As networking and automation expand in businesses and organizations, one of the most important new technical capabilities in modern network computing is the ability for organizations to establish free local (host) networks for access to the Internet and other network service providers. In essence, organizations are allowing “connectivity” from their local area network (LAN) to the Internet and to any other public network that can be reached from the Internet. Many public corporations, private corporations, and state and federal government bodies, including the Department of Defense, have established host LAN connection access for employees and visitors to those organizations. As an example, it would be very common to walk into a local coffee shop in a medium to large city and find that the coffee shop offers free access to a wireless host LAN for access to the Internet.
Another issue is that a 32/64-bit Microsoft computer automatically creates hidden “administrative shares” for its logical drives C:, D:, etc., which it names C$, D$, etc., respectively. The 32/64-bit Microsoft computer also creates an ADMIN$ hidden share for the \WINNT or \Windows folder. Domain administrators rely on these shares for remote access support. By default, if these administrative shares are deleted, they are automatically recreated when the computer is rebooted. These active “administrative shares” allow any individual user to remotely log into a 32/64-bit Microsoft computer, if the remote user knows the system name and password of that particular computer. What compounds the issue is that an individual who is allowed to access and utilize an organization's host LAN frequently has 100% administrative access rights (i.e., privileges) to their own computer while they are connecting into and utilizing the host LAN. Other shares may also be of issue, including, but not limited to, the IPC$ share, which is a network share used to facilitate communication between processes and computers. This share is often used to exchange authentication data between computers.
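The following PowerShell script is an added example, not part of the original text, that audits the hidden administrative shares described above on a local Windows host: it lists the built-in shares, shows which remote clients are currently attached to them, and reads the LanmanServer registry values (AutoShareWks for workstations, AutoShareServer for servers) that control whether the shares are recreated at boot. It assumes an elevated session and the SmbShare module (Windows 8 / Server 2012 and later).

```powershell
# Added example: audit the hidden administrative shares on this host.
# Run from an elevated PowerShell session.

# The built-in administrative shares (C$, ADMIN$, IPC$, ...) are flagged Special;
# any other share whose name ends in '$' is hidden but administrator-created.
$adminShares = Get-SmbShare | Where-Object { $_.Special -eq $true }
Write-Output "Built-in administrative shares:"
$adminShares | Select-Object Name, Path, Description | Format-Table -AutoSize

$customHidden = Get-SmbShare | Where-Object { $_.Name -like '*$' -and -not $_.Special }
if ($customHidden) {
    Write-Output "Other hidden shares (review who created these):"
    $customHidden | Select-Object Name, Path | Format-Table -AutoSize
}

# Active SMB sessions show which remote machines are attached right now,
# and under which account, which is what a LAN host actually exposes.
Write-Output "Current SMB sessions:"
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens |
    Format-Table -AutoSize

# The shares are recreated on reboot unless the matching LanmanServer parameter
# is set to 0. A missing value means the default (recreate) applies.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        Write-Output "${name}: not set (default: administrative shares are recreated at boot)"
    } else {
        Write-Output "${name}: $value"
    }
}
```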
The issue of establishing host LANs for public connection access is actually a “three-way” problem. It is a problem for the host organization if an individual utilizing the host LAN successfully breaks into an unauthorized area of the (host) LAN. It is a problem for the individual utilizing the host LAN if an administrator of the host LAN gains unauthorized access to the individual's computer while that individual is utilizing the host LAN. It is also a problem for the individual utilizing the host LAN if another individual, who is also utilizing the host LAN, gains unauthorized access to the first individual's computer while they are both utilizing the host LAN.
The problem becomes much more complicated when an organization attempts to apply the most current, common technology solutions available in the industry to combat the problems defined in the previous paragraphs.
The majority of the current technical solutions for these defined problems are firewalls and intrusion detection systems (IDS). The problem with most of these technical solutions is that parameters must be defined and applied in the form of policy “absolutes”, without any consideration for allowing use of logical ports or connections for other legitimate purposes. As an example, many personal firewalls have only one of two possible configurations when installed and configured to function on a networked computer: either 1) allow (i.e., enable) other computers to make a direct connection to this computer; or 2) disallow (i.e., disable) the ability of any other computer to make a direct connection to this computer. Unfortunately, there is no “middle of the road” margin for other policy options for connection scenarios. Additionally, many personal firewalls either allow a logical port to be opened for use, or the logical port must be permanently disabled. Again, there is no “middle of the road” margin for other policy options for logical port scenarios. In summary, when available technical solutions can only be applied in the form of policy “absolutes”, these solutions are rarely, if ever, applied as permanent security solutions in real-world operational networks.
While all the issues and problems stated above are extremely important to the background of this invention, one that is more important than all of them, and that the information system (IS) network security industry has identified and defined, is commonly referred to as the “Inside Threat”. Many experts in the IS network security industry believe that the real problem of the “Inside Threat” has not been solved and will not be solved for some time to come.
In order to define the exact problem of the “Inside Threat”, it is necessary to understand the fundamental mechanics of network operations and what must happen in order for a network to function as a network.
The fundamental design mechanics of a network require that the network continuously and publicly “broadcast” information throughout the network in order to manage and maintain the operational integrity of the network. The information that is continuously broadcast includes domain information regarding MAC (media access control) addresses, Internet Protocol (IP) addresses, device configuration, status reporting, event signaling, etc. If a network is required to publicly broadcast this information in order to keep itself in proper working order, how is it possible to secure and verify network communications (against the Inside Threat) when “all possible network connectivity” is continuously broadcast throughout the network?
In essence, this is the actual problem of the “Inside Threat”: for a network to function, the network must broadcast information, and while the network is broadcasting that information, a new technology is needed to protect the network from itself.
In summary, the true definition of the “Inside Threat” is the problem of protecting a network from itself in the course of the network performing its normal operations.
In order to create a technical solution that will protect the network from itself and resolve the problem of the “Inside Threat”, the solution must be dynamic, work under real-time conditions and allow network communications to function until an unauthorized event is detected, then terminate the event and reestablish the logical port for authorized communications.
As an example, a current state-of-the-art Microsoft 32-bit computer, or a 64-bit Microsoft computer, may be connected to a network (i.e., a host LAN), which is connected to the Internet, which in turn is connected to several other networks. This computer may have a user with administrative privileges and also have tools installed that allow the user to automatically “probe” the network to find security holes, weaknesses and available passwords to other computers. If the tools are successful in retrieving certain information, the user can gain access and log into another computer connected to the same network (i.e., host LAN) and successfully penetrate it and retrieve any information from that computer. Therefore, unauthorized access to another company can be achieved, data extracted and new programs installed, without the host LAN administrators who manage the network ever learning of the unauthorized activity. The terms Microsoft PC, Microsoft Server, Microsoft computer, Microsoft 32-bit computer, and/or any other similar variations and combinations using Microsoft to describe a specific computer, device and/or server may be used interchangeably to mean a computer, device and/or server on which a Microsoft operating system (O/S) is implemented.
Because of the problems described in the previous paragraphs, a new technology, such as, for example, but not limited to, a utility, is needed that has the ability to perform an analysis of a 32/64-bit Microsoft personal computer (PC) or Server from the time the computer is turned on (i.e., boots up), that can perform an analysis of the Microsoft computer's internal communications configuration, and that can then configure the computer for “secure communications” by only allowing direct connections inside the LAN from authorized computers with approved Internet Protocol (IP) addresses. Additionally, the solution must configure the network computer to allow the use of all logical communication ports and, if an unauthorized event occurs, terminate the event and allow authorized communications to continue on the same logical port.
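The following PowerShell script is an added example, not the patent's implementation, of the per-port policy the preceding paragraphs call for: each logical port stays in service, but only for peers inside an approved IP range, so a single unauthorized session can be singled out for termination without closing the port to everyone. The policy table, the CIDR ranges and the connection records are constructed values; in practice the records would come from Get-NetTCPConnection -State Established.

```powershell
# Added example: allow-list verdicts per logical port (not the patent's code).
function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $netAddr, $prefix = $Cidr -split '/'
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($netAddr).GetAddressBytes()
    $bits = [int]$prefix
    # Compare only the prefix bits, one octet at a time.
    for ($i = 0; $i -lt 4; $i++) {
        $take = [Math]::Min(8, [Math]::Max(0, $bits - 8 * $i))
        if ($take -eq 0) { break }
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

# Constructed policy: the port stays open, but direct connections are accepted
# only from the listed ranges (the "middle of the road" option absolutes lack).
$policy = @{
    445  = @('10.0.1.0/24')      # SMB (file and administrative shares): LAN peers only
    3389 = @('10.0.1.10/32')     # Remote Desktop: one authorized admin workstation
    80   = @('0.0.0.0/0')        # web service: any source
}

function Get-ConnectionVerdict {
    param([int]$LocalPort, [string]$RemoteAddress)
    if (-not $policy.ContainsKey($LocalPort)) { return 'no-policy' }
    foreach ($cidr in $policy[$LocalPort]) {
        if (Test-IPv4InCidr -Address $RemoteAddress -Cidr $cidr) { return 'authorized' }
    }
    return 'terminate'
}

# Constructed sample of established inbound connections.
$connections = @(
    [pscustomobject]@{ LocalPort = 445;  RemoteAddress = '10.0.1.25' }
    [pscustomobject]@{ LocalPort = 445;  RemoteAddress = '10.0.7.200' }
    [pscustomobject]@{ LocalPort = 3389; RemoteAddress = '10.0.1.10' }
    [pscustomobject]@{ LocalPort = 3389; RemoteAddress = '198.51.100.7' }
    [pscustomobject]@{ LocalPort = 80;   RemoteAddress = '203.0.113.9' }
)

foreach ($c in $connections) {
    $verdict = Get-ConnectionVerdict -LocalPort $c.LocalPort -RemoteAddress $c.RemoteAddress
    # On 'terminate' an agent would drop only that session (e.g. a temporary
    # per-source block rule) and leave the port in service for the others.
    Write-Output ("port {0,5} from {1,-15} -> {2}" -f $c.LocalPort, $c.RemoteAddress, $verdict)
}
```

With the sample records, the two 10.0.1.x sessions and the web session are reported as authorized, while the SMB session from 10.0.7.200 and the Remote Desktop session from 198.51.100.7 are reported for termination.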