A data network transports information among a number of various devices such as computers, display terminals, routers, printers, hubs, and so forth. Each of the devices interconnected by a given network are coupled to the network, usually through an electrical or optical connection. Furthermore, each device uses a uniform communications protocol enabling any device to transmit data to any other device. The Internet Protocol (IP) is a prevalent communications protocol that is used throughout the worldwide Internet and among self-contained corporate and private networks now known as "Intranets". Each device connected to an IP-compliant network is identified by a unique address or identification means, such as an IP address.
Although IP provides a good way to interconnect diverse types of data equipment, a problem arises as devices bearing confidential information or controlling important functions are connected to a network. Because IP is a standard protocol in such widespread use, devices attached to an IP network are significantly exposed to potential unauthorized access through the Internet and Intranets. Networked devices such as servers usually include authentication features to prevent unauthorized use of the server through the network. Any weakness in a device's security measures are likely to be found eventually and exploited by parties who desire to gain unauthorized access, alter or damage the IP device, or obtain sensitive information.
To assess the exposure of devices interfaced to a network, scanning software is commercially available that can be used to probe the IP interface of a given device and determine if it is vulnerable. Much like virus-detecting software, the IP scanning software is subject to constant updates as new vulnerability mechanisms are discovered. To test for vulnerability, scanning software operates in a processor connected to the communications network and is invoked upon an IP address of the device to be tested. The use of this scanning software is usually licensed by assessing a charge for each instance of checking an individual IP address, regardless of the outcome of the analysis.
Not all devices connected to a network offer services whereby they may be subject to exploitation. Networked input/output devices, such as display terminals and printers, typically do not pose significant security risks. Exposure analysis is more appropriate for devices like host computers (servers or other shareable devices) that offer services such as TELNET, FTP, WWW, SMTP mail, SNMP NetBIOS, and so forth. This means that exposure analysis need only be directed at addresses corresponding to shareable devices, such as servers.
For scanning to be effective, it should be repeated periodically and therefore should be done as quickly and as efficiently as possible. An internal network in a large corporation may have more than one million IP addresses. The scanning process for all of the addresses in such a list can often take days, weeks or even months depending upon the number of scanning devices used. It is costly, time consuming, and wasteful to attempt to check every possible IP address in a given domain of addresses, particularly if only a small proportion of addresses actually correspond to vulnerable devices.
A typical problem occurs when the addresses of the shareable devices are unknown and are within a large domain of IP addresses. Addresses of various devices in a system often change for many reasons. Further, it has proven difficult to accurately track address changes among devices in a network. Merely scanning a previously compiled list of shareable devices is likely to provide inaccurate or incomplete system vulnerability information. Furthermore, such a list may no longer provide accurate information as to the services provided by each shareable device. A scanning operation may be incomplete if only the services previously listed are checked for system vulnerability.
It would thus be desirable to devise a method that could significantly reduce the time and cost involved in scanning for vulnerable devices in an IP network. Further, it would be desirable to scan a given shareable device for only those services provided by that shareable device rather than taking the time to scan for all possible services. Finally, it would be desirable to obtain reports summarizing the results of such scanning in a timely fashion before damage is incurred through any security exposures.