1. Field of the Invention
This invention relates to the field of network communications.
2. Background Art
Personal computers, or workstations, may be linked through a computer network to allow the sharing of data, applications, files, processing power, communications and other resources, such as printers, modems, mass storage and the like. Generally, the sharing of resources is accomplished the use of a network server. The server is a processing unit dedicated managing the centralized resources, managing data and sharing these resources with other PC's and workstations, often referred to as "clients". The server, network and PC's or workstations, combined together, constitute client/server computer network. An example of a client/server network model is illustrated in FIG. 1.
FIG. 1 illustrates a client machine 101 coupled to a server macabre 102. The client machine 101 may be a PC, workstation, etc. The server machine may be a dedicated processor, PC, workstation, etc, that includes mass storage on which files are stored. Typically, the mass storage is a disk drive or other suitable device.
The client machine 101 is comprised of a client 102 that communicates with a client stub 103. The client stub 103 communicates with a transport entity 104. The server machine 105 includes a server 106, server stub 107, and transport entity 108.
Referring to the client machine 101, the client 102 is a local processor that utilizes files of the server. The client stub 103 is a collection of local procedures that enable the client to access the server. The transport entity 104 provides access to the network, or "wire" 109. Wire 109 refers to the communications medium between the client and server and may be an actual hardwired communications medium, or may be a wireless connection. Similarly, the server stub 107 is a collection of procedures that enable the server to communicate with the client, and transport entity 108 provides access from the server to the wire 109.
In operation, communication between the client and server is in the form of requests (from the client) and replies (from the server). This communication is in the form of remote procedure calls. The client is analogous to an application calling a procedure and getting a result. The difference is that the procedure is not necessarily on the same machine as the client 101, but rather on the server machine 105.
Initially, the client 102 calls a stub procedure located on the client machine in the client stub 103 (resident in the client 102 local address space). The client stub 103 constructs a message from the call and provides it to the transport entity 104. The transport entity 104 communicates the message on the wire 109 to the server machine 105. At the server, the transport entity 108 passes the message to the server stub 107. The server stub then calls the appropriate server procedure front the server 106. The server 106 operates on the message and then returns the procedure and any result to the server stub 107. The server stub 107 constructs a reply message and provides it to the transport entity 108. The reply message is sent to the transport entity 104 of the client machine 101 over the wire 109. The transport entity provides the reply message to the client stub 103. The client stub 103 returns the procedure and any value returned by the server to the client 102.
On a computer network, clients and users have different levels of privileges. Certain functions, adding users, deleting users, changing passwords, etc., are restricted to the highest privileged users. These users and clients are often network administrators, and it is necessary for these users to be able to modify the network as necessary. In addition, there may be certain types of files or activities that are restricted from most users. For example, financial data is often restricted to users who have a need to know or use the financial data. Generally, other users are not permitted to access that data.
In a client/server model, messages are transported as "packets". An example of a message packet is illustrated in FIG. 3A. The message consists of a 4-byte length header (low high) indicator 301. The length header 301 identifies the length of the message that follows and includes the following information:
CheckSum
PacketLength
TransportControl
HPacketType
DestinationNet
DestinationNode
DestinationSocket
SourceNet
SourceNode
SourceSocket
The length header 301 is followed by a request code 302. The request code 302 is the particular type of procedure being requested by the client. The request code 302 is followed by data 303. The data 303 may be of variable length.
One particular type of message packet is referred to as an "NCP packet", where NCP refers to NetWare Core Protocol. (NetWare is a trademark of Novell, Corporation of Provo, Utah). NetWare is an operating system for network systems. An NCP packet includes the following additional information in the length header:
packet type
sequence number
connection low
task
connection high
The standard portion of the message packet provides source address, destination address and length, among other pieces of information. The NCP portion includes a connection number and a sequence number. The station connection number provides the server with an index into a table of active stations. The server uses the active station table to track information about that station's session, including the station's network address and sequence number.
The connection number is used in part as a security check. When a server receives a request packet, it uses the packet's connection number as an index into its connection table. The request packer's network address must match the network address stored in the connection table entry corresponding to the connection number contained in the request packet. This is one method of validating a request packet.
The sequence number is also used to validate packets. The sequence number is a byte that is maintained by both the server and the client. When the client sends a request packet, that client increments the sequence number. Likewise, when a server receives a request packet, it increments that client's sequence number (stored in the server's connection table). The sequence number wraps around on every 256th request made by the client (because it is one byte in length).
Before incrementing the client's sequence number, the server checks the sequence number against a list of already-received request packets. This check is to ensure that the server does not service duplicate request packets. If the sequence number does not indicate a duplicate request packet, the server checks the request packet's sequence number against the sequence number stored in the server's connection table. If these two numbers are not equal, the server discards the packet.
In spite of these precautions, it is sometimes possible to forge a message packet by detecting the network address, connection station, the station's connection number, and the station's sequence number. Typically, the purpose in forging a message packet is to "imitate" a higher privileged user or client so that the privilege level of the forger can be upgraded. The forger may obtain a more privileged station's connection number by capturing network packets from the communications medium. These are network packets that are sent from a higher privileged station to the server. A forger may capture these packets using a protocol analysis tool.
By obtaining a connection number, a forger may attempt to forge a message by sending a message to the server destination address, using the same station connection number as in the intercepted message. However, that alone is not sufficient to enable an intruder to forge a message. As noted above, the server checks the sequence number and compares it against a list of already-received requests. The sequence number of the new request should have associated with it the next consecutive sequence number. If not, it is an invalid request and the server discards the packet.
An intruder may attempt to forge a message by "guessing" at the sequence number. Because the sequence numbers "wrap around" after 256, the intruder need only try to make 256 attempts before the sequence number is found. It should be noted that the intruder does not receive responses from the server, but rather must detect responses from the server or detect if a request issued to the server has been executed (e.g., a change in privilege status for the intruder).
One possible solution to a network intruder is to monitor network use to detect intruder-type activity. For example, the network could be monitored so that trial and error attempts to provide a correct sequence number are detected. For example, a window could be defined with a certain number of allowed failed tries at providing sequence numbers. A problem is that depending on the size of the window for allowed retries, an intruder could randomly provide a correct sequence number within the window. If the window is made smaller, legitimate transactions might be interrupted when the correct sequence number is not provided by a legitimate user. It is desired to provide a method and apparatus for preventing intruder network access instead of just detecting intruder access.