METHOD AND PROCEDURE TO AUTOMATICALLY DETECT ROUTER SECURITY CONFIGURATION CHANGES AND OPTIONALLY APPLY CORRECTIONS BASED ON A TARGET CONFIGURATION

US 20090217382A1
Filed: 02/25/2008
Published: 08/27/2009
Est. Priority Date: 02/25/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method of maintaining router security configuration files, comprising:

generating a target-delta file having commands needed to make identified data blocks of a baseline file functionally equivalent to corresponding data blocks of a target file, wherein said identified data blocks are functionally different from said corresponding data blocks of said target file; and

changing a router security configuration field file by applying said target-delta file thereto.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for maintaining router security configuration files, a method for detecting unauthorized changes to router security configurations and a network controller. In one embodiment, the method for maintaining includes: (1) generating a target-delta file having commands needed to make identified data blocks of a baseline file functionally equivalent to corresponding data blocks of a target file, wherein the identified data blocks are functionally different from the corresponding data blocks of the target file and (2) changing a router security configuration field file by applying the target-delta file thereto.

19 Citations

View as Search Results

21 Claims

1. A method of maintaining router security configuration files, comprising:
- generating a target-delta file having commands needed to make identified data blocks of a baseline file functionally equivalent to corresponding data blocks of a target file, wherein said identified data blocks are functionally different from said corresponding data blocks of said target file; and
  
  changing a router security configuration field file by applying said target-delta file thereto.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method as recited in claim 1 further comprising generating a field-delta file having commands needed to make identified data blocks of said field file functionally equivalent to corresponding data blocks of said baseline file, wherein said identified data blocks of said field file are functionally different from said corresponding data blocks of said baseline file.
  - 3. The method as recited in claim 2 further comprising determining if there are any conflicts between said target-delta file and said field-delta file.
  - 4. The method as recited in claim 3 further comprising generating an alarm if there is a conflict between identified data blocks of said target-delta file and said field-delta file.
  - 5. The method as recited in claim 4 further comprising examining said conflict.
  - 6. The method as recited in claim 5 wherein said examining includes determining if said identified data blocks are within a protected block.
  - 7. The method as recited in claim 1 further comprising archiving said field file as said baseline file.
  - 8. The method as recited in claim 1 wherein said commands address changes to said identified data blocks at a block level.
  - 9. The method as recited in claim 1 wherein said baseline file is stored in a first table and said target file is stored in a second table, wherein each of said first and second tables are organized according to data block numbers.
  - 10. The method as recited in claim 9 wherein said generating includes excluding a data block number from said target-delta file when said data block number is in table one but is not in table two.
  - 11. The method as recited in claim 9 wherein said generating includes copying data associated with a data block number from table two to said target-delta file when said data block number is in table two but is not in table one.
  - 12. The method as recited in claim 9 wherein said generating includes excluding a data block number from said target-delta file when said data block number is found in both table one and table two and all fields in said data block of table one and table two are equivalent.
  - 13. The method as recited in claim 9 wherein said generating includes copying data from table two to said target-delta file when a data block number is found in both table one and table two and all fields in said data block of table one and table two are not equivalent.

14. For use in a network having routers, a method of detecting unauthorized changes to router security configurations, comprising:
- (a) generating a delta file having identified data blocks of a router security configuration field file, wherein said identified data blocks of said field file are functionally different from corresponding data blocks of a router security configuration baseline file; and
  
  (b) generating an alarm based on said identified data blocks in said delta file.
- View Dependent Claims (15, 16, 17)
- - 15. The method as recited in claim 14 wherein said steps (a) to (b) are performed periodically.
  - 16. The method as recited in claim 14 further comprising determining if said identified data blocks are within a protected block.
  - 17. The method as recited in claim 16 further comprising generating said alarm based on if said identified data blocks are within said protected block.

18. A network controller, comprising:
- a configuration guardian, including;
  
  an intelligent delta tool operable to compare data blocks of a field configuration file with corresponding data blocks of a target configuration file and generate a target-delta file that represents functional differences between said data blocks; and
  
  a configuration monitor operable to modify said field configuration file based on said target-delta file to make said field configuration file functionally equivalent to said target configuration file.
- View Dependent Claims (19, 20, 21)
- - 19. The network controller of claim 18 wherein said intelligent delta tool is further operable to compare data blocks of an original configuration file with corresponding data blocks of said field configuration file and generate a field-delta file that represents functional differences therebetween.
  - 20. The network controller of claim 19 wherein said configuration monitor directs said intelligent delta tool to compare said original and field configurations files periodically.
  - 21. The network controller as recited in claim 18 wherein said field configuration file is a security configuration file of a router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Lecheler, Paul A.

Application Number

US12/036,959
Publication Number

US 20090217382A1
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1416 Event detection, e.g. attac...

METHOD AND PROCEDURE TO AUTOMATICALLY DETECT ROUTER SECURITY CONFIGURATION CHANGES AND OPTIONALLY APPLY CORRECTIONS BASED ON A TARGET CONFIGURATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND PROCEDURE TO AUTOMATICALLY DETECT ROUTER SECURITY CONFIGURATION CHANGES AND OPTIONALLY APPLY CORRECTIONS BASED ON A TARGET CONFIGURATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links