The subject application is directed generally to computer network administration. More particularly, the subject application is directed to filtering data packets using communications protocols so as to prevent unauthorized access to networked devices.
Computer based networks, such as the Internet, transmit packets of information across its system. A packet is a sequence of binary digits, including data and control signals, that is transmitted and switched as a composite whole. The data, control signals, and possibly error control information, are arranged in a specific format. These formats may be expressed in the form of a protocol. A protocol is a formal set of conventions governing the format and control of interaction among communicating functional units. Protocols may govern portions of a network, types of services, or even administrative procedures. In a layered communications system architecture, such as the Internet, an intranet, Ethernet, or other computer network, a protocol is a formal set of procedures that are adopted to facilitate functional interoperation within that layered hierarchy. A resultant use of protocols is the ability of information systems to exchange information.
Most computer networks use the transmission control protocol, or TCP. The transmission control protocol is a network protocol that controls host-to-host transmissions over packet-switched communications networks. Acting in concert with TCP is the Internet protocol, or IP protocol. The IP protocol is a standard protocol designed for use in interconnected systems of packet-switched computer networks. The IP protocol provides for transmitting blocks of data called datagrams from sources to destinations, where sources and destinations are hosts identified by fixed-length addresses. The Internet protocol also provides for fragmentation and reassembly of long datagrams, if necessary, for transmission through small-packet networks. Fragmentation involves the breaking down of a long datagram into multiple datagrams, which are then transmitted and reassembled at the destination computer. The Transmission Control Protocol/Internet Protocol, or TCP/IP, controls how datagrams, or packets, are transmitted over the Internet. The TCP/IP are two interrelated protocols that are part of the Internet protocol suite. While TCP operates on the OSI Transport Layer and breaks data down into packets, IP operates on the OSI Network Layer and handles the routing of packets over the computer network.
Simple Network Management Protocol, or SNMP, is a TCP/IP standard protocol that (a) is used to manage and control IP gateways and the networks to which they are attached, (b) uses IP directly, bypassing the masking effects of TCP error correction, (c) has direct access to IP datagrams on a network that may be operating abnormally, thus requiring management, (d) defines a set of variables that the gateway must store, and (e) specifies that all control operations on the gateway are a side-effect of fetching or storing those data variables, i.e., operations that are analogous to writing commands and reading status.
Modern digital printing devices are often sophisticated enough to provide up-to-date device and print job status to administrators and users through the network protocols, described above. Using SNMP, an administrator is able to not only remotely access the device, but also able to remotely configure the device. Although very powerful as a management protocol, SNMP has one serious drawback, which is the lack of adequate security. SNMP has very limited security built into it. In a computer network, this equates to any user capable of viewing the resources available on a device. Virtually all users who have visibility to the printing device will be able to retrieve or even modify the device parameters. Visibility, as used herein means having the awareness of the status of a resource, which may or may not involve actually monitoring the resource.
Without built-in security features, it is desirable to have some mechanism for administrators to restrict visibility of the device to a smaller group of users. Enterprise firewalls are capable of blocking SNMP traffic from the Internet, however these do little to prevent SNMP access on the intranet side of the firewall. Although routers are capable of filtering network packets, there may not be a router located on an intranet.