1. Field of the Invention
The present invention relates generally to data security systems and more particularly, to a security system and a method for providing receiving port security for a star-configured local area network.
2. Description of the Related Art
Local area networks have been developed for interconnecting various data terminal equipment (DTE) such as computers, work stations and the like. Of course, in such networks it is often important to provide for at least some level of security in transmission of data from one DTE to another DTE.
Description of CSMA/CD
One common type of local area network utilizes a shared communication channel, with access to the common channel being coordinated by the DTE themselves. This form of access control is known as Carrier Sense Multiple Access with Collision Detection (CSMA/CD). CSMA/CD access control is described in a number of publications including, for example, Tanenbaum, A. S., Computer Networks, second edition, Prentice-Hall, Inc., 1988 at pages 128-130 and also at Meijer, A., and Peeters, P., Computer Network Architectures, Computer Science Press, 1983 at pages 280-283.
In general, CSMA/CD may be described as follows:
A DTE wishing to transmit on the common channel first monitors the channel to determine whether another DTE is using the channel. If the channel is busy, as indicated by the presence of a carrier on the channel, the DTE wishing to transmit will defer transmission. This may be thought of as the carrier sense portion of the protocol. If the channel is not busy, the DTE will transmit a data packet over the channel, with the packet containing an address of the intended recipient. If a DTE detects that the channel is busy, or if the DTE detects that a collision has occurred on the channel, the DTE will back off for a period of time and then again sense the channel to determine if the channel is busy.
Assuming physical access to the communication media can be obtained, an unauthorized DTE could be coupled to the media to transmit messages onto the network. This type of security risk may be referred to as "intrusion". Such an intrusion could result in the extraction of confidential information residing on another DTE in the network, or could cause the introduction of a "virus" into the network (a "virus" is often destructive programming code that secretly attaches itself to a DTE and can destroy the data in the DTE). This presents a serious drawback where security and protection of data in the network is important.
Besides the security risk, intrusion has a second negative effect of transmitting unnecessary and unwanted messages onto the network. This could have an adverse effect on overall network performance.
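The access method described above, as an added illustration rather than text from the application: a slotted model of CSMA/CD in which a station transmits only at an idle slot boundary, stations that start in the same slot collide, and each colliding station draws a random back-off. The truncated binary exponential back-off used here is the IEEE 802.3 rule and is an assumption (the text only says "back-off for a period of time"); the station names and frame lengths are constructed for the demonstration. The point the run makes for the intrusion discussion is that nothing in the access method distinguishes the unauthorised station "X" from the others: once it can sense the carrier, the channel serves it equally.

```python
"""Slotted CSMA/CD model: carrier sense, collision detection, random back-off.

Added illustration, not text from the application.  Frames occupy a whole
number of slots; a station transmits only at an idle slot boundary; two
stations starting in the same slot collide and each draws a back-off.  The
truncated binary exponential back-off is the IEEE 802.3 rule and is an
assumption here (the text only says 'back-off for a period of time')."""
import random


class Station:
    def __init__(self, name, frames):
        self.name = name
        self.queue = list(frames)   # (frame id, length in slots), in send order
        self.backoff = 0            # slots still to wait before the next attempt
        self.attempts = 0           # collisions suffered by the head-of-queue frame


def simulate(stations, seed=1, max_slots=10_000):
    """Return (delivered, collisions); delivered is [(slot, station, frame id)]."""
    rng = random.Random(seed)
    delivered, collisions = [], 0
    busy_until = 0                   # first slot at which the channel is idle again
    slot = 0
    while slot < max_slots and any(s.queue for s in stations):
        for s in stations:           # back-off timers count down every slot
            if s.backoff > 0:
                s.backoff -= 1
        if slot < busy_until:        # carrier sense: channel busy, everyone defers
            slot += 1
            continue
        ready = [s for s in stations if s.queue and s.backoff == 0]
        if len(ready) == 1:          # sole transmitter: the frame goes through
            s = ready[0]
            frame_id, length = s.queue.pop(0)
            delivered.append((slot, s.name, frame_id))
            busy_until = slot + length
            s.attempts = 0
        elif len(ready) > 1:         # collision detected: all back off and retry
            collisions += 1
            for s in ready:
                s.attempts += 1
                s.backoff = rng.randrange(2 ** min(s.attempts, 10))
        slot += 1
    return delivered, collisions


def demo(seed=1):
    """Two authorised DTEs and one intruder tapped onto the same medium (constructed)."""
    stations = [
        Station("A", [("a1", 3), ("a2", 3)]),
        Station("B", [("b1", 3), ("b2", 3)]),
        Station("X", [("x1", 3)]),   # unauthorised DTE: the channel serves it just the same
    ]
    return simulate(stations, seed=seed)


if __name__ == "__main__":
    delivered, collisions = demo()
    print("collisions:", collisions)
    for slot, station, frame_id in delivered:
        print(f"slot {slot:3d}: {station} sent {frame_id}")
```

All three stations are ready in slot 0, so the first slot is always a collision; every frame, the intruder's included, is eventually delivered, and each station's frames arrive in the order it queued them. The model is what makes the "intrusion" risk concrete: the only thing standing between an attacker and the channel is physical access to the medium.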
It is important to state here that devices processing and forwarding information in a commercializable network employing the CSMA/CD protocol must follow the standards set for such networks. The standards followed by most commercially available CSMA/CD network products are the IEEE 802.3 standards. Many well-known commercial networks have implemented a version of the CSMA/CD protocol which has become popularly known as Ethernet.
Primary object of the present invention
It is, thus, a primary object of the present invention to provide for increased security in a networked system.
It is a second object of the present invention to provide for increased security in a networked system in order to prevent or minimize intrusion on the network.
It is a third object of the present invention to filter out undesired network traffic resulting from an intrusion into the network.
Description of typical network equipment
It is noted that the above description relates to networks in which each DTE has its own interface to the common communications channel, although the present invention is not limited to such a network. This type of network is further illustrated with reference to FIG. 1. FIG. 1 illustrates a DTE 101 which includes an interface board (not shown) coupled through a transceiver cable 102 to a transceiver 104 which is coupled with a central communications cable 105. Thus, it is readily apparent that an alternate DTE with the appropriate interface board and transceiver cable may be coupled to the central communications cable 105. The above-described components of networks, e.g., central communications cables, transceivers, transceiver cables, interface boards and data terminal equipment, are all well-known in the art. A further description of typical components of a CSMA/CD-based network may be found, for example, with reference to Tanenbaum, cited above, at pages 141-144.
Concentrator
More recently, concentrators (also termed intelligent hubs) have been provided in networks in order to provide for increased connectivity, internetworking, and network management. An example of such a concentrator is the LattisNet System 2000.TM. intelligent hub available from SynOptics Communications, Inc. of Santa Clara, Calif. In a system utilizing a concentrator, each DTE is coupled to one of a plurality of host modules defined within the concentrator, and the concentrator provides a common communication channel, or backplane, allowing for communication between the various DTEs. This type of network, when depicted graphically, presents a star-like image and, thus, is often referred to as a star-configured network.
FIG. 2 illustrates a network as may be configured utilizing a concentrator. As illustrated by FIG. 2, a network may comprise a plurality of concentrators, such as concentrators 201 and 202. Each concentrator may have a plurality of data terminals coupled with it, such as data terminals 221-223 which are coupled with concentrator 201 and data terminals 231-233 which are coupled with concentrator 202.
The data terminals are coupled with the concentrator through ports defined by one or more host modules which are housed in the concentrator. For example, data terminals 221 and 222 are each coupled with host module 241, while data terminal 223 is coupled with host module 242.
The host modules are each coupled with a backplane bus (not shown) in the concentrator to allow communication with a repeater module, for example, repeater module 214. The repeater module is responsible for receiving and repeating messages between data terminals coupled with a single concentrator. For example, DTE 221 may transmit a message. Repeater 214 will receive the message after it is transmitted on the backplane of concentrator 201 by host module 241. The repeater will then retransmit the message back onto the backplane so that it may be received by each of data terminals 222 and 223. Data terminals 222 and 223 will then examine the packet to determine if the destination address of the message indicates the message is to be processed.
In addition, the concentrator may comprise a bridge or router module such as module 211 of concentrator 201. The bridge or router module allows communication of messages between the plurality of concentrators which may exist in the network. As can be seen with reference to FIG. 2, concentrator 201 and concentrator 202 are coupled in communication through bridge/router 211 which is coupled with bridge/router module 212 on concentrator 202 to allow messages to be communicated from data terminals 221-223 coupled with concentrator 201 to data terminals 231-233 coupled with concentrator 202.
Some Terminology and discussion of certain objects of the preferred embodiment of the invention
Before continuing further, it may be useful to define some basic terminology used in the field of networking. Such terminology is defined in APPENDIX I: DEFINITIONS. From these definitions, it may be useful to understand the definitions of a concentrator, a host module, a bridge, a router, and a repeater.
It will be seen that the preferred embodiment advantageously provides for the incorporation of its security arrangement primarily at the concentrator level. This offers certain advantages over certain alternate embodiments which, while they may incorporate inventive aspects of the preferred embodiment, provide for security aspects at other locations in the network.
For example, it is possible to consider incorporating security arrangements in a host module, a router, in a repeater, or in a bridge. In fact, while the reference is not considered by the Applicant to represent prior art to the present invention, it is worthwhile noting a system described in European Patent Application Publication No. 0 431 751 which was published on Jun. 12, 1991 (the '751 reference). This reference describes a security arrangement in which a multi-port repeater for a local area network has means for storing access rules for items of equipment which may be attached to it. The repeater reads a portion of each frame it receives and compares that information with the stored access rules to determine if the frame is permitted or not. If the frame is not permitted, it corrupts the frame before retransmission. The system is also described as being capable of reporting the source address, destination address and reason for deciding to corrupt the frame to a network controller.
However, one drawback to such an embodiment is that the circuitry for storing the necessary access rules and other circuitry for implementing the security protocols may grow at least linearly with the expansion of the number of ports of the multi-port repeater. In addition, there are likely to be physical limitations imposed on the number of ports supportable by any single multi-port repeater. This may lead to security complications in an embodiment such as that described in the '751 reference.
By incorporating the security technology primarily at the concentrator level, the preferred embodiment of the present invention accomplishes one object of the invention in that it allows for incorporation of the security technology to any number of ports supportable by the network.
Other exemplary security arrangements
Of course, a number of other options may be available to provide varying levels of security in a networked system. For example, data encryption and decryption techniques may be employed in which the data is encrypted by a transmitting DTE and the data may then be decrypted by an intended receiving DTE which has the necessary decryption algorithm. Physical security is also possible, such as by locking up or otherwise preventing access to the data terminal equipment and the common network medium. However, each of these alternatives offers various tradeoffs in expense of implementation, complexity, convenience and standards conformance.
Therefore, it is an object of the present invention to provide improved data security in a data network at minimal cost and complexity.
There are several other well-known techniques for providing data security in local area networks. One such technique is described with reference to U.S. Pat. No. 2,901,348 Nichols, et al., which describes a security arrangement that attempts to maintain secure data transmissions between a plurality of data transmitting and receiving devices, each of which shares common transmission and reception facilities. The security arrangement described in the '348 patent provides security against "eavesdropping" that may result from the sharing of common communication transmission and reception facilities. However, as is understood, the device described by the '348 patent requires, at least in certain cases, buffering of message information such that a delay greater than the length of the address portion of a packet is introduced into the transmission of such data packets. Introduction of such a delay is not acceptable in commercial networks following at least certain accepted standards. In addition, it is worth mentioning that the '348 patent describes a bus-configured system, not a star-configured system as described by the present invention.
Thus, it is an object of the present invention to provide improved security in a network by providing source address (SA) filtering of messages such that ports receiving messages sent by unauthorized users are partitioned so that the unauthorized user's access is terminated. This allows protection against "intrusion".
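The two responses to an unauthorised source address discussed above, as an added illustration that is not the application's own design: a concentrator model in which each host-module port carries an allow-list of authorised source addresses (SAs), a "corrupt" policy standing in for the multi-port-repeater behaviour attributed to the '751 reference (the frame is repeated with a spoiled FCS so receivers discard it, but the port stays up), and a "partition" policy corresponding to the object stated here (the receiving port is cut off and nothing further from it is repeated). The decision is taken from the first 12 octets alone, so no buffering beyond the address portion is needed, which is the delay constraint raised against the '348 patent. The MAC addresses, port numbers, class and function names, and sample frames are all constructed for the example; the FCS is modelled as zlib's CRC-32 over the frame, ignoring the bit-ordering details of the real IEEE 802.3 FCS.

```python
"""Receiving-port source-address (SA) filtering, modelled at the concentrator.

Added illustration, not the application's own design.  Each host-module port
carries an allow-list of authorised SAs.  Two responses to a violation are
compared: 'corrupt' (the multi-port-repeater behaviour attributed to the '751
reference: forward the frame with a bad FCS so receivers discard it) and
'partition' (the stated object: cut the receiving port off).  The FCS is
modelled as zlib's CRC-32 over the frame; bit-ordering details of the real
802.3 FCS are ignored."""
import struct
import zlib


def mac(text):
    """'02:00:00:00:00:01' -> 6 octets."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(da, sa, payload, ethertype=0x0800):
    """DA | SA | type | payload | FCS (constructed sample frames for the demo)."""
    body = da + sa + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def fcs_ok(frame):
    """What a receiving DTE checks before accepting a frame."""
    body, fcs = frame[:-4], frame[-4:]
    return struct.pack("<I", zlib.crc32(body)) == fcs


def addresses(frame):
    """(DA, SA) from the first 12 octets.  Nothing past the address portion is
    needed, so the decision adds no buffering delay beyond those 12 octets."""
    if len(frame) < 12:
        raise ValueError("frame shorter than the address fields")
    return frame[0:6], frame[6:12]


class Concentrator:
    def __init__(self, policy="partition"):
        if policy not in ("partition", "corrupt"):
            raise ValueError(policy)
        self.policy = policy
        self.allowed = {}         # port -> set of authorised SAs
        self.partitioned = set()  # ports cut off after a violation
        self.log = []             # (port, da, sa, reason) for the network controller

    def authorize(self, port, *sas):
        self.allowed.setdefault(port, set()).update(sas)

    def receive(self, port, frame):
        """Frame arriving from a DTE on `port`.  Returns what is repeated onto
        the backplane: the frame, a corrupted copy, or None if discarded."""
        if port in self.partitioned:
            self.log.append((port, None, None, "port partitioned"))
            return None
        da, sa = addresses(frame)
        if sa in self.allowed.get(port, set()):
            return frame
        self.log.append((port, da, sa, "SA not authorised on this port"))
        if self.policy == "corrupt":
            # Repeat the frame with its FCS inverted; receivers drop it, but the
            # port stays up and the intruder may keep transmitting.
            return frame[:-4] + bytes(b ^ 0xFF for b in frame[-4:])
        # Partition: the port is shut and nothing further from it is repeated.
        self.partitioned.add(port)
        return None


def demo(policy):
    """Authorised DTE on port 1, then an intruder tapped onto the same cable (constructed)."""
    hub = Concentrator(policy)
    dte1, dte2 = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02")
    intruder = mac("02:00:00:00:00:99")
    hub.authorize(1, dte1)
    hub.authorize(2, dte2)
    legit = build_frame(dte2, dte1, b"report")
    rogue = build_frame(dte2, intruder, b"probe")
    return [hub.receive(1, legit), hub.receive(1, rogue), hub.receive(1, legit)], hub


if __name__ == "__main__":
    for policy in ("corrupt", "partition"):
        out, hub = demo(policy)
        print(policy, [None if f is None else fcs_ok(f) for f in out], sorted(hub.partitioned))
```

Under "corrupt" the intruder's frame reaches the backplane with a bad FCS and the next legitimate frame from the same port passes, so the intruder's transmissions continue to load the channel; under "partition" the port is closed at the first violation and even the legitimate DTE sharing that port is cut off until the port is re-enabled, which is the trade the partitioning approach makes. One caveat worth keeping in mind: the check binds an SA to a port, so an intruder on that port who forges the SA of the DTE authorised there is not distinguished by the SA alone.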
These and other objects of the present invention will be better understood with reference to the below Detailed Description and the accompanying figures.