FR2717333A1 - Network access protection method e.g. for LAN - Google Patents

Abstract

The method involves reading a frame (TR) containing words transmitted between two terminals (STA,STB) following establishment of communication. A protection circuit authorises access between the terminals by reading allowed terminal interconnections from a list. On detection of an illegal communication, two disconnection frames (TRDA,TRDB) are transmitted respectively to the first and second terminals. The disconnection frames includes destination addresses corresponding to the first and second terminals.

Description

Protection of telecommunications networks
The present invention relates generally to the security of telecommunications networks, and in particular their protection against attacks, internal or external, which may constitute real threats to these networks. More particularly, the invention aims to provide a method of protecting a network against each communication established between two entities, or terminal stations, of the network and having an illegal character.

The invention is in particular intended to be implemented in a local network (LAN for Local Area
Network in Anglo-Saxon terminology). Such a local network can be subject to internal attacks, resulting from unforeseen or unauthorized behavior by a user of said network, and to external attacks when the local network is connected with an external telecommunications system.

The increase in interconnections established with the local network consequently increases the risks for network security. The possible attacks offered by the opening of a local network to the outside world are for example the clandestine connection, and the "disguise" of a malicious user as an authorized user.

 Many techniques exist to detect such internal and external attacks. Are notably known access authorization tables limiting the authorized accesses relative to each user or terminal station and authentication mechanisms of a communication aiming at verifying the real destination stations and at the origin of a communication.

The object of the present patent application does not lie in such an attack detection, interior or exterior, against a computer network, but resides in a step of disconnecting an established communication, in response to an attack detection . The term "attack" also assumes, in the following description, all the meanings given to it in the Standard.
French NF ISO 7498-2, September 1990, Annex A.

 According to the prior art, with reference to FIG. 1, two main methods are used for the implementation of protection of a network against illicit or falsified communication.

In this figure 1 are represented two local networks R1 and R2 interconnected through a public network RP. The network R1, respectively R2, comprises a predetermined number N1 = 4, respectively N2 = 4, of terminal stations S10 to
S13, respectively S20 to S23, and has a ring topology, respectively of bus type.

The interconnection of the two networks R1 and R2 through the public network RP is ensured respectively by two routers RO1 and R02. Each King router, R02 interfaces the respective one of the local networks R1 and R2 with the public network RP. The two routers RO1 and
R02 provide functions for converting low-layer protocols, typically PHYSICAL,
LINK and NETWORK, such as reallocation of stations, etc. If we assume that the two networks R1 and R2 respectively implement low layer protocols of type "TOKEN-RING" and "ETHERNET", the two routers RO1 and R02 then ensure in particular the conversion of NETWORK protocols
PUBLIC / TOKEN-RING and PUBLIC / ETHERNET NETWORK, respectively.

 The first known method for protecting a local network, such as the R1 network, according to the prior art consists in protecting said network only against external attacks, that is to say attacks coming from outside the network, for example from the R2 network. For this, in the router RO1 of the network R1 are provided attack detection means based on an access authorization table and / or communication authentication means.

 When establishing a communication between one of the stations, such as station S10, of network R1 and a station outside of network R1, such as station S20 of network R2, a message requesting establishment of connection, in the form of a frame, is routed from the calling station, here the station S20, to the called station, here the station S10, through the router RO1. The router, mounted "cut-off relative to the connection relating to the connection, lets broadcast the connection establishment message through the network R1 only in the case where the authentication means and the access authorization table authorize Otherwise, the connection establishment request message is stored or destroyed in the router RO1 without being broadcast in the network R1 including the destination station S10 of the message. establishment of a connection, the station S20 transmitting the connection establishment request message abandons its establishment request after an unanswered delay, succeeding to the transmission of the call establishment request message, this delay being greater than a predetermined duration, so the connection between station S20 and station S10 is never established.

This first method has the main disadvantage of requiring an organ, here King router,
RO2, placed "in cut" with respect to the link through which all the communications to be monitored pass. If numerous connection establishment request messages are received almost simultaneously by the router RO1, the processing of these messages significantly increases the connection times of the stations. Furthermore, such a method does not allow protection of the R1 network for internal communications established between stations of the R1 network.

 The second method of protecting a local telecommunications network known according to the prior art and overcoming the drawback of the first method mentioned above, consists in installing protection mechanisms of the access authorization and / or authentication table type. communication in one of the stations, such as station S11, of the local network R1 to be protected. According to this method, no call establishment request is rejected and only the network protection report is produced by the station S11. Such a protection report lists each detection of an attack, such as intrusion by an undesirable third party into the protected network, disguise, etc. Each of these detected attacks is for example displayed on a screen of the station S11 and / or stored in a computer file of the station.

 This second process is thus unable to break an established connection and declared to be falsified or illicit.

 The present invention aims to remedy the drawbacks relating to the two aforementioned methods according to the prior art, by providing a method and system for protecting a computer network that does not increase the connection waiting times for stations, a request for establishment never being rejected, and authorizing the termination of an established connection.

To this end, a method of protecting a network comprising a detection of illicit communication established between first and second stations, at least one of said first and second stations belonging to said network,
is characterized in that it includes,
in response to said step of detecting illicit communication, a transmission of first and second disconnection frames respectively, intended for said first and second stations, said first disconnection frame including a recipient address corresponding to the address of the first station and an origin address corresponding to the address of the second station, and said second disconnection frame including a recipient address corresponding to the address of the second station and an origin address corresponding to the address of the first station .

 Unlike the aforementioned first method according to the prior art, the step of detecting each illicit communication can be carried out relative to transmitted frames distinct from a connection request establishment frame between the two stations, although such detection puisee be made from connection request frames transmitted between the two stations.

 Typically, the step of detecting illicit communication results directly from failure to authenticate said illicit communication, or from the fact that said illicit communication is declared prohibited in an access authorization table.

 According to a first variant of the invention, the detection and transmission steps are implemented in a network switching means that does not belong to any of the stations of said network, such as a router.

 According to a second variant of the invention, the network is a broadcast network, such as a local area network, and the detection and transmission steps are implemented in a station, called a protection station, of the broadcast network.

Other characteristics and advantages of the present invention will appear more clearly on reading the following description of several preferred embodiments of the invention with reference to the corresponding appended drawings in which
- Figure 1, already discussed, is a block diagram of two local networks interconnected through a public network according to the prior art;
- Figure 2 schematically shows in layers a station of a local network connected to a communication medium forming the topology of the local network; and
- Figure 3 schematically shows a protection station together with steps for protecting a network according to the invention.

 The method according to the invention is described below for implantation in a terminal station of a local network. However, the method according to the invention can be implemented in a gateway or a router useful for the interconnection of two networks.

As shown in FIG. 2, a terminal station S of a local network is defined by telecommunications layers, PHYSICS, LINKS,
NETWORK, TRANSPORT, SESSION, and
PRESENTATION / APPLICATION substantially taking up the architecture and the functionalities defined in the OSI (Open System) reference model
Interconnection) of ISO (International
Standardization Organization). In practice, and depending on the nature of the network, the X25 protocol associated with the lower layers can be defined by way of example.
PHYSICAL, LINKED and NETWORK, the TCP and IP protocols respectively associated with the TRANSPORT and
NETWORK, or the FDDI protocol associated with the PHYSICAL and LINK low layers and the IN interface with the SU communication medium. The interface IN of the station S to the communication medium is provided by electrical or optical means, depending on the nature of the communication medium, cable or optical fiber.

The implementation of the method according to the invention is now described with reference to FIG. 3 showing a protection station S attached to the local network that it protects. In FIG. 3, the protection station S protects the network to which it belongs against an illicit communication established between two stations STA and STB. According to the representation of FIG. 1, the two stations STA and STB can belong to the local networks R1 and R2 respectively, or both belong to the network
R1, if it is assumed that station S belongs to this network.

According to a characteristic of the method of the invention and, unlike the first method of the prior art which was mentioned in the preamble to the description, the detection of an illicit communication is carried out by analyzing one or more of the frames transmitted during communication between the two stations STA and STB, and not necessarily by analyzing the connection establishment request frame. Thus each communication can be rejected or accepted during the establishment phase of this communication but also during the communication, after establishment of the connection. It should be noted that the term "frame" is associated with any information transfer unit. This term therefore covers, according to the protocols used, the concepts of PDU (Protcol Data
Unit), packet, message, ...

 The implementation of the method of the invention in a station of a network to be protected results from the broadcasting properties of this network. The notion attached to the term "broadcasting" means that each station on the network has potential access to each of the frames transmitted in the communication medium of the network forming the topology of the latter. In practice, all local networks, whatever the protocols and topology used, point-to-point, multipoint, ring or bus, have this broadcasting property. Thus, by way of example, in a local network of token-ring type, a given frame transmitted by a first station to a second station is destroyed by said first station after a complete revolution in the ring.

Only the second station, whose address coincides with the destination address provided in the frame, actually receives, by transmission from the layer
PHYSICAL at the APPLICATION layer, the given frame.

However, each station in the ring receives the given frame to compare its address with the destination address contained in the given frame.

 Thus returning to FIG. 3, the station S receives any frame transmitted or received by a station of the network to which it belongs.

 In a first step, identified by (A) in FIG. 3, the protection station S reads a frame TR conveyed in the communication medium SU and transmitted between the stations STA and STB. The detection of the established communication relating to the frame read, as illegal communication, results from mechanisms depending on the access authorization table, and of communication authentication established in the station S.

 The access authorization table mechanisms typically consist of a database explicitly prohibiting or authorizing certain connections between certain stations. Communication authentication aims to note that the stations assumed to be involved in a connection, in particular as a function of the addresses transmitted in the frames, are the stations actually concerned by the connection. Such a mechanism remedies attacks by disguise, or masquerade, where a given station simulates the characteristics of another station in order to benefit from its privileges.

 If the frame TR read by the station S is interpreted by the station S as relating to an illicit communication in that the frame read does not meet the criteria of authentication of communication and / or of authorization of access, then said communication is broken. The read frame TR comprises two data fields A and B relating respectively to the original address A of the station having sent the frame and to the recipient address B of the station to which the frame TR is intended.

 In response to detection of illicit communication by station S, the latter transmits to the two stations STA and STB at the origin and recipient of the read frame TR, respectively two disconnection frames TRDA and TRDB, as shown in step (B). It is understood that the term "disconnection frame relates to any unit or sequence of information transfer units causing the connection to be closed.

The disconnection frame TRDB transmitted to the station STB comprises as address of origin the address of the STA and as address of destination the address B of said station STB. Conversely, the TRDA disconnection frame transmitted to the station
STA includes as address of origin the address B of the station STB, and as address of recipient the address A of said station STA. The term "address" mentioned above covers the concepts of SAP (Service Access Point), Port, ..., or any grouping of these concepts according to the protocols used.

 Thus each station, STA and STB, appears to be freed from communication by the other station, STB and STA. The breakdown of the established communication seems "natural" to each station STA and STB and originate from the other station, STB and STA.

 The invention is not limited to the variant described above relating to the implementation of the method according to the invention in a station S connected to a network having the broadcasting property.

 Thus, a person skilled in the art will appreciate that the method of the invention can be implemented in a router RO1, R02, to protect a network against external attacks, originating from outside of said network. In this case, and contrary to the state of the art described in the preamble to the description, the establishment of a communication is always valid regardless of the illegal or lawful nature of this communication.

 The detection of a communication as an illicit communication can be carried out following the establishment of said communication, on the flow of frames transmitted during said communication, or from connection frames.

Thus, no delay in the establishment of communications is attributable to the protective processing according to the invention. A communication detected illegal during its existence is nevertheless broken by transmission, according to the invention, of two respective disconnection frames to the two stations concerned by said communication.

Claims (7)

CLAIM8  1 - Method for protecting a network (R1, R2) comprising a detection of illicit communication established between first and second stations (STA, STB), at least one of said first and second stations belonging to said network (R1, R2),  characterized in that it comprises,  in response to said detection of illegal communication, a transmission of first and second disconnection frames (TRDA, TRDB) respectively intended for said first and second stations (STA, STB), said first disconnection frame (TRDA) including a recipient address (A) corresponding to the address of the first station (STA) and an originating address (B) corresponding to the address of the second station (STB), and said second disconnection frame (TRDB) including an address of recipient (B) corresponding to the address of the second station (STB) and an originating address (A) corresponding to the address of the first station (STA).  2 - Method according to claim 1, characterized in that said detection of illicit communication is carried out relative to transmitted frames (TR) distinct from a connection request establishment frame between the two stations.  3 - Method according to claim 1 or 2, characterized in that said detection of illegal communication results directly from failure to authenticate said illegal communication or that said illegal communication is declared prohibited in an access authorization table .  4 - System for implementing the method according to any one of claims 1 to 3, in a telecommunications network (R1, R2), characterized in that said detection and transmission are implemented in a switching means (RO1, RO2) of said network (R1, R2) not belonging to any of the stations (S10-S13, S20-S23) in said network.  5 - System according to claim 4, characterized in that said switching means is a router (RO1, RO2) and in that said network is a local network.  6 - System for the implementation of the method according to any one of claims 1 to 3, according to which said network is a broadcast network, and in that said detection and transmission are implemented in one (S ) stations in the broadcast network.  7 - System for implementing the method according to claim 5, characterized in that said broadcast network is a local network (R1, R2).