Network service zone locking
Abstract
A zone locking system detects unauthorized network usage internal to a firewall. The system determines unauthorized network usage by classifying internal hosts inside a firewall into zones. Certain specified zones are unauthorized to initiate client communications with other selected zones. However, zone override services can be designated for each associated internal zone, and thus, authorizing selected network services. An alarm or other appropriate action is taken upon the detection of unauthorized network usage.
319 Citations
32 Claims
1. In a computer network wherein packets are communicated between devices, a method for a network device to determine and block unauthorized network usage, comprising the steps within the network device of:
    reading with the network device a configuration file that includes data selectively assigning a plurality of devices into a plurality of zones where devices in a first zone are not authorized to communicate with devices in a second zone, a zone comprising a plurality of devices that are authorized to communicate (i) with other devices in the same zone that are on the same physical network, and (ii) with other devices in the same zone that are on different physical networks isolated by a network device, but (iii) not with other devices in the same physical network that are in different zones;
    receiving unauthorized zone data from the configuration file specifying designated zones for which devices in a particular zone are not authorized to communicate with other devices in a different unauthorized zone;
    passively monitoring network communications of the computer network by monitoring packets communicated between devices that have been assigned to the plurality of zones;
    capturing packet header information from monitored network communications;
    determining which devices are participating in the monitored network communications based on captured packet header information;
    determining the zones participating in the monitored zone communications based upon the unauthorized zone data;
    determining unauthorized network usage based upon the unauthorized zone data and captured packet header information indicating that a device in a first zone is attempting to communicate with a device in a second but unauthorized zone; and
    generating an alarm upon detection of unauthorized network usage, wherein the step of generating an alarm includes providing an address to a filtering table to block the unauthorized network usage.
    Dependent claims: 2, 3, 4, 5, 6, 7
8. In a computer network wherein packets are communicated between devices, a method for a network device to determine and block unauthorized network usage, comprising the steps within the network device of:
    reading with the network device a configuration file that includes data assigning a plurality of devices including clients and servers into a plurality of zones where devices in each respective zone are not authorized to communicate with devices in other zones, a zone comprising a grouping of devices that are selectively chosen from amongst a plurality of physical networks without regard to which physical networks the devices are chosen from and without regard to whether other devices in those physical networks are also chosen;
    receiving unauthorized zone data from the configuration file specifying designated zones for which devices as servers in a particular zone are authorized to communicate (i) with other devices as clients in the same zone that are on the same physical network, and (ii) with other devices as clients in the same zone that are on different physical networks isolated by a network device, but (iii) not with other devices as clients in the same physical network that are in different zones;
    passively monitoring network communications internal to the computer network by monitoring packets communicated between devices that have been assigned to the plurality of zones;
    capturing packet header information from monitored network communications;
    determining the zones participating in the monitored zone communications based upon the unauthorized zone data;
    determining unauthorized network usage based upon the unauthorized zone data and captured packet header information indicating that a client in a first zone is attempting to communicate with a server in a second but unauthorized zone; and
    generating an alarm upon detection of unauthorized network usage, wherein the step of generating an alarm includes adding a MAC address to a filtering table to block the unauthorized network usage.
    Dependent claims: 9, 10, 11, 12, 13
14. In a data communication network wherein packets are communicated between devices, a system for determining and blocking unauthorized network usage, comprising:
    a computer system that receives zone data corresponding to the assigning of a plurality of devices including servers and clients coupled to the network into a plurality of zones, a zone comprising a sub-grouping of devices on a physical network such that the physical network includes more than one zone, wherein devices in each respective zone are authorized to communicate (i) with other devices in the same zone that are on the same physical network, and (ii) with other devices in the same zone that are on different physical networks isolated by a network device, but (iii) not with other devices in the same physical network that are in different zones;
    receives unauthorized zone data specifying unauthorized zones for which devices as clients in a particular zone are not authorized to initiate client communications to devices as servers in designated unauthorized zones;
    monitors network communications by capturing packet header information from packets communicated between devices that have been assigned to the zones;
    determines the zones participating in the monitored zone communications based upon the unauthorized zone data;
    determines unauthorized network usage based upon the unauthorized zone data and captured packet header information indicating that a device as a client in a first zone is attempting to communicate with a device as a server in a second but unauthorized zone; and
    provides an alarm upon detection of unauthorized network usage, wherein the step of generating an alarm includes providing an address to a filtering table to block the unauthorized network usage.
    Dependent claims: 15, 16, 17, 18, 19, 20
21. In a data communication network wherein packets are communicated between devices, a system for determining and blocking unauthorized network usage, comprising:
    a computer system that receives zone data corresponding to the classification of a plurality of devices including servers and clients coupled to the network into a plurality of zones, a zone comprising a plurality of devices that are authorized to communicate (i) with other devices that are in the same zone that are on the same physical network, and (ii) with other devices in the same zone that are on different physical networks isolated by a network device, but (iii) are not authorized to communicate with other devices that are on the same physical network but in different zones;
    receives unauthorized zone data specifying unauthorized zones for which devices in a particular zone are not authorized to communicate with devices in other unauthorized zones;
    receives override service data specifying particular network services for which devices in designated zones are authorized to communicate with devices in other unauthorized zones acting as a client notwithstanding the unauthorized zone data;
    monitors network communications by capturing packet header information from packets communicated between devices;
    determines which devices are participating in the monitored network communications based on captured packet header information;
    determines the zones participating in the monitored zone communications based upon the unauthorized zone data;
    determines unauthorized network usage based upon the unauthorized zone data, the override service data, and captured packet header information indicating that a device as a client in a first zone is attempting to communicate with a device as a server in a second but unauthorized zone and has not been overridden by the override service data; and
    provides an alarm upon detection of unauthorized network usage and an address to a filtering table to block the unauthorized network usage.
    Dependent claims: 22, 23, 24
25. In a data communication network wherein packets are communicated between devices, a method for a network device to detect and block unauthorized network usage, comprising the steps within the network device of:
    reading with the network device a configuration file that includes data respectively assigning a plurality of devices that are coupled to the network to a plurality of communication zones, a zone comprising a sub-grouping of devices on a physical network within the data communication network such that the physical network includes more than one zone, wherein devices in each respective zone are authorized to communicate (i) with other devices that are in the same zone that are on the same physical network, and (ii) with other devices in the same zone that are on different physical networks isolated by a network device, but (iii) are not authorized to communicate with other devices that are on the same physical network but in different zones;
    determining from the configuration file allowed network services that are allowed to be provided by a device as host in one zone to devices in differing communication zones and storing the allowed network services as zone data;
    passively monitoring the communications between the plurality of communication zones within the data communication network by capturing packet header information from packets communicated between devices that have been assigned to the zones;
    determining unauthorized network usage based upon the zone data and captured packet header information indicating that a device in a first zone is either (i) attempting to communicate with a device in a second zone for which communication is not authorized or (ii) attempting to utilize a service of a host in a second zone that is not allowed; and
    generating an alarm upon the detection of unauthorized network usage, wherein the step of generating an alarm includes providing an address to a filtering table to block the unauthorized network usage.
    Dependent claims: 26, 28
27. A computer program product that includes a computer readable medium that is executable by a processor, the medium having stored thereon a sequence of instructions that when executed by the processor causes the processor to execute the steps of:
    reading a configuration file that includes data respectively assigning a plurality of devices that are coupled to a data communication network to a plurality of zones, a zone comprising a sub-grouping of devices on a physical network within the data communication network such that the physical network includes more than one zone, wherein devices in each respective zone are authorized to communicate (i) with other devices that are in the same zone that are on the same physical network, and (ii) with other devices in the same zone that are on different physical networks isolated by a network device, but (iii) are not authorized to communicate with other devices that are on the same physical network but in different zones;
    determining from the configuration file allowed network services that are allowed to be provided by a device as a server in one zone to devices in differing zones and storing the allowed network services as zone data;
    passively monitoring the communications between the plurality of zones within the communication network by capturing packet header information from packets communicated between devices that have been assigned to the zones;
    determining unauthorized network usage based upon the zone data and captured packet header information indicating that a device in a first zone is either (i) attempting to communicate with a device in a second zone for which communication is not authorized or (ii) attempting to utilize a service of a device as a server in a second zone that is not allowed; and
    generating an alarm upon the detection of unauthorized network usage, wherein the step of generating an alarm includes providing an address to a filtering table to block the unauthorized network usage.
    Dependent claims: 29, 30
31. A method for a network device to determine unauthorized network usage between computers within a data communication network wherein packets are communicated between computers, comprising the steps within the network device of:
    reading with the network device a configuration file that includes data selectively assigning computers on the network into one of a plurality of zones, each computer in each zone having an identifier, a zone comprising a plurality of devices that are authorized to communicate with other devices in the same zone that are on the same physical network and with other devices in the same zone that are on different physical networks isolated by a network device, but wherein devices on the same physical network but in different zones are not authorized to communicate with each other;
    for each zone of the plurality of zones, storing zone data specifying which other zones of the plurality of zones for which communications between computers in such other zones shall be considered unauthorized and comprise unauthorized zones;
    monitoring the packet headers of packets communicated between computers within the data communication network that have been assigned to the zones;
    based on the identifiers within a packet header of a data packet from an originating computer on the network in a first zone to a destination computer on the network in a second zone, accessing the stored zone data and determining whether the destination computer is in an unauthorized zone; and
    generating an alarm upon determination that the data packet from the originating computer was intended for a destination computer in an unauthorized zone, wherein the step of generating an alarm includes providing an address to a filtering table to block the unauthorized network usage.
    Dependent claims: 32
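The detection loop that claims 1, 8, 14, 21, 25 and 31 above describe in legal language (read a zone configuration, classify the client and server of each captured header into zones, consult the unauthorized-zone data and any override services, then alarm and push an address into a filtering table) is easier to reason about as running code. The following is an added example and is not the patent's own code or any product implementation. It assumes a hypothetical line-based configuration format (`zone`, `deny`, `allow` directives), zone membership keyed by IP address, a bare TCP SYN as the signal that a client is initiating a connection (claim 14), and blocking by adding the source MAC to a filtering table (claim 8). The header records and the configuration are constructed for the example.

```python
"""Zone locking over captured packet headers (added example, not the patent's code).
Assumed: zones keyed by IP, client initiation = bare TCP SYN, blocking = source MAC
added to a filtering table. Config format and all sample data are constructed."""
from dataclasses import dataclass, field
import ipaddress

@dataclass(frozen=True)
class Header:                # the header fields the detector consumes
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str               # "tcp" or "udp"
    dst_port: int
    syn_only: bool = False   # TCP SYN with ACK clear: a client opening a connection

@dataclass
class Policy:
    zones: dict = field(default_factory=dict)      # zone -> [ip_network, ...]
    denied: dict = field(default_factory=dict)     # client zone -> {server zones}
    overrides: dict = field(default_factory=dict)  # (client zone, server zone) -> {(proto, port)}

def parse_config(text):
    """Hypothetical config: 'zone NAME ADDR|CIDR ...', 'deny CLIENT SERVER',
    'allow CLIENT SERVER PROTO/PORT' (an override service for that zone pair)."""
    policy = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, *args = line.split()
        if kind == "zone":
            name, *addrs = args
            policy.zones.setdefault(name, []).extend(
                ipaddress.ip_network(a, strict=False) for a in addrs)
        elif kind == "deny":
            client, server = args
            policy.denied.setdefault(client, set()).add(server)
        elif kind == "allow":
            client, server, service = args
            proto, port = service.split("/")
            policy.overrides.setdefault((client, server), set()).add((proto, int(port)))
        else:
            raise ValueError(f"unknown directive: {kind!r}")
    return policy

def zone_of(policy, ip):
    """First zone whose address list contains ip; None for a device not in the config."""
    addr = ipaddress.ip_address(ip)
    for name, nets in policy.zones.items():
        if any(addr in net for net in nets):
            return name
    return None

class ZoneLock:
    def __init__(self, policy):
        self.policy = policy
        self.filter_table = set()   # MACs handed to the blocking filter
        self.alarms = []

    def inspect(self, hdr):
        """Judge one captured header, act on a violation, and return the verdict."""
        if hdr.src_mac in self.filter_table:
            return "filtered"   # address-level blocking stops all traffic from that MAC
        if hdr.proto == "tcp" and not hdr.syn_only:
            return "ignored"    # only connection attempts are judged; replies pass
        client_zone, server_zone = zone_of(self.policy, hdr.src_ip), zone_of(self.policy, hdr.dst_ip)
        if client_zone is None or server_zone is None:
            return "unzoned"    # device missing from the configuration file: out of scope
        if client_zone == server_zone:
            return "allowed"    # same zone, whether or not on the same physical network
        if server_zone not in self.policy.denied.get(client_zone, set()):
            return "allowed"
        if (hdr.proto, hdr.dst_port) in self.policy.overrides.get((client_zone, server_zone), set()):
            return "allowed"    # override service designated for this zone pair
        self.alarms.append((client_zone, hdr.src_ip, server_zone, hdr.dst_ip, hdr.proto, hdr.dst_port))
        self.filter_table.add(hdr.src_mac)
        return "blocked"

# Constructed sample: engineering and finance share the 10.1.0.0/24 physical network;
# engineering also has a host on 10.2.0.0/24 behind a router.
CONFIG = """
zone  engineering 10.1.0.10 10.1.0.11 10.2.0.5
zone  finance     10.1.0.20 10.1.0.21
zone  dmz         10.3.0.0/24
deny  engineering finance
deny  finance     engineering
allow engineering finance tcp/443   # the finance web app stays reachable
"""

def demo():
    lock = ZoneLock(parse_config(CONFIG))
    headers = [  # constructed headers, in capture order
        Header("aa:bb:cc:00:00:10", "10.1.0.10", "10.1.0.20", "tcp", 443, True),   # override service
        Header("aa:bb:cc:00:00:10", "10.1.0.10", "10.1.0.20", "tcp", 445, True),   # SMB across zones
        Header("aa:bb:cc:00:00:10", "10.1.0.10", "10.3.0.7", "tcp", 80, True),     # same MAC, now filtered
        Header("aa:bb:cc:00:00:11", "10.1.0.11", "10.2.0.5", "tcp", 22, True),     # same zone, other physical net
        Header("aa:bb:cc:00:00:20", "10.1.0.20", "10.1.0.11", "tcp", 443, False),  # server reply, not an initiation
        Header("aa:bb:cc:00:00:21", "10.1.0.21", "10.1.0.11", "udp", 161),         # no handshake: judged as an attempt
        Header("aa:bb:cc:00:00:11", "10.1.0.11", "10.3.0.7", "tcp", 80, True),     # no deny rule for this pair
        Header("aa:bb:cc:00:00:11", "10.1.0.11", "192.168.9.9", "tcp", 80, True),  # destination in no zone
    ]
    verdicts = [lock.inspect(h) for h in headers]
    return verdicts, sorted(lock.filter_table), lock.alarms
```

Two caveats a practitioner would keep in mind when deploying something built on these claims. First, everything here is decided from header fields alone: a host that spoofs a source IP belonging to another zone is classified into that zone, and a host that changes its MAC after being added to the filtering table is no longer filtered. Second, blocking by address rather than by flow (the "filtered" verdict above) cuts off the whole device, including its authorized same-zone traffic, so the alarm should reach someone who can review and clear the table entry.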
Specification