Network service zone locking

US 7,895,326 B2
Filed: 12/01/2009
Issued: 02/22/2011
Est. Priority Date: 03/25/2002
Status: Expired due to Fees

First Claim

Patent Images

1. In a computer network wherein packets are communicated between devices on to the computer network, a method for a network monitoring appliance to provide an alarm signal indicating unauthorized network usage by a device on the computer network, comprising the steps of:

providing a configuration file for use by the network monitoring appliance that includes data reflecting prior assignment of a plurality of devices into a plurality of zones where devices assigned to a first zone are not authorized to communicate with devices assigned to a second zone, a zone comprising a plurality of devices that are selected without regard to which physical network the devices are associated with and without regard to whether the devices in a same zone are in a same physical network or in another physical network, a zone comprising a plurality of devices that are authorized to communicate;

(i) with other devices in the same zone that are on the same physical network, and(ii) with other devices in the same zone that are on different physical networks isolated by a network device, but(iii) not with other devices in the same physical network that are in different zones;

the configuration file further including unauthorized zone data specifying designated zones for which devices in a particular zone are not authorized to communicate with other devices in a different unauthorized zone;

passively monitoring network communications of the computer network by monitoring packets communicated between devices that have been assigned to the plurality of zones with the network monitoring appliance;

capturing packet header information from monitored network communications;

in response to captured packet header information from a device on the computer network, accessing the configuration file to determine whether said device is authorized to communicate packets with another device in the computer network;

determining the zones participating in the monitored network communications based on information in the configuration file;

determining unauthorized network usage based upon the unauthorized zone data in the configuration file and captured packet header information indicating that a device in a first zone is attempting to communicate with a device in a second but unauthorized zone; and

upon detection of unauthorized network usage, generating an alarm from the network monitoring appliance for use by external equipment.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A zone locking system detects unauthorized network usage internal to a firewall. The system determines unauthorized network usage by classifying internal hosts inside a firewall into zones. Certain specified zones are unauthorized to initiate client communications with other selected zones. However, zone override services can be designated for each associated internal zone, and thus, authorizing selected network services. An alarm or other appropriate action is taken upon the detection of unauthorized network usage.

47 Citations

View as Search Results

83 Claims

1. In a computer network wherein packets are communicated between devices on to the computer network, a method for a network monitoring appliance to provide an alarm signal indicating unauthorized network usage by a device on the computer network, comprising the steps of:
- providing a configuration file for use by the network monitoring appliance that includes data reflecting prior assignment of a plurality of devices into a plurality of zones where devices assigned to a first zone are not authorized to communicate with devices assigned to a second zone, a zone comprising a plurality of devices that are selected without regard to which physical network the devices are associated with and without regard to whether the devices in a same zone are in a same physical network or in another physical network, a zone comprising a plurality of devices that are authorized to communicate;
  
  (i) with other devices in the same zone that are on the same physical network, and(ii) with other devices in the same zone that are on different physical networks isolated by a network device, but(iii) not with other devices in the same physical network that are in different zones;
  
  the configuration file further including unauthorized zone data specifying designated zones for which devices in a particular zone are not authorized to communicate with other devices in a different unauthorized zone;
  
  passively monitoring network communications of the computer network by monitoring packets communicated between devices that have been assigned to the plurality of zones with the network monitoring appliance;
  
  capturing packet header information from monitored network communications;
  
  in response to captured packet header information from a device on the computer network, accessing the configuration file to determine whether said device is authorized to communicate packets with another device in the computer network;
  
  determining the zones participating in the monitored network communications based on information in the configuration file;
  
  determining unauthorized network usage based upon the unauthorized zone data in the configuration file and captured packet header information indicating that a device in a first zone is attempting to communicate with a device in a second but unauthorized zone; and
  
  upon detection of unauthorized network usage, generating an alarm from the network monitoring appliance for use by external equipment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the step of generating an alarm includes providing an address to a filtering table to block the unauthorized network usage.
  - 3. The method of claim 1, wherein the steps of the method are carried out within a network device.
  - 4. The method of claim 1, wherein the configuration file is maintained in the network device.
  - 5. The method of claim 1, further comprising the step of providing a filter table comprising a list of source or destination addresses used to block unauthorized network usage.
  - 6. The method of claim 1, wherein a configuration file is provided for each zone.
  - 7. The method of claim 1, wherein a zone is defined by an IP address prefix, and wherein devices having the same IP address prefix are assigned to a single zone.
  - 8. The method of claim 1, wherein a subnet mask divides a network into predefined zones.
  - 9. The method of claim 1, wherein devices in one zone are allowed to communicate with devices in another zone utilizing a predetermined allowable service.
  - 10. The method of claim 9, wherein the alarm is generated if a device in one zone communicates with a device in another zone using an unauthorized service.
  - 11. The method of claim 1, wherein the zones are classified by user functions.
  - 12. The method of claim 1, wherein the zones are classified by subnet.
  - 13. The method of claim 1, wherein the zone data includes an additional zone for outside devices.
  - 14. The method of claim 1, wherein the devices operate behind a firewall.
  - 15. The method of claim 1, wherein the configuration file further includes override service data specifying particular network services in which devices in designated zones are authorized to communicate with devices in unauthorized zones notwithstanding the unauthorized zone data, and further comprising the step of permitting the communication between devices in response to the override service data.

16. In a computer network wherein packets are communicated between devices connected to the computer network in a client/server relationship, a method for a network monitoring appliance to generate an alarm signal indicating unauthorized network usage by a device on the computer network, comprising the steps of:
- providing a configuration file for use by the network monitoring appliance that includes data reflecting prior assignment of a plurality of devices including clients and servers into a plurality of zones where devices assigned to a first zone are not authorized to communicate with devices assigned to a second zone, a zone comprising a plurality of devices that are selected without regard to which physical network the devices are associated with and without regard to whether the devices in a same zone are in a same physical network or in another physical network, wherein devices as servers in a zone are authorized to communicate;
  
  (i) with other devices as clients in the same zone that are on the same physical network, and(ii) with other devices as clients in the same zone that are on different physical networks isolated by a network device, but(iii) not with other devices as clients in the same physical network that are in different zones;
  
  the configuration file further including unauthorized zone data specifying designated zones for which devices in a particular zone are not authorized to communicate with other devices in a different unauthorized zone;
  
  passively monitoring network communications internal to the computer network by monitoring packets communicated between devices that have been assigned to the plurality of zones with the network monitoring appliance;
  
  capturing packet header information from the monitored network communications;
  
  determining the zones participating in the monitored network communications based on information in the configuration file;
  
  determining unauthorized network usage based upon the unauthorized zone data in the configuration file and captured packet header information indicating that a client in a first zone is attempting to communicate with a server in a second but unauthorized zone; and
  
  generating an alarm signal from the network monitoring appliance for use by external equipment upon detection of unauthorized network usage.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 17. The method of claim 16, wherein the steps of the method are carried out within a network device.
  - 18. The method of claim 16, wherein the configuration file is maintained in the network device.
  - 19. The method of claim 16, further comprising the step of providing a filter table comprising a list of source or destination addresses used to block unauthorized network usage.
  - 20. The method of claim 16, wherein the step of generating an alarm signal includes adding a MAC address to the filtering table to block the unauthorized network usage.
  - 21. The method of claim 16, wherein a configuration file is provided for each zone.
  - 22. The method of claim 16, wherein a zone is defined by an IP address prefix, and wherein devices having the same IP address prefix are assigned to a single zone.
  - 23. The method of claim 16, wherein a subnet mask divides a network into predefined zones.
  - 24. The method of claim 16, wherein devices in one zone are allowed to communicate with devices in another zone utilizing a predetermined allowable service.
  - 25. The method of claim 24, wherein the alarm is generated if a device in one zone communicates with a device in another zone using an unauthorized service.
  - 26. The method of claim 16, wherein the zones are classified by user functions.
  - 27. The method of claim 16, wherein the zones are classified by subnet.
  - 28. The method of claim 16, wherein the devices operate behind a firewall.
  - 29. The method of claim 16, wherein the configuration file further includes override service data specifying particular network services in which devices in designated zones are authorized to communicate with devices in unauthorized zones notwithstanding the unauthorized zone data, and further comprising the step of permitting the communication between devices in response to the override service data.

30. In a data communication network wherein packets are communicated between devices on the data communication network, a system for providing an alarm signal indicating unauthorized network usage by a device on the data communication network, comprising:
- a computer system including a processor and a memory storing a configuration file that includes data reflecting prior assignment of a plurality of devices connected to the data communication network into a plurality of zones, a zone comprising a sub-grouping of devices, a zone comprising a plurality of devices that are selected without regard to which physical network the devices are associated with and without regard to whether the devices in a same zone are in a same physical network or in another physical network, wherein devices in a given zone are authorized to communicate;
  
  (i) with other devices in the same zone that are on the same physical network, and(ii) with other devices in the same zone that are on different physical networks isolated by a network device, but(iii) not with other devices in the same physical network that are in different zones;
  
  the configuration file further including unauthorized zone data specifying unauthorized zones for which devices in a particular zone are not authorized to communicate with devices in designated unauthorized zones;
  
  the computer system operative to;
  
  passively monitor network communications by capturing packet header information from packets communicated between devices that have been assigned to the zones;
  
  determine the zones participating in the monitored network communications based upon the unauthorized zone data in the configuration file;
  
  determine unauthorized network usage based upon the unauthorized zone data and captured packet header information indicating that a device in a first zone is attempting to communicate with a device in a second but unauthorized zone; and
  
  provide an alarm signal upon detection of unauthorized network usage.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 31. The system of claim 30, wherein the processor is further operative to provide an address of a device that is attempting to communicate with a device in an unauthorized zone to a filtering table to block the unauthorized network usage.
  - 32. The system of claim 31, wherein the filtering table comprises a list of source or destination addresses used to block unauthorized network usage.
  - 33. The system of claim 30, wherein a configuration file is provided for each zone.
  - 34. The system of claim 30, wherein a zone is defined by an IP address prefix, and wherein devices having the same IP address prefix are assigned to a single zone.
  - 35. The system of claim 30, wherein a subnet mask divides a network into predefined zones.
  - 36. The system of claim 30, wherein devices in one zone are allowed to communicate with devices in another zone utilizing a predetermined allowable service.
  - 37. The system of claim 36, wherein the alarm is generated if a device in one zone communicates with a device in another zone using an unauthorized service.
  - 38. The system of claim 30, wherein the zones are classified by user functions.
  - 39. The system of claim 30, wherein the zones are classified by subnet.
  - 40. The system of claim 30, wherein the zone data includes an additional zone for outside devices.
  - 41. The system of claim 30, wherein the devices operate behind a firewall.
  - 42. The system of claim 30, wherein the configuration file further includes override service data specifying particular network services in which devices in designated zones are authorized to communicate with devices in unauthorized zones notwithstanding the unauthorized zone data, and wherein the processor is operative to permit the communication between devices in response to the override service data.

43. In a data communication network wherein packets are communicated between devices on the data communication network, a system for providing an alarm signal indicating unauthorized network usage by a device on the data communication network, comprising:
- a computer system including a processor and a memory storing a configuration file that includes data reflecting prior assignment of a plurality of devices connected to the data communication network into a plurality of zones, a zone comprising a plurality of devices that are selected without regard to which physical network the devices are associated with and without regard to whether the devices in a same zone are in a same physical network or in another physical network, a zone comprising a plurality of devices that are authorized to communicate;
  
  (i) with other devices that are in the same zone that are on the same physical network, and(ii) with other devices in the same zone that are on different physical networks isolated by a network device, but(iii) not with other devices that are on the same physical network but in different zones;
  
  the configuration file further including unauthorized zone data specifying unauthorized zones for which devices in a particular zone are not authorized to communicate with devices in other unauthorized zones;
  
  the computer system operative to;
  
  receive override service data specifying particular network services for which devices in designated zones are authorized to communicate with devices in other unauthorized zones notwithstanding the unauthorized zone data;
  
  passively monitor network communications by capturing packet header information from packets communicated between devices;
  
  determine which devices are participating in the monitored network communications based on captured packet header information;
  
  determine the zones participating in the monitored network communications based upon the unauthorized zone data in the configuration file;
  
  determine unauthorized network usage based upon the unauthorized zone data, the override service data, and captured packet header information indicating that a device as a client in a first zone is attempting to communicate with a device as a server in a second but unauthorized zone and has not been overridden by the override service data; and
  
  provide an alarm upon detection of unauthorized network usage.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 44. The system of claim 43, wherein the processor is further operative to provide an address of a device that is attempting to communicate with a device in an unauthorized zone to a filtering table to block the unauthorized network usage.
  - 45. The system of claim 44, wherein the filtering table comprises a list of source or destination addresses used to block unauthorized network usage.
  - 46. The system of claim 43, wherein a configuration file is provided for each zone.
  - 47. The system of claim 43, wherein a zone is defined by an IP address prefix, and wherein devices having the same IP address prefix are assigned to a single zone.
  - 48. The system of claim 43, wherein a subnet mask divides a network into predefined zones.
  - 49. The system of claim 43, wherein devices in one zone are allowed to communicate with devices in another zone utilizing a predetermined allowable service.
  - 50. The system of claim 49, wherein the alarm is generated if a device in one zone communicates with a device in another zone using an unauthorized service.
  - 51. The system of claim 43, wherein the zones are classified by user functions.
  - 52. The system of claim 43, wherein the zones are classified by subnet.
  - 53. The system of claim 43, wherein the zone data includes an additional zone for outside devices.
  - 54. The system of claim 43, wherein the devices operate behind a firewall.
  - 55. The system of claim 43, wherein the configuration file further includes override service data specifying particular network services in which devices in designated zones are authorized to communicate with devices in unauthorized zones notwithstanding the unauthorized zone data, and wherein the processor is operative to permit the communication between devices in response to the override service data.

56. In a data communication network wherein packets are communicated between devices on the data communication network, a method for a network monitoring appliance to provide an alarm signal indicating unauthorized network usage by a device on the data communication network, comprising the steps of:
- providing a configuration file for use by the network monitoring appliance that includes data reflecting prior assignment of a plurality of devices on the data communication network to a plurality of communication zones, a zone comprising a sub-grouping of devices on the network that are allowed to communicate with each other, a zone comprising a plurality of devices that are selected without regard to which physical network the devices are associated with and without regard to whether the devices in a same zone are in a same physical network or in another physical network, wherein devices in each respective zone are authorized to communicate;
  
  (i) with other devices that are in the same zone that are on the same physical network, and(ii) with other devices in the same zone that are on different physical networks isolated by a network device, but(iii) not with other devices that are on the same physical network but in different zones;
  
  determining from the configuration file allowed network services that are allowed to be provided by a device as host in one zone to devices in different communication zones and storing the allowed network services as zone data;
  
  determining the zones participating in the monitored network communications based on information in the configuration file;
  
  passively monitoring the communications between the plurality of communication zones within the data communication network with the network monitoring appliance by capturing packet header information from packets communicated between devices that have been assigned to the zones;
  
  determining unauthorized network usage based upon the zone data and captured packet header information indicating that a device in a first zone is either (i) attempting to communicate with a device in a second zone for which communication is not authorized or (ii) attempting to utilize a service of a host in a second zone that is not allowed; and
  
  generating an alarm from the network monitoring appliance upon the detection of unauthorized network usage.
- View Dependent Claims (57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68)
- - 57. The method of claim 56, further comprising the step of providing an address of a device that is attempting to communicate with a device in an unauthorized zone to a filtering table to block the unauthorized network usage.
  - 58. The method of claim 57, wherein the filter table comprises a list of source or destination addresses used to block unauthorized network usage.
  - 59. The method of claim 56, wherein a configuration file is provided for each zone.
  - 60. The method of claim 56, wherein a zone is defined by an IP address prefix, and wherein devices having the same IP address prefix are assigned to a single zone.
  - 61. The method of claim 56, wherein a subnet mask divides a network into predefined zones.
  - 62. The method of claim 56, wherein devices in one zone are allowed to communicate with devices in another zone utilizing a predetermined allowable service.
  - 63. The method of claim 62, wherein the alarm is generated if a device in one zone communicates with a device in another zone using an unauthorized service.
  - 64. The method of claim 56, wherein the zones are classified by user functions.
  - 65. The method of claim 56, wherein the zones are classified by subnet.
  - 66. The method of claim 56, wherein the zone data includes an additional zone for outside devices.
  - 67. The method of claim 56, wherein the devices operate behind a firewall.
  - 68. The method of claim 56, wherein the configuration file further includes override service data specifying particular network services in which devices in designated zones are authorized to communicate with devices in unauthorized zones notwithstanding the unauthorized zone data, and further comprising the step of permitting the communication between devices in response to the override service data.

69. A computer program product that includes a non-transitory computer readable medium that is executable by a processor, the medium having stored thereon a sequence of instructions that when executed by the processor causes the processor to execute the steps of:
- accessing a configuration file that includes data reflecting prior assignment of a plurality of data communication devices into a plurality of zones where devices assigned to a first zone are not authorized to communicate with devices assigned to a second zone, a zone comprising a plurality of devices that are selected without regard to which physical network the devices are associated with and without regard to whether the devices in a same zone are in a same physical network or in another physical network, a zone comprising a plurality of devices that are authorized to communicate;
  
  (i) with other devices in the same zone that are on the same physical network, and(ii) with other devices in the same zone that are on different physical networks isolated by a network device, but(iii) not with other devices in the same physical network that are in different zones;
  
  the configuration file further including unauthorized zone data specifying designated zones for which devices in a particular zone are not authorized to communicate with other devices in a different unauthorized zone;
  
  passively monitoring network communications of the computer network by monitoring packets communicated between devices that have been assigned to the plurality of zones;
  
  capturing packet header information from monitored network communications;
  
  in response to captured packet header information from a device on the computer network, accessing the configuration file to determine whether said device is authorized communicate packets with another device in the computer network;
  
  determining the zones participating in the monitored network communications based on information in the configuration file;
  
  determining unauthorized network usage based upon the unauthorized zone data in the configuration file and captured packet header information indicating that a device in a first zone is attempting to communicate with a device in a second but unauthorized zone; and
  
  upon detection of unauthorized network usage, generating an alarm for use by external equipment.
- View Dependent Claims (70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83)
- - 70. The computer program product of claim 69, wherein the step of generating an alarm includes providing an address to a filtering table to block the unauthorized network usage.
  - 71. The computer program product of claim 69, wherein the steps of the method are carried out within a network device.
  - 72. The computer program product of claim 69, wherein the configuration file is maintained in the network device.
  - 73. The computer program product of claim 69, further comprising the step of providing a filter table comprising a list of source or destination addresses used to block unauthorized network usage.
  - 74. The computer program product of claim 69, wherein a configuration file is provided for each zone.
  - 75. The computer program product of claim 69, wherein a zone is defined by an IP address prefix, and wherein devices having the same IP address prefix are assigned to a single zone.
  - 76. The computer program product of claim 69, wherein a subnet mask divides a network into predefined zones.
  - 77. The computer program product of claim 69, wherein devices in one zone are allowed to communicate with devices in another zone utilizing a predetermined allowable service.
  - 78. The method of claim 77, wherein the alarm is generated if a device in one zone communicates with a device in another zone using an unauthorized service.
  - 79. The computer program product of claim 69, wherein the zones are classified by user functions.
  - 80. The computer program product of claim 69, wherein the zones are classified by subnet.
  - 81. The computer program product of claim 69 wherein the zone data includes an additional zone for outside devices.
  - 82. The computer program product of claim 69, wherein the devices operate behind a firewall.
  - 83. The computer program product of claim 69, wherein the configuration file further includes override service data specifying particular network services in which devices in designated zones are authorized to communicate with devices in unauthorized zones notwithstanding the unauthorized zone data, and further comprising the step of permitting the communication between devices in response to the override service data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Lancope, Inc. (Cisco Systems, Inc.)
Inventors
Jerrim, John, Copeland, John A. III
Primary Examiner(s)
Burgess; Barbara N

Application Number

US12/628,892
Publication Number

US 20100138535A1
Time in Patent Office

448 Days
Field of Search

709/203, 709/223, 709/224, 709/225, 709/227, 709/212
US Class Current

709/224
CPC Class Codes

G06F 21/1012   to domains

G06F 21/552   involving long-term monitor...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/02   for separating internal fro...

H04L 63/1416   Event detection, e.g. attac...

Network service zone locking

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

83 Claims

Specification

Solutions

Use Cases

Quick Links

Network service zone locking

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

83 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links