. If there is an address change, the port assigned to, or used by, the user is disabled, throwing the user off the LAN prior to his or her obtaining the requested data.
17 Claims
1. A system for internal and Internet communication comprising:
an intranet with a connection through a firewall to the internet;
a plurality of databases requiring differing user security authorization levels to access their contents on the intranet;
an intranet security database listing of clearance levels for intranet users having a user ID and active codeword along with their assigned port locations identified by their MAC and IP addresses;
a plurality of LANs within the intranet each having a separate security system response to a user ID and codeword in the intranet security database to any intranet user to assign a LAN port location to the any user and to provide periodic comparisons of the any user's MAC and IP address while on-line against the any user's assigned port location MAC and IP addresses at a rate that a periodic comparison precedes any request of the any user for data in order to detect switching of ports by the any user prior to the accessing of any data by the any user wherein during the periodic comparisons the LAN security system compares data in its listings of LAN port locations in present use with the data for assigned LAN port locations of present users for disparities in assigned and on-line address locations of the any user; and
at least one computerized component configured to perform the following:
have the LAN security system assign security ratings to port sites;
check the user ID and password of a prospective user of a particular port site to determine whether the user is an approved LAN user;
check the security level of the prospective user against the assigned security rating of the particular port site;
assign use of the particular port site to the prospective user in the case that the prospective user is an approved LAN user and has the appropriate security level at least matching the security level of the particular port site;
direct the prospective user to use a proper port site with a lower security rating in the case that the prospective user is an approved LAN user but does not have the appropriate security level to access the particular port site;
record IP and MAC of the particular port assigned to the prospective user;
use the recorded data to periodically compare an on-line port location of the prospective user against the user's assigned particular port site at a rate that assures the check precedes the prospective user's request for data;
shut down the prospective user's assigned port and used port location to prevent the transfer of data when the on-line port location is not the assigned port location of the prospective user; and
provide access when the on-line port location of the prospective user is the same as the location assigned the prospective user.
Dependent claims: 2, 3, 4, 12, 13.
5. A method for maintaining security in intranet and internet communication comprising:
providing a plurality of databases requiring differing user security levels to access their contents on the intranet;
an intranet security database listing clearance levels for intranet users with a user ID and an active codeword along with a listing of approved LAN users with their port locations by their MAC and IP addresses;
a LAN within the intranet having a security system responsive to a user ID and a codeword in the intranet security database to assign a port location of the LAN to the users;
using the security system to continuously provide periodic comparisons of MAC and IP addresses of active users currently accessing the LAN against the assigned port locations of the active users to detect any active user switching ports from the active user's assigned port location to a port location with a less restrictive clearance level;
responding to the periodic comparisons of the LAN security system by disabling one or more ports when a comparison does not show identity of data of the any active users' presently used and assigned port locations;
having the LAN security system assign security ratings to port sites;
checking the user ID and password of a prospective user of a particular port site to determine whether the user is an approved LAN user;
checking the security level of the prospective user against the assigned security rating of the particular port site;
assigning use of the particular port site to the prospective user in the case that the prospective user is an approved LAN user and has the appropriate security level at least matching the security level of the particular port site;
directing the prospective user to use a proper port site with a lower security rating in the case that the prospective user is an approved LAN user but does not have the appropriate security level to access the particular port site;
recording IP and MAC of the particular port assigned to the prospective user;
using the recorded data to periodically compare an on-line port location of the prospective user against the user's assigned particular port site at a rate that assures the check precedes the prospective user's request for data;
shutting down the prospective user's assigned port and used port location to prevent the transfer of data when the on-line port location is not the assigned port location of the prospective user; and
providing access when the on-line port location of the prospective user is the same as the location assigned the prospective user.
Dependent claims: 6, 7, 14, 15, 16, 17.
8. A computer program product on at least one non-transitory computer medium for intranet and internet communication, the program product executing on a processing system and comprising:
computer code for a plurality of databases requiring differing security clearance levels to be accessed by users on the intranet;
an intranet security database listing clearance levels for intranet users, having a user ID and an active codeword, with their assigned port locations identified by their MAC and IP addresses;
computer code for LANs within the intranet, each LAN having a separate security system response to user IDs and codewords in the intranet security database to assign LAN port locations to users;
computer code to provide continuous periodic comparisons of MAC and IP port addresses currently active on the LANs against the assigned port locations of the users on the LANs to detect any of the users switching ports to prevent unauthorized access by any of the users of one or more of the databases;
computer code to perform the following:
have the LAN security system assign security ratings to port sites;
check the user ID and password of a prospective user of a particular port site to determine whether the user is an approved LAN user;
check the security level of the prospective user against the assigned security rating of the particular port site;
assign use of the particular port site to the prospective user in the case that the prospective user is an approved LAN user and has the appropriate security level at least matching the security level of the particular port site;
direct the prospective user to use a proper port site with a lower security rating in the case that the prospective user is an approved LAN user but does not have the appropriate security level to access the particular port site;
record IP and MAC of the particular port assigned to the prospective user;
use the recorded data to periodically compare an on-line port location of the prospective user against the user's assigned particular port site at a rate that assures the check precedes the prospective user's request for data;
shut down the prospective user's assigned port and used port location to prevent the transfer of data when the on-line port location is not the assigned port location of the prospective user; and
provide access when the on-line port location of the prospective user is the same as the location assigned the prospective user.
Dependent claims: 9, 10, 11.