KR20020027471A - Secure network switch - Google Patents

Abstract

The present invention relates to a secure network having means for controlling the flow of packets within the network. In one example, the network includes a plurality of network devices coupled together in a LAN switch. Each network device is physically connected to a port on the LAN. Each port receives at least a portion of the packets arriving at that port and determines whether the packet is authorized to pass through that port and sent to the destination address. The filters may use pattern matching or other technique to determine that the packets meet the accessible rules of access. Access rules are determined by the system administrator and downloaded to the LAN switch for execution by the filter. Each filter may perform a different set of access rules and the filters may be used by an administrator to set an access level for a selected network device and to isolate a particular device.

Description

Secure Network Switch {SECURE NETWORK SWITCH}

The rapid development of computer technology and the reduction of the cost of this technology have enabled the widespread use of computers and computer networks. Similarly, organizations are more dependent on communicating with computers outside their network. For example, organizations need access to the World Wide Web to conduct research, send e-mail, and transfer files between different locations. Similarly, web pages can be used to accomplish marketing activities, information distribution, or meetings between companies and potential customers. As such, more and more exposure of organization-owned networks to external computer systems and networks has made security a greater concern.

As security concerns have increased, it has become more common for companies to set up firewalls between their internal networks and other, external networks. In fact, firewalls are generally considered an essential part of any company's network that connects to the Internet. The firewall acts as a barrier between the network used by the company or the enterprise and the external network. The firewall acts as a checkpoint that all data must pass through before entering the internal network. When the data reaches the firewall, the data is checked to determine if it satisfies one or more rules as to whether access to the internal network may be allowed. These rules are programmed into the firewall by the system administrator. Firewalls are a convenient way to prevent numerous unauthorized accesses or attacks that could be attempted from outside your network. Firewalls are generally implemented on the only line of communication between the corporate network and the external network. Thus, a system administrator has a central point, where he or she can inspect incoming packets, enforce access rules, and monitor unauthorized activity.

Firewalls offer many security benefits, but they also have disadvantages. One such drawback is that once unauthorized access enters the system, nothing can be done by the firewall, and the damage that can result from that access is inevitable. Also, a firewall cannot simply prevent access that bypasses the firewall. For example, if a corporate network user is allowed to dial out of the network directly to an external system, the data passing through this connection will not be examined and will not comply with firewall access rules. In addition, firewalls are not powerful enough to prevent network users from getting virus-infected floppy disks from external sources and loading them onto the network. If a virus infects a computer on a network, the virus can spread to the rest of the network without passing through a firewall. Moreover, the firewall cannot prevent the damage that could be caused by hostile machines entering into the firewall.

FIELD OF THE INVENTION The present invention relates generally to computer networks, and more particularly to means for filtering data packets transmitted through a LAN switch in a network to control access between a personal computer and the rest of the network.

1 is a block diagram illustrating a computer network in one example of the present invention;

2 is a flow chart showing a path that a packet can traverse from a source computer to a destination computer;

3A is a functional block diagram of one port of a packet-filtering LAN switch in one example of the present invention;

3B is a functional block diagram of one port of a packet-filtering LAN switch in another embodiment of the present invention;

3C is a functional block diagram of one port of a packet-filtering LAN switch in another embodiment of the present invention;

3D is a block diagram of a plurality of ports of a CPU and a packet-filtering LAN switch in another embodiment of the present invention;

4 is a flowchart illustrating the operation of a LAN switch in an example of the present invention.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will be described in detail. However, the drawings and detailed description are not intended to be limited to the specific forms of the invention, on the contrary, as such, all modifications falling within the spirit and scope of the invention, as defined by the appended claims, It is intended to include equivalents and modifications.

One or more of the problems described above may be solved by various embodiments of the present invention. The present invention implements means for controlling the flow of data packets within a network within an enterprise computer network. ("Enterprise" means here a network operating at a company or enterprise-this is intended to point to a reference point and not to point to any particular type of network.) It is done independently for firewalls that only control between corporate networks and external networks such as the Internet. Thus, even if an unauthorized packet defeats or to some extent bypasses the firewall, thanks to the present invention, unauthorized packets are prevented from affecting the device on the enterprise network.

In one example, several computers are coupled within a network by a local area network (LAN) switch. (Unless otherwise specified, the term "computer" as used herein in connection with a network, for example, is any device that can be connected to the network, such as a workstation, printer, file server, modem server, router, etc., and configured to transmit and / or receive packets. Likewise, the term "LAN switch" can be any type of interface device for devices on a network, such as switches, routers, and hubs.) A LAN switch has several physical ports and each The computer is connected to one of those ports. Packet filters are associated with each port. Packet filters define the types of packets that are allowed or disallowed to pass through a round-trip port for the computer involved. When a packet is received by one of the ports, an associated filter is used to determine (eg, by packet-matching) whether the packet should be sent to the destination computer or what other action should be taken. This other action could consist of dropping the packet, redirecting the packet to another port, or simply notifying the system administrator of the packet. In so doing, the ports can be used to physically control access to their respective lines and computers coupled thereto.

In one example, a packet filter scans a packet in parallel with regular processing of the packet (eg, addressing). This regular processing usually consists of determining a destination address for the packet. The filter may perform packet matching (compare a particular field of the packet with a predetermined pattern) to determine if the packet is applied. If it is determined that the packet is not authorized, the filter can signal the LAN switch to drop or resend the packet before it passes the LAN switch. By performing packet filtering in parallel with regular processing, the burden and delay of the network is minimized.

In one example, each packet filter is programmed by software running on a LAN switch. The network administrator can download the acknowledgment for each packet filter. By doing so, the network administrator can control access on each port in the same way as in a firewall. However, because packets are filtered independently at each port, the network administrator can configure access rules for each computer. By doing so, the network administrator can set up different classes of users or separate the personal computer from the rest of the network.

Other objects and advantages of the present invention will become apparent from the following detailed description and the accompanying drawings.

An example of the present invention is described in detail below. This embodiment is performed in an interconnected computer. Each computer is connected to the network via a LAN switch. ("LAN switch" as used herein refers to any device that forwards packets to computers in a network.) LAN switches have a number of ports to which computers are connected. When a packet is sent to a computer on the network, the packet is first sent to the LAN switch. The LAN switch processes the packet and, if it is sent regularly, decides where the packet should be sent next.

However, in addition to this regular delivery, the LAN switch needs to examine the packet to determine if the packet should be sent regularly. Thus, the LAN switch includes a filter at each port. The filter is applied to counter bits of a particular state in the packet. Certain states are allowed in packets destined for a particular computer or group of computers, while others are not. If the bit is allowed, the packet is sent to the destination computer in a regular way. If the bit is not allowed, the packet is not sent in the normal way. For example, it can simply be discarded or resent to another computer. As another example, the packet may be sent to a destination computer but a system administrator may be notified of the packet.

In one example, the LAN switch executes control software to control the filter. The system administrator uses the control software to configure a filter for each computer. The filters can be configured individually so that there are different access rules for different computers. By doing so, system administrators can set up groups of computers with different levels of access to network resources, regulate specific operations for specific computers, or separate individual computers to address issues specifically related to those computers. You can.

1 is a block diagram illustrating a computer network 10. Network 10 has several computers 12-14, each of which is coupled to a LAN switch 11. The computer is coupled to the LAN switch through ports 15-17. Network 10 also includes computers 22, 23, which are coupled to LAN switch 11 via second LAN switch 21 and associated ports 24-26. The network 10 is coupled to an external network through a LAN switch 11, a port 19 and a firewall 20. In many cases, the external network is the Internet. Many different types of network devices are known to those skilled in the art and such devices may be coupled to the network in addition to or in place of the computers 12-14, 22-23. Moreover, it should be considered that network 10 is a number of potential network configurations and that the present invention may be implemented in any of these potential configurations. The network 10 may itself include several networks. For example, FIG. 1 shows a network composed of two sub-networks, one of which is formed by the LAN switch 11 and the computer 12-14, and the other is the LAN switch 21 and the computer ( 22-23).

Computers 12-14 can communicate with each other and can communicate with computers on other networks using packet switching protocols. (As mentioned above, "computers" include various types of network devices.) The packet switching protocol requests that information sent between two computers be divided into packets. Then, these packets are sent between computers. This is contrary to the circuit switching protocol, which establishes a connection between computers where information can be transmitted without first being packetized. A network using a packet switching protocol can establish a virtual connection between two computers instead of a physical connection. Thus, packetization of information allows information to be transmitted over many intermediate networks without tying up the circuitry of the intermediate networks to prevent communication with other computers.

Because information sent between two computers is divided into packets, computers between the source and destination must have a way to determine where to send the packet. Thus, each packet has a destination address. In many networks, an Internet Protocol (IP) address or a Transport Control Protocol / Internet Protocol (TCP / IP) address is used. The IP address has four bytes separated by dots (for example, "012.123.234.001".) This address can specify a particular computer or a specific network, in which case the network can send packets to the correct network. It will provide a means for shipping the device correctly. The TCP protocol is at a slightly higher level than the IP protocol and provides a means to ensure that every byte of a message is received at the destination device. The TCP protocol lists the bytes as messages and provides for the retransmission of missing bytes.

2 shows a series of interconnected computers (or networks) that form a path from a source computer 40 to a destination computer 41. In the figure, the source computer and the destination computer are depicted as being connected to other computers via other devices 42 and 43. For the purposes of this discussion, assume that devices 42 and 43 are firewalls. In other embodiments, these devices may be different devices, such as LAN switches or computers. The dotted line represents the boundary of the source network 44 and the destination network 45. When source computer 40 sends a packet to another computer, the packet is sent by many intermediate computers 51-55. These intermediate computers are generally routers. (Although "router" is used to refer to a particular type of packet-forwarding device, the term used herein refers to any device that operates to send or forward packets between computers.) These routers are packets Examines the destination address of and determines the next router to which the packet will be sent. This process is repeated for each packet in the message. The process is generally performed independently for each packet so that packets corresponding to a single message are sent on a number of different paths from the source computer towards the destination computer. For example, one packet may be sent from the source network via 54 to 53 and 55 to the destination network, while another packet may be sent via 51 to 52 and 45 to 45. When packets reach the destination network, they go directly to the destination computer. At the destination computer, the packets are reassembled into the original message.

When a packet arrives at the destination network, the destination network employs a firewall in this case, which must pass through the firewall before it can be delivered to the destination computer. A firewall is generally a computer that does the work of inspecting packets arriving at that network, determining whether the packets will be authorized to be distributed within that network. Firewalls can be very effective at protecting a system against unwanted access, but this protection is not absolute and unauthorized packets can be introduced into the network. Once packets break the firewall, the firewall is completely useless to prevent the packet from being sent freely inside the network. In addition, the firewall cannot prevent a user inside the network from bypassing the firewall by dialing on a telephone line or using a portable medium (eg, floppy disk) to download an unauthorized file to the network. Thus, the present invention is performed in one or more LAN switches in this embodiment where all traffic inside the network is routed through.

After a packet passes through the firewall, it must be sent by the LAN switch to the appropriate computer on the network. When the LAN switch receives the packet, it must process the packet to determine the destination address in the same way as other routing devices. In addition to sending packets, the LAN switch performs a function similar to the firewall's function of rejecting or resending something and allowing others to pass through it. In doing so, the LAN switch controls the flow of packets inside the network. Since the computers on the network are connected to each other through the switch, the LAN switch can control the packet flow entering and leaving each computer to which it is connected. Thus, even if an unauthorized packet passes through the firewall (by bypassing the firewall or destroying it), the packet can only be sent from one device to another within the network after satisfying the access rules of the LAN switch.

3A is a functional block diagram of one port of a packet-filtering LAN switch. The LAN switch 30 has circuits 31 for processing packets and for determining their respective destinations on the network. The LAN switch 30 also includes a filter circuit 32 that checks the packet to determine if the packet will be authorized to be sent to its destination. Because of the tendency for filtering to be distributed (performed at each port of the LAN switch), the filter circuit 32 may perform simpler access rules than those performed at the firewall. In other words, since each filter controls access to a single computer, only the rules related to that computer need to be executed. This simplified access rule is, in many respects, as effective as the firewall's access rule, because a rule running on a single filter can be tailored to a single computer associated with that filter. In addition, the propensity to distribute filtering allows the network to be easily investigated. In other words, as computers are added to the network, corresponding filters are added to handle the filtering workload. The distribution of filtering among the ports of the LAN switch allows for a high amount of traffic inside the network to be filtered. (Performing a centralized, firewall-like system inside the network can reduce performance-the firewall is more suitable for filtering packets going into and out of the network, which is generally much more than inside the network. It consists of low traffic.)

As shown in FIG. 3A, packets arriving at one port of the LAN switch are delivered to both the address processing circuit 31 and the filtering circuit 32. As shown in FIG. (In other embodiments, it should be considered that only a portion of the packet (eg, packet header) can be delivered to the filtering circuit 32.) Although the diagram shows that packets are leaving port 30 towards the computers, The system can be applied to both outgoing and incoming packets. Packets can be filtered in parallel with regular address processing. As a result, the time required to perform filtering may overlap with the time required for normal address processing. Thus, the cost associated with filtering is reduced. (Filtering of packets can be performed in series with address processing, as shown in Figs. 3B and 3C, but this results in a high cost and is therefore not a preferred embodiment. Figs. Or any one of the following.)

The address processing circuit 31 provides an output to the switching circuit 33. If it is not the invention, the switching circuit 33 will deliver the packet to that destination using the destination address from the address processing circuit 31. However, the delivery of the packet is determined according to the output condition of the filtering circuit 32. The filtering circuit 32 applies the appropriate access rules to the packet and provides a signal to the switching circuit 33. When a packet is authorized to be delivered to its destination, a corresponding signal is input to the switching circuit 33 and the packet is forwarded to the destination in a regular manner. If no packet is applied, another signal is generated by the filtering circuit 32. When the switching circuit 33 receives this signal, several different measures are taken. This other action may be any appropriate action related to the presence of unauthorized packets and may include actions such as dropping the packet, resending the packet to another destination, and notifying the system administrator. The action taken for an unauthorized packet may vary depending on the particular destination of the packet, the type of packet, the application or other information associated with the packet.

Some complex operations can be delegated to the CPU in the LAN switch (see FIG. 3D) because the address and filtering circuits at each port are generally kept to a minimum to maximize throughput within a given time of the port. For example, filter circuits are generally sufficient to perform pattern matching, but performing more sophisticated filtering rules is beyond the capabilities of the filter circuit. If a filter circuit at port 30 receives a packet that it does not recognize or cannot properly filter, the filter circuit may send the packet to the CPU 35 for processing. The CPU 35 then sends an appropriate signal to the filter circuit or switching circuit at each port to process the packet. In addition, circuitry within a port may be limited in the operations it can perform in processing the packet (eg, forwarding or discarding the packet) and delegate more complex operations to the CPU.

4 is a flowchart illustrating the operation of a LAN switch. This figure summarizes the operation of the LAN switch as an example of the present invention. When a packet is received at one port of the LAN switch 60, the packet is processed 61 to determine the destination address while simultaneously filtering 62 to determine if it meets the port's access rules. If the packet is authorized to satisfy the access rule 63 and be forwarded, the LAN switch forwards the packet to the destination as if it were not filtered.

If the packet is not authorized because it does not satisfy the access rule 63, the packet is discarded (65). As another example, unauthorized packets may be processed in a variety of ways. For example, unauthorized packets may be resent to another destination or forwarded to a computer at the destination address but notifying the system administrator.

In one example, the filtering circuit in the LAN switch can be programmed. The network administrator decides which access rules should be applied to the filter and programs these rules into the filter. The filtering rule is based on the information in the header of the packet. Since this information can be used for normal forwarding of the packet, this information is used. The information may include an IP source and destination address, a summarized protocol (eg, TCP), a TCP / IP source and destination port, an Internet Control Message Protocol (ICMP) message type, and an entry and exit interface of the packet. Filtering rules can be of various types and implementations. For example, the rules may vary depending on the service (eg allow only incoming computers for FTP sessions) or be independent of the service (dropping packets with internal IP addresses, but it is external Appear on the port).

In one example, the filter can be executed using a Java programming language. Java was chosen for this execution because a Java virtual machine exists for many platforms, allowing Java applications to run on many platforms. Thus, Java-based filtering applications have some platform and / or vendor neutrality. (However, the filtering application may use any suitable programming language.) In this implementation, control software is executed in the filtering circuit 32. The control software is an application that provides a framework for performing system administrator rules. The system administrator decides what rules should be applied to packets entering the LAN switch and, in conjunction with the control software, configures a Java applet that performs these rules. (Applets are small Java applications.) Java applets are downloaded by system administrators to LAN switches from one of the computers on the network. The applet is then called by the control software when the packet should be filtered.

Various embodiments of the present invention may enable a user to overcome problems found in a network that does not embody the present invention. For example, as shown above, packets sent from a source computer to a destination computer will have to traverse several networks placed between the computers. Each time one of the packets arrives at one of these networks, the network (ie, the router inside that network) must read the address information of the packet and determine which intermediate device to send the packet to be forwarded further. Determining where the packet should be sent is based on information provided to the routing device by other computers. If one of these computers provides incorrect information to the routing device, the packet may be sent incorrectly.

It is not unusual to find a computer that has a specific address but broadcasts to another device that it has a different address. The router may rely on this information and may determine that the shortest route to the destination computer passes through the computer broadcasting the incorrect address. The router will then forward the packet to this computer using the incorrect address provided. However, the computer broadcasting the incorrect information will not recognize the address to which the packet was forwarded and will simply discard the packet. In this scenario, a computer that broadcasts incorrect address information actually creates a "black hole" in which deadlocks or packets simply disappear.

If the system administrator is aware of this problem, he or she will want to isolate the unpleasant computer from the rest of the network to avoid losing more packets. In one example of the present invention, a system administrator may configure a filter associated with the computer such that no access packets pass through its associated port of the LAN switch. By doing so, the system administrator prevents the computer from sending incorrect address information and also prevents packets from being delivered to the computer and lost. Also, this method of isolating an unpleasant computer has the benefit of not requiring physical access to the computer-isolation is achieved by reconfiguring the filter associated with the computer. In situations where a computer is in a locked room or building, this may be the only means of isolating the computer.

In another embodiment, many companies employ subcontractors to perform work on various projects. This may include software development, design analysis, or other tasks that require access to a computer on a company's network or use of a computer on that company's network. However, the company will not want these subcontractors to access applications or data that are not related to the work performed by the subcontractors. As an example of the present invention, a system administrator may configure filters associated with computers used by subcontractors to prevent access to restricted data or applications. For example, a filter associated with a computer having data that requires attention may be configured to discard packets received from the particular computer being used by the subcontractor. Similarly, the filter can be configured to prevent packets from being delivered to these computers. By properly configuring the filters on the LAN switch, the system administrator can establish various privilege levels for subcontractors, employees, executives, and other system users.

Although the present invention has been described with reference to specific embodiments, it is to be understood that the embodiments are illustrative only and the scope of the invention is not limited thereto. Changes, modifications, additions and improvements to the described embodiments are possible. These changes, modifications, additions and improvements will fall within the scope of the present invention as the embodiments within the appended claims.

Claims (20)

A network interface device having a plurality of ports; A plurality of network devices coupled to the port; And A plurality of filters, each said filter coupled to a corresponding one of said ports for receiving data packets arriving at one of said ports, Each filter is configured to examine the data packet and determine whether the data packet satisfies a set of access rules; Each filter is further configured to forward a signal to the network interface device indicating whether the data packet satisfies the access rule set; The network interface device is configured to take a predetermined action on each of the data packets when the signal indicates that each packet failed to satisfy the access rule set. The method of claim 1, And a firewall between the secure computer network and an external network. The method of claim 1, The network interface device performs processing on the packet, and the processing includes examining each of the packets to determine a corresponding destination address. The method of claim 3, Each said filter is configured to examine said data packet in parallel with said processing performed by said network interface device. The method of claim 4, wherein Each said filter is configured to determine if said data packet satisfies a set of access rules by performing packet matching on said packet. The method of claim 1, The predetermined action is to discard the packet; Resending the packet; And an action configured to report the packet. The method of claim 1, The network interface device is configured to execute control software, and wherein the access rule of the filter is set according to program code downloaded to the control software running on the network interface device. The method of claim 1, A first filter of the filters provides access to a first network device of the network devices according to a first set of access rules, and a second of the filters is a second network of network devices according to a second set of access rules Provide access to a device, the first set of access rules being different from the second access rule. The method of claim 1, The network interface device comprises a LAN switch. Each device in the computer network is coupled to a corresponding port of a LAN switch, and communication with the devices is accomplished by the transmission of information packets entering and leaving the devices, the method of controlling access between devices in the computer network. As Inspecting each packet when the packet arrives at one of the ports of the LAN switch; Determining that each packet meets one or more port access rules; If the packet satisfies the one or more port access rules, sending the packet to a destination address associated with each packet; And If each packet does not satisfy the one or more port access rules, taking a predetermined action. The method of claim 10, Determining shipment information for each packet in parallel with determining that each packet meets the one or more port access rules. The method of claim 11, The predetermined action is to discard each packet; Resending each packet; And an action consisting of reporting each packet. The method of claim 12, Determining whether each packet satisfies the one or more port access rules comprises: matching each packet with one or more predetermined bit patterns and determining if the pattern matches each packet. A method of controlling access between devices in a home. The method of claim 12, The port access rule includes a first port access rule set associated with a first of the devices and a second port access rule set associated with a second of the devices to control access between the devices in the computer network. Way. The method of claim 12, Inspecting at least one of said packets at a firewall and determining whether said at least one packet satisfies at least one firewall access rule. A plurality of ports configured to couple each port of the plurality of ports to a corresponding network device; And Each of the plurality of filters is coupled to a corresponding one of the plurality of ports, the plurality of filters configured to pass packets that satisfy one or more access rules and to prevent passage of packets that do not satisfy the one or more access rules LAN switch that controls the transmission of packets within a secure computer network including a filter. The method of claim 16, Each said filter may be programmed by a system administrator to perform a first set of access rules for a first subset of said plurality of ports and a second set of access rules for a second subset of said plurality of ports, And the first access rule set is different from the second access rule set to control the transmission of packets within a secure computer network. The method of claim 16, Each port of the plurality of ports Address processing circuitry configured to determine a destination address associated with the packet; And A switching circuit configured to send the packet, the LAN switch controlling transmission of packets within a secure computer network. The method of claim 18, Each said filter is configured to generate a signal indicative of whether said packet satisfies said access rule and provide said signal to said switching circuit of said corresponding port, The switching circuit is configured to send the packet to the destination address if the signal indicates that the access rule has been satisfied and to take other action if the signal indicates that the access rule has not been satisfied. LAN switch to control the transmission of packets within. The method of claim 19, The other action is to discard the packet; Sending the packet to another destination; And a LAN switch controlling the transmission of packets within a secure computer network selected from among the actions configured to send the notification of the packet.