The use of network-based electronic communications and information processing systems for information control and information retrieval has rapidly proliferated in modern business environments. Within a typical enterprise, hundreds of client computer systems and server computer systems are constantly accessed by hundreds, or even thousands, of users for obtaining company information, news, competitive information, training materials, and the like, via one or more company-wide LANs (local area networks) or WANs (wide area networks).
As used generally, the term network refers to a system that transmits any combination of voice, video and/or data between users. The network includes the system of connected clients and servers and their associated software (e.g., the network operating system in the client and server machines), the cables connecting them, and the supporting hardware, such as bridges, routers, switches, etc.
LANs and WANs are generally differentiated by the geographical area of the users being served. Both are made up of servers, clients, NOS (network operating system) services and supporting hardware. Servers are typically high-speed computer systems that hold programs and data or perform services that are shared by network users (e.g., the clients). The clients (e.g., desktop computer systems, workstations, and the like) are typically used to perform individualized, stand-alone processing and access the network servers as required. The actual communications path hardware is the cable (twisted pair, coax, optical fiber) that interconnects each network adapter. In wireless systems such as WLANs (wireless LANs) and the like, antennas, access point devices, and towers are also part of the network hardware. The overall scheme of multiple individual clients connected to shared servers comprises the well-known client-server network architecture.
Communication and message transfer within client server networks is generally managed by a transport protocol such as, for example, TCP/IP, IPX, or the like. The physical transmission of data is typically performed by the access method (Ethernet, Token Ring, etc.) which is implemented in the network adapters that are plugged into the computer systems. The standardized communications protocols enable the widespread interoperability of communications networks and the widespread exchange of business related information.
The widespread use of interconnected and interrelated communications networks presents a significant security challenge. Virtually all modern companies and corporations now operate information exchange networks for their employees, suppliers, customers and the like. Private networks (LANs, WANs, WLANs, etc.), together with the Internet, allow this information to be exchanged more quickly and widely than ever.
Unfortunately, this widespread exchange of information has put the security of such information, and the security of the network infrastructure itself, at risk. Attacks against networks are becoming increasingly common, and they place network managers in a conflict between providing access to network resources for those individuals who require it and denying access to those who are not authorized.
Providing secure communication between and among various network resources is generally implemented through the use of certain standardized communication protocols. These protocols are designed to provide a degree of security for the transmission of information while also ensuring interoperability among the hardware components of different networks. However, experience has shown that these prior art communication protocols have a number of security deficiencies. For example, prior art methods of assigning security information (e.g., SNMP prior to version 3, TFTP, TELNET, embedded web interfaces, and the like) transmit sensitive information in plain text across the network. Such sensitive information is often used to initialize security mechanisms for follow-on communication (e.g., passwords, community strings, security keys, etc.). A simple packet trace taken at startup, during configuration, or during any general communication across the network therefore exposes these secrets. Using such a trace, an unauthorized user (e.g., a hacker) can obtain the passwords and compromise any subsequent communication, or gain access to critical network resources.
One prior art solution involves limiting access to network resources to those users on a predefined access control list. For example, the access control list can restrict access to network resources based on the IP address of the client, thereby protecting against unauthorized access from other addresses. However, because the source IP address is supplied by the sender and is not authenticated, the access control list does not prevent spoofing, where an unauthorized client (e.g., a hacker) assumes the IP address of an authorized client.
Other prior art solutions involve using encryption routines that encrypt all packets between the transmitting and receiving nodes. One such protocol is the secure version of SNMP (Simple Network Management Protocol). SNMP is a widely used network monitoring and control protocol, wherein data is passed from SNMP agents, which are hardware and/or software processes reporting activity in each network device (hub, router, bridge, etc.), to the management console used to oversee the network. The agents return information contained in a MIB (Management Information Base), which is a data structure that defines what is obtainable from the device and what can be controlled (turned off, on, etc.). SNMP has become widely used in network infrastructure components. SNMPv3 (SNMP version 3) is a recently adopted version of the specification that defines a secure version of the SNMP protocol, adding per-user authentication and optional encryption (privacy) of the management traffic.
The security of prior art SNMPv3 schemes solves some problems but unfortunately creates others. SNMPv3 provides for authentication and, when its privacy security level is used, encryption of SNMP messages during transmission across the network. However, SNMPv3 is problematic in that it does not easily accommodate new users or mobile users with respect to access to protected network resources: every user must be provisioned in advance with credentials on each device. For example, in many circumstances it is desirable for a non-predetermined user, such as a visiting outside contractor or an employee from a different company campus, to obtain access to network resources. Examples include obtaining access to print servers on the network to print information, reports, etc. Some portions of a company network may be specifically configured to provide access to such mobile users through wireless access points and the like. However, these provisions may be defeated by the SNMPv3 protocols, which are not designed to easily grant access to newly authorized users (e.g., no access to printers, no access to digital projectors, no access to networked storage, etc.). Faced with these difficulties, many companies simply ignore the threat of unauthorized use and stick to the insecure but more easily supported and more accommodating earlier versions of SNMP.
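The two points above, that an earlier-version SNMP trace exposes the community string in plain text while an SNMPv3 message carries no community string and hides its PDU inside an encrypted payload, can be checked directly against the wire format. The following is an added example, not code from the original document: a minimal BER (ASN.1) walker that inspects captured SNMP messages the way a packet sniffer would. The two byte strings are constructed for illustration (an SNMPv1 GetRequest for sysName.0 with community "public", and the outer header of an SNMPv3 authPriv message whose security parameters and encrypted scopedPDU are placeholder bytes); they are not captures from any real device.

```python
"""Inspect raw SNMP messages and show what a passive observer on the wire learns."""

# Constructed sample: SNMPv1 GetRequest for sysName.0 with community "public".
CAPTURED_V1_GET = bytes.fromhex(
    "3026"                      # SEQUENCE, 38 bytes (whole message)
    "020100"                    #   INTEGER version = 0 (SNMPv1)
    "04067075626c6963"          #   OCTET STRING "public"  <- community string, in the clear
    "a019"                      #   GetRequest-PDU, 25 bytes
    "020101"                    #     request-id = 1
    "020100"                    #     error-status = 0
    "020100"                    #     error-index = 0
    "300e"                      #     VarBindList
    "300c"                      #       VarBind
    "06082b060102010105" "00"   #         OID 1.3.6.1.2.1.1.5.0 (sysName.0)
    "0500"                      #         NULL (value unset in a request)
)

# Constructed sample: outer header of an SNMPv3 message, msgFlags = authPriv.
# Security parameters and msgData are placeholder bytes, not real USM content.
CAPTURED_V3_MSG = bytes.fromhex(
    "301c"                      # SEQUENCE, 28 bytes
    "020103"                    #   INTEGER version = 3
    "300d"                      #   msgGlobalData
    "020101"                    #     msgID = 1
    "020205c0"                  #     msgMaxSize = 1472
    "040103"                    #     msgFlags = 0x03 (authFlag | privFlag)
    "020103"                    #     msgSecurityModel = 3 (USM)
    "04023000"                  #   msgSecurityParameters (placeholder: empty SEQUENCE)
    "0404deadbeef"              #   msgData: encrypted scopedPDU (placeholder ciphertext)
)

GETREQUEST_TAG = 0xA0


def read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, value_bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(data):
    """Decode a BER OBJECT IDENTIFIER body into dotted form (base-128 arcs)."""
    arcs = [data[0] // 40, data[0] % 40]    # first byte packs the first two arcs
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def varbind_oids(pdu):
    """Return the OIDs named in a v1/v2c PDU (skips request-id, error-status, error-index)."""
    pos = 0
    for _ in range(3):
        _, _, pos = read_tlv(pdu, pos)
    _, vblist, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vblist):
        _, vb, pos = read_tlv(vblist, pos)
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    return oids


def inspect_snmp(packet):
    """Report what a sniffer recovers from one SNMP message without any keys."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE; not an SNMP message")
    _, raw_version, pos = read_tlv(body, 0)
    version = int.from_bytes(raw_version, "big")
    if version in (0, 1):                   # SNMPv1 or SNMPv2c
        _, community, pos = read_tlv(body, pos)
        pdu_tag, pdu, _ = read_tlv(body, pos)
        return {"version": "v1" if version == 0 else "v2c",
                "community": community.decode("ascii", "replace"),
                "pdu_type": pdu_tag, "oids": varbind_oids(pdu)}
    if version == 3:
        _, global_data, pos = read_tlv(body, pos)
        _, _, p = read_tlv(global_data, 0)  # msgID
        _, _, p = read_tlv(global_data, p)  # msgMaxSize
        _, flags, _ = read_tlv(global_data, p)
        # No community field exists; with privFlag set the PDU is ciphertext.
        return {"version": "v3", "community": None,
                "auth": bool(flags[0] & 0x01), "priv": bool(flags[0] & 0x02)}
    raise ValueError("unknown SNMP version %d" % version)


if __name__ == "__main__":
    print(inspect_snmp(CAPTURED_V1_GET))
    print(inspect_snmp(CAPTURED_V3_MSG))
```

Running the script prints the community string "public" and the requested object (sysName.0) for the SNMPv1 message, which is exactly what an attacker with a network tap needs to issue or forge management requests; for the SNMPv3 message it can only report the version and security flags, because the authenticated, encrypted scopedPDU cannot be read without the user's keys.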
Thus, what is required is a solution that protects sensitive network resources, such as print servers and the like, while retaining the ability to accommodate new users. What is required is a solution that protects against common network attacks such as spoofing, packet sniffing, and the like. What is required is a solution that preserves the ease-of-use aspects of wireless networks while still providing protection for sensitive network resources.