Detecting unsanctioned network servers
First Claim
1. A method of monitoring an enterprise network, comprising:
   retrieving metadata describing the enterprise network from the Internet, wherein the metadata comprises domain name system (DNS) records describing the enterprise network;
   analyzing the metadata describing the enterprise network, the analyzing comprising analyzing one or more of the DNS records to identify a set of sanctioned servers on the enterprise network;
   generating a security profile responsive to the metadata, the security profile describing an expected usage of the enterprise network and identifying the set of sanctioned servers on the enterprise network;
   analyzing traffic on the enterprise network using the security profile to determine whether the traffic indicates that an unsanctioned server is operating on the enterprise network; and
   reporting an indication of an unsanctioned server operating on the enterprise network, the reporting comprising retrieving configuration information from the security profile describing an action to take responsive to the indication of the unsanctioned server, the action including one or more of:
      blocking traffic to the unsanctioned server;
      blocking traffic from the unsanctioned server; and
      interacting with a network device to secure the network.
Abstract
An enterprise network can have sanctioned and unsanctioned servers on it. Sanctioned servers are approved by an administrator and perform tasks such as web page serving and mail routing. Unsanctioned servers are not approved by the administrator and represent possible security risks. A service monitor accesses one or more metadata sources having information describing the enterprise network, such as domain name system (DNS) records on the Internet. The service monitor analyzes the metadata and creates a security profile for the enterprise network. The security profile identifies the sanctioned servers. The service monitor monitors network traffic for compliance with the security profile, and detects unsanctioned servers on the network. The service monitor reports violations of the profile and informs the administrator of the unsanctioned servers.
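The abstract describes a four-stage pipeline: pull DNS metadata, derive a security profile of sanctioned servers, check observed traffic against it, and report findings with the action the profile configures. The following is an added illustration of that pipeline in Python, not code from the patent holder; the DNS records, flow log, enterprise prefix (192.0.2.0/24) and the rule mapping record types to expected server ports are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

ENTERPRISE_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed example prefix
# Assumption: which server ports each DNS record type sanctions for the host it names.
ROLE_PORTS = {"A": {80, 443}, "MX": {25, 587}, "NS": {53}}
# Constructed DNS records (name, type, value) for the fictitious zone example.test.
DNS_RECORDS = [
    ("www.example.test", "A", "192.0.2.10"),
    ("mail.example.test", "A", "192.0.2.25"),
    ("ns1.example.test", "A", "192.0.2.53"),
    ("example.test", "MX", "mail.example.test"),
    ("example.test", "NS", "ns1.example.test"),
]
Flow = namedtuple("Flow", "src dst dport")
# Constructed flow log: (client, server, destination port) as a sensor might export it.
FLOWS = [
    Flow("192.0.2.101", "192.0.2.10", 443),    # sanctioned web server
    Flow("192.0.2.102", "192.0.2.25", 25),     # sanctioned mail server
    Flow("192.0.2.103", "192.0.2.53", 53),     # sanctioned DNS server
    Flow("192.0.2.104", "192.0.2.77", 8080),   # host with no DNS presence serving HTTP
    Flow("192.0.2.105", "192.0.2.25", 21),     # mail host unexpectedly serving FTP
    Flow("192.0.2.106", "198.51.100.9", 443),  # outbound to the Internet: out of scope
]

def build_profile(records, action="block_to"):
    """Security profile: sanctioned IP -> expected ports, plus the configured response."""
    a_records = {name: value for name, rtype, value in records if rtype == "A"}
    sanctioned = {}
    for name, rtype, value in records:
        if rtype == "A":  # assumption: every published host may serve web
            sanctioned.setdefault(value, set()).update(ROLE_PORTS["A"])
        elif rtype in ROLE_PORTS and value in a_records:  # MX/NS name -> its A record
            sanctioned.setdefault(a_records[value], set()).update(ROLE_PORTS[rtype])
    return {"sanctioned": sanctioned, "action": action}

def find_unsanctioned(flows, profile):
    """(server, port) pairs inside the enterprise that the profile does not expect."""
    hits = set()
    for f in flows:
        if ipaddress.ip_address(f.dst) not in ENTERPRISE_NET:
            continue  # only servers on the enterprise network are in scope
        if f.dport not in profile["sanctioned"].get(f.dst, set()):
            hits.add((f.dst, f.dport))
    return sorted(hits)

def report(flows, profile):
    """Each finding paired with the action configured in the profile."""
    return [{"server": d, "port": p, "action": profile["action"]}
            for d, p in find_unsanctioned(flows, profile)]
```

Both the host absent from DNS (192.0.2.77) and the sanctioned mail host serving an unexpected port are flagged, while the outbound connection is ignored because the abstract scopes detection to servers on the enterprise network.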
36 Citations
6 Claims
1. A method of monitoring an enterprise network, comprising the elements reproduced above under First Claim. Dependent claims: 2.
3. A system for monitoring an enterprise network, comprising:
   a computer-readable storage medium storing executable computer program code modules, comprising:
      a metadata retrieval module for retrieving metadata describing the enterprise network from the Internet, wherein the metadata comprises domain name system (DNS) records describing the enterprise network;
      a metadata analysis module for analyzing the metadata describing the enterprise network, the analyzing comprising analyzing one or more of the DNS records to identify a set of sanctioned servers on the enterprise network, and for generating a security profile describing an expected usage of the enterprise network and identifying the set of sanctioned servers on the enterprise network;
      a traffic analysis module for analyzing traffic on the enterprise network using the security profile to determine whether the traffic indicates that an unsanctioned server is operating on the enterprise network; and
      a reporting module for reporting an indication of an unsanctioned server operating on the enterprise network, the reporting comprising retrieving configuration information from the security profile describing an action to take responsive to the indication of the unsanctioned server, the action including one or more of:
         blocking traffic to the unsanctioned server;
         blocking traffic from the unsanctioned server; and
         interacting with a network device to secure the network.
   Dependent claims: 4.
5. A computer-readable storage medium having executable computer program code modules embodied therein for monitoring an enterprise network, comprising:
   a metadata retrieval module for retrieving metadata describing the enterprise network from the Internet, wherein the metadata comprises domain name system (DNS) records describing the enterprise network;
   a metadata retrieval module for analyzing the metadata describing the enterprise network, the analyzing comprising analyzing one or more of the DNS records to identify a set of sanctioned servers on the enterprise network, and for generating a security profile describing an expected usage of the enterprise network and identifying the set of sanctioned servers on the enterprise network;
   a traffic analysis module for analyzing traffic on the enterprise network using the security profile to determine whether the traffic indicates that an unsanctioned server is operating on the enterprise network; and
   a reporting module for reporting an indication of an unsanctioned server operating on the enterprise network, the reporting comprising retrieving configuration information from the security profile describing an action to take responsive to the indication of the unsanctioned server, the action including one or more of:
      blocking traffic to the unsanctioned server;
      blocking traffic from the unsanctioned server; and
      interacting with a network device to secure the network.
   Dependent claims: 6.
Specification