The rapid growth in devices capable of connecting to a network, and their increasingly vital role in day-to-day operations, have created a need for the ability to easily manage, access, and service these devices. The functionality of these devices has created a need to provide external access to the network that was not previously required. This access comes with both substantial advantages and inherent security weaknesses.
The network devices no longer merely exist in a highly controlled environment, but are ubiquitous in everyday life. They exist in homes, medical offices, retirement communities, hotels, apartment buildings, yachts, airplanes, and virtually anywhere humans live or work. By their very nature, these devices require exposing the network to security weaknesses that would previously not have been permitted, in order to support their functionality. An example of this would be the port forwarding that is required to permit external access to an internet protocol (“IP”) device, such as a digital video recorder (“DVR”) or IP camera, as well as the network services that support these devices. This increased opening of ports provides a larger target for common network vulnerability scanning tools.
In computer networking, a port is an application-specific or process-specific software construct serving as a communications endpoint used by transport layer protocols of the internet protocol suite, such as the transmission control protocol (“TCP”) and the user datagram protocol (“UDP”). A specific port is identified by its number, commonly known as the port number, the IP address with which it is associated, and the protocol used by the port for communication.
For example, Nmap is a “Network Mapper” used to discover computers and services on a computer network, thus creating a “map” of the network. Just like many simple port scanners, Nmap is capable of discovering passive services on a network despite the fact that such services are not broadcasting themselves with a service discovery protocol. In addition, Nmap may be able to determine various details about the remote computers or devices on the network. Such details may include operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of certain firewall techniques, and, on a local area network, even the vendor of the remote network card or interface. Opening these ports also exposes other devices on the network, which would not normally be externally accessible, to unnecessary risk. By leaving these additional outside ports open, the risk of one of the devices being compromised is increased.
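The scanning behaviour described above, seen from the network operator's side, shows up as one source touching many distinct destination ports on one host in a short time. The following is an added example, not part of the original text: it parses constructed firewall log lines (the line format, the IP addresses, and the threshold and window values are all assumptions made for this illustration) and flags any source whose distinct-port count against a single host exceeds a threshold inside a sliding time window.

```python
"""Flag port-scan-like activity in firewall log lines.

Added example, not from the original text. Log line format (constructed):
  "<epoch_seconds> <src_ip> -> <dst_ip>:<dst_port>/<proto> <action>"
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+"
    r"(?P<action>\w+)$"
)

# Constructed sample log: one source probes twelve consecutive ports on the
# DVR within about 20 seconds; a legitimate client only uses two service ports.
SAMPLE_LOG = [
    *[f"{1700000000 + i * 2} 203.0.113.5 -> 192.0.2.10:{21 + i}/tcp DROP" for i in range(12)],
    "1700000005 198.51.100.7 -> 192.0.2.10:443/tcp ACCEPT",
    "1700000009 198.51.100.7 -> 192.0.2.10:443/tcp ACCEPT",
    "1700000040 198.51.100.7 -> 192.0.2.10:80/tcp ACCEPT",
    "this line is malformed and must be skipped",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": int(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "proto": m["proto"],
        "action": m["action"],
    }


def detect_scanners(lines, port_threshold=10, window_seconds=60):
    """Map (src, dst) -> max number of distinct ports seen within any window.

    Only pairs that reach port_threshold are returned. Both parameters are
    assumed tuning values; real deployments would pick them per environment.
    """
    events = defaultdict(list)  # (src, dst) -> [(ts, (port, proto))]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        events[(rec["src"], rec["dst"])].append((rec["ts"], (rec["port"], rec["proto"])))

    hits = {}
    for key, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            # shrink the window from the left until it spans at most window_seconds
            while evs[right][0] - evs[left][0] > window_seconds:
                left += 1
            distinct = {svc for _, svc in evs[left:right + 1]}
            if len(distinct) >= port_threshold:
                hits[key] = max(hits.get(key, 0), len(distinct))
    return hits


if __name__ == "__main__":
    for (src, dst), count in detect_scanners(SAMPLE_LOG).items():
        print(f"{src} touched {count} distinct ports on {dst}")
```

The window is applied per source/destination pair so that a busy but legitimate client reusing the same few service ports is not flagged; lowering the threshold or widening the window trades false positives for sensitivity to slow scans.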
Devices that are connected to the network and are not normally accessible can now be accessed through the external connection that was intended for a different target device. For example, an unauthorized user exploiting ports left open for a remote desktop protocol could now leverage the access to the remote computer, thereby gaining access to a video camera that was previously only accessible internally.
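The exposure described above can be checked for at the point where it is introduced: the port-forwarding rules. The following is an added example, not part of the original text, that reviews a constructed list of router forwarding rules against the devices and services the operator actually intends to expose, and separately flags any forward that reaches a remote-administration port such as RDP. The rule syntax, addresses, and the intended-device list are all constructed for the illustration.

```python
"""Review port-forwarding (NAT) rules against the devices they are meant to expose.

Added example, not part of the original text; rule format and data are constructed.
"""

# Constructed: services the operator intends to expose, keyed by internal host.
INTENDED = {
    "192.0.2.10": {("tcp", 554), ("tcp", 8000)},  # DVR: RTSP stream and web UI
    "192.0.2.11": {("tcp", 554)},                 # IP camera: RTSP stream only
}

# Constructed: remote-administration services that should not be reachable from outside.
MANAGEMENT_PORTS = {("tcp", 3389): "rdp", ("tcp", 23): "telnet", ("tcp", 22): "ssh"}

# Constructed router rules: "<external_port>/<proto> -> <internal_ip>:<internal_port>"
RULES = [
    "554/tcp -> 192.0.2.10:554",
    "8000/tcp -> 192.0.2.10:8000",
    "5554/tcp -> 192.0.2.11:554",
    "3389/tcp -> 192.0.2.50:3389",  # a workstation, not an intended external device
    "8080/tcp -> 192.0.2.10:80",    # the DVR, but a service not on the approved list
]


def parse_rule(rule):
    """Split one constructed rule string into its parts."""
    ext, _, internal = rule.partition("->")
    ext_port, proto = ext.strip().split("/")
    host, int_port = internal.strip().split(":")
    return {"ext_port": int(ext_port), "proto": proto, "host": host, "int_port": int(int_port)}


def review_rules(rules, intended=INTENDED, mgmt=MANAGEMENT_PORTS):
    """Return (rule, reason) findings for forwards that widen exposure beyond intent."""
    findings = []
    for rule in rules:
        r = parse_rule(rule)
        svc = (r["proto"], r["int_port"])
        if r["host"] not in intended:
            findings.append((rule, "forwards to a host that is not an intended external device"))
        elif svc not in intended[r["host"]]:
            findings.append((rule, "forwards a service not approved for this device"))
        if svc in mgmt:
            findings.append((rule, f"exposes remote administration ({mgmt[svc]})"))
    return findings


if __name__ == "__main__":
    for rule, reason in review_rules(RULES):
        print(f"{rule}: {reason}")
```

Keeping the intended-exposure list as explicit data, rather than relying on memory of why each rule exists, is what makes a rule such as the RDP forward stand out when it is reviewed later.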
With the wide variety of manufacturers of network-accessible devices that are entering into the network marketplace, there is yet to be a standard developed for providing access to and management of these devices. This has left each entity who is responsible for managing these networks and the manufacturers who sell the devices to determine and derive their own best practices for network security.
IP devices entering into increasingly vital arenas that have historically had little-to-no interface with the network (e.g., health monitoring devices) raise important personal privacy issues, and the issue of increased uptime and timely servicing has come to the forefront in network management. This phenomenon has created a need for an ever-increasing number of people to have remote access to networks, devices, information, and data. At the same time, however, there are no corresponding standards of accountability in managing this increased access flow that could impact other types of information security standards, such as the Health Insurance Portability and Accountability Act (“HIPAA”).
With the increase in IP devices and the need to access and manage their performance, the number of devices that any given administrator accesses and manages on a daily basis has grown, proportionally increasing the burden placed on the administrator. This phenomenon has created a need for a simple-to-use system that can centrally access and manage devices/networks in multiple geographical locations simultaneously, by any number of concurrent users.
The administrators who manage these network systems face a difficult and ever-increasing problem: how to balance the need for a secure password on each of these devices against the need to let users access the devices as part of their daily job, or to let the end-user consumer access their IP appliances. This balance will only become more unmanageable as IP devices continue to proliferate in the marketplace. Because these complex IP device-driven networks and their associated login credentials are not centrally manageable, the common practice is to develop a password schema that is known to all users or is easily broken by password-guessing software. This practice increases the threat of unauthorized internal access to the device(s) and removes any form of accountability as to who gained access and when, including unknown access by IP device/appliance manufacturers.