System and method for analyzing a router in a shared network system
First Claim
Patent Images
1. A system for detecting security risks in a shared network system shared by different entity networks, said system comprising:
- a central processing unit, a memory and a computer readable storage;
first program instructions to retrieve, from a router for said shared network system, flow tables that identify source and destination networks for which intercommunication is permitted, security policies indicating that at least one of said entity networks is not permitted to communicate with another of said entity networks, filter files that identify at least one of said entity networks which is permitted to use another of said entity networks to access web applications outside of said shared network system, and maps of respective entity networks of said shared network system;
second program instructions to generate a shared network map of said shared network system, based at least in part on said maps of said respective entity networks, said shared network map including said different entity networks;
third program instructions to identify a set of permitted communications through said router based on said flow tables and filter files; and
fourth program instructions to identify a permitted communication of said set which represents a security risk based on said shared network map and said security policies; and
whereinsaid first, second, third and fourth program instructions are stored in said computer readable storage for execution by said central processing unit via said memory.
1 Assignment
0 Petitions
Accused Products
Abstract
A system and method for analyzing a router in a shared network system (SNS). Specifically, the present invention retrieves information for each network participating in the SNS from a common router. By identifying source and destination networks for communications in the SNS, and then comparing the identified networks to network policies, a network map, and/or flow tables, security findings for each network can be identified. These findings, as well as the network map, can then be outputted to each network according to their preferences in a report or summary format.
47 Citations
6 Claims
-
1. A system for detecting security risks in a shared network system shared by different entity networks, said system comprising:
-
a central processing unit, a memory and a computer readable storage; first program instructions to retrieve, from a router for said shared network system, flow tables that identify source and destination networks for which intercommunication is permitted, security policies indicating that at least one of said entity networks is not permitted to communicate with another of said entity networks, filter files that identify at least one of said entity networks which is permitted to use another of said entity networks to access web applications outside of said shared network system, and maps of respective entity networks of said shared network system; second program instructions to generate a shared network map of said shared network system, based at least in part on said maps of said respective entity networks, said shared network map including said different entity networks; third program instructions to identify a set of permitted communications through said router based on said flow tables and filter files; and fourth program instructions to identify a permitted communication of said set which represents a security risk based on said shared network map and said security policies; and
whereinsaid first, second, third and fourth program instructions are stored in said computer readable storage for execution by said central processing unit via said memory. - View Dependent Claims (2, 3)
-
-
4. A computer program product for detecting security risks in a shared network system shared by different entity networks, said computer program product comprising:
-
a computer readable storage media; first program instructions to retrieve, from a router for said shared network system, flow tables that identify source and destination networks for which intercommunication is permitted, security policies indicating that at least one of said entity networks is not permitted to communicate with another of said entity networks, filter files that identify at least one of said entity networks which is permitted to use another of said entity networks to access web applications outside of said shared network system, and maps of respective entity networks of said shared network system; second program instructions to generate a shared network map of said shared network system, based at least in part on said maps of said respective entity networks, said shared network map including said different entity networks; third program instructions to identify a set of permitted communications through said router based on said flow tables and filter files; and fourth program instructions to identify a permitted communication of said set which represents a security risk based on said shared network map and said security policies; and
whereinsaid first, second, third and fourth program instructions are stored on said computer readable storage media. - View Dependent Claims (5, 6)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeInternational Business Machines Corporation
-
Original AssigneeInternational Business Machines Corporation
-
InventorsHaugen, James B.
-
Primary Examiner(s)Blair; Douglas B
-
Application NumberUS09/798,835Publication NumberTime in Patent Office3,119 DaysField of Search709/220, 709/224, 709/229, 709/223, 709/242, 709/249, 370/254, 370/401, 713/155, 713/201, 713/187, 713/189, 714/37, 715/736, 726/8, 726/22, 726/23, 726/26, 726/3, 379/189, 340/825.01US Class Current709/229CPC Class CodesH04L 63/0236 Filtering by address, proto...H04L 63/1408 by monitoring network traff...
