Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both due to the intellectual challenge such attacks represent for hackers and due to the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to those attacks. As various attack methods are tried and ultimately repulsed, the attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is on-going, ever changing, and an increasingly complex problem.
Computer network attacks can take many forms and any one attack may include many security events of different types. Security events are anomalous network conditions each of which may cause an anti-security effect to a computer network. Security events include stealing confidential or private information; producing network damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network's capability in order to cause denial of service, and so forth.
Network security risk-assessment tools, i.e. “scanners,” may be used by a network manager to simulate an attack against computer systems via a remote connection. Such scanners can probe for network weaknesses by simulating certain types of security events that make up an attack. Such tools can also test user passwords for suitability and security. Moreover, scanners can search for known types of security events in the form of malicious programs such as viruses, worms, and Trojan horses.
During the course of scanning, such security risk-assessment tools often open remote network connections to various target systems. Most of these connections rely on Transmission Control Protocol/Internet Protocol (TCP/IP) connectivity to establish communications, and test for security risks. There are many of such security vulnerabilities. As such, testing for the presence of the vulnerabilities can become quite time consuming, especially when auditing a network consisting of hundreds or thousands of systems.
Most vulnerabilities are specific to a certain network service [e.g. Web servers via Hypertext Transfer Protocol (HTTP), or file servers via File Transfer Protocol (FTP)]. Each of these services is assigned to certain standard TCP ports. A port is a “logical connection place” by which a client program specifies a particular server program on a computer in a network. Higher-level applications that use TCP/IP, such as FTP and HTTP, have ports with pre-assigned numbers. These are referred to as “well-known ports” that have been assigned by the Internet Assigned Numbers Authority. Other application processes may be given port numbers dynamically for each connection. Port numbers range from 0 to 65535, totaling 65536. Ports 0 to 1024 are reserved for use by certain privileged services. For the HTTP service, port 80 is defined as a default number.
When the aforementioned security risk-assessment tools initiate a scan, connections must be established utilizing the foregoing ports. In view of the vast number of ports and the redundancy of their use, such process may be quite time consuming. This, in turn, results in high latencies during the scan.
Further latency may be incurred if the security risk-assessment scan is executed on a port that is unavailable or inactive. Typically, security risk-assessment tools delay a predetermined amount of time, i.e. a timeout, before abandoning a scan on an unavailable or inactive port. Across numerous target systems with numerous unavailable or inactive ports, this delay can be compounded to a significant sum.
There is thus a need for reducing such latencies in risk-assessment scanning, and particularly achieving such goal by addressing the inefficiencies incurred when establishing port connections and initiating scans on unavailable or inactive ports.