
US-12621264-B2 - Secured network switch and method for broadcast, multicast, and neighbor management


Abstract

A secured network switch is configured to enforce security between devices on a home network to ensure vulnerable devices do not compromise assets on privileged devices. The secured switch operates at the data link layer and is configured to enforce security based on device management and enforcement. The switch is configured to only allow devices that have been classified to allow communication with each other to forward packets to each other. The switch is configured to use broadcast, multicast, and network neighbor management to control the device discovery through the switch. The secured switch will also gather device information by snooping various sources of device ‘broadcast’ information and present this information via a user interface to aid network administrators in classifying devices and creating device to device relationships.

Inventors

  • Nicholas John Kelsey
  • Richard Finbarr DUNPHY

Assignees

  • SILICONDUST USA INC.

Dates

Publication Date
20260505
Application Date
20231222

Claims (20)

  1. A method for operating a secured network switch, the method comprising: receiving a broadcast or multicast packet from a source device at a first port of a plurality of ports of the secured network switch; extracting address data for the source device from the broadcast or multicast packet using a processor of the secured network switch; determining whether the source device is banned based on the address data using the processor of the secured network switch; in response to the processor determining that the source device is banned, automatically dropping the broadcast or multicast packet before providing the broadcast or multicast packet to switch logic of the secured network switch using the processor of the secured network switch; in response to the processor determining that the source device is not banned, automatically determining whether there are any devices connected to a second port of the secured network switch that have a defined relationship with the source device using the processor of the secured network switch; in response to the processor determining that there is at least one device connected to the second port that has a defined relationship with the source device, automatically forwarding the broadcast or multicast packet to a network segment connected to the second port; and in response to the processor determining that there are no devices connected to the second port that have a defined relationship with the source device, automatically blocking transmission of the broadcast or multicast packet via the second port using the processor of the secured network switch.
  2. The method of claim 1, further comprising: receiving a unicast packet at the second port from a first device in response to the broadcast or multicast packet; determining whether the first device has a defined relationship with the source device; in response to the processor determining that the first device does not have a defined relationship with the source device, dropping the unicast packet; and in response to the processor determining that the first device does have a defined relationship with the source device, forwarding the unicast packet to a network segment containing the source device.
  3. The method of claim 2, wherein the broadcast or multicast packet from the source device is a first Address Resolution Protocol (ARP) request having a target Media Access Control (MAC) address, and wherein the method comprises: terminating a flow of the first ARP request from the source device to the target MAC address; generating a second ARP request that is from the secured network switch to the target MAC address; and forwarding the second ARP request to network segments connected to other ports of the secured network switch including the second port.
  4. The method of claim 3, wherein the unicast packet is a first ARP response from the first device to the secured network switch, and wherein the method comprises: determining whether the first device has a defined relationship with the source device; in response to the processor determining that the first device does not have a defined relationship with the source device, dropping the first ARP response; and in response to the processor determining that the first device does have a defined relationship with the source device: generating a second ARP response that is from the first device to the source device; and forwarding the second ARP response to the network segment connected to the first port.
  5. The method of claim 2, wherein the broadcast or multicast packet is a first Internet Control Message Protocol (ICMP) or ICMP version 6 (ICMPv6) message encapsulated in an Internet Protocol version 6 (IPv6) frame, the first ICMP or ICMPv6 message having a source MAC address set to the source device and a target MAC address set to a multicast group, and wherein the method comprises: terminating a flow of the first ICMP or ICMPv6 message to the target MAC address; generating a second ICMP or ICMPv6 message that includes a source MAC address set to the secured network switch and a target MAC address set to the multicast group; and forwarding the second ICMP or ICMPv6 message to the network segment connected to the second port.
  6. The method of claim 4, wherein the unicast packet is a first ICMP or ICMPv6 response message from the first device having a source MAC address set to the first device and a target MAC address set to the secured network switch, and wherein the method comprises: determining whether the first device has a defined relationship with the source device; in response to the processor determining that the first device does not have a defined relationship with the source device, dropping the first ARP response; and in response to the processor determining that the first device does have a defined relationship with the source device: generating a second ICMP or ICMPv6 response message having a source MAC address set to the first device and a target MAC address set to the source device; and forwarding the second ICMP or ICMPv6 response message to the network segment connected to the first port.
  7. The method of claim 2, wherein the broadcast or multicast packet is a multicast packet, and wherein the method comprises: determining whether any of the devices connected to the secured network switch are subscribed for multicast; in response to the processor determining that there are no subscribed devices, dropping the multicast packet; and in response to the processor determining that there is a subscribed device connected to the secured network switch, forwarding the multicast packet to the subscribed device.
  8. The method of claim 2, wherein the secured network switch is associated with a Wi-Fi Access Point, and wherein the method comprises: identifying peer devices of the source device which are connected to the secured network switch; and converting the broadcast or multicast packet to separate unicast packets which are transmitted only to the identified peer devices.
  9. The method of claim 7, further comprising: receiving user input via a user interface of the secured network switch to designate one or more devices connected to the secured network switch as a multicast subscribed device.
  10. The method of claim 1, further comprising: receiving user input via a user interface of the secured network switch designating one or more devices connected to the secured switch as a banned device; adding the one or more devices to a list of banned devices stored in a memory accessible by the secured network switch; and wherein determining whether the source device is banned comprises determining whether the source device is on the list of banned devices.
  11. A secured network switch for computer networks, the secured network switch comprising: a processor; and a memory in communication with the processor, the memory comprising executable instructions that, when executed by the processor alone or in combination with other processors, cause the secured network switch to perform functions of: receiving a broadcast or multicast packet from a source device at a first port of a plurality of ports of the secured network switch; extracting address data for the source device from the broadcast or multicast packet using the processor; determining whether the source device is banned based on the address data using the processor; in response to the source device being banned, automatically dropping the broadcast or multicast packet before providing the broadcast or multicast packet to switch logic of the secured network switch using the processor; in response to the source device not being banned, automatically determining whether there are any devices connected to a second port of the secured network switch that have a defined relationship with the source device using the processor; in response to determining that there is at least one device connected to the second port having a defined relationship with the source device, automatically forwarding the broadcast or multicast packet to a network segment connected to the second port using the processor; and in response to determining that there are no devices connected to the second port having a defined relationship with the source device, automatically blocking transmission of the broadcast or multicast packet via the second port.
  12. The secured network switch of claim 11, wherein the functions further comprise: receiving a unicast packet at the second port from a first device in response to the broadcast or multicast packet; determining whether the first device has a defined relationship with the source device; in response to determining that the first device does not have a defined relationship with the source device, dropping the unicast packet; and in response to determining that the first device does have a defined relationship with the source device, forwarding the unicast packet to a network segment containing the source device.
  13. The secured network switch of claim 12, wherein the broadcast or multicast packet from the source device is a first Address Resolution Protocol (ARP) request having a target Media Access Control (MAC) address, and wherein the functions further comprise: terminating a flow of the first ARP request from the source device to the target MAC address; generating a second ARP request that is from the secured network switch to the target MAC address; and forwarding the second ARP request to network segments connected to other ports of the secured network switch including the second port.
  14. The secured network switch of claim 13, wherein the unicast packet is a first ARP response from the first device to the secured network switch, and wherein the functions further comprise: determining whether the first device has a defined relationship with the source device; in response to determining that the first device does not have a defined relationship with the source device, dropping the first ARP response; and in response to determining that the first device does have a defined relationship with the source device: generating a second ARP response that is from the first device to the source device; and forwarding the second ARP response to the network segment connected to the first port.
  15. The secured network switch of claim 12, wherein the broadcast or multicast packet is a first Internet Control Message Protocol (ICMP) or ICMP version 6 (ICMPv6) message encapsulated in an Internet Protocol version 6 (IPv6) frame, the first ICMP or ICMPv6 message having a source MAC address set to the source device and a target MAC address set to a multicast group, and wherein the functions further comprise: terminating a flow of the first ICMP or ICMPv6 message to the target MAC address; generating a second ICMP or ICMPv6 message that includes a source MAC address set to the secured network switch and a target MAC address set to the multicast group; and forwarding the second ICMP or ICMPv6 message to the network segment connected to the second port.
  16. The secured network switch of claim 14, wherein the unicast packet is a first ICMP or ICMPv6 response message from the first device having a source MAC address set to the first device and a target MAC address set to the secured network switch, and wherein the functions further comprise: determining whether the first device has a defined relationship with the source device; in response to determining that the first device does not have a defined relationship with the source device, dropping the first ARP response; and in response to determining that the first device does have a defined relationship with the source device: generating a second ICMP or ICMPv6 response message having a source MAC address set to the first device and a target MAC address set to the source device; and forwarding the second ICMP or ICMPv6 response message to the network segment connected to the first port.
  17. The secured network switch of claim 12, wherein the broadcast or multicast packet is a multicast packet, and wherein the functions further comprise: determining whether any of the devices connected to the secured network switch are subscribed for multicast; in response to determining that there are no subscribed devices, dropping the multicast packet; and in response to determining that there is a subscribed device connected to the secured network switch, forwarding the multicast packet to the subscribed device.
  18. A non-transitory computer readable medium on which are stored instructions that, when executed, cause a programmable device to perform functions of: receiving a broadcast or multicast packet from a source device at a first port of a plurality of ports of a secured network switch; extracting address data for the source device from the broadcast or multicast packet using a processor of the secured network switch; determining whether the source device is banned based on the address data using the processor; in response to determining that the source device is banned, dropping the broadcast or multicast packet before providing the broadcast or multicast packet to switch logic of the secured network switch using the processor of the secured network switch; in response to determining that the source device is not banned, determining whether there are any devices connected to a second port of the secured network switch that have a defined relationship with the source device using the processor of the secured network switch; in response to determining that there are no devices connected to the second port that have a defined relationship with the source device, blocking transmission of the broadcast or multicast packet to the second port using the processor of the secured network switch; in response to determining that there are devices connected to the second port that have a defined relationship with the source device, forwarding the broadcast or multicast packet to a network segment connected to the second port using the processor of the secured network switch; receiving a unicast packet at the second port from a first device in response to the broadcast or multicast packet; determining whether the first device has a defined relationship with the source device using the processor of the secured network switch; in response to determining that the first device does not have a defined relationship with the source device, dropping the unicast packet using the processor of the secured network switch; and in response to determining that the first device does have a defined relationship with the source device, forwarding the unicast packet to a network segment containing the source device using the processor of the secured network switch.
  19. The non-transitory computer readable medium of claim 18, wherein the broadcast or multicast packet from the source device is a first Address Resolution Protocol (ARP) request having a target Media Access Control (MAC) address, wherein the unicast packet is a first ARP response from the first device to the secured network switch, and wherein the functions further comprise: terminating a flow of the first ARP request from the source device to the target MAC address; generating a second ARP request that is from the secured network switch to the target MAC address; forwarding the second ARP request to network segments connected to other ports of the secured network switch including the second port; determining whether the first device has a defined relationship with the source device; in response to determining that the first device does not have a defined relationship with the source device, dropping the first ARP response; and in response to determining that the first device does have a defined relationship with the source device: generating a second ARP response that is from the first device to the source device; and forwarding the second ARP response to the network segment connected to the first port.
  20. The non-transitory computer readable medium of claim 19, wherein the broadcast or multicast packet is a first Internet Control Message Protocol (ICMP) or ICMP version 6 (ICMPv6) message encapsulated in an Internet Protocol version 6 (IPv6) frame, the first ICMP or ICMPv6 message having a source MAC address set to the source device and a target MAC address set to a multicast group, wherein the unicast packet is an ICMPv6 response message from the first device having a source MAC address set to the first device and a target MAC address set to the secured network switch, and wherein the functions further comprise: terminating a flow of the first ICMP or ICMPv6 message to the target MAC address; generating a second ICMP or ICMPv6 message that includes a source MAC address set to the secured network switch and a target MAC address set to the multicast group; forwarding the second ICMP or ICMPv6 message to the network segment connected to the second port; determining whether the first device has a defined relationship with the source device; in response to determining that the first device does not have a defined relationship with the source device, dropping the first ARP response; and in response to determining that the first device does have a defined relationship with the source device: generating a second ICMP or ICMPv6 response message having a source MAC address set to the first device and a target MAC address set to the source device; and forwarding the second ICMP or ICMPv6 response message to the network segment connected to the first port.
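The claims above (and the Summary in the Description that restates them) describe one forwarding decision procedure: drop broadcasts from banned sources before switch logic sees them, flood only to ports holding a device with a defined relationship to the sender, gate the unicast reply by the same relationship, re-originate ARP requests from the switch's own MAC and rewrite the reply back to the original requester, and deliver multicast only to subscribed peers. The following Python model is an added example written for this page, not code from the patent or from SiliconDust; the `SecuredSwitch` class, the `Frame` type, the `pending_arp` table used to map a proxied ARP reply back to its requester, and the MAC/IP values in `build_demo_switch` are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed device MACs for the demo network (not from the patent).
LAPTOP, NAS, CAMERA, ROGUE = ("aa:00:00:00:00:01", "aa:00:00:00:00:02",
                              "aa:00:00:00:00:03", "aa:00:00:00:00:04")


@dataclass
class Frame:
    """Minimal Ethernet-level view of a packet, enough to model the claims."""
    src_mac: str
    dst_mac: str
    kind: str                  # "data", "arp-request" or "arp-reply"
    target_ip: str = ""        # ARP: address being asked for / requester's IP in a reply
    sender_ip: str = ""        # ARP: requester's IP / responder's IP in a reply


@dataclass
class SecuredSwitch:
    switch_mac: str
    port_devices: Dict[int, Set[str]]                 # port -> MACs learned on it
    banned: Set[str] = field(default_factory=set)
    relationships: Set[FrozenSet[str]] = field(default_factory=set)  # unordered pairs
    multicast_subscribers: Set[str] = field(default_factory=set)
    # Assumption: the switch remembers who asked for which IP so a proxied ARP
    # reply can be rewritten back to the original requester (claims 3 and 4).
    pending_arp: Dict[str, str] = field(default_factory=dict)

    def related(self, a: str, b: str) -> bool:
        return frozenset((a, b)) in self.relationships

    def port_of(self, mac: str) -> Optional[int]:
        return next((p for p, macs in self.port_devices.items() if mac in macs), None)

    def broadcast_egress(self, frame: Frame, in_port: int) -> List[int]:
        """Claim 1: a banned source is dropped before any forwarding decision;
        otherwise the broadcast reaches only ports that hold a related device."""
        if frame.src_mac in self.banned:
            return []
        return sorted(port for port, macs in self.port_devices.items()
                      if port != in_port
                      and any(self.related(frame.src_mac, m) for m in macs))

    def unicast_reply_egress(self, frame: Frame) -> Optional[int]:
        """Claim 2: a unicast reply is forwarded only if the responder has a
        defined relationship with the device it is answering; else it is dropped."""
        if not self.related(frame.src_mac, frame.dst_mac):
            return None
        return self.port_of(frame.dst_mac)

    def proxy_arp_request(self, frame: Frame, in_port: int) -> List[Tuple[int, Frame]]:
        """Claim 3: terminate the requester's ARP flow and re-originate the request
        from the switch MAC on every port the claim 1 rule permits."""
        ports = self.broadcast_egress(frame, in_port)
        if not ports:
            return []
        self.pending_arp[frame.target_ip] = frame.src_mac
        proxied = Frame(self.switch_mac, BROADCAST, "arp-request",
                        target_ip=frame.target_ip, sender_ip=frame.sender_ip)
        return [(p, proxied) for p in ports]

    def proxy_arp_reply(self, frame: Frame) -> Optional[Tuple[int, Frame]]:
        """Claim 4: a reply addressed to the switch is dropped unless the responder is
        related to the original requester; if it is, a new reply from responder to
        requester is generated on the requester's port."""
        requester = self.pending_arp.get(frame.sender_ip)
        if requester is None or not self.related(frame.src_mac, requester):
            return None
        port = self.port_of(requester)
        if port is None:
            return None
        return (port, Frame(frame.src_mac, requester, "arp-reply",
                            target_ip=frame.target_ip, sender_ip=frame.sender_ip))

    def multicast_as_unicast(self, frame: Frame) -> List[Tuple[int, Frame]]:
        """Claims 7 and 8: deliver a multicast only to subscribed peers that have a
        relationship with the sender, as separate unicast frames."""
        if frame.src_mac in self.banned:
            return []
        out = []
        for mac in sorted(self.multicast_subscribers):
            port = self.port_of(mac)
            if mac != frame.src_mac and self.related(frame.src_mac, mac) and port is not None:
                out.append((port, Frame(frame.src_mac, mac, frame.kind)))
        return out


def build_demo_switch() -> SecuredSwitch:
    """Constructed home network: laptop and NAS may talk, the camera is isolated,
    and the rogue device is banned outright."""
    return SecuredSwitch(switch_mac="aa:00:00:00:00:ff",
                         port_devices={1: {LAPTOP}, 2: {NAS}, 3: {CAMERA}, 4: {ROGUE}},
                         banned={ROGUE},
                         relationships={frozenset((LAPTOP, NAS))},
                         multicast_subscribers={LAPTOP, NAS, CAMERA})


def demo() -> dict:
    """Run the laptop->NAS ARP exchange plus the blocked cases; return the decisions."""
    sw = build_demo_switch()
    req = Frame(LAPTOP, BROADCAST, "arp-request", target_ip="192.168.1.20", sender_ip="192.168.1.10")
    proxied = sw.proxy_arp_request(req, in_port=1)
    reply = Frame(NAS, sw.switch_mac, "arp-reply", target_ip="192.168.1.10", sender_ip="192.168.1.20")
    port, rewritten = sw.proxy_arp_reply(reply)
    cam_req = Frame(CAMERA, BROADCAST, "arp-request", target_ip="192.168.1.20", sender_ip="192.168.1.30")
    mcast = sw.multicast_as_unicast(Frame(LAPTOP, "01:00:5e:00:00:fb", "data"))
    return {"laptop_arp_ports": [p for p, _ in proxied],          # [2]: only the NAS port
            "proxied_src": proxied[0][1].src_mac,                 # switch MAC, not the laptop's
            "reply_port": port, "reply_dst": rewritten.dst_mac,   # 1, LAPTOP
            "camera_arp_ports": [p for p, _ in sw.proxy_arp_request(cam_req, 3)],  # []
            "rogue_ports": sw.broadcast_egress(Frame(ROGUE, BROADCAST, "data"), 4),  # []
            "mcast_dsts": [f.dst_mac for _, f in mcast]}          # [NAS]


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The isolated camera never learns the laptop's MAC even when both are on the same switch, because its ARP request gets no egress port and the laptop's own request is rebuilt with the switch's MAC before it is flooded. Note that the relationship set is unordered here; a deployment that wants one-way relationships (a device may answer but not initiate) would need a directed map instead.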

Description

CROSS-REFERENCE TO RELATED APPLICATION

This patent application is related to co-pending, commonly owned U.S. patent application Ser. No. 18/394,945 entitled “Secured Network Switch and Method for Secure and Configurable Filtering,” filed concurrently herewith, which is incorporated herein by reference in its entirety.

TECHNICAL FIELD

The disclosure relates generally to computer networking, and, in particular, to systems and methods for creating and maintaining a network of devices which are secured from each other.

BACKGROUND

Securing home networks is paramount to protect personal information from cybercriminals who could use it for fraudulent activities like identity theft. Additionally, securing home networks can prevent others from accessing the internet connection, which can slow down the user's network speed and cause other issues. Finally, securing a home network can help prevent devices from being compromised, which can lead to data loss, ransomware attacks, and other types of cybercrime. However, home networks are getting harder to manage as people connect more devices, use new applications, and rely on them for entertainment, communication, and work. In addition, home users may lack the technical expertise to manage their home network. Finding ways to improve security for and facilitate management of home networks is always a worthwhile endeavor.

SUMMARY

In one general aspect, the instant disclosure presents a method for operating a secured network switch. The method includes: receiving a broadcast or multicast packet from a source device at a first port of a plurality of ports of the secured network switch; determining whether the source device is banned; if the source device is banned, dropping the broadcast or multicast packet before providing the broadcast or multicast packet to switch logic of the secured network switch; if the source device is not banned, determining whether there are any devices connected to a second port of the secured network switch that have a defined relationship with the source device; if there are no devices connected to the second port that have a defined relationship with the source device, blocking transmission of the broadcast or multicast packet to the second port; and if there are any devices connected to the second port that have a defined relationship with the source device, forwarding the broadcast or multicast packet to a network segment connected to the second port.

In one general aspect, the instant disclosure presents a secured network switch having a processor and a memory in communication with the processor, wherein the memory stores executable instructions that, when executed by the processor alone or in combination with other processors, cause the secured network switch to perform multiple functions. The functions may include receiving a broadcast or multicast packet from a source device at a first port of a plurality of ports of the secured network switch; determining whether the source device is banned; if the source device is banned, dropping the broadcast or multicast packet before providing the broadcast or multicast packet to switch logic of the secured network switch; if the source device is not banned, determining whether there are any devices connected to a second port of the secured network switch that have a defined relationship with the source device; if there are no devices connected to the second port that have a defined relationship with the source device, blocking transmission of the broadcast or multicast packet to the second port; and if there are any devices connected to the second port that have a defined relationship with the source device, forwarding the broadcast or multicast packet to a network segment connected to the second port.

In a further general aspect, the instant application describes a non-transitory computer readable medium on which are stored instructions that, when executed, cause a programmable device to perform functions of receiving a broadcast or multicast packet from a source device at a first port of a plurality of ports of the secured network switch; determining whether the source device is banned; if the source device is banned, dropping the broadcast or multicast packet before providing the broadcast or multicast packet to switch logic of the secured network switch; if the source device is not banned, determining whether there are any devices connected to a second port of the secured network switch that have a defined relationship with the source device; if there are no devices connected to the second port that have a defined relationship with the source device, blocking transmission of the broadcast or multicast packet to the second port; if there are any devices connected to the second port that have a defined relationship with the source device, forwarding the broadcast or multicast packet to a network segment connected to the second port; receiving a unicast packet at the second port from a first device in