Computer networks are a key element in most modern communication systems. To protect the security and integrity of computer networks, various tools have been used by network administrators, government, and security consultants to test the vulnerabilities of computer networks. These tools may detect unauthorized access to the computer network, unauthorized attempts to access the computer network, or look for known vulnerabilities of the computer network. These tools are concentrated on the interface between the computer network and external networks, such as the Internet. The interface defines a change in the level of trust between two networks and/or computers. The interface can be characterized as a network border, and typically comprises hardware (e.g., servers) and software (e.g., firewalls).
To maintain the security and integrity of a computer network, all traffic should pass through network borders. Traditionally, network borders embodied dedicated security gateways that provided a single point of entry/exit for data traveling to/from a private network. These security gateways were often separate from the networking hardware and were highly customized to the specifications of the particular network. Recently, however, many hardware components, such as routers and switches, began incorporating security functions that are customized to particular vulnerabilities of the hardware component. As a result, the traditional model of a centralized security gateway for an entire network gave way to decentralized security features at the network hardware level, thereby creating a plurality of potential security vulnerability points or “breaks” in the network.
Such vulnerabilities in a network border are difficult to detect, yet easily created by accident or on purpose. Those breaks that involve a device participating in routing announcements are relatively easy to find; they will shape traffic to flow through them. Devices that simply forward traffic across their active network interfaces are difficult to detect. To detect them, the traffic flow must be detected or it must be known that they exist and potentially can pass traffic from an external network to an internal network. Additionally, when the internal network includes wireless technologies, another point of vulnerability is added. A wireless access point (WAP) may not contain the same security features as the rest of the border of the internal network. The WAP may become a point of failure allowing access to the internal network.
Further, the growth of proxy servers and peer devices has increased the vulnerability of internal networks. A peer device features the same network connections as a firewall and can provide the same path but without comparable security. Some routers that operate as a peer device to the firewall have a hidden forwarding ability that will pass traffic in unpredictable ways while altering the data packets to give the appearance that the traffic originates from the router itself. Also, proxy servers may be misconfigured, turning web access into a vulnerability where the web servers can be proxy-chained into a pathway that cuts into the internal network. Thus, in an effort to improve the security of the borders of an internal network, a method and system to detect breaks in the border of an internal network may be required.
One system and method for network vulnerability detection and reporting is disclosed in U.S. Pat. No. 7,257,630 (the '630 patent) to Cole et al. issued on Aug. 14, 2007. The '630 patent discloses determining a topology of a network and discovering a set of responsive computers, that is, externally accessible computers, on the network. The '630 patent discloses detecting services on each of the set of responsive computers by transmitting packets to ports of each of the set of responsive computers. In addition, the '630 patent discloses generating a list of responsive ports using the transmissions received in reaction to the transmission of the packets and determining an operating system used by each of the set of responsive computers. Further, the '630 patent discloses testing for vulnerabilities by using an automated vulnerability script on each responsive port in the list of responsive ports. Each of the automated vulnerability scripts tests a vulnerability known to be associated with a computer configuration corresponding to a particular responsive port and a particular operating system.
Although the system and method of the '630 patent may assess the vulnerability of a target computer via a network, it may have several shortcomings. Shortcomings include not testing for unidirectional vulnerabilities, only looking for known vulnerabilities on known computer types, and running the detection software on a production machine. For example, the system and method of the '630 patent detect vulnerabilities that provide access to a machine, and may not be able to detect unauthorized or improper communications originating from that machine, that is, unidirectional vulnerabilities. Also, the system and method of the '630 patent test for vulnerabilities known to be associated with a computer configuration comprising a particular responsive port and a particular operating system. The system and method of the '630 patent do not provide a means to detect unknown vulnerabilities. Nor do the system and method of the '630 patent provide a capability to test unknown computer configurations. Additionally, the '630 patent allows its system and method to be run on a production machine. A production machine is a computer that is part of the internal network and is running processes for the internal network. Using a production machine to execute the software of the system and method of the '630 patent may take computer resources away from the execution of production tasks assigned to that computer.
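The point made above about border breaks and unidirectional vulnerabilities (a device that forwards traffic across the border without participating in routing, possibly in one direction only) is detectable only from observed traffic flow rather than from an inbound scan. The following is an added illustration, not part of the patent or the '630 patent, of that flow-based check; the internal address range, the gateway name `fw-1`, and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed for this example: the internal address space and the name of the
# designated border firewall through which all crossing traffic should pass.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BORDER_GATEWAY = "fw-1"

# Constructed flow records in the shape a flow exporter would provide:
# the device that observed the flow and the flow's endpoints.
SAMPLE_FLOWS = [
    {"device": "fw-1",    "src": "10.0.1.5",     "dst": "203.0.113.10", "bytes": 1200},
    {"device": "fw-1",    "src": "203.0.113.10", "dst": "10.0.1.5",     "bytes": 800},
    {"device": "rtr-7",   "src": "10.0.2.9",     "dst": "198.51.100.3", "bytes": 4000},  # outbound only
    {"device": "wap-2",   "src": "198.51.100.3", "dst": "10.0.3.4",     "bytes": 300},
    {"device": "wap-2",   "src": "10.0.3.4",     "dst": "198.51.100.3", "bytes": 500},
    {"device": "core-sw", "src": "10.0.1.5",     "dst": "10.0.4.4",     "bytes": 100},   # never crosses
]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def crossing_direction(flow):
    """'outbound', 'inbound', or None when the flow does not cross the border."""
    src_in, dst_in = is_internal(flow["src"]), is_internal(flow["dst"])
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return None

def find_border_breaks(flows, gateway=BORDER_GATEWAY):
    """Border-crossing flows grouped by observing device, excluding the gateway.
    Any device that appears here is passing traffic around the firewall."""
    seen = defaultdict(lambda: {"inbound": set(), "outbound": set()})
    for f in flows:
        direction = crossing_direction(f)
        if direction is None or f["device"] == gateway:
            continue
        seen[f["device"]][direction].add((f["src"], f["dst"]))
    return dict(seen)

def unidirectional_breaks(flows, gateway=BORDER_GATEWAY):
    """Devices that pass border traffic in one direction only; an inbound
    probe of the border would never reveal an outbound-only break."""
    breaks = find_border_breaks(flows, gateway)
    return sorted(d for d, dirs in breaks.items()
                  if bool(dirs["inbound"]) != bool(dirs["outbound"]))

if __name__ == "__main__":
    for dev, dirs in find_border_breaks(SAMPLE_FLOWS).items():
        print(dev, {k: len(v) for k, v in dirs.items()})
    print("unidirectional:", unidirectional_breaks(SAMPLE_FLOWS))
```

On the constructed records, `rtr-7` is reported as a unidirectional (outbound-only) break and `wap-2` as a bidirectional one, while the traffic through `fw-1` and the purely internal flow are not flagged.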