Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both due to the intellectual challenge such attacks represent for hackers and due to the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to those attacks. As various attack methods are tried and ultimately repulsed, the attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is on-going, ever changing, and an increasingly complex problem.
Computer network attacks can take many forms and any one attack may include many security events of different types. Security events are anomalous network conditions each of which may cause an anti-security effect to a computer network. Security events include stealing confidential or private information; producing network damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network's capability in order to cause denial of service; and so forth.
Network security risk-assessment tools, i.e. “scanners,” may be used by a network manager to simulate an attack against computer systems via a remote connection. Such scanners can probe for network weaknesses by simulating certain types of security events that make up an attack. Such tools can also test user passwords for suitability and security. Moreover, scanners can search for known types of security events in the form of malicious programs such as viruses, worms, and Trojan horses.
During the course of scanning, such security risk-assessment tools often open remote network connections to various target computer systems. Most of these connections rely on Transmission Control Protocol/Internet Protocol (TCP/IP) connectivity to establish communications, and test for security risks using scan-related data. When scanning the target computer systems in such a manner, it is important that the scan-related data be communicated directly with the target computer systems. Modification of the scan-related data may result in inaccurate results, including failure to identify known security vulnerabilities on the target computer system being tested.
One common source of data modification is a proxy server that may be arbitrating requests to and/or from the target computer systems. There is thus a need for a technique of identifying the presence of such proxy servers to prompt administrators or auditors to take additional steps to accurately assess the risk of potentially vulnerable target computer systems.