Network host isolation tool

US 7,463,593 B2
Filed: 01/13/2005
Issued: 12/09/2008
Est. Priority Date: 01/13/2005
Status: Expired due to Fees

First Claim

Patent Images

1. An automated method for blocking a plurality of devices in a network, comprising:

detecting a software infection or vulnerability in one of the plurality of devices in the network;

determining a plurality of devices in the network that need to be blocked to prevent a spread of the software infection or vulnerability from the one device to other devices in the network;

providing a list of Internet Protocol (IP) addresses corresponding to the plurality of devices to be blocked in the network; and

for each IP address in the list;

determining a router in the network connected to the IP address;

determining a layer-2 Media Access Control (MAC) address associated with the IP address; and

applying a CAM filter to a core switch associated with the router to block communication from the device corresponding to the IP address, at the core switch;

wherein the blocking of the plurality of devices occurs automatically in response to the provision of the list of IP addresses.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method, system, and computer program product for quickly and automatically blocking a plurality of computer systems in response to detection of a widespread vulnerability or software infection. The method comprises: providing a list of Internet Protocol (IP) addresses corresponding to a plurality of devices to be blocked in a network; and for each IP address in the list: determining a router in the network connected to the IP address; determining a layer-2 Media Access Control (MAC) address associated with the IP address; and applying a CAM filter to a core switch associated with the router to block communication from the device corresponding to the IP address, at the core switch; wherein the blocking of the plurality of devices occurs automatically in response to the provision of the list of IP addresses.

19 Citations

View as Search Results

22 Claims

1. An automated method for blocking a plurality of devices in a network, comprising:
- detecting a software infection or vulnerability in one of the plurality of devices in the network;
  
  determining a plurality of devices in the network that need to be blocked to prevent a spread of the software infection or vulnerability from the one device to other devices in the network;
  
  providing a list of Internet Protocol (IP) addresses corresponding to the plurality of devices to be blocked in the network; and
  
  for each IP address in the list;
  
  determining a router in the network connected to the IP address;
  
  determining a layer-2 Media Access Control (MAC) address associated with the IP address; and
  
  applying a CAM filter to a core switch associated with the router to block communication from the device corresponding to the IP address, at the core switch;
  
  wherein the blocking of the plurality of devices occurs automatically in response to the provision of the list of IP addresses.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The automated method of claim 1, further comprising:
    - for each IP address in the list;
      
      tracing the MAC address associated with the IP address through the network to determine a switch and port to which the device corresponding to the IP address is connected.
  - 3. The automated method of claim 2, further comprising:
    - logging an identity of the switch and port to which the device corresponding to the IP address is connected.
  - 4. The automated method of claim 1, wherein the list of IP addresses is input by a user, further comprising:
    - sending results of the blocking to the user who input the list of IP addresses.
  - 5. The automated method of claim 1, wherein the CAM filter isolates a device on a branch of the network from all devices on other branches of the network.
  - 6. The automated method of claim 5, wherein all devices on the branch of the network containing the isolated device can communicate with each other.
  - 7. The automated method of claim 5, wherein any non-isolated device on the branch of the network containing the isolated device can communicate with any other non-isolated device on the network.

8. A system for automatically blocking a plurality of devices in a network, comprising:
- a system for detecting a software infection or vulnerability in one of the plurality of devices in the network;
  
  a system for determining a plurality of devices in the network that need to be blocked to prevent a spread of the software infection or vulnerability from the one device to other devices in the network;
  
  a system for providing a list of Internet Protocol (IP) addresses corresponding to the plurality of devices to be blocked in the network; and
  
  a system for automatically blocking the plurality of devices in response to the provision of the list of IP addresses, wherein, for each IP address in the list, the system for automatically blocking is configured to;
  
  determine a router in the network connected to the IP address;
  
  determine a layer-2 Media Access Control (MAC) address associated with the IP address; and
  
  apply a CAM filter to a core switch associated with the router to block communication from the device corresponding to the IP address, at the core switch.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, further comprising:
    - a system for tracing the MAC address associated with each IP address through the network to determine a switch and port to which the device corresponding to the IP address is connected.
  - 10. The system of claim 9, further comprising:
    - a system for logging an identity of the switch and port to which the device corresponding to the IP address is connected.
  - 11. The system of claim 8, wherein the list of IP addresses is input by a user, further comprising:
    - sending results of the blocking to the user who input the list of IP addresses.
  - 12. The system of claim 8, wherein the CAM filter isolates a device on a branch of the network from all devices on other branches of the network.
  - 13. The system of claim 12, wherein all devices on the branch of the network containing the isolated device can communicate with each other.
  - 14. The system of claim 12, wherein any non-isolated device on the branch of the network containing the isolated device can communicate with any other non-isolated device on the network.

15. A program product stored on a recordable medium, which when executed, automatically blocks a plurality of devices in a network, the computer readable medium comprising program code for causing a computer system to:
- detect a software infection or vulnerability in one of the plurality of devices in the network;
  
  determine a plurality of devices in the network that need to be blocked to prevent a spread of the software infection or vulnerability from the one device to other devices in the network;
  
  provide a list of Internet Protocol (IP) addresses corresponding to the plurality of devices to be blocked in the network; and
  
  automatically block the plurality of devices in response to the provision of the list of IP addresses, wherein, for each IP address in the list, the blocking is configured to;
  
  determine a router in the network connected to the IP address;
  
  determine a layer-2 Media Access Control (MAC) address associated with the IP address; and
  
  apply a CAM filter to a core switch associated with the router to block communication from the device corresponding to the IP address, at the core switch.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The program product of claim 15, further comprising:
    - for each IP address in the list;
      
      tracing the MAC address associated with the IP address through the network to determine a switch and port to which the device corresponding to the IP address is connected.
  - 17. The program product of claim 16, further comprising:
    - logging an identity of the switch and port to which the device corresponding to the IP address is connected.
  - 18. The program product of claim 15, wherein the list of IP addresses is input by a user, further comprising:
    - sending results of the blocking to the user who input the list of IP addresses.
  - 19. The program product of claim 15, wherein the CAM filter isolates a device on a branch of the network from all devices on other branches of the network.
  - 20. The program product of claim 19, wherein all devices on the branch of the network containing the isolated device can communicate with each other.
  - 21. The program product of claim 19, wherein any non-isolated device on the branch of the network containing the isolated device can communicate with any other non-isolated device on the network.

22. A method for deploying an application for automatically blocking a plurality of devices in a network, comprising:
- providing a computer infrastructure being operable to;
  
  detect a software infection or vulnerability in one of the plurality of devices in the network;
  
  determine a plurality of devices in the network that need to be blocked to prevent a spread of the software infection or vulnerability from the one device to other devices in the network;
  
  provide a list of Internet Protocol (IP) addresses corresponding to the plurality of devices to be blocked in the network; and
  
  for each IP address in the list;
  
  determine a router in the network connected to the IP address;
  
  determine a layer-2 Media Access Control (MAC) address associated with the IP address; and
  
  apply a CAM filter to a core switch associated with the router to block communication from the device corresponding to the IP address, at the core switch;
  
  wherein the blocking of the plurality of devices occurs automatically in response to the provision of the list of IP addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Pohlabel, Christian A., Polard, III, James M.
Primary Examiner(s)
Pezzlo, John

Application Number

US11/034,901
Publication Number

US 20060153192A1
Time in Patent Office

1,426 Days
Field of Search

370/389, 370/337, 370/338, 370/400, 370/401, 370352-356, 370/252, 370/230, 709238-242, 709220-226, 713/201, 726/3
US Class Current

370/252
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/14   for detecting or protecting...

H04L 63/162   at the data link layer

Network host isolation tool

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Network host isolation tool

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others