Network service zone locking

US 7,644,151 B2
Filed: 03/25/2002
Issued: 01/05/2010
Est. Priority Date: 01/31/2002
Status: Expired due to Fees

First Claim

Patent Images

1. In a computer network wherein packets are communicated between devices, a method for a network device to determine and block unauthorized network usage, comprising the steps within the network device of:

reading the network device a configuration file that includes data selectively assigning a plurality of devices into a plurality of zones where devices in a first zone are not authorized to communicate with devices in a second zone, a zone comprising a plurality of devices that are authorized to communicate;

(i) with other devices in the same zone that are on the same physical network, and(ii) with other devices in the same zone that are on different physical networks isolated by a network device, but(iii) not with other devices in the same physical network that are in different zones;

receiving unauthorized zone data from the configuration file specifying designated zones for which devices in a particular zone are not authorized to communicate with other devices in a different unauthorized zone;

passively monitoring network communications of the computer network by monitoring packets communicated between devices that have been assigned to the plurality of zones;

capturing packet header information from monitored network communications;

determining which devices are participating in the monitored network communications based on captured packet header information;

determining the zones participating in the monitored zone communications based upon the unauthorized zone data;

determining unauthorized network usage based upon the unauthorized zone data and captured packet header information indicating that a device in a first zone is attempting to communicate with a device in a second but unauthorized zone; and

generating an alarm upon detection of unauthorized network usage, wherein the step of generating an alarm includes providing an address to a filtering table to block the unauthorized network usage.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A zone locking system detects unauthorized network usage internal to a firewall. The system determines unauthorized network usage by classifying internal hosts inside a firewall into zones. Certain specified zones are unauthorized to initiate client communications with other selected zones. However, zone override services can be designated for each associated internal zone, and thus, authorizing selected network services. An alarm or other appropriate action is taken upon the detection of unauthorized network usage.

319 Citations

32 Claims

1. In a computer network wherein packets are communicated between devices, a method for a network device to determine and block unauthorized network usage, comprising the steps within the network device of:
- reading the network device a configuration file that includes data selectively assigning a plurality of devices into a plurality of zones where devices in a first zone are not authorized to communicate with devices in a second zone, a zone comprising a plurality of devices that are authorized to communicate;
  
  (i) with other devices in the same zone that are on the same physical network, and(ii) with other devices in the same zone that are on different physical networks isolated by a network device, but(iii) not with other devices in the same physical network that are in different zones;
  
  receiving unauthorized zone data from the configuration file specifying designated zones for which devices in a particular zone are not authorized to communicate with other devices in a different unauthorized zone;
  
  passively monitoring network communications of the computer network by monitoring packets communicated between devices that have been assigned to the plurality of zones;
  
  capturing packet header information from monitored network communications;
  
  determining which devices are participating in the monitored network communications based on captured packet header information;
  
  determining the zones participating in the monitored zone communications based upon the unauthorized zone data;
  
  determining unauthorized network usage based upon the unauthorized zone data and captured packet header information indicating that a device in a first zone is attempting to communicate with a device in a second but unauthorized zone; and
  
  generating an alarm upon detection of unauthorized network usage, wherein the step of generating an alarm includes providing an address to a filtering table to block the unauthorized network usage.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the zones are classified by user functions.
  - 3. The method of claim 1, wherein the zones are classified by subnet.
  - 4. The method of claim 1, wherein the zone data includes an additional zone for outside devices.
  - 5. The method of claim 1, wherein the devices operate behind a firewall.
  - 6. The method of claim 1, further comprising the step of:
    - receiving override service data specifying particular network services for which devices in designated zones are authorized to communicate with devices in other unauthorized zones notwithstanding the zone data.
  - 7. The method of claim 6, wherein the particular network services are based upon the client network services utilized by the devices assigned to an unauthorized zone.

8. In a computer network wherein packets are communicated between devices, a method for a network device to determine and block unauthorized network usage, comprising the steps within the network device of:
- reading with the network device a configuration file that includes data assigning a plurality of devices including clients and servers into a plurality of zones where devices in each respective zone are not authorized to communicate with devices in other zones, a zone comprising a grouping of devices that are selectively chosen from amongst a plurality of physical networks without regard to which physical networks the devices are chosen from and without regard to whether other devices in those physical networks are also chosen;
  
  receiving unauthorized zone data from the configuration file specifying designated zones for which devices as servers in a particular zone are authorized to communicate;
  
  (i) with other devices as clients in the same zone that are on the same physical network, and(ii) with other devices as clients in the same zone that are on different physical networks isolated by a network device, but(iii) not with other devices as clients in the same physical network that are in different zones;
  
  passively monitoring network communications internal to the computer network by monitoring packets communicated between devices that have been assigned to the plurality of zones;
  
  capturing packet header information from monitored network communications;
  
  determining the zones participating in the monitored zone communications based upon the unauthorized zone data;
  
  determining unauthorized network usage based upon the unauthorized zone data and captured packet header information indicating that a client in a first zone is attempting to communicate with a server in a second but unauthorized zone; and
  
  generating an alarm upon detection of unauthorized network usage, wherein the step of generating an alarm includes adding a MAC address to a filtering table to block the unauthorized network usage.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein the zones are classified by user functions.
  - 10. The method of claim 8, wherein the zones are classified by subnet.
  - 11. The method of claim 8, wherein the devices operate behind a firewall.
  - 12. The method of claim 8, further comprising the step of receiving override service data specifying particular network services for which devices in designated zones are authorized to communicate with devices in unauthorized zone acting as a client notwithstanding the zone data.
  - 13. The method of claim 12, wherein the particular network services are based upon the client network services utilized by the devices assigned to an unauthorized zone.

14. In a data communication network wherein packets are communicated between devices, a system for determining and blocking unauthorized network usage, comprising:
- a computer system that receives zone data corresponding to the assigning of a plurality of devices including servers and clients coupled to the network into a plurality of zones, a zone comprising a sub-grouping of devices on a physical network such that the physical network includes more than one zone, wherein devices in each respective zone are authorized to communicate;
  
  (i) with other devices in the same zone that are on the same physical network, and(ii) with other devices in the same zone that are on different physical networks isolated by a network device, but(iii) not with other devices in the same physical network that are in different zones;
  
  receives unauthorized zone data specifying unauthorized zones for which devices as clients in a particular zone are not authorized to initiate client communications to devices as servers in designated unauthorized zones;
  
  monitors network communications by capturing packet header information from packets communicated between devices that have been assigned to the zones;
  
  determines the zones participating in the monitored zone communications based upon the unauthorized zone data;
  
  determines unauthorized network usage based upon the unauthorized zone data and captured packet header information indicating that a device as a client in a first zone is attempting to communicate with a device as a server in a second but unauthorized zone; and
  
  provides an alarm upon detection of unauthorized network usage, wherein the step of generating an alarm includes providing an address to a filtering table to block the unauthorized network usage.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, wherein the zones are classified by user functions.
  - 16. The system of claim 14, wherein the zones are classified by subnet.
  - 17. The system of claim 14, wherein the zone data includes an additional zone for outside devices.
  - 18. The system of claim 14, wherein the devices operate behind a firewall.
  - 19. The system of claim 14, wherein the computer receives override service data specifying particular network services for which devices in designated zones are authorized to communicate with devices in unauthorized zones notwithstanding the zone data.
  - 20. The system of claim 19, wherein the particular network services are based upon the client network services utilized by the devices assigned to an unauthorized zone.

21. In a data communication network wherein packets are communicated between devices, a system for determining and blocking unauthorized network usage, comprising:
- a computer system that receives zone data corresponding to the classification of a plurality of devices including servers and clients coupled to the network into a plurality of zones, a zone comprising a plurality of devices that are authorized to communicate;
  
  (i) with other devices that are in the same zone that are on the same physical network, and(ii) with other devices in the same zone that are on different physical networks isolated by a network device, but(iii) are not authorized to communicate with other devices that are on the same physical network but in different zones;
  
  receives unauthorized zone data specifying unauthorized zones for which devices in a particular zone are not authorized to communicate with devices in other unauthorized zones;
  
  receives override service data specifying particular network services for which devices in designated zones are authorized to communicate with devices in other unauthorized zones acting as a client notwithstanding the unauthorized zone data;
  
  monitors network communications by capturing packet header information from packets communicated between devices;
  
  determines which devices are participating in the monitored network communications based on captured packet header information;
  
  determines the zones participating in the monitored zone communications based upon the unauthorized zone data;
  
  determines unauthorized network usage based upon the unauthorized zone data, the override service data, and captured packet header information indicating that a device as a client in a first zone is attempting to communicate with a device as a server in a second but unauthorized zone and has not been overridden by the override service data; and
  
  provides an alarm upon detection of unauthorized network usage and an address to a filtering table to block the unauthorized network usage.
- View Dependent Claims (22, 23, 24)
- - 22. The system of claim 21, wherein the zones are classified by user functions.
  - 23. The system of claim 21, wherein the zones are classified by subnets.
  - 24. The system of claim 21, wherein the devices operate behind a firewall.

25. In a data communication network wherein packets are communicated between devices, a method for a network device to detect and block unauthorized network usage, comprising the steps within the network device of:
- reading with the network device a configuration file that includes data respectively assigning a plurality of devices that are coupled to the network to a plurality of communication zones, a zone comprising a sub-grouping of devices on a physical network within the data communication network such that the physical network includes more than one zone, wherein devices in each respective zone are authorized to communicate;
  
  (i) with other devices that are in the same zone that are on the same physical network, and(ii) with other devices in the same zone that are on different physical networks isolated by a network device, but(iii) are not authorized to communicate with other devices that are on the same physical network but in different zones;
  
  determining from the configuration file allowed network services that are allowed to be provided by a device as host in one zone to devices in differing communication zones and storing the allowed network services as zone data;
  
  passively monitoring the communications between the plurality of communication zones within the data communication network by capturing packet header information from packets communicated between devices that have been assigned to the zones;
  
  determining unauthorized network usage based upon the zone data and captured packet header information indicating that a device in a first zone is either (i) attempting to communicate with a device in a second zone for which communication is not authorized or (ii) attempting to utilize a service of a host in a second zone that is not allowed; and
  
  generating an alarm upon the detection of unauthorized network usage, wherein the step of generating an alarm includes providing an address to a filtering table to block the unauthorized network usage.
- View Dependent Claims (26, 28)
- - 26. The method of claim 25, further comprising the step of determining override, service data specifying particular network services in which devices in designated communication zones are authorized to communicate with devices in unauthorized communication zones notwithstanding the zone data.
  - 28. The computer program product of claim 26, further comprising the step of determining override service data specifying particular network services in which devices in designated communication zones are authorized to communicate with devices in unauthorized communication zones notwithstanding the zone data.

27. A computer program product that includes a computer readable medium that is executable by a processor, the medium having stored thereon a sequence of instructions that when executed by the processor causes the processor to execute the steps of:
- reading a configuration file that includes data respectively assigning a plurality of devices that are coupled to a data communication network to a plurality of zones,a zone comprising a sub-grouping of devices on a physical network within the data communication network such that the physical network includes more than one zone, wherein devices in each respective zone are authorized to communicate;
  
  (i) with other devices that are in the same zone that are on the same physical network, and(ii) with other devices in the same zone that are on different physical networks isolated by a network device, but(iii) are not authorized to communicate with other devices that are on the same physical network but in different zones;
  
  determining from the configuration file allowed network services that are allowed to be provided by a device as a server in one zone to devices in differing zones and storing the allowed network services as zone data;
  
  passively monitoring the communications between the plurality of zones within the communication network by capturing packet header information from packets communicated between devices that have been assigned to the zones;
  
  determining unauthorized network usage based upon the zone data and captured packet header information indicating that a device in a first zone is either (i) attempting to communicate with a device in a second zone for which communication is not authorized or (ii) attempting to utilize a service of a device as a server in a second zone that is not allowed; and
  
  generating an alarm upon the detection of unauthorized network usage, wherein the step of generating an alarm includes providing an address to a filtering table to block the unauthorized network usage.
- View Dependent Claims (29, 30)
- - 29. The computer program product of claim 27, wherein the communication zones are classified by defined user functions.
  - 30. The computer program product of claim 27, wherein the communication zones are classified by subnet.

31. A method for a network device to determine unauthorized network usage between computers within a data communication network wherein packets are communicated between computers, comprising the steps within the network device of:
- reading with the network device a configuration file that includes data selectively assigning computers on the network into one of a plurality of zones, each computer in each zone having an identifier, a zone comprising a plurality of devices that are authorized to communicate with other devices in the same zone that are on the same physical network and with other devices in the same zone that are on different physical networks isolated by a network device, but wherein devices on the same physical network but in different zones are not authorized to communicate with each other;
  
  for each zone of the plurality of zones, storing zone data specifying which other zones of the plurality of zones for which communications between computers in such other zones shall be considered unauthorized and comprise unauthorized zones;
  
  monitoring the packet headers of packets communicated between computers within the data communication network that have been assigned to the zones;
  
  based on the identifiers within a packet header of a data packet from an originating computer on the network in a first zone to a destination computer on the network in a second zone, accessing the stored zone data and determining whether the destination computer is in an unauthorized zone; and
  
  generating an alarm upon determination that the data packet from the originating computer was intended for a destination computer in an unauthorized zone, wherein the step of generating an alarm includes providing an address to a filtering table to block the unauthorized network usage.
- View Dependent Claims (32)
- - 32. The method of claim 31, wherein the zone data comprises, for each zone, data items identifying one or more other zones for which communications are unauthorized, and further comprising the step of:
    - for at least one zone data item, storing override data identifying one or more services for which communications between computers in such zones for such one or more services is nonetheless authorized notwithstanding the zone data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Lancope, Inc. (Cisco Systems, Inc.)
Inventors
Jerrim, John, Copeland, John A.
Primary Examiner(s)
Etienne; Ario
Assistant Examiner(s)
Burgess; Barbara N

Application Number

US10/106,298
Publication Number

US 20040088571A1
Time in Patent Office

2,843 Days
Field of Search

709/223, 709/224, 709/227, 709/212, 713/154, 725/25, 726/22, 726/23, 726/25
US Class Current

709/224
CPC Class Codes

G06F 21/1012   to domains

G06F 21/552   involving long-term monitor...

H04L 2101/663   Transport layer addresses, ...

H04L 43/026   using flow identification

H04L 63/02   for separating internal fro...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

Network service zone locking

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

319 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Network service zone locking

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

319 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links