Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-06-24
2001-02-06
Wright, Norman M. (Department: 2785)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S155000, C714S026000, C709S228000, C705S053000
Reexamination Certificate
active
06185689
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The invention relates to the field of computer network security, and in particular concerns an internet or intranet based technique by which operators, who need not have extensive knowledge of network TCP/IP subsystems, can assess the vulnerability of any or all of their network hosts (e.g., servers and workstations) to a variety of intrusion methods. A host or server operating the security system according to the invention uses communication techniques to confirm the identity of an operator who seeks an assessment, and may effect a credit or bank account transaction as a means of payment. A hypertext web page is generated on the security system server for starting the assessment, having a URL that is unique to the operator's request. The URL of the starting page is reported to the qualified operator by email. The operator selects a level of security assessment by selecting a number or class of network hosts to be analyzed and a level of intensity for the analysis. The security system server then launches a series of selected inquiries by TCP/IP communications, assesses points of vulnerability, and inserts hypertext links into the report page, naming vulnerabilities found and linking to hypertext pages explaining each vulnerability and directing the operator to potential fixes and further information. The assessment can be repeated as often as necessary during a limited time period, for example to test fixes made after earlier reports of vulnerability. After the limited time period, the report page and its URL are removed.
2. Prior Art
Standards have been developed for network communications among workstations and servers (collectively “hosts”), and are well documented. The same standards that apply to open network communications can also be used in communications among hosts on a local area network or a wide area network. Communications of this type generally fall into two categories, namely TCP and UDP.
In TCP (“transmission connection protocol”), a connection is made and held between the source of the data and an at-least intermediate destination. Delivery of data in TCP is more or less guaranteed once a connection is made.
In UDP (“user datagram protocol”), data packets are transmitted from a source to a destination, but no standing connection is made. In UDP, it is up to the programmer designing the software to guarantee reliability of the communication session.
Depending upon whether a host is configured to provide the services of a web server, a router, a workstation or the like, that host must be configured to respond to the appropriate inquiries needed to function. When the TCP/IP subsystem of the host is enabled to respond to these inquiries by the software that enables the host to operate as a server, router, etc., one of the numbered TCP ports is caused to respond to the appropriate inquiry.
Some services provide usernames and TCP/IP addresses, and a remote host can use the noted services to learn usernames and/or addresses and thereafter attempt to determine further information or use the information to mount an attack. With a knowledge of usernames, an iterative routine or a program having a dictionary file can attempt to determine passwords randomly or to guess passwords using common words, and attempt to log into a host as a given user. On some servers, particularly of Internet service providers, usernames are used to define the paths to the users' subdirectories. An authorized user can log in to their ISPs server, under their own username, then change directory up a level, and obtain the usernames of all subscribers by listing the username subdirectories. Depending on rights granted, this could enable subscribers to monitor shells, last login times, alter personal web page content and even read or insert pending email messages. It may or may not be appropriate for all such capabilities to be open to users, but in such instances it is appropriate for both the subscribers and the operator of the server to understand fully where the system is vulnerable to attack. For these and other reasons it can be difficult for systems administrators or others to determine the true identity of a person who obtains unauthorized access to information or services.
Networks that may be vulnerable to attack or contain confidential information may be protected by firewalls. Firewalls are intermediate computers that are coupled between a protected network server and the Internet. A firewall is basically a router having filters that pass certain forms of messages and block others. Of course a firewall does not address the possibility of an attack from a user within the network protected by the firewall.
A firewall can be more or less aggressive at blocking messages. Aggressive filtering means that fewer services can be made available in one direction or the other through the firewall. Insufficient filtering leaves the network open to attack. A proper balance is sought by system administrators in setting up the filtering that will be undertaken by the firewall, to provide the needed services and minimize dangers of unauthorized access and of damaging attack. Both innocent and malicious requests are blocked. Firewalls also may provide proxy or masquerading services which “hide” the presence of computers behind it.
One form of attack that is particularly troublesome is a “denial of service” attack. Networks providing information services that are critical for reasons of public safety or national defense need to be operational when called upon. A denial of service attack on a given host or TCP/IP address can result in that host (workstation or server) locking up (e.g., displaying the so-called “blue screen of death,” normally a general protection fault) requiring that the affected host be rebooted. A server lockup can disable useful operation of all users logged onto that server by precluding access to shared data. An attack on an individual host on the network at least can disable that host, and it is possible to mount a denial of service attack on all the hosts on a network simultaneously.
Several denial of service attacks are well known and documented, and software patches are available to deal with most of them. For example, the Windows NT service pack from Microsoft deals with certain vulnerabilities found in the Windows TCP/IP subsystem. An example is the Window OOB Bug (aka “WinNuke”). A program can send out of band (OOB) data to a TCP/IP address at which a Windows machine is coupled to the network, for example attacking NetBIOS (TCP port 139). The Windows machine is unable to handle the data and can lock up.
A program called SPING sends fragmented ICMP packets to a TCP address of a Windows machine, requesting an echo of the packet. The machine attempts to reassemble the packets but they cannot be reassembled. The machine's buffers overload and the machine locks up. Similarly, spoofed connection requests can be sent by TCP to a Windows host in a so-called Land Attack. SYN packets are sent to the host address as the destination and appear to have the same address as the source. That is, the packets have the same host and port numbers identifying the source and the destination. As it attempts to resolve the conflict of having information simultaneously being sent and received by the same host over the same port, the system slows down.
The Tear Drop and New Tear Drop (or Bonk) attack concern sending overlapping TCP/IP fragments or corrupted UDP fragments. These attacks fill the available memory buffer space and eventually crash the machine.
The foregoing attacks are exemplary. Additional attacks become possible periodically, as the implementation of the TCP/IP system is further understood. Additionally, public service organizations monitor reports of attacks and publish advisories containing strategies for dealing with attacks. The organizations include CERT, CIAC, ASSIST, and others.
In April 1995, a software package called Security Administrators Tool for Analyzing Networks (SATAN) was made publicly available to
Glahe Aaron C.
Pendleton Adam H.
Todd, Sr. Robert E.
Eckert Seamans Cherin & Mellott , LLC
Houser Kirk D.
Richard S. Carson & Assoc., Inc.
Wright Norman M.
LandOfFree
Method for network self security assessment does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method for network self security assessment, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method for network self security assessment will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2614152