Method and system for evaluating network security

US 6,895,436 B1
Filed: 06/29/2000
Issued: 05/17/2005
Est. Priority Date: 07/01/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method for evaluating network security comprising the steps of:

(a) initializing a list of passwords;

(b) reading network tables stored in network components managed by a network management station and generating a list of network addresses in response thereto;

(c) accessing a network component corresponding to a network address of said list of network addresses, using a password of said list of passwords, and reading one or more additional network addresses from said network component; and

(d) updating said list of network addresses in response to said reading of one or more additional network addresses.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for automatically identifying from an ordinary station connected to a TCP/IP network, the network components managed by a network management station for which it is possible to read or write over the confidential network data they store. Starting from the list of the default passwords protecting the network data and the IP addresses of the network components communicating with the ordinary station, the method allows by repeating the IP address discovery process, to discover step by step the passwords used in all the network components managed by the network management station and try to use them in reading or writing network information.

The method allows detecting the lack of protection by password which usually occurs in campus networks and thus auditing such networks against intrusion from one of the stations of the network.

32 Citations

View as Search Results

30 Claims

1. A method for evaluating network security comprising the steps of:
- (a) initializing a list of passwords;
  
  (b) reading network tables stored in network components managed by a network management station and generating a list of network addresses in response thereto;
  
  (c) accessing a network component corresponding to a network address of said list of network addresses, using a password of said list of passwords, and reading one or more additional network addresses from said network component; and
  
  (d) updating said list of network addresses in response to said reading of one or more additional network addresses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1 wherein the tables accessed in step (b) are the broadcast addresses and the Address Resolution Protocol tables.
  - 3. The method according to claim 1 wherein the tables read in step (b) are the address translation table and the routing table.
  - 4. The method of claim 1 further comprising the steps of:
    - (e) identifying additional passwords included in network management variables stored on said network management and updating said list of passwords with said additional passwords; and
      
      (f) identifying if said network component is accessible in write mode.
  - 5. The method according to claim 4 wherein step (f) further comprises the steps of:
    - reading a standard “
      
      rewriteable”
      
      network variable stored by said network component; and
      
      establishing that said network component is accessible in write mode if said variable can be rewritten.
  - 6. The method according to claim 5 wherein said standard “
    - rewriteable”
      
      network variable is sysName.
  - 7. The method according to claim 4 wherein said network management station is an SNMP network management station, and the passwords are Community Names.
  - 8. The method of claim 1 wherein said list of passwords is initialized with the password default values specified at generation of said managed network components.
  - 9. The method of claim 4 wherein step (e) further comprises the steps of:
    - retrieving a type of private Management Information Base (MIB) supported by said network component;
      
      retrieving a list of private MIB variables containing Community Names;
      
      for each MIB variable of said list of private MIB variables, extracting a corresponding MIB variable content; and
      
      if the Community Name is not known, adding the Community Name to a list of Community Names.
  - 10. The method of claim 4 further comprising the step of, for each password of said list of passwords, repeating said steps (c)-(f).

11. A computer program product embodied in a tangible storage medium, the program product including a program of instructions for performing the steps of:
- (a) initializing a list of passwords;
  
  (b) reading network tables stored in network components managed by a network management station and generating a list of network addresses in response thereto;
  
  (c) accessing a network component corresponding to a network address of said list of network addresses, using a password of said list of passwords, and reading one or more additional network addresses from said network component; and
  
  (d) updating said list of network addresses in response to said reading of one or more additional network addresses.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The program product of claim 11 wherein the tables read in step (b) are the broadcast addresses and the Address Resolution Protocol tables.
  - 13. The program product of claim 11 wherein the tables read in step(b) are the address translation table and the routing table.
  - 14. The program product of claim 11 further comprising the steps of:
    - (e) identifying additional passwords included in network management variables stored on said network management and updating said list of passwords with said additional passwords; and
      
      (f) identifying if said network component is accessible in write mode.
  - 15. The program product according to claim 14 wherein step (f) further comprises the steps of:
    - reading a standard “
      
      rewriteable”
      
      network variable stored by said network component; and
      
      establishing that said network component is accessible in write mode if said variable can be rewritten.
  - 16. The program product according to claim 15 wherein said standard “
    - rewriteable”
      
      network variable is sysName.
  - 17. The program product according to claim 14 wherein said network management station is an SNMP network management station, and the passwords are Community Names.
  - 18. The program product of claim 11 wherein said list of passwords is initialized with the password default values specified at generation of said managed network components.
  - 19. The program product of claim 14 wherein step (e) further comprises the steps of:
    - retrieving a type of private Management Information Base (MIB) supported by said network component;
      
      retrieving a list of private MIB variables containing Community Names;
      
      for each MIB variable of said list of private MIB variables, extracting a corresponding MIB variable content; and
      
      if the Community Name is not known, adding the Community Name to a list of Community Names.
  - 20. The program product of claim 14 further comprising the step of, for each password of said list of passwords, repeating said steps (c)-(f).

21. A data processing system for evaluating network security comprising:
- (a) circuitry operable for initializing a list of passwords;
  
  (b) circuitry operable for reading network tables stored in network components managed by a network management station and generating a list of network addresses in response thereto;
  
  (c) circuitry operable for accessing a network component corresponding to a network address of said list of network addresses, using a password of said list of passwords, and reading one or more additional network addresses from said network component; and
  
  (d) circuitry operable for updating said list of network addresses in response to said reading of one or more additional network addresses.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The data processing system according to claim 21 wherein the tables accessed in (b) are the broadcast addresses and the Address Resolution Protocol tables.
  - 23. The data processing system according to claim 21 wherein the tables read in (b) are the address translation table and the routing table.
  - 24. The data processing system of claim 21 further comprising:
    - (e) circuitry operable for identifying additional passwords included in network management variables stored on said network management and updating said list of passwords with said additional passwords; and
      
      (f) circuitry operable for identifying if said network component is accessible in write mode.
  - 25. The data processing system according to claim 24 wherein (f) further comprises:
    - circuitry operable for reading a standard “
      
      rewriteable”
      
      network variable stored by said network component; and
      
      circuitry operable for establishing that said network component is accessible in write mode if said variable can be rewritten.
  - 26. The data processing system according to claim 25 wherein said standard “
    - rewriteable”
      
      network variable is sysName.
  - 27. The data processing system according to claim 24 wherein said network management station is an SNMP network management station, and the passwords are Community Names.
  - 28. The data processing system of claim 21 wherein said list of passwords is initialized with the password default values specified at generation of said managed network components.
  - 29. The data processing system of claim 24 wherein (e) further comprises:
    - circuitry operable for retrieving a type of private Management Information Base (MIB) supported by said network component;
      
      circuitry operable for retrieving a list of private MIB variables containing Community Names;
      
      circuitry operable for each MIB variable of said list of private MIB variables, extracting a corresponding MIB variable content; and
      
      circuitry operable for, if the Community Name is not known, adding the Community Name to a list of Community Names.
  - 30. The data processing system of claim 24 further comprising circuitry operable for, for each password of said list of passwords, repeating an operation of (c)-(f).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Caillau, Olivier, Daude, Olivier
Primary Examiner(s)
Etienne, Ario
Assistant Examiner(s)
El-chanti, Hussein A

Application Number

US09/607,088
Time in Patent Office

1,783 Days
Field of Search

709223-225, 709218-221, 709/226, 709/250, 709/200, 709/201, 709/213
US Class Current

709/224
CPC Class Codes

H04L 41/00   Arrangements for maintenanc...

H04L 41/0213   Standardised network manage...

H04L 41/046   comprising network manageme...

H04L 63/1433   Vulnerability analysis

Method and system for evaluating network security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for evaluating network security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links