Method of determining network penetration

US 7,971,244 B1
Filed: 11/19/2003
Issued: 06/28/2011
Est. Priority Date: 11/19/2003
Status: Active Grant

First Claim

Patent Images

1. A method of determining network penetration, the method comprising the computer-implemented steps of:

receiving first information that identifies a packet;

representing a possible travel of the packet in a network based on topology data and on security policy data;

wherein the step of representing comprises;

checking the first information against an inbound access control list (ACL), included in the security policy data, of an interface of a network device comprising a network entry point for the packet, wherein checking the first information against the inbound ACL includes determining whether the inbound ACL permits ingress of the packet at the network device;

if the inbound ACL permits the ingress of the packet at the network device, checking the first information against one or more outbound ACLs for each outbound interface of the network device to determine one or more possible outbound interfaces on which egress of the packet is permitted from the network device;

checking the topology data to determine one or more neighbor network devices that the packet could reach, wherein the one or more neighbor network devices are respectively connected to the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device;

repeating the checking steps for each neighbor network device, of the one or more neighbor network devices, that is connected to each of the one or more possible outbound interfaces;

providing an output that specifies a possible penetration of the packet into the network, based on the step of representing, wherein the output comprises second information that specifies one or more of;

possible paths that the packet could take in the network, and a set of network devices that the packet could reach in the network;

wherein the steps of the method are performed by one or more computer systems.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of determining network penetration (which may be carried on a computer readable medium) and an apparatus for performing the method are disclosed. The method includes the computer-implemented step of simulating a packet traveling in a network based on topology data and on security policy data, and providing output related to results of the step of simulating.

Citations

67 Claims

1. A method of determining network penetration, the method comprising the computer-implemented steps of:
- receiving first information that identifies a packet;
  
  representing a possible travel of the packet in a network based on topology data and on security policy data;
  
  wherein the step of representing comprises;
  
  checking the first information against an inbound access control list (ACL), included in the security policy data, of an interface of a network device comprising a network entry point for the packet, wherein checking the first information against the inbound ACL includes determining whether the inbound ACL permits ingress of the packet at the network device;
  
  if the inbound ACL permits the ingress of the packet at the network device, checking the first information against one or more outbound ACLs for each outbound interface of the network device to determine one or more possible outbound interfaces on which egress of the packet is permitted from the network device;
  
  checking the topology data to determine one or more neighbor network devices that the packet could reach, wherein the one or more neighbor network devices are respectively connected to the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device;
  
  repeating the checking steps for each neighbor network device, of the one or more neighbor network devices, that is connected to each of the one or more possible outbound interfaces;
  
  providing an output that specifies a possible penetration of the packet into the network, based on the step of representing, wherein the output comprises second information that specifies one or more of;
  
  possible paths that the packet could take in the network, and a set of network devices that the packet could reach in the network;
  
  wherein the steps of the method are performed by one or more computer systems.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein the security policy data comprises one or more access control lists of one or more network devices in the network.
  - 3. The method of claim 1, wherein the first information comprises packet parameters.
  - 4. The method of claim 3, wherein the packet parameters comprise an identifier of the network entry point where the packet enters the network.
  - 5. The method of claim 3, wherein the packet parameters comprise a destination address.
  - 6. The method of claim 1, wherein the topology data is received as input related to a user interface.
  - 7. The method of claim 1, wherein the security policy data is based on access control lists associated with input received in a user interface.
  - 8. The method of claim 1, wherein the step of representing further comprises determining a maximum penetration point.
  - 9. The method of claim 1, wherein the step of representing comprises accessing the security policy data and the topology data related to a neighbor network device for which it has been determined that the packet could reach.
  - 10. The method of claim 1, wherein the step of representing comprises determining whether ingress is allowed to a neighbor network device for which it has been determined that could be reached by the packet.
  - 11. The method of claim 1, wherein the step of representing comprises determining whether there are any neighboring network devices to a neighbor network device for which it has been determined that the packet could reach.
  - 12. The method of claim 1, wherein the step of representing comprises determining whether there are any outbound interfaces that have not yet been checked for whether there is another network device connected thereto.
  - 13. The method of claim 12, wherein the step of representing comprises recursively applying the step of determining whether there are any outbound interfaces.
  - 14. The method of claim 1, further comprising receiving third information that specifies packet parameters corresponding to a plurality of different packets.
  - 15. The method of claim 1, wherein the step of representing comprises:
    - for a neighbor network device for which it is determined that the packet could reach, determining if a static routing table is present; and
      
      if the static routing table is present, thenaccessing the static routing table, anddetermining an outbound interface through which egress of the packet from the neighbor network device is permitted based on the static routing table.
  - 16. The method of claim 15, further comprising not considering any outbound interface through which egress of the packet is permitted by the static routing table but is not permitted by an access control list associated with the security policy data.
  - 17. The method of claim 1, wherein the step of representing comprises:
    - for a neighbor network device for which it is determined that the packet could reach, determining if a static routing table is present; and
      
      if the static routing table is not present, then for each outbound interface of the neighbor network device, representing an egress by the packet as part of the representing of the possible travel of the packet.
  - 18. The method of claim 1, wherein the step of receiving the first information further comprises receiving packet parameters that support transmission control protocol flags.
  - 19. The method of claim 1, wherein the output comprises a graphical display of at least the second information.
  - 20. The method of claim 18, wherein the graphical display also includes at least a mapping of the set of network devices and connections between the network devices in the set of network devices.

21. A method of determining potential penetration of packets into a network, the method comprising the computer-implemented steps of:
- receiving network topology data;
  
  receiving first information defining a packet flow comprising a source address;
  
  receiving second information defining a first network device, comprising a network address and an ingress interface identifier for an ingress interface of the first network device;
  
  determining whether the ingress interface of the first network device allows the packet flow to enter the first network device, based on checking the first information against a first access control list associated with the ingress interface;
  
  determining one or more egress interfaces of the first network device that allow egress of the packet flow from the first network device, based on checking the first information against one or more second access control lists associated with the one or more egress interfaces;
  
  based on the network topology data, determining one or more second network devices that are coupled to the one or more egress interfaces; and
  
  recursively performing the determining steps for each of the one or more second network devices;
  
  wherein the steps of the method are performed by one or more computer systems.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, further comprising the step of determining if a static routing table is present for the first network device, and wherein the step of determining the one or more egress interfaces further comprises checking the first information against the static routing table.
  - 23. The method of claim 22, further comprising not considering an egress interface through which egress of the packet flow is permitted by the static routing table but is not permitted by the one or more second access control lists.

24. A method of determining network penetration, the method comprising the computer-implemented steps of:
- representing a travel of a packet in a network based on topology data and on security policy data including at least the steps of;
  
  receiving first information that defines a packet by at least specifying a source address for the packet and an entry point that identifies a current network device in the network;
  
  starting a loop for the current network device;
  
  accessing access control lists (ACLs) in the security policy data stored in an ACL database and the topology data stored in a topology database;
  
  deciding whether an ingress interface of the current network device allows entry of the packet into the current network device by checking the first information against an inbound ACL, from the security policy data, that is associated with the ingress interface of the current network device, wherein;
  
  if the entry is not permitted, then terminating the loop for the current network device;
  
  if the entry is permitted, thenchecking the first information against one or more outbound ACLs, from the security policy data, for each outbound interface of the current network device to determine one or more possible outbound interfaces on which egress of the packet is permitted from the current network device;
  
  determining if a static routing table is present for the current network device, wherein;
  
  if the static routing table is present then determining from which outbound interface outbound traffic is permitted to exit the current network device; and
  
  if the static routing table is not present, then determining that the outbound traffic is allowed to exit through all outbound interfaces of the current network device;
  
  based on the topology data, determining if there are any neighboring network devices that are connected to the one or more possible outbound interfaces on which the egress of the packet is permitted from the current network device, wherein;
  
  if there are not any neighboring network devices, then returning an indication of the current network device as a maximum penetration point as at least part of results of the step of representing, and terminating the loop for the current network device;
  
  determining whether or not there are any remaining possible outbound interfaces for which results of a possible egress of the packet have not been determined, wherein;
  
  if there are no more remaining possible outbound interfaces, then terminating the loop for the current network device;
  
  if there are more remaining possible outbound interfaces, then setting the current network device to a neighboring network device that corresponds to one of the remaining possible outbound interfaces; and
  
  if the loop has not been terminated, then restarting the loop for the current network device;
  
  wherein the steps of the method are performed by one or more computer systems.

25. An apparatus for determining penetration into a network, the apparatus comprising:
- one or more processors;
  
  a topology database storing topology information about the network;
  
  an Access Control List (ACL) database storing ACLs related to the network;
  
  a non-transitory computer-readable storage medium storing one or more sequences of instructions that comprise instructions for displaying a penetration Graphical User Interface (GUI) including at least;
  
  input fields having at least;
  
  a source address input field for receiving at least a source address of a packet, andan entry point field for receiving at least one entry point to the network for the packet;
  
  output penetration information fields for a graphical output including;
  
  network devices of the network,connections between the network devices corresponding to the topology information,at least one entry point to the network,paths the packet is allowed to follow based on the topology information and the ACLs, andat least one maximum penetration point; and
  
  a penetration module configured to;
  
  access the topology database to retrieve the topology information;
  
  access the ACL database to retrieve the ACLs;
  
  receive input corresponding to the input fields;
  
  check the source address of the packet, specified in the source address input field, against an inbound ACL of an interface of a network device specified in the entry point field;
  
  if the inbound ACL permits ingress of the packet at the network device, check the source address of the packet against one or more outbound ACLs for each outbound interface of the network device to determine one or more possible outbound interfaces on which egress of the packet is permitted from the network device;
  
  check the topology information to determine one or more neighbor network devices that the packet could reach, wherein the one or more neighbor network devices are respectively connected to the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device;
  
  repeat the checks for each neighbor network device, of the one or more neighbor network devices, that is connected to each of the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device; and
  
  produce the graphical output for display in the penetration GUI.

26. An apparatus for determining network penetration, the apparatus comprising:
- one or more processors, and a non-transitory computer-readable storage medium storing one or more sequences of instructions that comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of;
  
  receiving first information that identifies a packet;
  
  representing a possible travel of the packet in a network based on topology data and on security policy data;
  
  wherein the step of representing comprises;
  
  checking the first information against an inbound access control list (ACL), included in the security policy data, of an interface of a network device comprising a network entry point for the packet, wherein checking the first information against the inbound ACL includes determining whether the inbound ACL permits ingress of the packet at the network device;
  
  if the inbound ACL permits the ingress of the packet at the network device, checking the first information against one or more outbound ACLs for each outbound interface of the network device to determine one or more possible outbound interfaces on which egress of the packet is permitted from the network device;
  
  checking the topology data to determine one or more neighbor network devices that the packet could reach, wherein the one or more neighbor network devices are respectively connected to the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device;
  
  repeating the checking steps for each neighbor network device, of the one or more neighbor network devices, that is connected to each of the one or more possible outbound interfaces;
  
  providing an output that specifies a possible penetration of the packet into the network, based on the step of representing, wherein the output comprises second information that specifies one or more of;
  
  possible paths that the packet could take in the network, and a set of network devices that the packet could reach in the network.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 27. The apparatus of claim 26, wherein the security policy data comprises one or more access control lists stored on one or more network devices in the network.
  - 28. The apparatus of claim 26, wherein the first information comprises packet parameters.
  - 29. The apparatus of claim 28, wherein the packet parameters comprise an identifier of the network entry point where the packet enters the network.
  - 30. The apparatus of claim 28, wherein the packet parameters comprise a destination address.
  - 31. The apparatus of claim 26, wherein the topology data is based on input related to a user interface.
  - 32. The apparatus of claim 26, wherein the security policy data is based on access control lists associated with input related to a user interface.
  - 33. The apparatus of claim 26, wherein the instructions that cause the one or more processors to perform the step of representing further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of determining a maximum penetration point.
  - 34. The apparatus of claim 26, wherein the instructions that cause the one or more processors to perform the step of representing comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of accessing the security policy data and the topology data related to a neighbor network device for which it has been determined that the packet could reach.
  - 35. The apparatus of claim 26, wherein the instructions that cause the one or more processors to perform the step of representing comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of determining whether ingress is allowed to a neighbor network device for which it has been determined that the packet could reach.
  - 36. The apparatus of claim 26, wherein the instructions that cause the one or more processors to perform the step of representing comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of determining whether there are any neighboring network devices to a neighbor network device for which it has been determined that the packet could reach.
  - 37. The apparatus of claim 26, wherein the instructions that cause the one or more processors to perform the step of representing comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of determining whether there are any outbound interfaces that have not yet been checked for whether there is another network device connected thereto.
  - 38. The apparatus of claim 37, wherein the instructions that cause the one or more processors to perform the step of representing comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of recursively applying the step of determining whether there are any outbound interfaces.
  - 39. The apparatus of claim 26, wherein the one or more sequences of instructions further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of receiving third information that specifies packet parameters corresponding to a plurality of different packets.
  - 40. The apparatus of claim 26, wherein the instructions that cause the one or more processors to perform the step of representing comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
    - for a neighbor network device being represented as having been reached by the packet, determining if a static routing table is present; and
      
      if the static routing table is present, thenaccessing the static routing table, anddetermining an outbound interface through which egress of the packet from the neighbor network device is permitted based on the static routing table.
  - 41. The apparatus of claim 40, wherein the one or more sequences of instructions further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of not considering any outbound interface through which egress of the packet is permitted by the static routing table but is not permitted by an access control list associated with the security policy data.
  - 42. The apparatus of claim 26, wherein the instructions that cause the one or more processors to perform the step of representing comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
    - for a neighbor network device for which it is determined that the packet could reach, determining if a static routing table is present; and
      
      if the static routing table is not present, then for each outbound interface of the neighbor network device, representing an egress by the packet as part of the representing of the possible travel of the packet.
  - 43. The apparatus of claim 26, wherein the instructions that cause the one or more processors to perform the step of receiving the first information further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of receiving packet parameters that support transmission control protocol flags.
  - 44. The apparatus of claim 26, wherein the output comprises a graphical display of at least the second information.
  - 45. The apparatus of claim 26, wherein the graphical display also includes at least a mapping of the set of network devices and connections between the network devices in the set of network devices.

46. A non-transitory computer-readable storage medium storing one or more sequences of instructions that comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
- receiving first information that identifies a packet;
  
  representing a possible travel of the packet in a network based on topology data and on security policy data;
  
  wherein the step of representing comprises;
  
  checking the first information against an inbound access control list (ACL), included in the security policy data, of an interface of a network device comprising a network entry point for the packet, wherein checking the first information against the inbound ACL includes determining whether the inbound ACL permits ingress of the packet at the network device;
  
  if the inbound ACL permits the ingress of the packet at the network device, checking the first information against one or more outbound ACLs for each outbound interface of the network device to determine one or more possible outbound interfaces on which egress of the packet is permitted from the network device;
  
  checking the topology data to determine one or more neighbor network devices that the packet could reach, wherein the one or more neighbor network devices are respectively connected to the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device;
  
  repeating the checking steps for each neighbor network device, of the one or more neighbor network devices, that is connected to each of the one or more possible outbound interfaces;
  
  providing an output that specifies a possible penetration of the packet into the network, based on the step of representing, wherein the output comprises second information that specifies one or more of;
  
  possible paths that the packet could take in the network, and a set of network devices that the packet could reach in the network.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66)
- - 47. The non-transitory computer-readable storage medium of claim 46, wherein the security policy data comprises one or more access control lists of one or more network devices in the network.
  - 48. The non-transitory computer-readable storage medium of claim 46, wherein the first information comprises packet parameters.
  - 49. The non-transitory computer-readable storage medium of claim 48, wherein the packet parameters comprise an identifier of the network entry point where the packet enters the network.
  - 50. The non-transitory computer-readable storage medium of claim 48, wherein the packet parameters comprise a destination address.
  - 51. The non-transitory computer-readable storage medium of claim 46, wherein the one or more sequences of instructions further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of reading the topology data from a topology database.
  - 52. The non-transitory computer-readable storage medium of claim 46, wherein the topology data is based on input related to a user interface.
  - 53. The non-transitory computer-readable storage medium of claim 46, wherein the security policy data is based on access control lists associated with input related to a user interface.
  - 54. The non-transitory computer-readable storage medium of claim 46, wherein the instructions that cause the one or more processors to perform the step of representing further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of determining a maximum penetration point.
  - 55. The non-transitory computer-readable storage medium of claim 46, wherein the instructions that cause the one or more processors to perform the step of representing comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of accessing the security policy data and the topology data related to a neighbor network device for which it has been determined that the packet could reach.
  - 56. The non-transitory computer-readable storage medium of claim 46, wherein the instructions that cause the one or more processors to perform the step of representing comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of determining whether ingress is allowed to a neighbor network device for which it has been determined that the packet could reach.
  - 57. The non-transitory computer-readable storage medium of claim 46, wherein the instructions that cause the one or more processors to perform the step of representing comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of determining whether there are any neighboring network devices to a neighbor network device for which it has been determined that the packet could reach.
  - 58. The non-transitory computer-readable storage medium of claim 46, wherein the instructions that cause the one or more processors to perform the step of representing comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of determining whether there are any possible outbound interfaces that have not yet been checked for whether there is another network device connected thereto.
  - 59. The non-transitory computer-readable storage medium of claim 58, wherein the instructions that cause the one or more processors to perform the step of representing comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of recursively applying the step of determining whether there are any outbound interfaces.
  - 60. The non-transitory computer-readable storage medium of claim 46, wherein the one or more sequences of instructions further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of receiving third information that specifies packet parameters corresponding to a plurality of different packets.
  - 61. The non-transitory computer-readable storage medium of claim 46, wherein the instructions that cause the one or more processors to perform the step of representing comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
    - for a neighbor network device that could be reached by the packet, determining if a static routing table is present; and
      
      if the static routing table is present, thenaccessing the static routing table, anddetermining an outbound interface through which egress of the packet from the neighbor network device is permitted based on the static routing table.
  - 62. The non-transitory computer-readable storage medium of claim 61, wherein the one or more sequences of instructions further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of not considering any outbound interface through which egress of the packet is permitted by the static routing table but is not permitted by an access control list associated with the security policy data.
  - 63. The non-transitory computer-readable storage medium of claim 46, wherein the instructions that cause the one or more processors to perform the step of representing comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
    - for a neighbor network device that could be reached by the packet, determining if a static routing table is present; and
      
      if the static routing table is not present, then for each outbound interface of the neighbor network device, representing an egress by the packet as part of the representing of the possible travel of the packet.
  - 64. The non-transitory computer-readable storage medium of claim 46, wherein the instructions that cause the one or more processors to perform the step of receiving the first information further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of receiving packet parameters that support transmission control protocol flags.
  - 65. The non-transitory computer-readable storage medium of claim 46, wherein the output comprises a graphical display of at least the second information.
  - 66. The non-transitory computer-readable storage medium of claim 46, wherein the graphical display also includes at least a mapping of the set of network devices and connections between the network devices in the set of network devices.

67. An apparatus for determining network penetration comprising:
- means for receiving first information that identifies a packet;
  
  means for representing a possible travel of the packet in a network based on topology data and on security policy data;
  
  wherein the means for representing comprise;
  
  means for checking the first information against an inbound access control list (ACL), included in the security policy data, of an interface of a network device comprising a network entry point for the packet, wherein the means for checking the first information against the inbound ACL include means for determining whether the inbound ACL permits ingress of the packet at the network device;
  
  means for checking the first information against one or more outbound ACLs for each outbound interface of the network device to determine one or more possible outbound interfaces on which egress of the packet is permitted from the network device when the inbound ACL permits the ingress of the packet at the network device;
  
  means for checking the topology data to determine one or more neighbor network devices that the packet could reach, wherein the one or more neighbor network devices are respectively connected to the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device;
  
  means for repeatedly invoking the means for checking the first information against the inbound ACL, the means for checking the first information against the one or more outbound ACLs, and the means for checking the topology data for each neighbor network device, of the one or more neighbor network devices, that is connected to each of the one or more possible outbound interfaces on which the egress of the packet is permitted from the network device;
  
  means for providing penetration output that specifies a possible penetration of the packet into the network, based on output from the means for representing, wherein the penetration output comprises second information that specifies one or more of;
  
  possible paths that the packet could take in the network, and a set of network devices that the packet could reach in the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Hebbani, Sandeep R., Kajekar, Preetham
Primary Examiner(s)
Chea; Philip J

Application Number

US10/718,175
Time in Patent Office

2,778 Days
Field of Search

709/224, 726/2, 726/22, 726/25, 726 27- 29
US Class Current

726/22
CPC Class Codes

H04L 63/101 Access control lists [ACL]

Method of determining network penetration

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

67 Claims

Specification

Solutions

Use Cases

Quick Links

Method of determining network penetration

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

67 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links