Security Feature for Local Area Network Switches

IP.com Disclosure Number: IPCOM000118104D
Original Publication Date: 1996-Sep-01
Included in the Prior Art Database: 2005-Mar-31
Document File: 8 page(s) / 272K

Publishing Venue

IBM

Related People

Prorock, TJ: AUTHOR

Abstract

Disclosed is a method for automatically applying security features to Ethernet and Token Ring Local Area Network (LAN) switches. The security features are applied by interrogating the traffic flows between the ports in the switch and then configuring virtual switches (broadcast domains) and address filters based on these traffic flows. This results in two levels of security within the LAN switch. First, secure traffic flows are restricted to those ports that are configured in the virtual switch. The second level of security is that address filters are applied to ports within each configured virtual switch. The address filters provide an additional level of security by restricting station conversations to specific ports within the configured virtual switch.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 17% of the total text.

Security Feature for Local Area Network Switches

      Switched LANs are now widely deployed in customers' networks to
solve bandwidth problems.  Many of these LAN switches, such as the IBM*
8271 Ethernet Switch or the IBM 8272 Token Ring Switch, are connected
to an enterprise backbone for the same reason.  Once a switch is
attached to the enterprise backbone, a security exposure exists: the
sensitive information and intellectual property of a departmental work
group must be protected from the other departmental work groups that
share the backbone.  This disclosure addresses the problem of security
within the 8271 and 8272 LAN switches and provides a solution to the
two largest security threats: eavesdropping and intrusion.

      By adding function to the operational code that runs in the
8271 and 8272, this disclosure provides two levels of security that
can be applied automatically within the 8271 and 8272 LAN switches.
  1.  Secure Workgroup
        This level of security is accomplished by dynamically
       determining which ports are communicating with other ports
       on the switch and creating a virtual switch (broadcast
       domain) for these ports.  This ensures that other ports
       (outside of the virtual switch) cannot have access to the
       frames that are flowing through the ports in the virtual
       switch.
  2.  Secure Station
        This function provides an additional level of security
       to the ports within a Secure Workgroup.  This level of
       security is accomplished by applying address filters to
       ports within a secure workgroup (broadcast domain).  This
       provides a level of access control where stations in a
       secure workgroup can be dynamically given access to
       other stations within the secure workgroup.

      The 8271 and 8272 LAN switches contain management information
about traffic flows between ports.  The switches also maintain a port
station table, which is a list of MAC addresses (up to 1700 per port)
and a port-of-exit indicator for each MAC address.  This traffic flow
information can be utilized with the switch's ability to create
virtual switches and to a...