Method and apparatus for internet protocol (IP) logical wire security
First Claim
1. A method comprising:
determining, by a processor, a logical configuration of a network comprising a plurality of links connecting a plurality of nodes;
determining, by the processor, a physical path corresponding to one of the links, the physical path including a plurality of network switches of the network, wherein the processor is configured to determine whether data sent on one of the nodes to another one of the nodes via the one link is received at the other node;
receiving an error detection value computed by one of the network switches using either data stored in one or more routing tables of the one network switch, a configuration type of the one network switch, or a combination thereof; and
validating, by the processor, the one network switch as secured from one or more exploits of the network by determining that the error detection value is identical to a value inaccessible to the one network switch.
Abstract
A method and apparatus for improved approaches for detection of exploits and drift in a network is described. The method includes: determining, by a processor, a logical configuration of a network comprising a plurality of links connecting a plurality of nodes; determining, by the processor, a physical path corresponding to one of the links, the physical path including a plurality of switches of the network, wherein the processor is configured to determine whether data sent on one of the nodes to another one of the nodes by the one link is received at the other node; receiving an error detection value computed by one of the switches; and determining, by the processor, whether the error detection value corresponds with a value inaccessible to the one switch.
22 Claims
1. A method comprising:
(claim text as set out under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 21, 22
9. An apparatus comprising:
at least one processor; and
at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following:
determine a logical configuration of a network comprising a plurality of links connecting a plurality of nodes;
determine a physical path corresponding to one of the links, the physical path including a plurality of network switches of the network, wherein the processor is configured to determine whether data sent on one of the nodes to another one of the nodes via the one link is received at the other node;
receive an error detection value computed by a first network switch of the network switches using either data stored in one or more routing tables of the first network switch, a configuration type of the first network switch, or a combination thereof; and
validate the first network switch as secured from one or more exploits of the network by determining that the error detection value is identical to a value inaccessible to the first network switch.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A method comprising:
receiving, at a network switch, network traffic comprising datagrams;
determining, by the network switch, a header of one of the datagrams, the header indicating a destination address;
selecting, by the network switch, a physical link to transport the one datagram based on the destination address;
determining, by the network switch, a network node to forward the one datagram based on the destination address;
forwarding, by the network switch, the one datagram to the network node on the physical link;
computing, at the network switch, an error detection value for the network switch using either data stored in one or more routing tables of the network switch, a configuration type of the network switch, or a combination thereof; and
forwarding the error detection value to a processing device to validate the network switch as secured from one or more exploits of the network by determining that the error detection value is identical to a value inaccessible to the network switch.
Dependent claims: 18
19. An apparatus comprising:
at least one processor; and
at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus embedded in a network switch to perform at least the following:
receive network traffic comprising datagrams;
determine a header of one of the datagrams, the header indicating a destination address;
select a physical link to transport the one datagram based on the destination address;
determine a network node to forward the one datagram based on the destination address;
forward the one datagram to the network node on the physical link;
compute an error detection value for the network switch using either data stored in one or more routing tables of the network switch, a configuration type of the network switch, or a combination thereof; and
forward the error detection value to a processing device to validate the network switch as secured from one or more exploits of the network by determining that the error detection value is identical to a value inaccessible to the network switch.
Dependent claims: 20
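The following is an added illustration of the flow the abstract and claims 1, 9, 17 and 19 describe; it is not code from the patent and does not claim to be its implementation. It assumes SHA-256 over a canonical JSON serialisation as the "error detection value" computed from a switch's routing tables and configuration type, a breadth-first search to resolve the physical path of a logical link, and constructed topology, route and configuration data. The reference digests live only with the processor (the "value inaccessible to the switch"); each switch reports a digest of its live tables, and a switch on the path is marked secured only when the two are identical.

```python
import hashlib
import json
from collections import deque

# Constructed sample data. The processor (controller) holds the authoritative
# logical configuration and the reference digests; switches never see them.
PHYSICAL_TOPOLOGY = {  # adjacency of hosts and switches
    "hostA": ["sw1"],
    "sw1": ["hostA", "sw2"],
    "sw2": ["sw1", "hostB"],
    "hostB": ["sw2"],
}
LOGICAL_LINKS = [("hostA", "hostB")]  # one logical wire between two nodes
EXPECTED_STATE = {
    "sw1": {"config_type": "core-l3",
            "routes": {"10.0.1.0/24": "port1", "10.0.2.0/24": "port2"}},
    "sw2": {"config_type": "edge-l2",
            "routes": {"10.0.1.0/24": "port3", "0.0.0.0/0": "port4"}},
}


def error_detection_value(routes, config_type):
    """Digest over routing-table contents and configuration type.
    Canonical serialisation (sorted keys) makes the value independent of the
    order in which entries were learned. SHA-256 is an assumption here."""
    canon = json.dumps({"config_type": config_type, "routes": routes},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class Switch:
    """Minimal switch model: holds live tables and reports their digest on request."""

    def __init__(self, name, config_type, routes):
        self.name = name
        self.config_type = config_type
        self.routes = dict(routes)

    def report(self):
        return error_detection_value(self.routes, self.config_type)


def reference_values(expected_state):
    """Processor-side reference digests, computed once from the authoritative
    configuration and kept only on the processor."""
    return {name: error_detection_value(s["routes"], s["config_type"])
            for name, s in expected_state.items()}


def physical_path(topology, src, dst):
    """Breadth-first search for the physical path that carries a logical link."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in topology[cur]:
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def validate_link(link, topology, switches, reference):
    """For one logical link: resolve its physical path, then mark each switch on it
    as secured only if the value it reports is identical to the processor's reference."""
    path = physical_path(topology, *link)
    if path is None:
        return None  # link has no physical realisation: data cannot be received
    return {hop: switches[hop].report() == reference[hop]
            for hop in path if hop in switches}


def demo():
    reference = reference_values(EXPECTED_STATE)
    switches = {n: Switch(n, **s) for n, s in EXPECTED_STATE.items()}
    before = validate_link(LOGICAL_LINKS[0], PHYSICAL_TOPOLOGY, switches, reference)
    # Simulate drift: a route on sw2 is redirected to another port while the
    # processor's authoritative configuration is unchanged.
    switches["sw2"].routes["10.0.1.0/24"] = "port9"
    after = validate_link(LOGICAL_LINKS[0], PHYSICAL_TOPOLOGY, switches, reference)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` first reports both switches on the hostA to hostB path as secured, then, after the route change on sw2, reports sw2 as not secured while sw1 still matches. The comparison only detects drift because the reference digests are derived from the processor's copy of the configuration rather than from anything the switch supplies; if the switch could read the reference value, a tampered switch could simply echo it back.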
Specification