NETWORK SERVICE ZONE LOCKING
Abstract
A zone locking system detects unauthorized network usage internal to a firewall. The system determines unauthorized network usage by classifying internal hosts inside a firewall into zones. Certain specified zones are unauthorized to initiate client communications with other selected zones. However, zone override services can be designated for each associated internal zone, thus authorizing selected network services. An alarm or other appropriate action is taken upon the detection of unauthorized network
89 Claims

1-20. (canceled)
21. In a computer network wherein packets are communicated between devices on the network, a method for providing an alarm signal indicating unauthorized network usage by a device on the network, comprising the steps of:

providing a configuration file that includes data reflecting the prior assignment of a plurality of devices into a plurality of zones where devices assigned to a first zone are not authorized to communicate with devices assigned to a second zone, a zone comprising a plurality of devices that are authorized to communicate: (i) with other devices in the same zone that are on the same physical network, and (ii) with other devices in the same zone that are on different physical networks isolated by a network device, but (iii) not with other devices in the same physical network that are in different zones; the configuration file further including unauthorized zone data specifying designated zones for which devices in a particular zone are not authorized to communicate with other devices in a different unauthorized zone;

monitoring network communications of the computer network by monitoring packets communicated between devices that have been assigned to the plurality of zones;

capturing packet header information from monitored network communications;

in response to captured packet header information from a device on the computer network, accessing the configuration file to determine whether said device is authorized to communicate packets with another device in the computer network;

determining unauthorized network usage based upon the unauthorized zone data in the configuration file and captured packet header information indicating that a device in a first zone is attempting to communicate with a device in a second but unauthorized zone; and

upon detection of unauthorized network usage, generating an alarm for use by external equipment.
36. In a computer network wherein packets are communicated between devices connected to the network in a client/server relationship, a method for generating an alarm signal indicating unauthorized network usage by a device on the network, comprising the steps of:

providing a configuration file that includes data reflecting the prior assignment of a plurality of devices including clients and servers into a plurality of zones where devices assigned to a first zone are not authorized to communicate with devices assigned to a second zone, a zone comprising a plurality of devices that are selected without regard to which physical network the devices are associated with and without regard to whether the devices in the same zone are in the same physical network or in another physical network, wherein devices as servers in a zone are authorized to communicate: (i) with other devices as clients in the same zone that are on the same physical network, and (ii) with other devices as clients in the same zone that are on different physical networks isolated by a network device, but (iii) not with other devices as clients in the same physical network that are in different zones;

passively monitoring network communications internal to the computer network by monitoring packets communicated between devices that have been assigned to the plurality of zones;

capturing packet header information from the monitored network communications;

determining the zones participating in the monitored network communications based on information in the configuration file;

determining unauthorized network usage based upon the information in the configuration file and captured packet header information indicating that a client in a first zone is attempting to communicate with a server in a second but unauthorized zone; and

generating an alarm signal for use by external equipment upon detection of unauthorized network usage.
50. In a data communication network wherein packets are communicated between devices on the network, a system for providing an alarm signal indicating unauthorized network usage by a device on the network, comprising:

a computer system including a processor and a memory storing a configuration file that includes data reflecting the prior assignment of a plurality of devices connected to the network into a plurality of zones, a zone comprising a sub-grouping of devices, wherein devices in a given zone are authorized to communicate: (i) with other devices in the same zone that are on the same physical network, and (ii) with other devices in the same zone that are on different physical networks isolated by a network device, but (iii) not with other devices in the same physical network that are in different zones; the configuration file further including unauthorized zone data specifying unauthorized zones for which devices in a particular zone are not authorized to communicate with devices in designated unauthorized zones;

the computer system operative to:

monitor network communications by capturing packet header information from packets communicated between devices that have been assigned to the zones;

determine the zones participating in the monitored zone communications based upon the unauthorized zone data in the configuration file;

determine unauthorized network usage based upon the unauthorized zone data and captured packet header information indicating that a device in a first zone is attempting to communicate with a device in a second but unauthorized zone; and

provide an alarm signal upon detection of unauthorized network usage.
63. In a data communication network wherein packets are communicated between devices on the network, a system for providing an alarm signal indicating unauthorized network usage by a device on the network, comprising:

a computer system including a processor and a memory storing a configuration file that includes data reflecting the prior assignment of a plurality of devices connected to the network into a plurality of zones, a zone comprising a plurality of devices that are authorized to communicate: (i) with other devices that are in the same zone that are on the same physical network, and (ii) with other devices in the same zone that are on different physical networks isolated by a network device, but (iii) not with other devices that are on the same physical network but in different zones; the configuration file further including unauthorized zone data specifying unauthorized zones for which devices in a particular zone are not authorized to communicate with devices in other unauthorized zones;

the computer system operative to:

receive override service data specifying particular network services for which devices in designated zones are authorized to communicate with devices in other unauthorized zones notwithstanding the unauthorized zone data;

monitor network communications by capturing packet header information from packets communicated between devices;

determine which devices are participating in the monitored network communications based on captured packet header information;

determine the zones participating in the monitored zone communications based upon the unauthorized zone data;

determine unauthorized network usage based upon the unauthorized zone data, the override service data, and captured packet header information indicating that a device as a client in a first zone is attempting to communicate with a device as a server in a second but unauthorized zone and has not been overridden by the override service data; and

provide an alarm upon detection of unauthorized network usage.
76. In a data communication network wherein packets are communicated between devices on the network, a method for providing an alarm signal indicating unauthorized network usage by a device on the network, comprising the steps of:

providing a configuration file that includes data reflecting the prior assignment of a plurality of devices on the network to a plurality of communication zones, a zone comprising a sub-grouping of devices on the network that are allowed to communicate with each other, wherein devices in each respective zone are authorized to communicate: (i) with other devices that are in the same zone that are on the same physical network, and (ii) with other devices in the same zone that are on different physical networks isolated by a network device, but (iii) not with other devices that are on the same physical network but in different zones;

determining from the configuration file allowed network services that are allowed to be provided by a device as host in one zone to devices in different communication zones and storing the allowed network services as zone data;

passively monitoring the communications between the plurality of communication zones within the data communication network by capturing packet header information from packets communicated between devices that have been assigned to the zones;

determining unauthorized network usage based upon the zone data and captured packet header information indicating that a device in a first zone is either (i) attempting to communicate with a device in a second zone for which communication is not authorized or (ii) attempting to utilize a service of a host in a second zone that is not allowed; and

generating an alarm upon the detection of unauthorized network usage.
89. A computer program product that includes a computer readable medium that is executable by a processor, the medium having stored thereon a sequence of instructions that when executed by the processor causes the processor to execute the steps of:

accessing a configuration file that includes data reflecting the prior assignment of a plurality of data communication devices into a plurality of zones where devices assigned to a first zone are not authorized to communicate with devices assigned to a second zone, a zone comprising a plurality of devices that are authorized to communicate: (i) with other devices in the same zone that are on the same physical network, and (ii) with other devices in the same zone that are on different physical networks isolated by a network device, but (iii) not with other devices in the same physical network that are in different zones; the configuration file further including unauthorized zone data specifying designated zones for which devices in a particular zone are not authorized to communicate with other devices in a different unauthorized zone;

monitoring network communications of the computer network by monitoring packets communicated between devices that have been assigned to the plurality of zones;

capturing packet header information from monitored network communications;

in response to captured packet header information from a device on the computer network, accessing the configuration file to determine whether said device is authorized to communicate packets with another device in the computer network;

determining unauthorized network usage based upon the unauthorized zone data in the configuration file and captured packet header information indicating that a device in a first zone is attempting to communicate with a device in a second but unauthorized zone; and

upon detection of unauthorized network usage, generating an alarm for use by external equipment.
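The following is an added illustration, not code from the patent or its assignee, of the zone-locking check the independent claims describe: a configuration file assigns devices to zones independent of physical subnet, names client-zone to server-zone pairs that are not authorized, and carries override services (claim 63) that re-authorize a single service across such a pair; captured packet headers are judged only on the client side of a flow. All addresses, zone names and the config layout are constructed for the example, and flagging a host absent from the configuration is a practical extra the claims do not require.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed configuration (stands in for the claimed "configuration file"):
# device -> zone assignments, client-zone -> server-zone pairs that are not
# authorized, and override services that re-authorize one service across an
# otherwise unauthorized zone pair. Addresses and zone names are made up.
CONFIG = {
    "zones": {"10.1.0.5": "workstations", "10.2.0.7": "workstations",
              "10.1.0.9": "finance_db", "10.3.0.2": "finance_db",
              "10.2.0.40": "printers"},
    "unauthorized": {("workstations", "finance_db"), ("printers", "finance_db")},
    "override_services": {("workstations", "finance_db"): {("tcp", 443)}},
}

@dataclass(frozen=True)
class PacketHeader:
    src: str
    dst: str
    proto: str
    dport: int
    syn_only: bool = False  # TCP SYN without ACK: src is the client opening the flow

def check_packet(cfg: dict, pkt: PacketHeader) -> Optional[dict]:
    """Return an alarm record for unauthorized usage, or None if authorized."""
    src_zone = cfg["zones"].get(pkt.src)
    dst_zone = cfg["zones"].get(pkt.dst)
    if src_zone is None or dst_zone is None:
        # Not required by the claims; flagging unassigned hosts is a practical extra.
        return {"reason": "unassigned device", "src": pkt.src, "dst": pkt.dst}
    # Zone membership is decided by the file, not by subnet: same zone across
    # subnets is allowed, different zones on one subnet are still checked.
    if src_zone == dst_zone:
        return None
    # Only the client side (the host opening the flow) is judged; server
    # replies within an already-open TCP flow never raise an alarm.
    if pkt.proto == "tcp" and not pkt.syn_only:
        return None
    if (src_zone, dst_zone) not in cfg["unauthorized"]:
        return None
    if (pkt.proto, pkt.dport) in cfg["override_services"].get((src_zone, dst_zone), set()):
        return None  # zone override service: this particular service is authorized
    return {"reason": "zone lock violation", "src": pkt.src, "src_zone": src_zone,
            "dst": pkt.dst, "dst_zone": dst_zone, "service": f"{pkt.proto}/{pkt.dport}"}

def monitor(cfg: dict, headers: list) -> list:
    """Run the check over captured headers; the result is the alarm feed for external equipment."""
    return [a for a in (check_packet(cfg, h) for h in headers) if a]
```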
Specification