Method for detecting unauthorized network access by having a...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

C713S160000, C713S161000, C713S168000, C713S152000


active

06745333

ABSTRACT:

TECHNICAL FIELD
The present invention generally pertains to the field of networked computers. More particularly, the present invention is related to a method for enhancing network security by detecting that a network has been accessed by an entity not authorized to have such access.
BACKGROUND ART
Modern computing networks allow great benefits by sharing information and computing resources. However, such networking presents several security issues. One such security issue is detecting that the security of a network has been potentially compromised by unauthorized access. Detection of such potential security compromise requires the detection of access to the computing network by entities lacking authorization to have such access.
Related to this issue of unauthorized access is a second security issue, which is preventing an unauthorized device, e.g., a computing and/or communications device wielded by an unauthorized entity, from actually getting into the network. Also related to this second security issue is preventing such an unauthorized device that does penetrate the network from learning about the existence of network resources.
Further, related to the foregoing security issues is another: if an unauthorized device is detected, e.g., that its access to a network has not been prevented, the portion of the network to which it has access must at least be restricted. This can delimit the mischief the unauthorized device can cause.
Conventionally, two principal methods moderate access to a network. The first of these methods requires some type of identity authentication process for the entity attempting to access the network, effectively restricting network access to authorized persons. An example of this first method is the IEEE 802.1X protocol, discussed in more detail below, wherein a satisfactory authentication interaction is required prior to any exposure of the network to the entity attempting to access it.
The second such method is the deployment of techniques to detect intrusion. An example of this second method is an Intrusion Detection System (IDS). An IDS employs software that detects unauthorized entrance to a network and/or to computer system components thereof. A network IDS (NIDS) supports multiple hosts. Typically, an IDS looks for signatures of known attempts to breach security as a signal of a possible security violation. An IDS may also look for deviations of normal routines as indications of a possible intrusion or other network security violation.
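As an added example (not from the patent), the two IDS strategies just described, run over a few constructed log lines: signature matching for a known attack pattern, and a deviation-from-baseline check that flags a source contacting unusually many destination ports. The log format, the signature patterns and the baseline figure are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the patent): time, source, destination:port, payload summary.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.0.20:80 GET /index.html
10:00:02 10.0.0.5 10.0.0.20:80 GET /images/logo.png
10:00:03 10.0.0.9 10.0.0.20:80 GET /login.php?user=admin'%20OR%201=1--
10:00:03 10.0.0.9 10.0.0.20:22 SSH-2.0-OpenSSH_8.9
10:00:04 10.0.0.9 10.0.0.20:23 -
10:00:04 10.0.0.9 10.0.0.20:445 -
10:00:05 10.0.0.9 10.0.0.20:3389 -
10:00:05 10.0.0.9 10.0.0.20:8080 -
10:00:06 10.0.0.7 10.0.0.21:443 TLS ClientHello
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (.*)$")

# Signature rules (hypothetical): regexes over the payload summary for known attack patterns.
SIGNATURES = {
    "sqli-tautology": re.compile(r"(?i)'(%20|\s)+or(%20|\s)+1(%20|\s)*=(%20|\s)*1"),
    "path-traversal": re.compile(r"\.\./"),
}


def parse(log_text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, src, dst, port, payload = m.groups()
        events.append({"time": t, "src": src, "dst": dst, "port": int(port),
                       "payload": payload, "raw": line})
    return events


def signature_alerts(events):
    """Signature detection: flag every event whose payload matches a known-attack pattern."""
    alerts = []
    for ev in events:
        for name, rx in SIGNATURES.items():
            if rx.search(ev["payload"]):
                alerts.append({"type": "signature", "rule": name, "src": ev["src"], "raw": ev["raw"]})
    return alerts


def anomaly_alerts(events, max_distinct_ports=3):
    """Anomaly detection: flag a source that contacts more distinct destination ports than
    the baseline allows (a deviation from normal routine, e.g. a port sweep).
    The baseline of 3 ports is an assumed figure; a real deployment learns it from traffic."""
    ports_by_src = defaultdict(set)
    for ev in events:
        ports_by_src[ev["src"]].add(ev["port"])
    return [
        {"type": "anomaly", "rule": "port-sweep", "src": src, "distinct_ports": len(ports)}
        for src, ports in sorted(ports_by_src.items())
        if len(ports) > max_distinct_ports
    ]


def detect(log_text, max_distinct_ports=3):
    """Run both detection strategies over a log and return the combined alert list."""
    events = parse(log_text)
    return signature_alerts(events) + anomaly_alerts(events, max_distinct_ports)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The signature rule catches only the attack it encodes; the baseline rule catches the sweep from 10.0.0.9 without knowing anything about it in advance, at the price of a threshold that must be tuned to the network's normal behaviour.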
Referring to FIG. 1, most networks 120 have firewalls 135 to prevent unauthorized users from directly accessing the network 120 from outside the network 120 (e.g., from the Internet 140). The firewall 135 may be implemented in software on a computer, in a router, in a stand-alone firewall box, etc. The network 120 may also have a Virtual Private Network (VPN) gateway 130. Virtual Private Networks enjoy the security of a private network via access control and encryption. All traffic from the Internet 140 goes through either the firewall 135 or the VPN gateway 130. Thus, a certain measure of protection is provided for those paths.
However, the firewall 135 and VPN gateway 130 will not detect or prevent unauthorized access from within the network 120. For example, with a typical Ethernet network anyone who has physical access to a hardware port 128 on the network can attach a laptop computer 125 to gain access to the network 120, e.g., by using a Network Interface Card (NIC).
Unauthorized access can also be gained by attaching to a wireless Local Area Network (LAN) access point 127 attached to the network 120. Also, the firewall 135 may be bypassed if a remote device connects to the network 120 using dial-up (RAS) 132 or even the Virtual Private Network gateway 130, thus achieving direct access to the network 120. For example, an employee having a username and a password may use a dial-up connection to obtain access to a corporate network.
Furthermore, with a typical Ethernet network, any device connected to the network 120 can communicate with any other device on that segment of the network 120. A router or switch may be programmed to block packets originating at a given device from leaving the segment. However, this conventional method will not prevent the unauthorized device from communicating with devices on its own segment.
One conventional method for providing security for a network is described in the IEEE 802.1X specification. Therein is described a hardware block technique as illustrated in FIG. 2. When a client device 126 first connects to the network, the client device 126 is only allowed to communicate with the authentication server 121. A hardware switch 131 prevents the client device 126 from accessing the full network 141. After the client device 126 authenticates with the authentication server 121, the hardware switch 131 allows the client device 126 to have access to the network 141.
Another conventional method for promoting network security also involves a degree of server control. In this scheme, a network is constituted by a centralized server and peripheral entities, interconnected via their individual NICs. A peripheral entity intercommunicates with the centralized server via its NIC. The centralized server promulgates intercommunication policies to the NIC, instructing its entity as to whether intercommunication between that entity and certain Internet Protocol (IP) addresses is permissible or forbidden.
The intercommunication policies promulgated by the centralized server may also instruct an entity to permit or to prohibit certain intercommunication related events. Examples of such events include allowing its NIC to go into a promiscuous mode, and allowing the generation of fake responses or other signals to polling and other network queries, in order to keep a session active and prevent termination, such as by timeouts.
The foregoing conventional methods of moderating network access are problematic for at least two major reasons. In the first place, requiring compliance with an authentication procedure to gain network access is not foolproof. “Spoofing,” e.g., faking the sending address of a data transmission in order to “authenticate without authorization,” if successful, may expose even a seemingly secure network to intrusion. Spoofing will be discussed in somewhat greater detail below.
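The 802.1X hardware-block behaviour of FIG. 2 and the spoofing concern raised just above, as an added example that is not part of the patent: a simplified model of a controlled switch port (131) that passes only EAPOL frames to the authentication server (121) until the client device (126) authenticates, and opens the port afterwards. The frame format, the MAC addresses, the credential table and the `bind_mac` option are assumptions made for this example. The model also shows the limit the text points at: binding the open port to the authenticated MAC stops a second station with its own address, but a station that copies the authenticated address is indistinguishable to the port.

```python
from dataclasses import dataclass, field
from typing import List, Optional

EAPOL_ETHERTYPE = 0x888E  # EtherType of EAP over LAN (802.1X)
IPV4_ETHERTYPE = 0x0800


@dataclass
class Frame:
    """Constructed Ethernet frame: only the fields the port decision needs."""
    src_mac: str
    ethertype: int
    payload: bytes = b""


class AuthServer:
    """Stand-in for the authentication server 121 (assumed credential format 'user:secret')."""

    def __init__(self, credentials):
        self._creds = dict(credentials)  # constructed user -> secret table

    def authenticate(self, payload):
        try:
            user, secret = payload.decode().split(":", 1)
        except (UnicodeDecodeError, ValueError):
            return False
        return self._creds.get(user) == secret


@dataclass
class ControlledPort:
    """Switch port 131 in the authenticator role.

    Until authentication succeeds, only EAPOL frames are accepted, and they go to the
    authentication server, never onto the network; everything else is dropped. After
    success the port is opened. With bind_mac=True the open port admits only the MAC
    that authenticated; with bind_mac=False any station on the port is admitted.
    """
    auth_server: AuthServer
    bind_mac: bool = True
    authorized_mac: Optional[str] = None
    log: List[str] = field(default_factory=list)

    @property
    def authorized(self):
        return self.authorized_mac is not None

    def receive(self, frame):
        """Return where the frame goes: 'auth-server', 'network' or 'drop'."""
        if frame.ethertype == EAPOL_ETHERTYPE:
            if self.auth_server.authenticate(frame.payload):
                self.authorized_mac = frame.src_mac
                self.log.append(f"port authorized for {frame.src_mac}")
            else:
                self.log.append(f"authentication failed for {frame.src_mac}")
            return "auth-server"
        if not self.authorized:
            self.log.append(f"dropped {frame.ethertype:#06x} from {frame.src_mac}: port unauthorized")
            return "drop"
        if self.bind_mac and frame.src_mac != self.authorized_mac:
            self.log.append(f"dropped frame from {frame.src_mac}: port bound to {self.authorized_mac}")
            return "drop"
        return "network"


def run_scenario(bind_mac):
    """Client 126 authenticates; then two other stations try the open port, one with its own
    MAC and one spoofing the authenticated MAC. Returns the port decision for each step."""
    port = ControlledPort(AuthServer({"alice": "s3cret"}), bind_mac=bind_mac)
    legit = "00:11:22:33:44:55"   # constructed address of client 126
    other = "de:ad:be:ef:00:01"   # constructed address of an unauthorized station
    out = {}
    out["pre_auth_data"] = port.receive(Frame(legit, IPV4_ETHERTYPE, b"GET / HTTP/1.0"))
    out["bad_cred"] = port.receive(Frame(legit, EAPOL_ETHERTYPE, b"alice:wrong"))
    out["still_blocked"] = port.receive(Frame(legit, IPV4_ETHERTYPE, b"GET / HTTP/1.0"))
    out["good_cred"] = port.receive(Frame(legit, EAPOL_ETHERTYPE, b"alice:s3cret"))
    out["post_auth_data"] = port.receive(Frame(legit, IPV4_ETHERTYPE, b"GET / HTTP/1.0"))
    out["other_mac"] = port.receive(Frame(other, IPV4_ETHERTYPE, b"scan"))
    # The spoofer copies the authenticated MAC: the frame looks exactly like legitimate traffic.
    out["spoofed_mac"] = port.receive(Frame(legit, IPV4_ETHERTYPE, b"scan"))
    out["log"] = list(port.log)
    return out


if __name__ == "__main__":
    for mode in (True, False):
        print(f"bind_mac={mode}:", {k: v for k, v in run_scenario(mode).items() if k != "log"})
```

The port alone cannot close the spoofing gap, because a spoofed source address is all it sees; that is why the page lists detection as a separate line of defence rather than relying on authentication at the port.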
Further, the “seemingly secure” nature of the network in such an instance weaves an obviously false sense of security. This false sense of security has its own risks, because great amounts of mischief may occur under its camouflage. Such mischief may perhaps occur in a manner and on an order unlikely in a patently unsecure system, wherein network participants would more probably know to take appropriate precautions.
Secondly, conventional methods of detecting intrusion into secured networks typically seek effects there caused by the presence of and/or actions there taken by unauthorized entities who have gained access thereto. In many cases, this amounts to nothing more than internal damage assessment. It thus provides no ability to prevent the intrusion or resultant damage, or even to detect such intrusion in real time or near real time.
Another difficulty with conventional network security lies in how to detect unauthorized entry into certain network areas by an entity authorized to access other areas, and to prevent such unauthorized access. Once an entity has access to a portion of a network to which it is authorized for such access, problems may occur when that entity spoofs to gain access to other network areas normally off limits, e.g., restricted to it. However, it has proven difficult to establish conventional networking regimes that effectuate segregation of a network into areas differentially accessible to various entities.
On an exemplary corporate LAN for instance, an entity authorized for access to engineering may lack authority to access accounting, legal, personnel, marketing, and executive areas. Another entity thereon may be au
