The present invention relates to security for networks having source address updating, and more particularly to a programmable source address locking mechanism for secure networks.
In one typical network, such as a network based on the IEEE 802.3 standard (hereby incorporated by reference for all purposes), a data packet transmitted by one data terminal equipment (DTE), i.e., an end station, to another DTE passes through every repeater. Usually two or more end stations are connected to a repeater via the ports of the repeater. A repeater may also be connected to other repeaters.
A typical data packet includes a preamble, a start frame delimiter (SFD), a destination address field, a source address field, a type/length field, a data field, a frame check sequence (FCS) field, and an end transmission delimiter (ETD). Each DTE has an assigned individual, unique address referred to as a media access control (MAC) address. When a DTE transmits a data packet, the transmitted data packet contains the MAC address of the transmitting DTE in the source address field of the data packet and the MAC address of the DTE for which the data packet is intended in the destination address field of the data packet.
When a repeater receives a data packet on one of its ports from the DTE connected to that port, it retransmits the data packet unmodified to all the DTEs connected to the other ports. Usually, only the DTE whose MAC address is in the destination address field of the data packet reads the data packet, while the other DTEs simply ignore the data packet. However, the repeater's unmodified retransmission of the data packet to all the ports poses a threat to network security. Potentially, a non-targeted DTE having a MAC address that does not match the destination address contained in the destination address field could read a data packet intended only for the destination DTE.
Assuming that each port of the repeater is connected to one DTE (such as in a star topology network), it is possible for hardware within a management unit connected to the repeater to learn the MAC address of the DTE connected to each port. A repeater connected to such a management unit is referred to as a managed repeater having an address learn capability. The learned MAC address is stored within the management unit in a memory location ADR(x), where x is in the range of 1 to n, and x identifies the x port of n ports of the managed repeater.
With the exception of ports connected to multiple DTEs (i.e. stations on a coax cable, or another repeater), once the MAC address of the DTE connected to port x is known and stored in ADR(x), the value in ADR(x) never changes unless the network is reconfigured.
If the DTE at a managed repeater port does change, the management unit updates the stored MAC address for that port, in accordance with the IEEE 802.3 standard. Upon detecting a mismatch between a MAC address in the source address field of a data packet received at port x and a source address stored previously in ADR(x), the management unit updates the memory location ADR(x) by replacing the stored MAC address with the received source address included in the source address field of the received data packet.
Allowing updating of a learned MAC address exposes a network to a potentially serious breach in network security. For instance, an intruder could disconnect the DTE having a MAC address that was stored previously in ADR(x), and substitute a device by plugging it into port x. It is difficult in a secured network for an intruder attempting to use port x to know the MAC address previously stored in ADR(x), therefore the intruder most likely uses a different MAC address at port x. Once the intruder sends a data packet, and the managed repeater detects a different MAC address in the source address field of that data packet, the management unit replaces the previous learned MAC address with the intruder's MAC address. Thereafter, the intruder's address is stored in ADR(x), allowing the intruder access to the network. A more serious problem results from an intruder that causes ADR(x) to store a MAC address that corresponds to a different DTE on the network. The intruder will then receive data packets intended for the other DTE.
The prior art has dealt with this type of network security problem by setting an interrupt flag after a source address has been updated. The interrupt flags alerts a network administrator that a MAC address update occurred at the particular port. If the MAC address update is a result of an authorized DTE change, the administrator does not respond to the interrupt. If the change is not authorized, the administrator either shuts off the port or reprograms ADR(x) with the original learned MAC address before the next data packet arrives. An example of a managed repeater having an address learn capability that updates stored MAC addresses and sets an interrupt flag after updating to provide network security is the IMR+/HIMIB (P/N AM79C981 (IMR) and AM79C987 (HIMIB)), produced by Advanced Micro Devices of Sunnyvale, Calif. and described in the incorporated U.S. Pat. No. 5,353,353.
This type of network security system is sufficient provided the interrupt flag is timely serviced, but performance is not optimum in that the network security depends upon the speed of the microprocessor and efficient execution of complicated software in order to timely service the interrupt flag. Since thousands of data packets pass through the network every second, a security breach may be significant should data packets be transmitted to the intruder before the interrupt flag is serviced. Delays in servicing the interrupt allow the intruder, pretending to be another DTE, to eavesdrop on data packets destined for the DTE that it is mimicking. The prior art minimizes this type of security breach by using a very fast microprocessor and complicated software to service the high priority interrupt, but this solution is not desirable because the equipment is expensive.
In the prior art, a managed repeater having the learned address capability provided some degree of network security by corrupting the data packet transmitted to unauthorized ports and transmitting the uncorrupted data packet to the authorized port. That is, the managed repeater transmits the data packet unmodified on port x if the MAC address of the port x stored in ADR(x) matches the destination address of the received data packet. For all other ports with non-matching addresses, the managed repeater transmits a corrupted data packet on port x, thus preventing unauthorized DTEs from eavesdropping on a data packet destined for another DTE. An example of this kind of security system is described in the incorporated patent application Ser. No. 08/053,797. However, the prior art using destination address matching to corrupt data packets to unauthorized DTEs remains vulnerable to the security breach resulting from the source address updating scenario discussed earlier.