Detecting unauthorized network communication
First Claim
1. A method for use with devices that are coupled by a communication medium to form an internal packet network, at least one of the devices not being an authorized conduit for communication with external devices that are not part of the internal packet network, the method comprising observing packets passing on the medium, based on the observation, detecting packets that pass between the internal packet network and one of the external devices via one of the devices that is part of the internal network, and for detected packets associated with communication with the external device, determining if the one device via which the packets pass is an authorized conduit for communication with external devices.
Abstract
Back door packet communication between a workstation on a network and a device outside the network is identified by detecting packets that are associated with communication involving devices outside the network, and identifying packets, among those detected packets, that are being sent or received by a device that is not authorized for communication with devices outside the network.
19 Claims
1. A method for use with devices that are coupled by a communication medium to form an internal packet network, at least one of the devices not being an authorized conduit for communication with external devices that are not part of the internal packet network, the method comprising
observing packets passing on the medium, based on the observation, detecting packets that pass between the internal packet network and one of the external devices via one of the devices that is part of the internal network, and for detected packets associated with communication with the external device, determining if the one device via which the packets pass is an authorized conduit for communication with external devices.
13. A method for reducing back door packet communication between a device on a network that is not an authorized conduit for communication with external devices that are outside of the network and a device outside the network comprising
detecting packets that pass between the network and the device outside the network via the device on the network, and identifying packets among the detected packets that are sent or received by the device on the network that is not authorized for communication with devices outside the network.
14. Apparatus for use in reducing packet communication between a device on a network that is not an authorized conduit for communication with devices outside the network and a device outside the network comprising
a scanner connected to observe packets passing on the network, and an analyzer that determines if one of the packets includes address information indicating that communication is occurring with the device that is not an authorized conduit for communication with devices outside the network and the external device.
15. A method for use with devices that are coupled by a communication medium to form an internal packet network, none of the devices being an authorized conduit for communication with external devices that are not part of the internal packet network, the method comprising
observing network address information in packets passing on the medium, based on the observed network address information, detecting packets intended to pass from the internal packet network to the external device via one of the devices that is part of the internal packet network, and raising an alarm with respect to packets intended for communication with an external device.
18. A method for use with devices that are coupled by a communication medium to form an internal message network, at least one of the devices not being an authorized conduit for communication with external devices that are not part of the internal message network, the method comprising
observing messages passing on the medium, based on the observation, detecting messages that pass between the internal packet network and one of the external devices via one of the devices that is part of the internal packet network, and for detected messages associated with communication with the external device, determining if the one device via which the packets pass is an authorized conduit for communication with external devices.
19. A method for use with devices that are coupled by a communication medium to form an internal packet network, at least one of the devices not being an authorized conduit for communication with external devices that are not part of the internal packet network, the method comprising
observing packets passing on the medium, based on the observation, detecting packets that pass between the internal packet network and one of the external devices via one of the devices that is part of the internal network by comparing the IP addresses of the packets with the IP addresses of devices on the internal packet network, for detected packets associated with communication with the external device, determining if the one device via which the packets pass is an authorized conduit for communication with external devices by comparing the hardware addresses of the packets with hardware addresses that correspond to devices that are authorized conduits, and for packets whose hardware addresses do not correspond to devices that are authorized conduits, reporting information about the non-authorized communication.
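The two comparisons recited in claim 19, sketched as an added Python example that is not part of the patent text: an IP-address check finds frames that cross the network boundary, and a hardware-address check tests whether the device relaying them is an authorized conduit. The internal range, the gateway MAC and the sample frames are constructed assumptions; only untagged Ethernet II frames carrying IPv4 are handled.

```python
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed internal address range
AUTHORIZED_CONDUITS = {"02:00:00:00:00:01"}          # assumed MAC of the sanctioned gateway

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip) for Ethernet II + IPv4, else None."""
    if len(frame) < 34:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or frame[14] >> 4 != 4:
        return None
    # IPv4 header starts at offset 14; source/destination sit at header offsets 12 and 16.
    return (mac(frame[6:12]), mac(frame[0:6]),
            ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34]))

def check_frame(frame):
    """Report a boundary-crossing frame relayed by a MAC that is not an authorized conduit."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    src_mac, dst_mac, src_ip, dst_ip = parsed
    src_in, dst_in = src_ip in INTERNAL_NET, dst_ip in INTERNAL_NET
    if src_in == dst_in:
        return None                      # both ends on the same side: no boundary crossing
    # Outbound: the next hop (destination MAC) is the conduit. Inbound: the source MAC is.
    conduit = dst_mac if src_in else src_mac
    if conduit in AUTHORIZED_CONDUITS:
        return None
    return {"conduit_mac": conduit,
            "internal_ip": str(src_ip if src_in else dst_ip),
            "external_ip": str(dst_ip if src_in else src_ip)}

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed sample input: Ethernet II header plus a bare 20-byte IPv4 header."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip

if __name__ == "__main__":
    host, gw, rogue = "02:00:00:00:00:05", "02:00:00:00:00:01", "02:00:00:00:00:66"
    for frame in (build_frame(gw, host, "10.0.0.5", "198.51.100.7"),
                  build_frame(rogue, host, "10.0.0.5", "198.51.100.7")):
        print(check_frame(frame))
```
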
Specification