Method and apparatus for host probing

US 7,299,489 B1
Filed: 05/25/2000
Issued: 11/20/2007
Est. Priority Date: 05/25/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A communications network security method for ascertaining the integrity of a first communications network and identifying potential security risks across a perimeter of the first communications network, the method comprising:

identifying a plurality of routes that define the first communications network;

identifying a plurality of hosts associated with the first communications network as a function of the plurality of routes;

receiving a census of the first communications network as a function of the plurality of hosts to determine a topology of the first communications network;

probing at least one first host of the plurality hosts of the first communications network by generating and transmitting a packet to the first host, the first host being selected from the census results and the packet having at least a source address of a second host which is associated with a second communications network, wherein the source address is selected independent of any request from the second host to the first host; and

determining a security characteristic of the probed first host as a function of a response by the probed first host in receiving the packet, the security characteristic being a measure of connectivity between the first communications network and the second communications network, the measure of connectivity being an indication of connectivity between the first communications network and the second communications network.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for analyzing the perimeter security of communications networks. More particularly, information is identified which defines a particular communications network, e.g., an intranet, and identifying the connected hosts thereto. Utilizing such information, a determination is made with respect to identifying the routes that define the network. Utilizing the routing information, the connectivity of the hosts within the network, e.g., an intranet, is probed to ascertain the integrity of the network and thereby identifying potential security risks across the perimeter defense of the network.

48 Citations

View as Search Results

23 Claims

1. A communications network security method for ascertaining the integrity of a first communications network and identifying potential security risks across a perimeter of the first communications network, the method comprising:
- identifying a plurality of routes that define the first communications network;
  
  identifying a plurality of hosts associated with the first communications network as a function of the plurality of routes;
  
  receiving a census of the first communications network as a function of the plurality of hosts to determine a topology of the first communications network;
  
  probing at least one first host of the plurality hosts of the first communications network by generating and transmitting a packet to the first host, the first host being selected from the census results and the packet having at least a source address of a second host which is associated with a second communications network, wherein the source address is selected independent of any request from the second host to the first host; and
  
  determining a security characteristic of the probed first host as a function of a response by the probed first host in receiving the packet, the security characteristic being a measure of connectivity between the first communications network and the second communications network, the measure of connectivity being an indication of connectivity between the first communications network and the second communications network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the source address of the second host is a return IP address external to the first communications network.
  - 3. The method of claim 2 wherein the response of the probed first host to the receipt of the packet includes transmitting a second packet, the second packet being derived using at least a portion of information from the received packet.
  - 4. The method of claim 2 wherein the measure of connectivity is determined by the further operation of:
    - monitoring the probed first host to determine the response, and if the response includes a transmission of a second packet from the probed first host to the second host at the return IP address, generating a security alert message identifying the probed first host as a security risk.
  - 5. The method of claim 3 wherein the first communications network and the second communications network have different security levels.
  - 6. The method of claim 3 wherein the transmitted packet is a TCP packet which returns a TCP packet in response thereto.
  - 7. The method of claim 3 wherein the second packet is a UDP packet or an ICMP packet, which returns either a UDP packet or ICMP packet in response thereto.

8. A method for analyzing network security across a perimeter of a first communications network utilizing a security host, the method comprising:
- receiving a census of the first communications network;
  
  generating and transmitting, from the security host, a packet associated with a host of a second communications network to a particular one host of a plurality of hosts internal to the first communications network, the internal host being selected from the census, and the packet having an IP source address associated with the host of the second communications network, wherein the IP source address is selected independent of any request from the host of the second communications network to the internal host of the first communications network; and
  
  determining a security characteristic of the particular one internal host of the first communications network as a function of a response by the internal host to the receipt of the packet, the security characteristic being a measure of connectivity between the first communications network and the second communications network, the measure of connectivity being an indication of connectivity between the first communications network and the second communications network.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8 wherein the measure of connectivity is a function of whether the internal host of the first communications network communicates with the host of the second communications network, and the measure of connectivity being determined by the further operation of:
    - monitoring the internal host to determine the response, and if the response includes a transmission of a second packet, utilizing the IP source address, from the internal host to the host of the second communications network, generating a security alert message identifying the internal host as a security risk.
  - 10. The method of claim 9 wherein the second packet is derived using at least a portion of information from the transmitted packet.
  - 11. The method of claim 10 wherein the internal host is a dual-homed host.
  - 12. The method of claim 9 wherein the security characteristic includes an indication that the internal host is outside any security measures provided by a firewall associated with the first communications network.

13. A communications system for ascertaining the integrity of a first communications network and identifying potential security risks across a perimeter of the first communications network, the communications system comprising:
- a first plurality of computers associated with the first communications network;
  
  a second plurality of computers associated with a second communications network; and
  
  a security host computer which determines a security characteristic of a first computer from the first plurality of computers, the security characteristic being a measure of connectivity between the first communications network and the second communications network by probing the first computer by generating and transmitting a packet to the first computer, the first computer being selected from a census of the first communications network and the packet being generated as a function of both an IP source address associated with a second computer of the second plurality of computers, wherein said IP source address is selected independent of any request from the second computer to the first computer, and an IP address associated with the first computer, and determining the measure of connectivity as a function of a response of the first computer to receiving the packet, the measure of connectivity being an indication of connectivity between the first communications network and the second communications network.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The communications system of claim 13 wherein the security host computer is associated with the first communications network.
  - 15. The communications system of claim 14 wherein the response of the first computer to the receipt of the packet includes transmitting a second packet, the second packet being derived using at least a portion of information from the received packet.
  - 16. The communications system of claim 15 wherein the security host computer determines the measure of connectivity by monitoring the probed first computer to determine the response, and if the response includes the transmission of the second packet from the probed host, generating a security alert message identifying the first computer as a security risk.
  - 17. The communications system of claim 14 wherein the first communications network is an intranet and the second communications network is an Internet, and the first communications network and the second communications network have different security levels.

18. A security host computer for ascertaining the integrity of a first communications network and identifying potential security risks across a perimeter of the first communications network, the security host computer comprising:
- means for performing a census of the first communications network and determining a topology of the first communications network, the topology being defined by at least one computer,means for probing the at least one computer by generating and transmitting a packet to the computer, the computer being selected from the census results and the packet being generated as a function of (i) the topology, (ii) an IP source address associated with a particular host computer associated with a second communications network, wherein the IP source address is selected independent of any request from the second computer to the first computer, and (iii) an IP address associated with the computer, die second communications network being separate from the first communications network; and
  
  a monitor for determining a security level of the computer as a function of a response by the computer to the receipt of the packet, and the security level being a measure of connectivity between the first communications network and the second communications network, the measure of connectivity being an indication of connectivity between the first communications network and the second communications network.
- View Dependent Claims (19, 20)
- - 19. The security host computer of claim 18 wherein the measure of connectivity is determined by monitoring the computer'"'"'s response, and if the response includes a transmission of a second packet, utilizing the IP source address, from the computer, a security alert message identifying the computer as a security risk is generated.
  - 20. The security host computer of claim 19 wherein the first communications network and the second communications network have different security levels.

21. A machine-readable medium having stored thereon a plurality of instructions, the plurality of instructions including instructions that, when executed by a machine, cause the machine to perform of a method for analyzing a first communications network'"'"'s integrity and identifying potential security risks across a perimeter of the first communications network by receiving a census of the first communications network;
- probing a first host of the first communications network by generating and transmitting a packet to the first host, the host being selected from the census results and the packet being derived as a function of a topology of the first communications network and the packet having a source address which is associated with a second host of a second communications network, wherein the source address is selected independent of any request from the second host to the first host; and
  
  determining the first communications network'"'"'s integrity as a function of a response by the probed host in receiving the packet wherein the response indicates a measure of connectivity between the first communications network communicates and the second communications network, and the measure of connectivity being an indication of connectivity between the first communications network and the second communications network.
- View Dependent Claims (22, 23)
- - 22. The machine-readable medium of claim 21 wherein the response of the probed first host to the receipt of the packet includes transmitting a second packet, the second packet being derived using at least a portion of information from the received packet.
  - 23. The machine-readable medium of claim 22 wherein the first communications network is an intranet, and the second communications network is an Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Inventors
Cheswick, William R., Burch, Hal Joseph, Branigan, Steven
Primary Examiner(s)
ZIA, SYED

Application Number

US09/578,633
Time in Patent Office

2,735 Days
Field of Search

713/201
US Class Current

726/2
CPC Class Codes

H04L 41/12 Discovery or management of ...

H04L 63/1433 Vulnerability analysis

Method and apparatus for host probing

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for host probing

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links