The present invention generally pertains to the field of networked computers. More particularly, the present invention is related to a method for enhancing network security by detecting that a network has been accessed by an entity not authorized for such access.
Modern computing networks allow great benefits by sharing information and computing resources. However, such networking presents several security issues. One such security issue is detecting that the security of a network has been potentially compromised by unauthorized access. Detection of such potential security compromise requires the detection of access to the computing network by entities lacking authorization to have such access.
Related to this issue of unauthorized access is a second security issue, which is preventing an unauthorized device, e.g., a computing and/or communications device wielded by an unauthorized entity, from actually getting into the network. Also related to this second security issue is preventing such an unauthorized device that does penetrate the network from learning about the existence of network resources.
Further, related to the foregoing security issues is another: if an unauthorized device is detected, e.g., that its access to a network has not been prevented, the portion of the network to which it has access must at least be restricted. This can delimit the mischief the unauthorized device can cause.
Conventionally, two principal methods moderate access to a network. The first of these methods requires some type of identity authentication process for the entity attempting to access the network, effectively restricting network access to authorized persons. An example of this first method is the IEEE 802.1X protocol, discussed in more detail below, wherein a satisfactory authentication interaction is required prior to any exposure of the network to the entity attempting to access it.
The second such method is the deployment of techniques to detect intrusion. An example of this second method is an Intrusion Detection System (IDS). An IDS employs software that detects unauthorized entrance to a network and/or to computer system components thereof. A network IDS (NIDS) supports multiple hosts. Typically, an IDS looks for signatures of known attempts to breach security as a signal of a possible security violation. An IDS may also look for deviations of normal routines as indications of a possible intrusion or other network security violation.
Referring to FIG. 1, most networks 120 have firewalls 135 to prevent unauthorized users from directly accessing the network 120 from outside the network 120 (e.g., from the Internet 140). The firewall 135 may be implemented in software on a computer, in a router, in a stand-alone firewall box, etc. The network 120 may also have a Virtual Private Network (VPN) gateway 130. Virtual Private Networks enjoy the security of a private network via access control and encryption. All traffic from the Internet 140 goes through either the firewall 135 or the VPN gateway 130. Thus, a certain measure of protection is provided for those paths.
However, the firewall 135 and VPN gateway 130 will not detect or prevent unauthorized access from within the network 120. For example, with a typical Ethernet network anyone that has physical access to a hardware port 128 on the network can attach a laptop computer 125 to gain access to the network 120, e.g., by using a Network Interface Card (NIC).
Unauthorized access can also be gained by attaching to a wireless Local Area Network (LAN) access point 127 attached to the network 120. Also, the firewall 135 may be avoided if a remote device connects to the network 120 using dial-up (RAS) 132 or even the Virtual Private Network gateway 130, thus achieving direct access to the network 120. For example, an employee having a username and a password may use a dial-up connection to obtain access to a corporate network.
Furthermore, with a typical Ethernet network, any device connected to the network 120 can communicate with any other device on that segment of the network 120. A router or switch may be programmed to block packets originating at a given device from leaving the segment. However, this conventional method will not prevent the unauthorized device from communicating with devices on its own segment.
One conventional method for providing security for a network is described in the IEEE 802.1X specification. Therein is described a hardware block technique as illustrated in FIG. 2. When a client device 126 first connects to the network, the client device 126 is only allowed to communicate with the authentication server 121. A hardware switch 131 prevents the client device 126 from accessing the full network 141. After the client device 126 authenticates with the authentication server 121, the hardware switch 131 allows the client device 126 to have access to the network 141.
Another conventional method for promoting network security also involves a degree of server control. In this scheme, a network is constituted by a centralized server and peripheral entities, interconnected via their individual NICs. A peripheral entity intercommunicates with the centralized server via its NIC. The centralized server promulgates intercommunication policies to the NIC, instructing its entity as to whether intercommunication between that entity and certain Internet Protocol (IP) addresses is permissible or forbidden.
The intercommunication policies promulgated by the centralized server may also instruct an entity to permit or to prohibit certain intercommunication related events. Examples of such events include allowing its NIC to go into a promiscuous mode, and allowing the generation of fake responses or other signals to polling and other network queries, in order to keep a session active and prevent termination, such as by timeouts.
The foregoing conventional methods of moderating network access are problematic for at least two major reasons. In the first place, requiring authentication procedure compliance to gain network access is not foolproof. "Spoofing," e.g., faking the sending address of a data transmission in order to "authenticate without authorization," if successful, may expose even a seemingly secure network to intrusion. Spoofing will be discussed in somewhat greater detail below.
Further, the "seemingly secure" nature of the network in such an instance creates an obviously false sense of security. This false sense of security has its own risks, because great amounts of mischief may occur under its camouflage. Such mischief may occur in a manner and on a scale unlikely in a patently insecure system, wherein network participants would more probably know to take appropriate precautions.
Secondly, conventional methods of detecting intrusion into secured networks typically seek effects there caused by the presence of and/or actions there taken by unauthorized entities who have gained access thereto. In many cases, this amounts to nothing more than internal damage assessment. It thus provides no ability to prevent the intrusion or resultant damage, or even to detect such intrusion in real time or near real time.
Another difficulty with conventional network security lies in how to detect unauthorized entry into certain network areas by an entity authorized to access other areas, and to prevent such unauthorized access. Once an entity has access to a portion of a network to which it is authorized for such access, problems may occur when that entity spoofs to gain access to other network areas normally off limits, e.g., restricted to it. However, it has proven difficult to establish conventional networking regimes that effectuate segregation of a network into areas differentially accessible to various entities.
On an exemplary corporate LAN for instance, an entity authorized for access to engineering may lack authority to access accounting, legal, personnel, marketing, and executive areas. Another entity thereon may be authorized access to accounting and personnel, but engineering, legal, and various other areas may be restricted to it. An entity wielded by a senior executive may, of course, require access to most, if not all, of the areas on the exemplary LAN.
Spoofing for intrusive access to a network and/or other circumvention or defeat of network security protocols may proceed by any of a number of different schemes. These schemes may be executed singly or in combination. Examples of more problematic spoofing schemes include the following.
As discussed above, an entity intruding upon a network may initiate spoofing. Spoofing may be effectuated in a number of ways. Exemplary methods by which spoofing has successfully led to intrusive network security violations include transmitting data packets purporting to originate from another entity, e.g., an entity authorized for access to the network being intruded upon. Spoofing by this method, an intrusive entity transmits identification information among the spoofing data packets which falsely claim the identity of (e.g., identifies the intrusive spoofing entity to the network by) the Internet Protocol (IP) address of the NIC of an authorized entity.
Similarly, an intrusive entity may engage in spoofing by transmitting data packets duplicating the media access control (MAC) address of an authorized entity. A MAC address is a single number used by NICs, such as Ethernet and Token Ring adapters, serving to uniquely identify that NIC from all others. The MAC address identifier is a participant in the MAC layer functionality of network adapters, including IEEE 802.1X and other IEEE 802 protocols, controlling access to the physical transmission media of a network.
This form of spoofing may be carried out in an attempt to gain access to network addresses that check MAC addresses. Such spoofing may also be conducted in an attempt to intercept network traffic intended only for the NIC that legitimately holds that MAC address.
Importantly, although each NIC does have a unique MAC Address burned into it, this preset MAC Address is effectively only that NIC's default MAC Address. It is possible for the driver software controlling that NIC to override this burned-in MAC Address by instructing the NIC to adopt a different MAC Address for use, similar or even identical in format to the burned-in MAC Address, but differing in some identifying detail. This possibility is what actually effectuates spoofing in this particular manner. Further, some NICs may allow the burned-in MAC Address to actually be changed, such as by having new information burned into them, thus overwriting the original burned-in MAC Address. This also effectuates this mode of spoofing.
In the case of an entity whose MAC address rightfully gains it access to a certain portion of a network, spoofing may be attempted to intrude upon restricted areas of the network. Spoofing in such cases has been conducted by the entity admitted to the unrestricted area, then transmitting data packets purporting to have the MAC address of another entity, e.g., one permitted access to the restricted area.
Typically, entities seeking access to a network initiate a communicative interaction with a dynamic host configuration protocol (DHCP) server, wherein among other actions, the entity seeking access requests assignment of a network-specific IP address by that server. However, an intrusive entity may engage in spoofing by attempting to circumvent this assignment. Spoofing by this method, the intrusive entity adopts a static, e.g., unchanging, effectively permanent IP address, instead of requesting one from the network's DHCP server.
Networks are often segregated into localized sub-networks (e.g., subnets). Typically, IP addresses of entities within a particular subnet conform to some local configuration standard, identifying them as local IP addresses and assigning them an access level. These addresses would be assigned by a switch or a router respectively switching or routing data packets from those entities onto that particular subnet. However, an intrusive entity may engage in spoofing by attempting to circumvent this convention. Such spoofing includes the transmission of data packets having IP addresses inappropriate to that subnet, e.g., foreign to the configuration standard IP address identifier typically assigned by the routers and/or switches serving that subnet.
Segregated into local subnets, local network data traffic follows corresponding routing and switching pathways, which are also appropriate to the configuration of the local subnets. However, an intrusive entity may engage in spoofing by attempting to obscure, misrepresent, and/or otherwise obfuscate the path its data packets take. Such spoofing includes the transmission of data packets having IP addresses inappropriate to the pathway data packets would normally take on a particular subnet and possibly foreign to the configuration of that subnet.
The foregoing examples are not meant to be an exhaustive list of spoofing schemes used to intrude into secured networks or otherwise breach network security measures. They represent some of the more problematic of such spoofing schemes. However, in as much as such intrusions and other security breaches enabled by such spoofing continue to be problematic to networking and costly to users of networks, countermeasures to such schemes are sought. Such countermeasures should be capable of implementation without gross revamping of network architecture or burdening network accessibility by legitimate authorized entities.
Thus, a need exists for a way to detect unauthorized access to a network. Another need exists for a way to detect unauthorized access to a network by ascertaining the presence of spoofing activity. A need also exists for a NIC to detect unauthorized access to a network by ascertaining the presence of spoofing activity by monitoring for packets purporting to be from itself. Further, a need exists to detect unauthorized access to a network by ascertaining the presence of spoofing activity in a manner that does not require gross revamping of network architecture or the burdening of network accessibility by legitimate authorized entities.
Embodiments of the present invention provide a way to detect unauthorized access to a network. In one embodiment, the present invention provides a way to detect unauthorized access to a network by ascertaining the presence of spoofing activity. One embodiment provides a way for a NIC to detect unauthorized access to a network by ascertaining the presence of spoofing activity by monitoring for packets purporting to be from itself. These embodiments detect unauthorized access to a network by ascertaining the presence of spoofing activity in a manner that does not require gross revamping of network architecture or the burdening of network accessibility by legitimate authorized entities.
In one embodiment, a way is provided for a NIC to detect unauthorized access to a network by ascertaining the presence of spoofing activity by monitoring for data packets purporting to be from itself. In the present embodiment, a NIC views data packets trafficking on the network to which it is connected. The NIC detects spoofing during this watch when it discovers among such packets certain data packets having the NIC's MAC Address as their source, but which the NIC did not send.
In one embodiment, a NIC is connected to a network whereon TCP/IP networking is being used. In the present embodiment, a NIC views data packets trafficking on the network to which it is connected. The NIC detects spoofing during this watch when it discovers among such packets certain data packets having the NIC's IP address as their source, but which the NIC did not send.
In both of the immediately foregoing embodiments, a NIC detects spoofing activity by discovery of data packets purporting to be from itself, but which originate not from that particular NIC, but from elsewhere. It is probable in such circumstances that the origin of such falsely purporting packets is some other, suspicious entity. Such suspect entities may be rogue entities attempting to gain unauthorized access to the network to which the observant NIC is coupled.
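The two embodiments above (a NIC watching for frames that carry its own MAC address, and a NIC watching for frames that carry its own IP address, neither of which it transmitted) can be written as one detector. The following is an added example, not code from the patent; the Frame record, the use of the IP identification field to fingerprint the NIC's own transmissions, and all sample addresses are assumptions constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Fields of an observed Ethernet/IP frame needed here (constructed sample format)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    ip_id: int  # IP identification field, used to tell our own frames apart (assumption)


class SelfSpoofDetector:
    """A NIC's view: flag frames that name this NIC as source but that it never sent.

    record_sent() is called on the transmit path; observe() on every frame captured
    in promiscuous mode. A frame the NIC sent itself is consumed once and not flagged.
    """

    def __init__(self, own_mac, own_ip):
        self.own_mac = own_mac.lower()
        self.own_ip = own_ip
        self._sent = set()   # fingerprints of frames this NIC actually transmitted
        self.alerts = []     # (frame, reasons) for every flagged frame

    @staticmethod
    def _fingerprint(frame):
        return (frame.src_mac.lower(), frame.src_ip, frame.dst_ip, frame.ip_id)

    def record_sent(self, frame):
        """Called by the driver for each frame this NIC puts on the wire."""
        self._sent.add(self._fingerprint(frame))

    def observe(self, frame):
        """Return the list of spoof indicators for this frame ([] if clean)."""
        fp = self._fingerprint(frame)
        if fp in self._sent:
            self._sent.discard(fp)  # our own transmission echoed back past the tap
            return []
        reasons = []
        if frame.src_mac.lower() == self.own_mac:
            reasons.append("mac")   # another station is using our MAC address
        if frame.src_ip == self.own_ip:
            reasons.append("ip")    # another station is using our IP address
        if reasons:
            self.alerts.append((frame, reasons))
        return reasons


def run_sample():
    """Replays constructed traffic and returns the indicator list per observed frame."""
    det = SelfSpoofDetector("AA:BB:CC:00:00:01", "10.1.0.10")
    own = Frame("aa:bb:cc:00:00:01", "10.1.0.10", "10.1.0.1", 4096)
    det.record_sent(own)
    traffic = [  # constructed sample capture
        own,                                                      # our own frame
        Frame("aa:bb:cc:00:00:09", "10.1.0.23", "10.1.0.1", 77),  # unrelated host
        Frame("aa:bb:cc:00:00:01", "10.1.0.23", "10.1.0.1", 78),  # our MAC, other IP
        Frame("aa:bb:cc:00:00:09", "10.1.0.10", "10.1.0.1", 79),  # our IP, other MAC
        Frame("aa:bb:cc:00:00:01", "10.1.0.10", "10.1.0.1", 80),  # both, never sent by us
    ]
    return [det.observe(f) for f in traffic]
```

On a switched segment a NIC normally does not see its own frames reflected back, so the sent-fingerprint set stays small; it is there so that a hub, a mirror port or a loopback path cannot turn the NIC's own traffic into a false alarm. Once a fingerprint has been consumed, a second copy of the same frame is reported, which is the desired behaviour for a replayed frame.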
In other embodiments, a way is provided to detect unauthorized access to a network by ascertaining the presence of spoofing activity by searching for changing MAC addresses. The present embodiment looks for an entity that, through its NIC, has been using a certain IP address while connected to the network, and then ceases to use the MAC address originally presented to the network for authorization and adopts, e.g., claims to have, a new MAC address. This type of activity is considered highly suspicious; its observation effectuates detection of spoofing.
In further embodiments, unauthorized access to a network is detected by ascertaining the presence of spoofing activity by tracking IP addresses. An intrusive entity may spoof by attempting to circumvent the assignment of on-network IP addresses by a network DHCP server and instead, claiming for itself a static, e.g., unchanging, effectively permanent IP address. Observing such activity effectuates the detection of this form of spoofing.
In still further embodiments, unauthorized access to a network is detected by ascertaining the presence of spoofing activity by scanning for non-local IP addresses. Intrusive entities may be presenting for authorization and/or other network access activities an IP address inappropriate for the subnet they seek access to. In the present embodiment, observing such apparently non-local IP addresses effectuates the detection of another mode of spoofing activity.
Another embodiment of the present invention detects unauthorized access to a network by ascertaining the presence of spoofing activity by confirming the routing of non-local IP addresses. Routing tables extant upon a packet-receiving network entity, as well as routing tables on switches and routers assigned to handling network traffic present a path verification record to ascertain the path a data packet followed to get to the receiving entity. Such data packets have expected pathways. Observing that certain data packets do not originate where they were expected to effectuates the detection of spoofing in the present embodiment.
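The four embodiments above (a MAC address that changes for a given IP address, an IP address never issued by the DHCP server, a source address foreign to any configured subnet, and a routed address arriving over an unexpected path) share the same inputs, so the following added example implements them as one monitor. It is not code from the patent; the Packet record, the subnet, the DHCP lease table, the route table mapping prefixes to expected ingress interfaces, and all sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of an observed IP packet (constructed format for this example)."""
    src_mac: str
    src_ip: str
    ingress_if: str  # interface the observer received the packet on


class SpoofMonitor:
    """Applies the four checks to a stream of observed packets.

    local_subnet: the observer's own subnet, e.g. "10.1.0.0/24"
    dhcp_leases:  {ip: mac} as issued by the subnet's DHCP server (assumed available)
    routes:       {prefix: ingress_interface} the path each prefix is expected to arrive by
    """

    def __init__(self, local_subnet, dhcp_leases, routes):
        self.local_subnet = ipaddress.ip_network(local_subnet)
        self.leases = {ip: mac.lower() for ip, mac in dhcp_leases.items()}
        self.routes = {ipaddress.ip_network(n): i for n, i in routes.items()}
        self.bindings = {}  # src_ip -> MAC first seen claiming it
        self.alerts = []    # (packet, findings) for every packet with at least one finding

    def _expected_ingress(self, ip):
        """Longest-prefix match over the route table; None if no prefix covers ip."""
        best = None
        for net, iface in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def check(self, pkt):
        """Return a list of (kind, detail) findings for one packet ([] if clean)."""
        ip = ipaddress.ip_address(pkt.src_ip)
        mac = pkt.src_mac.lower()
        findings = []

        # Check 1: the MAC claiming a given IP must not change once seen.
        prev = self.bindings.setdefault(pkt.src_ip, mac)
        if prev != mac:
            findings.append(("mac-change", f"{pkt.src_ip}: {prev} -> {mac}"))

        if ip in self.local_subnet:
            # Check 2: a local address must have been leased by DHCP, and to this MAC.
            leased_to = self.leases.get(pkt.src_ip)
            if leased_to is None:
                findings.append(("no-dhcp-lease", f"{pkt.src_ip} claimed by {mac}"))
            elif leased_to != mac:
                findings.append(("lease-mismatch",
                                 f"{pkt.src_ip} leased to {leased_to}, seen from {mac}"))
        else:
            expected = self._expected_ingress(ip)
            if expected is None:
                # Check 3: a source address that no configured prefix covers.
                findings.append(("non-local-source", f"{pkt.src_ip} has no route"))
            elif expected != pkt.ingress_if:
                # Check 4: a routed address that arrived over the wrong path.
                findings.append(("unexpected-path",
                                 f"{pkt.src_ip} expected via {expected}, got {pkt.ingress_if}"))

        if findings:
            self.alerts.append((pkt, findings))
        return findings


def run_sample():
    """Feeds constructed packets through the monitor; returns finding kinds per packet."""
    monitor = SpoofMonitor(
        "10.1.0.0/24",
        {"10.1.0.10": "aa:bb:cc:00:00:01", "10.1.0.11": "aa:bb:cc:00:00:02"},
        {"10.1.0.0/24": "eth0", "10.2.0.0/16": "eth1"},
    )
    sample = [  # constructed
        Packet("aa:bb:cc:00:00:01", "10.1.0.10", "eth0"),    # legitimate local host
        Packet("aa:bb:cc:00:00:02", "10.1.0.10", "eth0"),    # a second MAC now claims .10
        Packet("aa:bb:cc:00:00:03", "10.1.0.50", "eth0"),    # static address, never leased
        Packet("aa:bb:cc:00:00:04", "10.2.5.5", "eth1"),     # routed host, expected path
        Packet("aa:bb:cc:00:00:04", "10.2.5.6", "eth0"),     # routed prefix on the LAN port
        Packet("aa:bb:cc:00:00:05", "192.168.9.9", "eth0"),  # address with no route at all
    ]
    return [(p.src_ip, [kind for kind, _ in monitor.check(p)]) for p in sample]
```

Check 1 is deliberately strict: a lease that legitimately expires and is reissued to another host will also trip it, so in practice the binding table should be refreshed from DHCP lease events rather than kept forever. Checks 3 and 4 are kept separate because they call for different responses: an unroutable source address has no legitimate explanation on the segment, whereas a wrong-path packet may also indicate a misconfigured router.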
None of the foregoing detection methods require gross revamping of network architecture or the burdening of network accessibility by legitimate authorized entities. They are all effectuated upon network hardware already extant. Thus, embodiments of the present invention may be implemented without great expenditure of resources to develop and deploy new types of networks and related hardware. However, embodiments of the present invention may be applied to new network architectures and related hardware as they develop.
These and other advantages of the present invention will no doubt become obvious to those of ordinary skill in the art after having read the following detailed description of the preferred embodiments which are illustrated in the various drawing figures.