Not applicable.
Not applicable.
1. Field of the Invention
The present invention generally relates to network architecture. More particularly, the invention relates to an architecture that facilitates isolating security intrusions. Still more particularly, the invention relates to a computer architecture in which each node in the architecture can communicate with and be programmed by only certain other predetermined nodes.
2. Background of the Invention
Computer networks generally comprise a plurality of computers or terminals coupled together to form a cohesive group of machines that can easily communicate with one another. Generally, each computer in a network can communicate directly with each of the other computers in the network. In the context of publicly available networks such as the Internet, any computer linked to the Internet generally can access all other computers linked to the Internet.
Individuals or companies that operate computer networks often employ system administrators to manage the network. The system administrator generally has unique privileges, not available to the general population of users of the network, to permit effective administration of the network. For example, the system administrator will be able to add or delete user accounts to control who should have access to the network. The administrator will also be able to specify what privileges or access rights each user will have. Certain sensitive information can be protected by permitting only those users with a need for such information to access it. The administrator can configure all other users to prevent them from accessing the sensitive information. Often, there are multiple administrators of a computer network. More than one administrator may be necessary, particularly to keep up with the network administration needs of larger networks and companies.
With the ease of information access in a computer network, security may be a problem. A company may have highly sensitive information for which security is extremely important. A few examples of sensitive information include payroll data, personnel data, and customer specific confidential information. Breaches in network security can arise from at least two sources: infiltration from an unauthorized outside person (e.g., a non-employee) or a corrupt or dishonest employee internal to the company. Once having access to the network, either person may be able to copy, print or email sensitive information, erase accessible data to sabotage the system, or take other undesirable actions. A dishonest system administrator can cause even more harm than a user. For example, an administrator can erase or reformat a hard drive, prevent authorized users from accessing certain files and directories, and take other actions.
Quickly and effectively responding to a security breach is extremely important. The response to a security breach includes two basic tasks. First, the security breach must be detected. That is, the system or security administrator must be able to detect that someone or some entity is attempting to infiltrate the network. Second, the system administrator must minimize the potential harm the security breach may cause. To date, however, there have not been consistently quick and accurate methods to isolate a security breach and minimize the harm to the system.
Accordingly, it would be extremely desirable to have a computer network that can quickly, accurately and consistently isolate a security breach thereby preventing the unauthorized entity or person from causing additional harm to the rest of the computer network. Despite the desire for improved network security, to date the field still lacks adequate security measures.
The problems noted above are solved in large part by a communication network implementing a "resistance cell architecture." Each cell in the architecture comprises communication equipment such as a cell communication device coupled to one or more computers or terminals. Each cell is only permitted to communicate directly with certain predetermined other cells in the architecture. If a cell has a communication to be transmitted to a cell with which it does not directly communicate, the communication will be sent from one cell to another until the communication reaches the intended recipient.
A security breach in the network can quickly, easily and effectively be isolated using the resistance cell architecture. For example, once the security intrusion (e.g., an unauthorized entity attempting to gain access to the network) is detected, the cell through which the security intrusion is detected can be deactivated. Once deactivated, no transmissions from that infected cell or branch of the resistance cell architecture can reach other parts of the network. Alternatively, the infected cell or branch of the network can be ordered to self-destruct, thereby providing additional security and assurance that the security breach is effectively eliminated.
Many cells in the resistance cell architecture can act as "masters" to other cells (called "subordinate" cells). Master cells control many functions and the communication behavior of their subordinate cells. A set of commands, including controls and sub-controls, permits the master cells to initiate subordinate cells into the resistance cell architecture, alter the operating characteristics of the architecture, respond to detected security breaches and problems, and permit administrators of master and subordinate cells to configure the administrator's cell.
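The following simulation is an added illustration of the cell architecture summarized above and is not part of the patent. It assumes a small constructed topology (cells "HQ", "A", "A1", "A2", "B", "B1"), in which each cell may exchange traffic only with its predetermined neighbors, messages are relayed hop by hop, and a master may deactivate a subordinate to cut off that subordinate's entire branch.

```python
from collections import deque

# Constructed example topology (not from the patent): each cell lists the only
# cells it may talk to directly; every other destination is reached by relaying.
ALLOWED_LINKS = {
    "HQ": {"A", "B"},
    "A": {"HQ", "A1", "A2"},
    "A1": {"A"},
    "A2": {"A"},
    "B": {"HQ", "B1"},
    "B1": {"B"},
}
# Assumed master/subordinate relationships: only a cell's master may deactivate it.
MASTER_OF = {"A": "HQ", "B": "HQ", "A1": "A", "A2": "A", "B1": "B"}


class ResistanceCellNetwork:
    def __init__(self, links, master_of):
        self.links = {cell: set(peers) for cell, peers in links.items()}
        self.master_of = dict(master_of)
        self.active = set(links)  # deactivated cells drop out of this set

    def route(self, src, dst):
        """Hop-by-hop path a message takes through active cells, or None if unreachable."""
        if src not in self.active or dst not in self.active:
            return None
        prev = {src: None}
        queue = deque([src])
        while queue:
            cell = queue.popleft()
            if cell == dst:
                path = []
                while cell is not None:
                    path.append(cell)
                    cell = prev[cell]
                return path[::-1]
            for nxt in self.links[cell]:  # only predetermined neighbors are candidates
                if nxt in self.active and nxt not in prev:
                    prev[nxt] = cell
                    queue.append(nxt)
        return None

    def deactivate(self, master, target):
        """Master deactivates a subordinate; traffic from its branch can no longer transit."""
        if self.master_of.get(target) != master:
            raise PermissionError(f"{master} is not the master of {target}")
        self.active.discard(target)

    def isolated_cells(self, root="HQ"):
        """Cells that can no longer reach the root (the isolated branch plus the cut cell)."""
        return sorted(cell for cell in self.links if self.route(root, cell) is None)
```

Because "A1" can only reach "B1" through "A" and "HQ", deactivating "A" from "HQ" isolates the whole "A" branch while "HQ" and "B1" keep communicating.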