Method and system for analyzing the security of a network

US 7,849,497 B1
Filed: 12/14/2006
Issued: 12/07/2010
Est. Priority Date: 12/14/2006
Status: Active Grant

First Claim

Patent Images

1. A method for analyzing security of a computer network, the method comprising:

collecting security configuration settings from each of a plurality of nodes of the computer network, for each node;

opening a communication session with the node;

querying the node using the communication session to determine the node'"'"'s security configurations settings; and

obtaining rules that each of the nodes uses to admit or deny network traffic;

graphically displaying topology of the network on a user interface by displaying a representation for each of the nodes on the network and displaying connections between the representations, the connections being representative of communication paths between each of the nodes;

receiving, from a user, a selection of a first representation of a first node of the plurality of nodes and a second representation of a second node of the plurality of nodes;

displaying a plurality of rules for each of the first and second nodes, the rules indicating a plurality of criteria by which each of the nodes admits or denies traffic on the network;

analyzing the security configuration settings;

generating a security path policy for along each of all possible communications paths between the first and second nodes based on the results of the analyzing step, the generating step further comprising;

determining an aggregate effect of the security settings of each of the devices along each of the possible communications paths between the first and second nodes;

expressing the generated security path policy in the form of a canonical ruleset language;

displaying a plurality of rules including all rules for all nodes comprising the aggregate effect of the generated security path policy, the rules indicating a plurality of criteria by which each of the nodes admits or denies traffic on the network; and

displaying the generated security path policy on the user interface.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are a method and system for analyzing the security of a computer network. According to various implementations, there is a device adapter associated with each device that has a significant impact on the security of the network (e.g., routers, switches, gateways, or “significant hosts”). The device adapter, which may be implemented as a piece of software executing remotely from the device, queries the device to determine what its security settings are (e.g., its firewall rules). The device adapter conducts the query using whichever form of communication the device requires (e.g., telnet, HTTP) and using whichever command set the device requires. Each type of device on the network has a software model associated with it. For example, there may be a router model, a switch model, a firewall model, and a gateway model. The model is made up of a series of rule sets. Each rule set includes rules that are derived from the configuration of the device (obtained by the device adapter). The rules are expressed in a canonical rule set language. A global view of the security policy of the network is generated based on the modeled behaviors of the security devices (i.e., devices that have an impact on security) of the network, and is displayed on a user interface.

68 Citations

View as Search Results

16 Claims

1. A method for analyzing security of a computer network, the method comprising:
- collecting security configuration settings from each of a plurality of nodes of the computer network, for each node;
  
  opening a communication session with the node;
  
  querying the node using the communication session to determine the node'"'"'s security configurations settings; and
  
  obtaining rules that each of the nodes uses to admit or deny network traffic;
  
  graphically displaying topology of the network on a user interface by displaying a representation for each of the nodes on the network and displaying connections between the representations, the connections being representative of communication paths between each of the nodes;
  
  receiving, from a user, a selection of a first representation of a first node of the plurality of nodes and a second representation of a second node of the plurality of nodes;
  
  displaying a plurality of rules for each of the first and second nodes, the rules indicating a plurality of criteria by which each of the nodes admits or denies traffic on the network;
  
  analyzing the security configuration settings;
  
  generating a security path policy for along each of all possible communications paths between the first and second nodes based on the results of the analyzing step, the generating step further comprising;
  
  determining an aggregate effect of the security settings of each of the devices along each of the possible communications paths between the first and second nodes;
  
  expressing the generated security path policy in the form of a canonical ruleset language;
  
  displaying a plurality of rules including all rules for all nodes comprising the aggregate effect of the generated security path policy, the rules indicating a plurality of criteria by which each of the nodes admits or denies traffic on the network; and
  
  displaying the generated security path policy on the user interface.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the communication session is opened using a protocol selected from a group consisting of telnet, secure shell (SSH), and Simple Network Management Protocol (SNMP).
  - 3. The method of claim 1, wherein at least one of the plurality of nodes acts as a network control device that is a firewall, router, layer 3 switch, or other network control device, and wherein the collecting step comprises:
    - executing a device adapter that corresponds to the manufacturer and model of the network control device;
      
      the device adapter opening the communication session with the network control device;
      
      the device adapter obtaining, from the network control device, the rules that the network control device uses to admit or deny network traffic; and
      
      converting the security configuration settings into a set of canonical rules, wherein the step of generating the security path policy utilizes the canonical rules.
  - 4. The method of claim 1, wherein the graphically displaying step comprises displaying an icon as the representation for each of the nodes on the network and displaying lines as the connections between the icons, the lines being representative of communication paths between the nodes.
  - 5. The method of claim 1, wherein the security path policy is an inter-node communication policy and comprises a set of multiple tuples, where each tuple comprises the following elements:
    - network protocol, source address, source port, destination address, and destination port.
  - 6. The method of claim 1, further comprising presenting the user with an element for node selection comprising entering a 1-to-1, 1-to-n, or n-to-1 node relationship for one or more source nodes and one or more destination nodes.

7. A method for analyzing security of a computer network, the method comprising:
- collecting security configuration settings from a plurality of nodes of the computer network, for each node;
  
  opening a communication session with the node;
  
  querying the node using the communication session to determine the node'"'"'s security configuration settings; and
  
  obtaining rules that each of the nodes uses to admit or deny network traffic;
  
  graphically displaying topology of the network on a user interface by displaying a representation for each of the nodes on the network and displaying connections between the representations, the connections being representative of communication paths between each of the nodes;
  
  receiving, from a user, a selection of a first representation of a first node of the plurality of nodes and a second representation of a second node of the plurality of nodes;
  
  analyzing the security configuration settings using a plurality of criteria;
  
  generating a security path policy for along each of all possible communication paths between the first and second nodes based on the results of the analyzing step, the generating step further comprising;
  
  determining an aggregate effect of the security settings of each of the devices along each of the possible communications paths between the first and second nodes;
  
  expressing the generated security path policy in terms of the plurality of criteria;
  
  displaying a plurality of rules including all rules for all nodes comprising the aggregate effect of the generated security path policy, the rules indicating a plurality of criteria by which each of the nodes admits or denies traffic on the network;
  
  graphically representing the generated security path policy as a hierarchy, wherein each of the plurality of criteria occupies a level in the hierarchy;
  
  receiving a user request to reorder the plurality of criteria within the hierarchy; and
  
  based on the user request, repeating the graphically representing step using the reordered plurality of criteria.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, wherein the plurality of criteria include a source address and a source port of the communication.
  - 9. The method of claim 7, wherein the plurality of criteria include a destination address and a destination port of the communication.
  - 10. The method of claim 7, wherein the plurality of criteria include a communications protocol.
  - 11. The method of claim 7, wherein:
    - the security path policy is an inter-node communication policy and comprises a set of multiple tuples, wherein each tuple comprises a plurality of elements;
      
      a number of levels in the hierarchical tree corresponds to a number of elements in a tuple;
      
      each tree element at a given level corresponds with a unique value of the element within the tuple; and
      
      a relationship between the hierarchical tree order and the tuple element order can be varied by the user;
      
      the graphically representing step comprises displaying the hierarchical tree as having branches that can be expanded or collapsed, the tree; and
      
      the receiving step comprises receiving a user selection of a criteria of the plurality that is to be promoted or demoted.

12. A system for analyzing security of a computer network, the system comprising:
- a plurality of devices communicatively linked to the computer network;
  
  a computer communicatively linked to the computer network for collecting security configuration settings from each of the plurality of devices, the computer comprising software in a non-transient medium comprising;
  
  a plurality of device adapters, each device adapter corresponding to a device of the plurality of devices, each device adapter performing steps comprising;
  
  opening a communication session with the device using a communication protocol that the device is configured for; and
  
  extracting security configuration information from the device by querying the device during the communication session, including information regarding which types of communication the device allows and which types of communication the device denies;
  
  a network simulator comprising software in a non-transient medium that performs steps comprising;
  
  defining models for the plurality of devices based on the extracted security configuration information;
  
  deriving a security path policy for communication between a first device and a second device of the plurality of devices based on the defined models, the security path policy being expressed as a set of criteria for admitting and denying communication between the first and second devices and based on an aggregate effect of the security settings of each of the plurality of devices along each possible communication path between the first and second devices;
  
  a user interface device that graphically displays a topology of the network on the user interface device by displaying a representation for each of the devices on the network and displaying connections between the representations, the connections being representative of communication paths between the devices, and that graphically displaying a plurality of rules including all rules for all nodes comprising the aggregate effect of the generated security path policy, the rules indicating a plurality of criteria by which each of the nodes admits or denies traffic on the network;
  
  wherein the user interface device comprises a user interface module that performs steps comprising;
  
  receiving a user'"'"'s selection of the first device and the second device;
  
  displaying, to the user, the derived security path policy in a form of a tree, the tree being structured based rank order of the criteria;
  
  receiving, from the user, a request to change the rank order of the criteria; and
  
  re-displaying the tree to the user based on the changed rank order.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12, wherein the device includes a network control device that includes a firewall, a router, a layer 3 switch, or other network control element, and the extracted security configuration information includes the allow and deny rules for the network control device.
  - 14. The system of claim 12, wherein the criteria includes the source address, the source port, the destination address, the destination port, and the transport protocol used for the communication between the first device and the second device.
  - 15. The system of claim 12, wherein the user interface module performs further steps comprising:
    - receiving from the user an request to filter out elements of the security policy based on a specific value for a criteria of the set of criteria; and
      
      re-displaying the tree so that it only contains elements that meet the specified value for the criteria.
  - 16. The system of claim 12, wherein the communication session is conducted using a protocol selected from the group consisting of telnet, hypertext transport protocol, command line interface, and simple network management protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SolarWinds Worldwide LLC (SolarWinds Corp.)
Original Assignee
Athena Security, Inc. (SolarWinds Corp.)
Inventors
Hurst, David, Raghavan, Vijaya, Yerasi, Chandrasekhara Reddy
Primary Examiner(s)
GERGISO, TECHANE

Application Number

US11/639,875
Time in Patent Office

1,454 Days
Field of Search

726/1, 713/153
US Class Current

726/1
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1433   Vulnerability analysis

H04L 67/75   Indicating network or usage...

Method and system for analyzing the security of a network

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Method and system for analyzing the security of a network

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others