Method of determining network penetration
Abstract
A method of determining network penetration (which may be carried on a computer readable medium) and an apparatus for performing the method are disclosed. The method includes the computer-implemented step of simulating a packet traveling in a network based on topology data and on security policy data, and providing output related to results of the step of simulating.
67 Claims
1. A method of determining network penetration, the method comprising the computer-implemented steps of:
    receiving first information that identifies a packet;
    representing a possible travel of the packet in a network based on topology data and on security policy data; wherein the step of representing comprises:
        checking the first information against an inbound access control list (ACL), included in the security policy data, of an interface of a network device comprising a network entry point for the packet, wherein checking the first information against the inbound ACL includes determining whether the inbound ACL permits ingress of the packet at the network device;
        if the inbound ACL permits the ingress of the packet at the network device, checking the first information against one or more outbound ACLs for each outbound interface of the network device to determine one or more possible outbound interfaces on which egress of the packet is permitted from the network device;
        checking the topology data to determine one or more neighbor network devices that the packet could reach, wherein the one or more neighbor network devices are respectively connected to the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device;
        repeating the checking steps for each neighbor network device, of the one or more neighbor network devices, that is connected to each of the one or more possible outbound interfaces;
    providing an output that specifies a possible penetration of the packet into the network, based on the step of representing, wherein the output comprises second information that specifies one or more of:
        possible paths that the packet could take in the network, and
        a set of network devices that the packet could reach in the network;
    wherein the steps of the method are performed by one or more computer systems.
Dependent claims: 2-20.
21. A method of determining potential penetration of packets into a network, the method comprising the computer-implemented steps of:
    receiving network topology data;
    receiving first information defining a packet flow comprising a source address;
    receiving second information defining a first network device, comprising a network address and an ingress interface identifier for an ingress interface of the first network device;
    determining whether the ingress interface of the first network device allows the packet flow to enter the first network device, based on checking the first information against a first access control list associated with the ingress interface;
    determining one or more egress interfaces of the first network device that allow egress of the packet flow from the first network device, based on checking the first information against one or more second access control lists associated with the one or more egress interfaces;
    based on the network topology data, determining one or more second network devices that are coupled to the one or more egress interfaces; and
    recursively performing the determining steps for each of the one or more second network devices;
    wherein the steps of the method are performed by one or more computer systems.
Dependent claims: 22-23.
24. A method of determining network penetration, the method comprising the computer-implemented steps of:
    representing a travel of a packet in a network based on topology data and on security policy data including at least the steps of:
        receiving first information that defines a packet by at least specifying a source address for the packet and an entry point that identifies a current network device in the network;
        starting a loop for the current network device;
        accessing access control lists (ACLs) in the security policy data stored in an ACL database and the topology data stored in a topology database;
        deciding whether an ingress interface of the current network device allows entry of the packet into the current network device by checking the first information against an inbound ACL, from the security policy data, that is associated with the ingress interface of the current network device, wherein:
            if the entry is not permitted, then terminating the loop for the current network device;
            if the entry is permitted, then checking the first information against one or more outbound ACLs, from the security policy data, for each outbound interface of the current network device to determine one or more possible outbound interfaces on which egress of the packet is permitted from the current network device;
        determining if a static routing table is present for the current network device, wherein:
            if the static routing table is present then determining from which outbound interface outbound traffic is permitted to exit the current network device; and
            if the static routing table is not present, then determining that the outbound traffic is allowed to exit through all outbound interfaces of the current network device;
        based on the topology data, determining if there are any neighboring network devices that are connected to the one or more possible outbound interfaces on which the egress of the packet is permitted from the current network device, wherein:
            if there are not any neighboring network devices, then returning an indication of the current network device as a maximum penetration point as at least part of results of the step of representing, and terminating the loop for the current network device;
        determining whether or not there are any remaining possible outbound interfaces for which results of a possible egress of the packet have not been determined, wherein:
            if there are no more remaining possible outbound interfaces, then terminating the loop for the current network device;
            if there are more remaining possible outbound interfaces, then setting the current network device to a neighboring network device that corresponds to one of the remaining possible outbound interfaces; and
        if the loop has not been terminated, then restarting the loop for the current network device;
    wherein the steps of the method are performed by one or more computer systems.
25. An apparatus for determining penetration into a network, the apparatus comprising:
    one or more processors;
    a topology database storing topology information about the network;
    an Access Control List (ACL) database storing ACLs related to the network;
    a non-transitory computer-readable storage medium storing one or more sequences of instructions that comprise instructions for displaying a penetration Graphical User Interface (GUI) including at least:
        input fields having at least:
            a source address input field for receiving at least a source address of a packet, and
            an entry point field for receiving at least one entry point to the network for the packet;
        output penetration information fields for a graphical output including:
            network devices of the network,
            connections between the network devices corresponding to the topology information,
            at least one entry point to the network,
            paths the packet is allowed to follow based on the topology information and the ACLs, and
            at least one maximum penetration point; and
    a penetration module configured to:
        access the topology database to retrieve the topology information;
        access the ACL database to retrieve the ACLs;
        receive input corresponding to the input fields;
        check the source address of the packet, specified in the source address input field, against an inbound ACL of an interface of a network device specified in the entry point field;
        if the inbound ACL permits ingress of the packet at the network device, check the source address of the packet against one or more outbound ACLs for each outbound interface of the network device to determine one or more possible outbound interfaces on which egress of the packet is permitted from the network device;
        check the topology information to determine one or more neighbor network devices that the packet could reach, wherein the one or more neighbor network devices are respectively connected to the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device;
        repeat the checks for each neighbor network device, of the one or more neighbor network devices, that is connected to each of the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device; and
        produce the graphical output for display in the penetration GUI.
26. An apparatus for determining network penetration, the apparatus comprising:
    one or more processors, and
    a non-transitory computer-readable storage medium storing one or more sequences of instructions that comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
        receiving first information that identifies a packet;
        representing a possible travel of the packet in a network based on topology data and on security policy data; wherein the step of representing comprises:
            checking the first information against an inbound access control list (ACL), included in the security policy data, of an interface of a network device comprising a network entry point for the packet, wherein checking the first information against the inbound ACL includes determining whether the inbound ACL permits ingress of the packet at the network device;
            if the inbound ACL permits the ingress of the packet at the network device, checking the first information against one or more outbound ACLs for each outbound interface of the network device to determine one or more possible outbound interfaces on which egress of the packet is permitted from the network device;
            checking the topology data to determine one or more neighbor network devices that the packet could reach, wherein the one or more neighbor network devices are respectively connected to the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device;
            repeating the checking steps for each neighbor network device, of the one or more neighbor network devices, that is connected to each of the one or more possible outbound interfaces;
        providing an output that specifies a possible penetration of the packet into the network, based on the step of representing, wherein the output comprises second information that specifies one or more of:
            possible paths that the packet could take in the network, and
            a set of network devices that the packet could reach in the network.
Dependent claims: 27-45.
46. A non-transitory computer-readable storage medium storing one or more sequences of instructions that comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
    receiving first information that identifies a packet;
    representing a possible travel of the packet in a network based on topology data and on security policy data; wherein the step of representing comprises:
        checking the first information against an inbound access control list (ACL), included in the security policy data, of an interface of a network device comprising a network entry point for the packet, wherein checking the first information against the inbound ACL includes determining whether the inbound ACL permits ingress of the packet at the network device;
        if the inbound ACL permits the ingress of the packet at the network device, checking the first information against one or more outbound ACLs for each outbound interface of the network device to determine one or more possible outbound interfaces on which egress of the packet is permitted from the network device;
        checking the topology data to determine one or more neighbor network devices that the packet could reach, wherein the one or more neighbor network devices are respectively connected to the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device;
        repeating the checking steps for each neighbor network device, of the one or more neighbor network devices, that is connected to each of the one or more possible outbound interfaces;
    providing an output that specifies a possible penetration of the packet into the network, based on the step of representing, wherein the output comprises second information that specifies one or more of:
        possible paths that the packet could take in the network, and
        a set of network devices that the packet could reach in the network.
Dependent claims: 47-66.
67. An apparatus for determining network penetration comprising:
    means for receiving first information that identifies a packet;
    means for representing a possible travel of the packet in a network based on topology data and on security policy data; wherein the means for representing comprise:
        means for checking the first information against an inbound access control list (ACL), included in the security policy data, of an interface of a network device comprising a network entry point for the packet, wherein the means for checking the first information against the inbound ACL include means for determining whether the inbound ACL permits ingress of the packet at the network device;
        means for checking the first information against one or more outbound ACLs for each outbound interface of the network device to determine one or more possible outbound interfaces on which egress of the packet is permitted from the network device when the inbound ACL permits the ingress of the packet at the network device;
        means for checking the topology data to determine one or more neighbor network devices that the packet could reach, wherein the one or more neighbor network devices are respectively connected to the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device;
        means for repeatedly invoking the means for checking the first information against the inbound ACL, the means for checking the first information against the one or more outbound ACLs, and the means for checking the topology data for each neighbor network device, of the one or more neighbor network devices, that is connected to each of the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device;
    means for providing penetration output that specifies a possible penetration of the packet into the network, based on output from the means for representing, wherein the penetration output comprises second information that specifies one or more of:
        possible paths that the packet could take in the network, and
        a set of network devices that the packet could reach in the network.
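The walk recited in claims 1 and 24 (and restated as apparatus, storage-medium and means claims in 25, 26, 46 and 67), as an added Python example that is not the patent's or any product's code: the packet is admitted only if the entry interface's inbound ACL permits it, then each outbound ACL, the static routing table (or all interfaces when none exists) and the topology decide which neighbors it reaches, and devices with no permitted next hop are reported as maximum penetration points. The topology, ACLs and routing table are constructed for the example, and the first-match/implicit-deny ACL semantics and the rule that an interface with no ACL passes traffic are assumptions of this model.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (not from the patent): device -> {interface: neighbor}; None faces outside.
LINKS = {
    "edge": {"gi0": None, "gi1": "core"},
    "core": {"gi0": "edge", "gi1": "dmz", "gi2": "lan"},
    "dmz":  {"gi0": "core"},
    "lan":  {"gi0": "core"},
}
# Constructed ACLs: (device, interface, direction) -> [(action, prefix)]; first match wins.
ACLS = {
    ("edge", "gi0", "in"):  [("permit", "203.0.113.0/24")],
    ("core", "gi2", "out"): [("deny", "0.0.0.0/0")],
}
# Constructed static routes: device -> interfaces that may carry traffic; no table = all (claim 24).
STATIC_ROUTES = {"core": {"gi1", "gi2"}}

def acl_permits(device, iface, direction, src):
    # First-match evaluation with implicit deny; an interface with no ACL passes
    # traffic (an assumption of this model).
    for action, prefix in ACLS.get((device, iface, direction), []):
        if ip_address(src) in ip_network(prefix):
            return action == "permit"
    return (device, iface, direction) not in ACLS

def penetration(src, entry_device, entry_iface):
    """Return (paths, reached, max_points): the paths the packet may follow,
    the devices it may reach, and the devices where its travel ends."""
    paths, reached, max_points = [], set(), set()
    if not acl_permits(entry_device, entry_iface, "in", src):
        return paths, reached, max_points           # denied at the entry point
    def walk(device, path):
        path = path + [device]
        reached.add(device)
        next_hops = []
        for iface in sorted(STATIC_ROUTES.get(device, set(LINKS[device]))):
            nbr = LINKS[device][iface]
            if nbr is None or nbr in path or not acl_permits(device, iface, "out", src):
                continue                            # outside, a loop, or egress denied
            nbr_in = next(i for i, d in LINKS[nbr].items() if d == device)
            if acl_permits(nbr, nbr_in, "in", src):  # ingress checked at the neighbor
                next_hops.append(nbr)
        if not next_hops:                           # maximum penetration point
            max_points.add(device)
            paths.append(path)
        for nbr in next_hops:
            walk(nbr, path)
    walk(entry_device, [])
    return paths, reached, max_points
```

With the constructed data, a packet from 203.0.113.5 entering edge/gi0 reaches edge, core and dmz, is stopped by the outbound deny on core/gi2 before the LAN, and dmz is its maximum penetration point.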