Method and apparatus for internet protocol (IP) logical wire security

US 9,094,331 B2
Filed: 01/07/2013
Issued: 07/28/2015
Est. Priority Date: 01/07/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining, by a processor, a logical configuration of a network comprising a plurality of links connecting a plurality of nodes;

determining, by the processor, a physical path corresponding to one of the links, the physical path including a plurality of network switches of the network, wherein the processor is configured to determine whether data sent on one of the nodes to another one of the nodes via the one link is received at the other node;

receiving an error detection value computed by one of the network switches using either data stored in one or more routing tables of the one network switch, a configuration type of the one network switch, or a combination thereof; and

validating, by the processor, the one network switch as secured from one or more exploits of the network by determining that the error detection value is identical to a value inaccessible to the one network switch.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for improved approaches for detection of exploits and drift in a network is described. The method includes: determining, by a processor, a logical configuration of a network comprising a plurality of links connecting a plurality of nodes; determining, by the processor, a physical path corresponding to one of the links, the physical path including a plurality of switches of the network, wherein the processor is configured to determine whether data sent on one of the nodes to another one of the nodes by the one link is received at the other node; receiving an error detection value computed by one of the switches; and determining, by the processor, whether the error detection value corresponds with a value inaccessible to the one switch.

7 Citations

22 Claims

1. A method comprising:
- determining, by a processor, a logical configuration of a network comprising a plurality of links connecting a plurality of nodes;
  
  determining, by the processor, a physical path corresponding to one of the links, the physical path including a plurality of network switches of the network, wherein the processor is configured to determine whether data sent on one of the nodes to another one of the nodes via the one link is received at the other node;
  
  receiving an error detection value computed by one of the network switches using either data stored in one or more routing tables of the one network switch, a configuration type of the one network switch, or a combination thereof; and
  
  validating, by the processor, the one network switch as secured from one or more exploits of the network by determining that the error detection value is identical to a value inaccessible to the one network switch.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 21, 22)
- - 2. The method according to claim 1, comprising:
    - receiving another error detection value computed by another one of the network switches;
      
      determining, by the processor, whether the other error detection value corresponds with another value, the other value being inaccessible to the one network switch and the other network switch;
      
      subsequently validating, by the processor, the other network switch as secured from the one or more exploits by determining that the other error detection value is identical to the other value;
      
      receiving a first and second geolocation from the one network switch and the other network switch switches, respectively; and
      
      determining, by the processor, a physical path of network traffic forwarded by the one network switch, other network switch, or a combination thereof based on the received first and second geolocations when the one network switch and the other network switch are validated.
  - 3. The method according to claim 2, comprising:
    - determining, by the processor, an indication of a physical location associated with the network traffic; and
      
      comparing the indication of the physical location with the determined physical path.
  - 4. The method according to claim 3, comprising:
    - determining a source and/or destination address of a datagram of the network traffic; and
      
      determining the indication of the physical location according to the source and/or destination address.
  - 5. The method according to claim 4, further comprising:
    - determining whether the first network switch connects an end device associated with the destination or source address to the network switches of the network; and
      
      determining the indication of the physical location as the first geolocation based on whether the first network switch connects the end device to the network switches.
  - 6. The method according to claim 3, wherein the indication of the physical location is an automatic number identification (ANI) of the network traffic, andwherein the error detection value includes a checksum.
  - 7. The method according to claim 3, comprising:
    - determining a media access control (MAC) address of an endpoint device connected to the network via the first network switch, the endpoint device being an endpoint of the network traffic;
      
      determining a type of device according to the MAC address; and
      
      determining the indication of the physical location based on the type of device.
  - 8. The method according to claim 1, wherein the value is stored in a datastore inaccessible to the processor and/or calculated by another processor, and the data is a datagram, the method further comprising:
    - when the error detection value does not match with the value inaccessible to the one network switch, initiating a stateful inspection of the network to determine the one or more exploits of the network that cause the mismatch.
  - 21. The method according to claim 1, wherein the one or more exploits of the network include spoofing of one or more internet protocol addresses, spoofing of one or more media access control addresses, spoofing of one or more automatic number identifications, or a combination thereof, associated with the physical path.
  - 22. The method according to claim 1, further comprising:
    - when the error detection value does not match with the value inaccessible to the one network switch, determining the one or more exploits of the network that cause the mismatch by auditing the one network switch, the physical path, a logical route corresponding to the physical path, a portion of the network including the physical path, or a combination thereof.

9. An apparatus comprising:
- at least one processor; and
  
  at least one memory including computer program code for one or more programs,the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following,determine a logical configuration of a network comprising a plurality of links connecting a plurality of nodes;
  
  determine a physical path corresponding to one of the links, the physical path including a plurality of network switches of the network, wherein the processor is configured to determine whether data sent on one of the nodes to another one of the nodes via the one link is received at the other node;
  
  receive an error detection value computed by a first network switch of the network switches using either data stored in one or more routing tables of the first network switch, a configuration type of the first network switch, or a combination thereof; and
  
  validate the first network switch as secured from one or more exploits of the network by determining that the error detection value is identical to a value inaccessible to the first network switch.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus according to claim 9, wherein the apparatus is further caused to:
    - receive a second error detection value computed by a second network switch of the network switches;
      
      compare, the second error detection value with a second value, the first and second values being inaccessible to the first and second network switches;
      
      subsequently validate the second switch as secured from the one or more exploits by determining that the second error detection value is identical to the second value;
      
      receive a first and second geolocation from the first and second network switches, respectively; and
      
      determine a physical path of network traffic forwarded by the first network switch, the second network switch, or a combination thereof based on the received first and second geolocations when the first and second network switches are validated.
  - 11. The apparatus according to claim 10, wherein the apparatus is further caused to:
    - determine, an indication of a physical location associated with the network traffic; and
      
      compare the indication of the physical location with the determined physical path.
  - 12. The apparatus according to claim 11, wherein the apparatus is further caused to:
    - determining a source and/or destination address of a datagram of the network traffic; and
      
      determining the indication of the physical location according to the source and/or destination address.
  - 13. The apparatus according to claim 12, wherein the apparatus is further caused to:
    - determining whether the first network switch connects an end device associated with the destination or source address with the network switches of the network; and
      
      determining the indication of the physical location as the first geolocation based on whether the first network switch connects the end device to the network switches.
  - 14. The apparatus according to claim 11, wherein the indication of the physical location is an automatic number identification (ANI) of the network traffic.
  - 15. The apparatus according to claim 11, wherein the apparatus is further caused to:
    - determine a media access control (MAC) address of a endpoint device connected to the network via the first network switch, the endpoint device being an endpoint of the network traffic;
      
      determine a type of device according to the MAC address; and
      
      determine the indication of the physical location based on the type of device.
  - 16. The apparatus according to claim 9, wherein the first error detection value is according to a configuration type and/or a datastore associated with the first network switch, the value is stored in a datastore inaccessible to the apparatus and/or calculated by another apparatus and the data is a datagram, the apparatus being further caused to initiate a stateful inspection of the network based on the comparison.

17. A method comprising:
- receiving, at a network switch, network traffic comprising datagrams;
  
  determining, by the network switch, a header of one of the datagrams, the header indicating a destination address;
  
  selecting, by the network switch, a physical link to transport the one datagram based on the destination address;
  
  determining, by the network switch, a network node to forward the one datagram based on the destination address;
  
  forwarding, by the network switch, the one datagram to the network node on the physical link;
  
  computing, at the network switch, an error detection value for the network switch using either data stored in one or more routing tables of the network switch, a configuration type of the network switch, or a combination thereof; and
  
  forwarding the error detection value to a processing device to validate the network switch as secured from one or more exploits of the network by determining that determine whether the error detection value is identical corresponds to a value inaccessible to the network switch.
- View Dependent Claims (18)
- - 18. The method according to claim 17, further comprising:
    - determining the network node according to the routing table of the network switch, wherein the error detection value is computed based on values indicated in the routing table.

19. An apparatus comprising:
- at least one processor; and
  
  at least one memory including computer program code for one or more programs,the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus embedded in a network switch to perform at least the following,receive network traffic comprising datagrams;
  
  determine a header of one of the datagrams, the header indicating a destination address;
  
  select a physical link to transport the one datagram based on the destination address;
  
  determine a network node to forward the one datagram based on the destination address;
  
  forward the one datagram to the network node on the physical link;
  
  compute an error detection value for the network switch using either data stored in one or more routing tables of the network switch, a configuration type of the network switch, or a combination thereof; and
  
  forward the error detection value to a processing device to validate the network switch as secured from one or more exploits of the network by determining that the error detection value is identical to a value inaccessible to the network switch.
- View Dependent Claims (20)
- - 20. The apparatus according to claim 19, wherein the apparatus is further caused to:
    - determining the network node according to the routing table of the network switch, wherein the error detection value is computed based on values indicated in the routing table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Perez, John Scott
Primary Examiner(s)
Phunkulh, Bob
Assistant Examiner(s)
BUTT, WALLI Z

Application Number

US13/735,262
Publication Number

US 20140192675A1
Time in Patent Office

932 Days
Field of Search

370/225, 370/235, 370/245, 370/252, 370/254, 370/349, 370/389, 370/392, 370/395.1, 370/397, 370/401, 370/419, 455/411, 455/423, 709207-224
US Class Current

1/1
CPC Class Codes

H04L 45/02 Topology update or discovery

H04L 45/28 using route fault recovery

Method and apparatus for internet protocol (IP) logical wire security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

7 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for internet protocol (IP) logical wire security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links