Computer networks are capable of coupling many different types of devices, including, but not limited to, routers, workstations, servers, switches, bridges, hubs, IP telephones, IP video cameras, computer hosts, modem racks and printers. It is often desirable to obtain status information about the devices coupled to a network, and, in particular, to monitor such devices to detect the occurrence of conditions that warrant administrative attention. Simple Network Management Protocol (SNMP) is an Internet-standard protocol that was developed for managing devices on computer networks. In a typical SNMP application, one or more administrative computers (managers) are tasked with monitoring one or more devices on a computer network (the managed devices). A network management system (NMS) runs on the administrative computer which communicates with agent software modules running on the managed devices. Communications between the administrative computer and a managed device may be based upon an explicit request, with the administrative computer issuing a request for information and the managed device responding to the request, or pushed, with the managed device providing an asynchronous notification to the administrative computer (an SNMP Trap message). The data that may be collected about routers and switches using SNMP can be invaluable to network administrators. However, utilizing SNMP could make a network vulnerable to security attacks, if the security features of SNMP are not enabled or not properly enabled. For example, the first two versions of SNMP provided for a community string (i.e., a password) and for an access list of authorized devices. Even if the community string is enabled, there still could be some vulnerability, as some users fail to change the default password and a packet analyzer might be used to detect the community string within the network traffic. Further, the access list can be overcome by spoofing. Version three of SNMP provides more robust security, but can be more difficult to set up and enable. Furthermore, all three versions of SNMP are subject to brute force and dictionary attacks for guessing the community strings, authentication strings, authentication keys, encryption strings or encryption keys because no challenge-response handshake is required.
Highly engineered solutions, such as the Owl Computing Technologies Dual Diode, (described in U.S. Pat. No. 8,068,415, the disclosure of which is incorporated herein by reference) provide a direct point-to-point optical link between network domains in the low-to-high direction or in the high-to-low direction. The unidirectionality of the data transfer is enforced in the circuitry of the network interface cards at both network endpoints and in the cable interconnects. In this way, the hardware provides an added layer of assurance of unidirectional information flow and non-bypassable operation. In contrast to software based one-way data transfer systems, it is easy to prove that data is not bypassing the Dual Diode.
In such systems, shown as system 100 in block diagram form in FIG. 1, a first server (the Blue Server) 101 includes a transmit application 102 for sending data across a one-way data link, e.g., optical link 104, from a first network domain coupled to server 101 to a second network domain coupled to server 111. First server 101 also includes a transmit (here a phototransmission) component, e.g., optical emitter 103. Transmit application 102 provides data to the optical emitter for transmission across the optical link 104. A second server (the Red Server) 111 includes a receive (here a photodetection) component, e.g., optical detector 113, for receiving data from the optical link 104, which data is then provided to the receive application 112 for further processing. The first server 101 is only able to transmit data to second server 111, since it does not include any receive circuitry (e.g., an optical detector comparable to detector 113) and the second server 11 is only able to receive data from first server 101, since it does not include any transmit circuitry (e.g., an optical emitter comparable to emitter 103).
It is an object of the present invention to provide a more secure interface for outputting status information from a network device that overcomes the problems with SNMP discussed above.