Four-port secure ethernet VLAN switch supporting SNMP and RMON
Classification: Multiplex communications – Pathfinding or routing – Switching a message which includes an address header
Class codes: C370S401000, C705S021000, C709S249000
Type: Reexamination Certificate
Dates: 1998-11-30 (filed), 2002-07-02 (issued)
Examiner: Ngo, Ricky (Department: 2664)
Status: active
Patent number: 06414958
FIELD OF THE INVENTION
This invention relates to switches used in local and wide area networks, and network systems including such switches.
BACKGROUND OF THE INVENTION
Because of their convenience, speed, and all-hour availability, automated teller machines (“ATMs,” also called “automatic teller machines”) are fast becoming a ubiquitous sight in many places other than banks. Aside from the traditional services available at ATMs, such as withdrawing and depositing cash, requesting balances, making loan payments, and transferring funds, ATMs can also be used for providing postage stamps and dispensing discount coupons. Other convenient uses are being planned. This expansion of services, coupled with the ability of ATM owners to charge users fees, will result in increasing numbers of ATMs being installed at retail locations remote from any bank.
Many retail stores in which ATMs may be located already have communications networks installed because of credit card processing requirements or because the retail stores are part of communications links to other stores in a retail chain. For stores that are part of a retail chain, such an existing network promotes, for example, uniform pricing strategies and ordering procedures and monitoring of the chain's inventories, whether held at a central warehouse or at other stores in the chain.
Because ATM data traffic contains sensitive information, there are security considerations involved in installing ATMs in remote locations. One way to keep data traffic from an ATM secure is to use a dedicated network connection.
FIG. 1A shows retail location 100 in which a connection from customer local area network (“LAN”) 110 to customer network data center 130 already exists through router 120. Customer LAN 110 may include cash registers, credit card terminals, and other store-based machines connected to a customer network. Router 120 manages communications between customer LAN 110 and customer network data center 130. A dedicated ATM connection requires connecting ATM LAN 140 to ATM network data center 160 via additional router 150 and other equipment not shown. ATM LAN 140 is depicted in FIG. 1A as a single ATM but could include one or more ATMs. An example of ATM network data center 160 is a data center operated by Electronic Data Systems Corporation, assignee of the present invention.
A dedicated ATM network connection in retail location 100, which already has a customer LAN in place, would be secure, but it would require a duplication of the equipment and facilities used for the network already in place. This duplication could easily cost a proprietor as much as $15,000 or more, and would be more than double the cost of the existing installation. In addition, there would be twice as much equipment to control and monitor.
Because adding a separate data network connection for an ATM would not be cost-effective for a proprietor, an alternative is to share existing resources between the two LANs. This can be done by combining the ATM LAN traffic and customer LAN traffic onto a single wide area network (“WAN”) connection, and from there communicating with the customer network and the ATM network data centers. A conventional way of combining data traffic is by using a shared Ethernet hub, as pictured in FIG. 1B. In that figure, ATM LAN 140 and customer LAN 110 are connected to shared Ethernet LAN 170, which is connected to shared hub 180. Shared hub 180 is connected to WAN 190 via router 120, and WAN 190 is connected to customer network data center 130 and ATM network data center 160. WAN 190 may also be a frame relay network or a satellite network. On a shared Ethernet LAN, every device attached to the LAN receives all frames flowing on the LAN. To direct this traffic, each frame header carries the address of the destination machine: the hub repeats every frame to all machines on the segment, and each machine's interface keeps only the frames whose destination address matches its own.
In exchange for the small expense of adding a shared hub and an Ethernet LAN, this network combination has only one router and one connection to a network. The system of FIG. 1B is much less expensive than the separate networks of FIG. 1A, and its installation and management are simplified.
This system, however, is not secure. Even though only the machine having the address matching the address of the packet header is supposed to accept the packet, it is possible in this system for a machine operating in “promiscuous” mode to accept all packets regardless of the address in the packet header. It is fairly easy for anyone to observe the data traffic flowing over this Ethernet, and programs to accomplish this are easily available on the Internet, for instance. Also freely available throughout the Internet are other methods of attacking an ATM LAN, such as wiretapping the phone line over which the ATM LAN operates. Wiretapping monitors data traffic over a phone line and can make a standalone ATM vulnerable by placing a tap anywhere between the ATM and the host computer.
Therefore, to have an ATM LAN share facilities with a customer LAN is problematic—the customer can interact with the ATM and can see and intercept ATM data. Within a retail location, the risk is great that a disgruntled employee or thief will attempt to exploit an installed ATM LAN with a minimal risk of being caught. Anyone with a laptop computer can easily obtain access to the ATM LAN. In addition, once the Ethernet LAN is compromised, the WAN too is compromised because an intruder will have easy access to the wider network. The goodwill of the ATM network administrator will eventually suffer.
Because of this lack of security and broadcast control, it is not acceptable to use a shared Ethernet LAN. One solution to these security problems is to use an Ethernet switch with virtual LAN (“VLAN”) capabilities. A virtual (or logical) LAN is a local area network that maps workstations connected to it on a basis other than by geographic location, such as, for example, by department, type of user, or primary application. The VLAN controller is able to reconfigure the connections in order to manage load balancing and bandwidth allocation more easily than by using a physical picture of the LAN. Network management software keeps track of relating the virtual picture of the local area network with the actual physical arrangement.
A VLAN may encompass one or more switch ports and it may operate between any port or ports. This ensures that stations connected to ports that are not members of the VLAN do not receive broadcasts, and data traffic produced by a station in one VLAN is delivered only to stations within that same VLAN. Implementing secure VLANs makes network administration more efficient and secure.
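The two topologies in the background, the shared hub of FIG. 1B that any promiscuous station can eavesdrop on and the port-based VLAN switch that confines ATM traffic to its own ports, can be modelled in a few dozen lines. The following Python is an added example, not the patent's switch design or the assignee's code; the station names, the MAC addresses (taken from the IANA documentation range 00:00:5e:00:53:xx), the VLAN numbers and the single "PIN-BLOCK" payload are constructed for illustration, and the switch floods unknown unicast within a VLAN the way a real learning bridge does.

```python
"""Added model of the two topologies in the background: a shared hub (FIG. 1B)
that repeats every frame to every port, and a port-based VLAN switch that
forwards only among ports in the same VLAN. Not the patent's design."""
import struct

BROADCAST = b"\xff\xff\xff\xff\xff\xff"


def mac(text):
    """'00:00:5e:00:53:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype=0x0800, payload=b""):
    """Ethernet II header (dst, src, type) followed by the payload."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def parse_frame(frame):
    if len(frame) < 14:
        raise ValueError("runt frame: no complete Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


class Station:
    """An attached machine. In normal mode the NIC keeps only unicast frames
    addressed to it plus broadcast/multicast; in promiscuous mode it keeps all."""

    def __init__(self, name, addr, promiscuous=False):
        self.name, self.addr, self.promiscuous = name, mac(addr), promiscuous
        self.received = []

    def rx(self, frame):
        hdr = parse_frame(frame)
        group = bool(hdr["dst"][0] & 1)  # I/G bit set: broadcast or multicast
        if self.promiscuous or group or hdr["dst"] == self.addr:
            self.received.append(hdr)


class Hub:
    """Shared hub: a repeater, so every frame goes out every other port."""

    def __init__(self):
        self.ports = {}

    def attach(self, port, station):
        self.ports[port] = station

    def forward(self, in_port, frame):
        for port, station in self.ports.items():
            if port != in_port:
                station.rx(frame)


class VlanSwitch:
    """Port-based VLAN switch: learns source MACs per VLAN and never delivers
    a frame to a port outside the ingress port's VLAN, even when flooding."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)  # port number -> VLAN id (assumed layout)
        self.ports = {}
        self.fdb = {}  # (vlan, mac) -> port the MAC was learned on

    def attach(self, port, station):
        self.ports[port] = station

    def forward(self, in_port, frame):
        hdr = parse_frame(frame)
        vlan = self.port_vlan[in_port]
        self.fdb[(vlan, hdr["src"])] = in_port
        out = self.fdb.get((vlan, hdr["dst"]))
        if out is not None and out != in_port and not hdr["dst"][0] & 1:
            self.ports[out].rx(frame)  # known unicast: one port only
            return
        for port, station in self.ports.items():  # flood, but within the VLAN
            if port != in_port and self.port_vlan[port] == vlan:
                station.rx(frame)


def run_scenario(fabric):
    """ATM (port 1) sends one frame to its host-side router (port 2) while a
    promiscuous laptop on the customer side (port 3) listens. Constructed data."""
    atm = Station("atm", "00:00:5e:00:53:01")
    atm_router = Station("atm-router", "00:00:5e:00:53:02")
    laptop = Station("laptop", "00:00:5e:00:53:99", promiscuous=True)
    for port, station in ((1, atm), (2, atm_router), (3, laptop)):
        fabric.attach(port, station)
    fabric.forward(1, build_frame(atm_router.addr, atm.addr, payload=b"PIN-BLOCK"))
    return {"atm_router": len(atm_router.received), "laptop": len(laptop.received)}


def hub_leaks():
    return run_scenario(Hub())


def vlan_isolates():
    # Ports 1 and 2 in the ATM VLAN (10), port 3 in the customer VLAN (20).
    return run_scenario(VlanSwitch({1: 10, 2: 10, 3: 20}))


if __name__ == "__main__":
    print("hub:", hub_leaks())        # the laptop captures the ATM frame
    print("vlan:", vlan_isolates())   # the laptop captures nothing
```

The point the model makes is that promiscuous mode defeats only the receiver-side address filter; the hub still puts every frame on the laptop's wire. The VLAN switch removes the frame from that wire altogether, so even flooding of an unknown destination stays inside VLAN 10. What the model does not cover is the uplink: a single router port serving both VLANs needs either a router interface per VLAN or a tagged trunk, and the switch must not learn a customer-VLAN station's MAC into the ATM VLAN's forwarding table, which is why the table is keyed by (VLAN, MAC) rather than by MAC alone.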
Setting up VLANs in such circumstances solves the problem of isolating the ATM LAN data and preventing unauthorized access to ATM LAN data. However, other issues arise with respect to administering ATM LANs in locations remote from the network administration center. Two features of network administration that are used to adequately manage, maintain, and monitor a network are Simple Network Management Protocol (“SNMP”) and Remote Network Monitoring Specification (“RMON”).
SNMP is a request and response Internet protocol used for network management. Among other things, SNMP is used for alert and alarm notification. For instance, if a remote ATM is replaced by another device, SNMP will detect the error and report back to the network administrator that the port to which the ATM was connected has been closed and that the device now connected to that port is reporting a media access control (“MAC”) address that does not match the ATM's MAC address. SNMP will also detect a loss of connectivity to the ATM. Other examples are: determining whether a machine needs service if it resets; and detecting an event that is unusual or improper based on the circumstances, such as a device being
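The checks listed above (ATM port closed, unexpected MAC on the port, lost connectivity, device reset) reduce to a few comparisons on values polled from the switch. The following Python is an added example, not the patent's implementation or the assignee's code. It uses the standard MIB-II and BRIDGE-MIB objects ifOperStatus, sysUpTime and dot1dTpFdbPort, but replaces a live SNMP session with constructed poll results so it runs offline; the ATM's port number and expected MAC address are assumptions.

```python
"""Added example of the SNMP-side checks described above, run against
constructed poll results instead of a live agent. Not the patent's code."""

# Standard MIB-II / BRIDGE-MIB objects the checks rely on.
IF_OPER_STATUS = "1.3.6.1.2.1.2.2.1.8"        # ifOperStatus.<ifIndex>: 1 = up, 2 = down
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"              # sysUpTime: TimeTicks since the agent restarted
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"  # dot1dTpFdbPort.<6 MAC octets>: port a MAC was learned on

ATM_PORT = 1                            # assumption: the ATM hangs off switch port 1
EXPECTED_ATM_MAC = "00:00:5e:00:53:01"  # assumption: recorded when the ATM was installed


def fdb_oid(mac_text):
    """Instance OID for a MAC in dot1dTpFdbTable (octets appended in decimal)."""
    return DOT1D_TP_FDB_PORT + "." + ".".join(str(int(b, 16)) for b in mac_text.split(":"))


def macs_learned_on(poll, port):
    """All MACs the bridge forwarding table currently associates with `port`."""
    prefix = DOT1D_TP_FDB_PORT + "."
    macs = set()
    for oid, value in poll.items():
        if oid.startswith(prefix) and value == port:
            octets = oid[len(prefix):].split(".")
            macs.add(":".join(f"{int(o):02x}" for o in octets))
    return macs


def check_poll(prev, cur):
    """Compare one poll (dict of OID -> value, or None on timeout) with the
    last successful one and return the alerts an administrator should see."""
    if cur is None:
        return ["no SNMP response: connectivity to the switch lost"]
    alerts = []
    if cur.get(f"{IF_OPER_STATUS}.{ATM_PORT}") != 1:
        alerts.append(f"port {ATM_PORT} is down: ATM link lost or port closed")
    seen = macs_learned_on(cur, ATM_PORT)
    if seen and seen != {EXPECTED_ATM_MAC}:
        alerts.append(f"port {ATM_PORT} reports MAC {sorted(seen)} instead of "
                      f"{EXPECTED_ATM_MAC}: device replaced?")
    if prev is not None and cur[SYS_UPTIME] < prev[SYS_UPTIME]:
        alerts.append("sysUpTime went backwards: switch reset, check whether it needs service")
    return alerts


def run(polls):
    """Feed a sequence of polls through check_poll, carrying the last good poll forward."""
    prev, report = None, []
    for cur in polls:
        report.append(check_poll(prev, cur))
        if cur is not None:
            prev = cur
    return report


# Constructed poll results: healthy; a laptop swapped onto the ATM port; the
# cable pulled (FDB entry aged out); a poll timeout; the switch back after a reboot.
SAMPLE_POLLS = [
    {f"{IF_OPER_STATUS}.1": 1, SYS_UPTIME: 100_000, fdb_oid("00:00:5e:00:53:01"): 1},
    {f"{IF_OPER_STATUS}.1": 1, SYS_UPTIME: 106_000, fdb_oid("00:00:5e:00:53:99"): 1},
    {f"{IF_OPER_STATUS}.1": 2, SYS_UPTIME: 112_000},
    None,
    {f"{IF_OPER_STATUS}.1": 1, SYS_UPTIME: 300, fdb_oid("00:00:5e:00:53:01"): 1},
]

if __name__ == "__main__":
    for i, alerts in enumerate(run(SAMPLE_POLLS)):
        print(i, alerts or ["ok"])
```

Three caveats apply when this is pointed at a real switch. sysUpTime is a 32-bit TimeTicks counter that wraps after about 497 days, so a wrap looks like a reset unless it is confirmed against a coldStart trap or the agent's own log. A MAC address is an identity claim, not proof: a laptop configured with the ATM's MAC passes the mismatch check, so this catches mistakes and casual tampering rather than a deliberate attacker. And on the shared link of FIG. 1B an SNMPv1 or v2c community string crosses the wire in clear text, so the management traffic itself needs SNMPv3 with authentication and privacy, or it becomes one more thing the promiscuous laptop can read.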
Law firm: Baker & Botts LLP
Assignee: Electronic Data Systems Corporation
Examiner: Ngo Ricky
Title: Four-port secure ethernet VLAN switch supporting SNMP and RMON