1. Technical Field
The present invention relates to a method and system for data processing in general, and in particular to a method and system for providing a security mechanism within a local-area network. Still more particularly, the present invention relates to a method and system for providing a security mechanism for an Asynchronous Transfer Mode emulated local-area network.
2. Description of the Prior Art
For several years, the installed base of many communication networks has been established according to the IEEE 802 Local-Area Network (LAN) standards, such as the IEEE 802.3 standard for Ethernet LANs and the IEEE 802.5 standard for Token-Ring LANs. These communication networks are considered "connectionless" because data packets can be exchanged within them without first establishing a layer-2 connection under the seven-layer networking reference model established by the International Organization for Standardization (ISO). In addition, the applications within these communication networks typically reside on top of a layer-2 protocol and a layer-3 protocol, such as Media Access Control (MAC) and Internet Protocol (IP), respectively.
With the advent of Asynchronous Transfer Mode (ATM) technology, which offers the advantages of fixed-size cell switching, scalability from a few megabits to hundreds of megabits, the ability to offer guaranteed quality of service on a per-connection basis, etc., it is desirable to interconnect a LAN that is still under one of the IEEE 802 LAN standards (a so-called Legacy LAN) with communication networks that are equipped with ATM capabilities. This type of interconnection has been achieved by a variety of methods, such as bridging and routing, that are well known to those skilled in the art of communications network development. Generally speaking, all these methods provide acceptable results, but as a whole there is ample room for improvement. For example, some of the methods are based on a broadcast principle that mimics shared-medium operation, in which all data packets must be broadcast to all destinations. This method of packet broadcast ends up flooding the entire ATM network with broadcast traffic. Another problem associated with the broadcast principle is that it requires a mesh of connections to be established between all bridges and ATM hosts within a LAN, and that all inter-LAN traffic pass through a router, which typically becomes the bottleneck of the LAN.
To provide a better ATM-based solution, the ATM Forum has developed another bridging solution called LAN Emulation (LANE). LANE protocols allow an ATM network to present the appearance of an Ethernet-like or Token-Ring-like LAN. A LANE architecture emulates traditional LAN technologies over a switched ATM network. Specifically, LANE relies on a LAN Emulation Server (LES) to resolve MAC addresses to ATM addresses, and on a Broadcast and Unknown Server (BUS) to distribute broadcast frames and frames whose destination is not yet resolved. A more detailed description of the LANE technology can be found in LAN Emulation Over ATM Specifications, version 1.0, promulgated by the ATM Forum, the content of which is incorporated herein by reference.
One of the major issues in migrating Legacy LANs to ATM technology is system security. Legacy LANs offer intrinsic system security in the sense that a physical connection between two end systems implies that the two end systems are on the same LAN. With emulated LANs, any participating station may be assigned to an emulated LAN via an administrative procedure, which essentially decouples a physical end system and its connection from its membership in a particular emulated LAN. That means an end system may be physically moved but still participate in the same emulated LAN. Thus, physical connectivity in emulated LANs no longer implies the same level of system security as in Legacy LANs. As a result, there is a risk of unauthorized computer systems connecting to an emulated LAN and attempting to utilize services for which they are not authorized. In addition, since use of a LAN Emulation Configuration Server (LECS) by an LE client (LEC) is optional, reliance on the configuration protocol is not a viable security mechanism for an emulated LAN: a client that already knows the ATM address of the LES can send its join request to the LES directly and never consult the LECS. Consequently, it would be desirable to provide a better security mechanism for an emulated LAN.
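The following is an added illustration, not part of the patent and not the method it claims, that models the LANE v1.0 join path just described in Python. It assumes an operator has put an access list in the LECS (a policy the specification leaves to the operator) and that the LES, as in v1.0, accepts any well-formed LE_JOIN_REQUEST without reference to the LECS decision. The ATM addresses are short constructed labels standing in for 20-byte NSAP addresses, and the names `LECS`, `LES`, `join_via_lecs` and `join_direct` are the example's own.

```python
"""Toy model of the LANE v1.0 join path.

Shows why an access list that lives only in the LECS does not keep an
unauthorized LE client out of an emulated LAN: LECS use is optional, so
a client can send LE_JOIN_REQUEST straight to the LES.  Constructed
illustration; all addresses and names are assumptions of this example.
"""
from dataclasses import dataclass, field


@dataclass
class LECS:
    """LAN Emulation Configuration Server.

    acl maps a client's ATM address to (ELAN name, LES ATM address).
    Clients not listed get no configuration (assumed operator policy).
    """
    acl: dict

    def configure(self, client_atm):
        # Handle LE_CONFIGURE_REQUEST: hand back the LES address or refuse.
        entry = self.acl.get(client_atm)
        if entry is None:
            return {"status": "refused"}
        return {"status": "ok", "elan": entry[0], "les": entry[1]}


@dataclass
class LES:
    """LAN Emulation Server for one ELAN.

    Has no knowledge of what the LECS decided; any well-formed
    LE_JOIN_REQUEST is accepted and assigned a LECID.
    """
    elan: str
    atm_addr: str
    members: dict = field(default_factory=dict)  # LECID -> (ATM, MAC)
    next_lecid: int = 1

    def join(self, client_atm, client_mac):
        lecid = self.next_lecid
        self.next_lecid += 1
        self.members[lecid] = (client_atm, client_mac)
        return {"status": "ok", "lecid": lecid, "elan": self.elan}


def join_via_lecs(lecs, servers, client_atm, client_mac):
    """Well-behaved client: consult the LECS, join only the LES it names."""
    cfg = lecs.configure(client_atm)
    if cfg["status"] != "ok":
        return None                     # refused by the configuration server
    return servers[cfg["les"]].join(client_atm, client_mac)


def join_direct(servers, les_atm, client_atm, client_mac):
    """Client that skips the LECS and joins a LES whose address it knows."""
    return servers[les_atm].join(client_atm, client_mac)


def demo():
    """Run both paths; returns (authorized, refused, bypass, membership)."""
    les_atm = "atm:les-engineering"          # constructed stand-in address
    servers = {les_atm: LES("engineering", les_atm)}
    lecs = LECS(acl={"atm:client-a": ("engineering", les_atm)})

    authorized = join_via_lecs(lecs, servers, "atm:client-a", "00:00:5e:00:53:01")
    refused = join_via_lecs(lecs, servers, "atm:rogue", "00:00:5e:00:53:ff")
    # Same rogue station, but it never asks the LECS: the LES lets it in.
    bypass = join_direct(servers, les_atm, "atm:rogue", "00:00:5e:00:53:ff")
    return authorized, refused, bypass, dict(servers[les_atm].members)


if __name__ == "__main__":
    ok, no, by, members = demo()
    print("via LECS, authorized :", ok)
    print("via LECS, rogue      :", no)
    print("direct to LES, rogue :", by)
    print("ELAN membership      :", members)
```

Running `demo()` shows the rogue station refused on the LECS path but admitted with its own LECID on the direct path; the ELAN ends up with two members, one of which the LECS never approved. Any viable access control for an emulated LAN therefore has to be enforced at the LES (or by the switches that carry the join traffic), not at the optional configuration step.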