1. The Field of the Invention
The invention generally relates to the field of network security. More specifically, the invention relates to securing network traffic by preventing host devices from responding to queries until the host has been authenticated.
2. Description of the Related Art
A computer network allows data to be sent and received between computers on the network. Examples of data that may be shared within a network includes financial information, personal information, word processing data, etc. In addition, text, voice and multimedia data may be sent on a network. Networks have become common in many locations and varied in size. For example at the smaller level, many homes now include a home network for sharing multimedia and other data on the network. These networks are traditionally smaller including a relatively small number of connection points that are all in one location (i.e. the home). Smaller networks, such as those in homes, small businesses, and other localized venues, are commonly referred to as local area networks (LANs). At a larger level, many corporations and other large organizations have large networks with numerous connection points. Often the connection points are in a number of different locations up to and including connection points throughout the globe. Some networks allow users to connect from remote locations through an internet connection. Larger networks are often referred to as wide area networks (WANs).
Commonly, a network may be designed such that there are various tools for controlling access to the network and monitoring what computers are on a network. For example, each computer that is connected to a network has a network device such as a network interface card (NIC) installed on it. The network device may be in the form of, for example, a PCI card for desktop computers or a PCMCIA or CardBus card for laptops. Among other network interface devices are USB network adapters for desktop or laptop computers. Each network device has assigned to it a unique (for the particular network) IP address. In many cases, the unique IP addresses allows a network administrator or network hardware to decipher what computers are on the network. Also, the network can be configured such that certain IP addresses have certain restrictions. The restrictions can prevent certain types of data from traveling to and/or from certain IP addresses. An IP address is typically assigned by a software mechanism such that each network device can have the IP address assigned for the particular network on which the network device resides.
Each network device also has a unique media access control (MAC) address that is permanently assigned to the network device in the hardware of the network device. This MAC address can be used to control access to network resources as well. For example, some network resources can be controlled by restricting access to only MAC addresses that have been previously pre-approved for access to the specific resource.
Communications on networks often involve an authentication procedure. Before data is delivered to a computer, the computer requests the data. When a request for data is sent, the request may include the IP address or MAC address of the network device on which the computer sending the request is installed. A repository storing the data can check the IP or MAC address against a list of approved addresses, and if the IP or MAC address is on the approved list, the repository sends the requested data.
One challenge that arises in modem networking is maintaining appropriate security for the network. Most networks have sensitive data that needs to be protected. Financial institutions are especially concerned about protecting financial information to prevent theft and financial loss. Government agencies are interested in protecting military and other secret information. Corporations are interested in protecting trade secrets and other information. Even home users have an interest in protecting data on computers in a network to protect credit card numbers, passwords and other information that may be stored on computers in the network.
Intruders often invade a network for misappropriating data by gaining access to the network using information specific network devices and computers on the network. In one scenario, the intruder can “spoof” an IP or MAC address for a network device that has been granted access to certain network resources. Spoofing includes sending false identification information when requesting data from a repository on the network. Spoofing an IP or MAC address for a network device that is on a list of approved addresses can result in confidential information being sent on the network and being misappropriated by an intruder.
Intruders can often come into possession of IP and MAC addresses by randomly or systematically “pinging” IP and MAC address on a network. Pinging involves sending a request for a response from a device at a particular IP or MAC address. Pinging is used by network administrators and technicians to troubleshoot network connectivity problems. However, an intruder may use this same tool to discover valid IP and MAC address on a network which can then be used to spoof.
Some computer systems include an internal firewall such that the computer systems prevent the network device from responding to a ping except when that ping comes from a known or trusted source such as other network devices that are known to be on the network. These firewalls are fairly effective against random or systematic pinging by an intruder. Generally, however, these firewalls depend on software installed on the host computer that has the network device installed in it. Thus, the firewalls only prevent the network device from responding when the computer on which the network device is installed has been properly booted and logged into. If a computer on a network provides power to the network device, the network devices will generally respond to pings from any device, including one in use by an intruder, on the network. Appropriate correction is needed to prevent intruders form obtaining identification information about computers on a network by random and systematic attacks.