EP1232626A2 - Testing the access security of computers on a data communication network - Google Patents

Testing the access security of computers on a data communication network

Info

Publication number
EP1232626A2
Authority
EP
European Patent Office
Prior art keywords
computer
data
data communication
communication
port
Prior art date
Legal status
Withdrawn
Application number
EP00974341A
Other languages
German (de)
English (en)
Inventor
Ulf Munkedal
Aage Hejgaard Vestergaard
Bo Norgaard
Steen Varsted
Lars Neupart
Peter GRÜNDL
Ken Willen
Current Assignee
VIGILANTE.COM, INC.
Original Assignee
Vigilante AS
Priority date
Filing date
Publication date
Application filed by Vigilante AS
Publication of EP1232626A2
Legal status: Withdrawn (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/50 Testing arrangements

Definitions

  • the present invention relates to a method of operating a computer system for testing the access security of computers being connected to a data communication network, preferably a public network such as the Internet.
  • a data communication network, preferably a public network such as the Internet.
  • the security of the computer system itself is improved by performing individual parts of a complete test from one or more test computers that are only temporarily connected to a scheduler computer from which the execution of the complete test is controlled and to which the partial test results are communicated from the test computer(s).
  • the invention also relates to the computer system for performing the method as well as the computer programme product in a computer readable form being suitable to enable general purpose computers to perform the method.
  • the computer system can perform a series of successive tests on the external computer to be tested, the series comprising a scanning for open communication ports of the external computer followed by an identification procedure for identifying the communication protocols of the identified open communication ports, after which the access security of the open communication ports is tested by means of various test applications by utilising the obtained knowledge concerning the communication ports.
  • the present invention relates to a method of identifying the communication protocols of identified open communication ports on an external computer which is accessed via a public data communication network.
  • a possible response is received from the port when the connection is established and a dialog between the identifying computer system and the external computer is taking place, comprising at least one response from the external computer but usually a series of commands from the identifying computer system and a series of responses from the external computer, from which response(s) the identity of the protocol is determined.
  • a further aspect of the present invention relates to a systematic and automatic scanning of vulnerabilities of data communication devices with respect to reaction to receiving invalid data communication packages so as to test the robustness of the devices.
  • a number of commercially available software applications are known by means of which the access security of a computer system may be tested via a public data communication network. These applications and the intended use of them include certain drawbacks.
  • the procedure of testing access security is in itself endangering the security of the computer system since sensitive knowledge about the system is obtained from the test and it may be necessary to provide sensitive information about the computer system to the test application in order to achieve a useful test result.
  • the system and method includes an IP spoofing generator, a port map service generator and several other parts that individually or as a group can detect vulnerabilities on a computer network.
  • Another such application is disclosed in WO 00/38036 in which results from one scan module may be transferred as input to another module so as to improve the quality of the testing.
  • An old and well-known application for system administrators to analyse networks and test security is SATAN.
  • Another application that is used by system administrators for testing computer security from within the computer network is disclosed in WO 99/56195 in which a database of known vulnerabilities is updated regularly and is accessed by the modules of the application performing the testing.
  • the tests have to be performed from a computer which has an unprotected connection to the public data communication network, because a dialog between the external computer to be tested and the test computer on which the application is executed must be enabled.
  • the test computer cannot at the same time have a high level of access security, and the risk that sensitive knowledge about the tested system is obtained by non-authorised third parties is not negligible.
  • Another drawback of the known software applications is that they are only known to be adapted to perform testing of a number of predefined data communication ports using the standard communication protocol of each given port, such as testing port 80 using HTTP (Hyper Text Transfer Protocol) and testing port 21 using FTP (File Transfer Protocol).
  • HTTP Hyper Text Transfer Protocol
  • FTP File Transfer Protocol
  • This is in general obtained by the present invention by performing, on separate computers, the examinations or tests via a public or private data communication network and the overall control of the tests, the separate computers having only temporarily a data communication connection established therebetween.
  • the examination of access security is adapted to examine given ports for identifying their communication protocols prior to the actual examination for access security and optionally also to examine the port status, i.e. whether ports are open or closed, prior to the examination for communication protocols.
  • It is a yet further object of the present invention to provide a method of operating a computer system for identifying the communication protocol of data communication ports of an external computer system, as well as such a computer system and a computer program product for performing such a method. It is a still yet further object of the present invention to provide a method of testing the vulnerability of devices for performing data communication.
  • the present invention relates to a method for operating a computer system for examining the access security of communication ports of an external computer, the method comprising the steps of
  • data communication ports are communication endpoints defining all possible communication entry points into a computer or computer system, in particular TCP ports and TCP/UDP ports and communication ports derived or further developed from these definitions, but also covering other points of communication operated according to a communication protocol.
  • the data storage means associated with the various computers described may be computer-readable media such as e.g. magnetic discs or tapes, optical discs, CD-ROMs, RAM circuits, etc., each medium being in permanent or temporary data-communication contact with the computer in question, the computer having a central processing unit and input and output units.
  • the data communication network may be a private network to which only a limited and defined group of computers may have access, or preferably a public data communication network.
  • the public data communication network is understood as a network to which an undefined group of users may obtain access or with which they are in permanent connection via computers; the network may further include one or more local networks and/or one or more wide area networks.
  • the computer system may, in order to be more flexible with respect to the inclusion of applications available from third parties, comprise at least two second computers operated by means of different common standard computer operating systems.
  • the computer system comprises for a number of operating systems at least two second computers or test computers operated by means of the same common standard computer operating systems, such as Linux, Windows NT, Unix variants, etc.
  • the computer system comprises at least two second computers which may operate concurrently according to the present method so that different or identical test applications may be executed simultaneously or concurrently.
  • the at least two second computers may operate concurrently employing an identical data communication address of the external computer, identical communication port identification(s) as well as identical data communication protocol(s) of the communication port(s), so that the port(s) are examined by more than one test application concurrently or by the same application from two computers concurrently.
  • the present method comprises a port identification procedure being performed by a second computer of the computer system prior to the step (1) of retrieving data from said data storage means associated with the first computer of the computer system, the port identification procedure identifying data communication protocol(s) of communication port(s) of the external computer and producing an output accordingly.
  • the port setting, meaning which ports are open for data communication, may be predefined in the computer system or may be given from an external source.
  • the present method comprises a port examining procedure being performed by a second computer of the computer system prior to the port identification procedure, the port examining procedure being adapted to detect whether data communication via each of the plurality of communication ports of the external computer is enabled and producing an output accordingly, said output indicating for which ports of the external computer the data communication protocols are identified by means of the port identification procedure.
  • the method may comprise a data location procedure being performed by a second computer of the computer system prior to the step (1) of retrieving data from said data storage means associated with the first computer of the computer system, the data location procedure identifying the location of specific types of data files on data storage means associated with the external computer and producing an output of test result data accordingly to the first computer of the computer system, to be used for subsequent examinations of access security of the external computer to which the test result data pertains.
  • the data location procedure may comprise the steps of retrieving, by means of a first computer of the computer system, a unique data communication address of the external computer from data storage means associated with the first computer, establishing a data communication connection between the first computer and the second computer of the computer system via a data communication network, communicating the data communication address of the external computer from the first computer via the data communication connection to said second computer, whereupon the data communication connection between the first computer and said second computer is closed, establishing a data communication connection from said second computer via a data communication network to the external computer in accordance with the previously communicated data communication address of the external computer, examining data storage means associated with the external computer so as to identify the location of specific types of data files on data storage means associated with the external computer by means of a software application being designed thereto and being executed by said second computer, whereupon the data communication connection between said second computer and the external computer is closed, generating a set of test result data representing the outcome of said examination and storing the set of test result data within data storage means associated with said second computer, establishing a
  • a preferred embodiment of the present invention includes the initial steps of retrieving from data storage means associated with a third computer of the computer system at least one unique data communication address of an external computer, establishing a data communication connection between the third computer and said first computer via a data communication network, communicating said at least one data communication address of the external computer(s) from the third computer via the data communication connection to the first computer, whereupon the data communication connection is closed, and storing said at least one data communication address within data storage means associated with the first computer, after which initial steps the remainder of the method is performed for said communicated at least one data communication address, the method further comprising the final steps of establishing a data communication connection between the third computer of the computer system and said first computer via a data communication network, retrieving test result data relating to at least one of said communicated at least one data communication address from data storage means
  • the set of test result data may furthermore be deleted from the data storage means associated with said first computer immediately after the set of data has been communicated to the third computer, so as to further enhance the security level of the computer system. Likewise, the set of test result data may be deleted from the data storage means associated with said third computer immediately after the set of data has been communicated to the external computer.
  • the unique identification of at least one communication port of the external computer may be provided to the first computer by retrieving said identification from data storage means associated with the third computer during the initial retrieving step, said unique identification of at least one communication port being communicated to the first computer during the initial communication step.
  • the data communication protocol(s) of at least one communication port of the external computer may be retrieved from data storage means associated with the third computer during the initial retrieving step, said data communication protocol(s) being communicated to the first computer during the initial communication step.
  • Test specification data relating to the type of examination to be performed of the access security of the communication port(s) of the external computer may also be retrieved from data storage means associated with the third computer during the initial retrieving step, said test specification data being communicated to the first computer during the initial communication step.
  • These test specification data may have been predefined or may have been obtained from a third, external source. It is advantageous that the customer knows when the scanning of the customer's external computer is performed, because of the load on the computer during the examinations and because the computer needs to be fully operational.
  • the initial steps of the method may accordingly further comprise the step of retrieving from data storage means associated with the third computer of the computer system a predetermined start time and a predetermined end time, the method further comprising the step of controlling the examination of the access security of step (5) so that the examination is performed between said predetermined start time and said predetermined end time.
  • the method may comprise the steps of establishing a data communication connection between an external computer and the first computer via a data communication network, retrieving said test result data from data storage means associated with the first computer, encrypting said retrieved test result data by means of a first encryption key, and communicating said encrypted test result data from the first computer via the data communication connection to the external computer, whereupon the data communication connection is closed.
  • the set of test result data may additionally be deleted from the data storage means associated with said first computer immediately after the set of data has been communicated to the external computer.
  • the above-mentioned port identification procedure may in a preferred, particular embodiment of the present invention comprise the steps of (a) retrieving from data storage means associated with the first computer a unique data communication address of an external computer,
  • the first response to the establishment of a data communication connection to a port may be empty, that is, no response, which e.g. is the case for ports using HTTP, whereas ports using e.g. FTP provide a response upon the establishment of a connection.
  • the responses from different ports using the same data communication protocol to a given command are not necessarily identical.
  • the responses may comprise additional information about the manufacturer of the hardware or software or about the given computer, or parts of the standard responses may have been removed or suppressed.
  • the set of port identification data may for security reasons be deleted from the data storage means associated with said second computer immediately after the set of data has been communicated to the first computer.
  • the second evaluation result is, according to a further preferred embodiment of the present invention, of one of said types of first evaluation results, and the method further comprises the step of performing, in case the second evaluation result is of type iii), a process comprising steps similar to (h1) to (h4) involving a third command, a third response, a third set of information and a third evaluation result.
  • the method may further comprise one or more further processes comprising steps similar to (h1) to (h4), depending on how many responses are necessary to determine the identity of the protocol.
  • the protocols are in general common standard data communication protocols but may also be special protocols utilised by a very limited number of communication applications.
  • the identification process may be performed for the individual port in a tree-structured manner, according to which the same process may lead to any of the protocols known by the system depending on the responses from the port, so that the commands to be communicated to the port are selected based on the previously received responses.
  • a plurality of said identification processes are performed concurrently employing an identical unique data communication address of the external computer as well as an identical unique communication port identification, each of the plurality of identification processes employing command(s) and set(s) of information specific for a given data communication protocol, so as to test the communication port of the external computer for a plurality of different data communication protocols concurrently.
  • when a positive identification is obtained, i.e. when an evaluation result of type ii) is achieved from any of the plurality of identification processes, the ongoing identification processes of the plurality are, in a preferred embodiment, terminated.
  • the identification process may be repeated automatically with a new port identification from a series of stored port identifications of the same external computer, in which case the method further comprises the step of (m) retrieving from data storage means associated with the second computer a new unique communication port identification, after which the steps according to the method, with the exception of steps (a)-(c), are repeated using the new unique communication port identification instead of the prior port identification.
  • the identifications of the ports of which the data communication protocol is to be identified by means of the described process may be obtained from a port scanning process integrated in the protocol identification process or performed simultaneously with the protocol identification process on the same second computer. However, it is an advantage that the two processes are separated in order to enhance the security level of the computer system.
  • the port identification may alternatively be obtained from a source external to the computer system and be provided to the first computer by other means.
  • unique identification of at least one communication port of the external computer is retrieved from data storage means associated with the first computer during step (a), said unique identification of at least one communication port being communicated to the second computer during step (c), said unique identification of at least one communication port indicating for which ports of the external computer the data communication protocols are identified by means of the port identification procedure.
  • the types of ports may be mixed in order to prevent shunning, so that communication ports not having a communication protocol assigned therewith according to the common or de facto communication standard are arranged in the non-successive order with less than four, preferably less than three and most preferred less than two such communication ports between the communication port in question and a communication port having a communication protocol assigned therewith according to the common or de facto communication standard.
  • communication ports not having a communication protocol assigned therewith according to the common or de facto communication standard are arranged at the end of the non-successive order. Thereby, a possible shunning of the IP address will most likely not be effectuated until most of the communication ports have been examined.
  • step (m) and the port identification procedure following it are performed for a multitude of communication ports of the external computer.
  • the check may additionally or alternatively be performed prior to the examination of the plurality of communication ports.
  • the check method comprises the steps of
  • the procedure of detecting a possible disruption is performed after the examination of each communication port, so as to avoid false test results.
  • the procedure of detecting a possible disruption is performed after the examination of each communication port, the port examining procedure is halted upon detection of a disruption of the ability to establish data communication connections between the second computer and the external computer, whereafter the examination is resumed on another second computer of the computer system, excluding the communication port that was being examined immediately before the disruption was detected.
  • the non-successive order of the communication ports may furthermore be arranged according to known shunning ports, that is, communication ports that from experience are known to cause shunning, and/or according to known shunning sequences, that is, known sequences of scanning of communication ports known to cause shunning.
  • This empirical knowledge may be collected and used in an automatic and organised manner by means of the computer system disclosed.
  • the present method may comprise the steps of storing information about the order of examination of communication ports immediately prior to disruptions within data storage means of the computer system for a plurality of examinations of communication ports of external computers, performing an analysis of said information by means of the computer system so as to identify a set of individual communication ports and sequences of communication ports likely to cause a disruption, storing a data set in accordance herewith within data storage means of the computer system, and arranging the non-successive order for subsequent examination of communication ports so that said individual communication ports are arranged at the end of the non-successive order and said identified sequences of communication ports are avoided.
  • the above-discussed port examining procedure may in a particular embodiment of the present invention comprise the steps of retrieving, by means of the first computer, a unique data communication address of the external computer from data storage means associated with the first computer, establishing a data communication connection between the first computer and a second computer of the computer system via a data communication network, communicating the data communication address of the external computer from the first computer via the data communication connection to said second computer, whereupon the data communication connection between the first computer and said second computer is closed, establishing a data communication connection from said second computer via a public data communication network to the external computer in accordance with the previously communicated data communication address of the external computer, examining a plurality of communication ports of the external computer to detect whether data communication via each of the plurality of communication ports is enabled, said examination being performed by means of a software application being designed thereto and being executed by said second computer, whereupon the data communication connection between said second computer and the external computer is closed, generating a set of port status data representing the outcome of said examination and storing the set of test result
  • the set of port status data may for security reasons be deleted from the data storage means associated with said second computer immediately after the set of data has been communicated to the first computer.
  • the set of test result data may be deleted from the data storage means associated with said second computer immediately after the set of data has been communicated to the first computer.
  • the present method may be performed on a private data communication network of data communication connections, but the method is mainly directed towards the situations where the data communication connection(s) between the second computer and a communication port of the external computer is established via a public data communication network, because the risk of unauthorised intrusion is generally higher when a public network is involved.
  • the method may, if the external computer is part of an external computer system having a common data communication pathway, typically comprising a router and a firewall, through which all data communication to and from computers of the external computer system passes, further comprise the steps of establishing a data communication connection between a computer of the computer system and a computer of the external computer system, and at least once prior to or during the performance of an examination of the access security of the communication port(s) receiving data from said computer of the external computer system so as to verify that the common data communication pathway of the extem
  • the generated set of test results is stored within data storage means associated with the computer system for subsequent evaluation of the employed software application for examining the access security if said software application has been employed less than a predetermined number of times by the computer system, whereupon a counter within the computer system pertaining to said software application is advanced by one step.
  • a method for operating a computer system for regularly repeated examination of the access security of communication ports of a plurality of external computers, wherein the computer system comprises a database stored on data storage means of the computer system, the database comprising record files of characteristics of each of the plurality of external computer systems as well as schedule data relating to a desired scheduling of said regularly repeated examination, the method comprising the step of examining the access security of communication ports of each of the external computers on a regular basis according to the schedule data by means of the method disclosed above.
  • this method includes that a new partial scanning is performed for registered customers when a new vulnerability is discovered.
  • the method further comprises the steps of receiving input data relating to a specific vulnerability of the access security of communication ports of computers as well as test specification data for the type of examination to be performed of the access security of the communication port(s) of the external computer to test for the specific vulnerability, and examining the access security with respect to the specific vulnerability according to the present method for each of the plurality of external computers without interfering with the scheduled regularly repeated examination of the access security.
  • a matching may be performed between the system data of the customers and the known data of the vulnerability and a separate scanning for the particular vulnerability is performed.
  • the method further comprises the steps of receiving input data relating to a specific vulnerability of the access security of communication ports of computers having a given set of characteristics as well as test specification data for the type of examination to be performed of the access security of the communication port(s) of the external computer to test for the specific vulnerability, searching the database so as to select a subset of the plurality of external computers based on a matching of the characteristics stored in the database and the set of characteristics given in the receiving input data, and examining the access security with respect to the specific vulnerability according to the present method for each of the external computers of the selected subset without interfering with the scheduled regularly repeated examination of the access security.
  • the customer or another person or entity acting on behalf of the customer may have the opportunity to accept or refuse the performance of the additional scanning.
  • the step of examining the access security with respect to the specific vulnerability may be preceded by the steps of producing a request from the computer system to an external entity via a public data communication network, the request relating to the performance of said examination of one or more of said plurality of external computers, and receiving a positive reply from the external entity to the request.
  • the request and the following reply may according to the present invention e.g. be sent and received via a computer communication connection, a telephone connection using wires and/or wireless transfer means and employing voice response, all constituting a public data communication network as stated above.
  • test results, in particular the results from port identification procedures, port examining procedures and data location procedures, may be stored within the computer system so that they can be reused at subsequent examinations, in particular at an examination for a single new test case.
  • the present method may comprise that at least a part of the set of test result data generated by the regularly repeated examination of the access security of each of the plurality of external computers is stored on data storage means of the computer system for being retrieved and used for subsequent examinations of access security of the external computer to which the test result data pertains.
  • a specific test case or software application for testing the access security may be a test case investigating the likelihood of the external computer becoming blocked by an attack, a so-called "Denial of Service".
  • such attacks typically consist of repeatedly requesting the opening of a communication connection without finishing the handshake between the two computers prescribed by the communication standard, of sending a huge number of packets to the external computer (so-called "flooding"), or of sending invalid data packets.
  • the execution of the software application employed in step (5) may comprise the steps of
  • This particular test case is important to include, as provoking a Denial of Service on one or more ports of the external computer is a common step in many strategies for acquiring illegal access to it.
  • the method may include a control by repeating the test, so that the method further comprises the step of
  • step (5.3) repeating step (5.1) after a predetermined time period in case it is determined in step (5.2) that the communication port in question does not respond.
  • the computer system performing the method may be adapted for having a communication connection established to an external entity via a public data communication network and receiving and executing instructions for ending the execution of step (5.1) or for repeating step (5.1).
  • the communication network may be the ordinary data communication network of the external computer.
  • the communication connection may be established via a telephone line using data communication or voice response, in case the ordinary communication connection from the external computer is blocked because of the provoked Denial of Service.
  • the computer system may be adapted for establishing a second data communication connection via a data communication network under the conditions that it is determined in step (5.2) that the communication port in question does not respond, and that the communication port in question still does not respond a predetermined time period thereafter, and for producing a communication accordingly so that the customer, or a person or entity representing the customer, is made aware of the fact that the external computer is blocked for communication.
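The check-wait-retry-escalate logic of steps (5.1) to (5.3) above, as an added example that is not code from the patent. It assumes nothing about the attack itself: the test case, the port probe, the sleep and the second notification channel are all passed in as callables (hypothetical names chosen here), so the decision logic can be exercised offline; `tcp_probe` is the obvious real probe for a TCP port.

```python
"""Availability check around a Denial-of-Service test case.

Added example, not code from the patent: after the test case has run, probe the
communication port, wait a predetermined period if it does not respond, probe
again, and escalate through a second channel if it stays silent. The probe, the
sleep and the notification channel are injectable so the logic runs offline.
"""
import socket
import time
from typing import Callable, Dict


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_port_after_test(probe: Callable[[], bool], wait_seconds: float,
                          retries: int = 2,
                          sleep: Callable[[float], None] = time.sleep) -> Dict[str, object]:
    """Steps (5.2)/(5.3): does the port still respond after the test case?

    Returns {'status': 'responding' | 'blocked', 'attempts': n}. A port that
    comes back within the grace period counts as responding: a transient stall
    after a flood is not the same thing as a Denial of Service."""
    attempts = 1
    if probe():
        return {"status": "responding", "attempts": attempts}
    for _ in range(retries):
        sleep(wait_seconds)            # predetermined period before repeating (5.1)
        attempts += 1
        if probe():
            return {"status": "responding", "attempts": attempts}
    return {"status": "blocked", "attempts": attempts}


def run_dos_test_case(test_case: Callable[[], None], probe: Callable[[], bool],
                      wait_seconds: float, notify: Callable[[str], None],
                      sleep: Callable[[float], None] = time.sleep) -> Dict[str, object]:
    """Run the test case, verify availability afterwards and, if the target is
    blocked, raise the alarm over `notify`, a channel that must not depend on the
    target's own network connection (telephone, voice response, another network)."""
    test_case()
    result = check_port_after_test(probe, wait_seconds, sleep=sleep)
    result["notified"] = False
    if result["status"] == "blocked":
        notify("target still unresponsive after %d probes; manual intervention needed"
               % result["attempts"])
        result["notified"] = True
    return result
```

Wiring `notify` to the same network path that the test may have blocked defeats the purpose; in the system described the second channel is a separate connection or a telephone line.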
  • the present invention also relates to a computer system comprising at least two general purpose computers having one or more computer programs stored within data storage means associated therewith, the computer system being arranged for as well as being adapted for performing the method or methods according to the present invention and described above, including each of the described possible combinations of steps and procedures.
  • the system is generally described as having a single computer performing as the third computer of the method, but it is within the scope of the present invention that the computer system comprises at least two computers each being arranged for as well as being adapted for performing as a third computer according to the method, said at least two computers having a common data storage means associated with each of said at least two computers, each of said at least two computers being adapted for storage of test result data within said common data storage means as well as being adapted for retrieval of test result data from said common data storage means.
  • the computer system may likewise comprise at least two computers each being arranged for as well as being adapted for performing as a first computer according to the method.
  • the present invention further relates to a method for operating a computer system for identifying data communication protocol(s) of communication port(s) of an external computer, comprising an identification procedure having the steps of (a) retrieving from data storage means associated with the computer system a unique data communication address of the external computer as well as a unique communication port identification,
  • step (b) establishing a data communication connection from the computer system via a data communication network to a communication port of the external computer in accordance with the information retrieved in step (a),
  • the second evaluation result may, as previously described, be of one of said types of first evaluation results, and the method further comprises the step of performing, in case the second evaluation result is of type iii), a process comprising steps similar to (f1) to (f4) involving a third command, a third response, a third set of information and a third evaluation result.
  • the method may optionally comprise one or more further processes comprising steps similar to (f1) to (f4); at least some of the protocols are preferably common standard data communication protocols, and the method may furthermore, according to the invention, comprise the characteristics given in the above description in connection with the method for examining access security.
  • the present invention also relates to a computer system comprising at least one general purpose computer having one or more computer programs stored within data storage means associated therewith, the computer system being arranged for as well as being adapted for performing the method of identifying data communication protocol(s) of communication port(s) of an external computer as disclosed above.
  • the present invention furthermore relates to a computer program product adapted to enable a computer system comprising at least one general purpose computer having data storage means associated therewith and being arranged suitably to perform said method.
  • the present invention relates in a further aspect to a method for testing the vulnerability of a device for performing data communication via a data communication network by using a given common data communication standard, comprising the successive steps of (a) establishing a data communication connection between a computer and the device via a data communication network,
  • step (e) repeating step (b) with a new invalid combination if the device tested positive in step (d).
  • step (b) is preferably repeated for a plurality of invalid combinations so that substantially all possible invalid combinations are tested.
  • Such an invalid combination may be that the defined option length of an ICMP packet is shorter than the actual option length, such as a defined length of 0 (zero); a receiving stack that advances through the option list by the stated length will then fail to make progress, or read beyond the option, unless it validates the length first.
  • Another invalid combination is to state the same MAC address as the target and the sender in an Ethernet frame. The possible invalid combinations depend on the communication standard of the devices.
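The two invalid combinations named above, as an added example that is not code from the patent: a builder that produces an IPv4 header whose Record Route option states a length shorter than the bytes actually present (the page's example of a stated length of 0), the defensive option parser a receiving stack needs in order to reject such a header instead of looping or reading past it, and the check for an Ethernet frame whose source and destination MAC are identical. Addresses, option contents and the classification strings are constructed for this example; sending the packets on the wire (raw sockets) is deliberately left out.

```python
"""Malformed-header test inputs and the receiver-side checks that catch them.

Added example, not code from the patent. Addresses are constructed test values.
"""
import socket
import struct
from typing import List, Tuple


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP type 8 code 0 with the checksum filled in."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr)) + hdr[4:]


def record_route_option(stated_length: int, slots: int = 1) -> bytes:
    """Record Route option (type 7): type, length, pointer, then 4-byte slots.
    The correct length is 3 + 4*slots; the caller may state anything, which is
    exactly the 'defined length shorter than actual length' test input."""
    return bytes([7, stated_length, 4]) + b"\x00" * (4 * slots)


def ipv4_packet(src: str, dst: str, payload: bytes, options: bytes = b"",
                protocol: int = 1, ttl: int = 64) -> bytes:
    """IPv4 header (options padded to 32 bits with End-of-Option-List) + payload."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, ttl, protocol, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + options
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4_options(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the IPv4 option list; raise ValueError on any inconsistent length.
    Without the 'length < 2' check a stated length of 0 never advances the cursor
    and the loop spins forever; without the bounds check it reads past the header."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("IHL %d inconsistent with packet length %d" % (ihl, len(packet)))
    opts, i, found = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option type %d truncated before its length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option type %d states length %d (%d bytes remain)"
                             % (kind, length, len(opts) - i))
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found


def classify_ipv4(packet: bytes) -> str:
    """'ok' if the option list parses, otherwise 'malformed: <reason>'."""
    try:
        parse_ipv4_options(packet)
        return "ok"
    except ValueError as exc:
        return "malformed: %s" % exc


def ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def validate_ethernet(frame: bytes) -> Tuple[bytes, bytes, int]:
    """Return (dst, src, ethertype); reject a frame naming the target as its own sender."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if dst == src:
        raise ValueError("source MAC equals destination MAC")
    return dst, src, ethertype
```

A stated length that is too short but still at least 2 (for example 3 for a one-slot Record Route) is the subtler case: the parser accepts it and treats the leftover slot bytes as further options, so a device under test may react to that input differently from the length-0 case.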
  • Fig. 1 shows the overall design of the computer system.
  • Fig. 2 shows the details of the testing part of the system, comprising a computer being the scheduler and a number of test computers performing the actual tests, and
  • Fig. 3 is a flow diagram of the port identification procedure.
  • the computer system comprises a system controller which is the computer controlling the overall operation of the computer system and handling the communication with customers via a secure data communication connection to the Internet
  • the secure data communication connection such as a secure web server protocol (HTTPS) using a secure socket layer (SSL), enables encrypted communication with the customers through which orders for tests are received by the computer system and the test results are distributed
  • HTTPS: secure web server protocol
  • SSL: secure socket layer
  • a high security level is furthermore obtained by a so-called "firewall" between the data communication connection to the Internet and the system controller
  • This is preferably the only permanent data communication connection between the computer system and the Internet, optionally together with an ordinary HTTP connection to a restricted part of the computer system for public informational purposes
  • the system controller can establish a data communication connection to the scheduler, in the present embodiment also known as Robert, either via a private data communication network or via a public data communication network, such as the Internet, in which latter case a secure data communication connection is used
  • This data communication connection is only established temporarily for the transfer of order files from the system controller to the scheduler and for retrieving test result files from the scheduler and the data communication may only be established by request from the system controller in order to prevent unauthorised access to the system controller via the scheduler.
  • the order file comprises one or more unique data communication addresses, IP-addresses, of external computer systems to be tested as well as identification of the tests (or tasks) to be performed on the external computer systems and optionally an internal order identification.
  • the result file comprises the results of the tests that have been performed as well as an identification of the external computer systems that have been tested, either in the form of the IP-addresses of the external computer systems or in the form of the optional internal order identification.
  • the security of the system is increased by the use of an internal order identification, because it makes it more difficult for an unauthorised external intruder to link the test results to the tested computer systems.
  • the scheduler can establish data communication connection with a number of test computers from which the actual tests of the external computer systems are performed. As with the connection between the system controller and the scheduler, this data communication connection may be established either via a private data communication network or via a public data communication network, such as the Internet, in which latter case a secure data communication connection is used. This data communication connection is only established temporarily for the transfer of test order files from the scheduler to the test computer and for retrieving test result files from the test computers and the data communication may only be established by request from the scheduler in order to prevent unauthorised access to the system controller via the test computers.
  • the scheduler determines the order in which the various tests are performed and directs test results from some tests into the order files of a succeeding test. For example, the result of a test that scans an external computer for open ports is directed as input data into a test order file for a test determining the data communication protocol of the open ports, and the output of that task, in its test result file, is in turn directed to a test order file for a number of commercially available test applications that test the access security of ports with known communication protocols.
  • the scheduler is also able to include tests in a job started by an order file from the system controller that are not stated explicitly in the order file but only implicitly; for example, an open-port scan is understood to be performed prior to an explicitly stated test for determining the data communication protocol of open ports.
  • test computers run a number of different operating systems, such as Linux, Windows NT, Unix, etc., in order to enable the computer system to execute commercially available test applications designed to run under the different operating systems, thus making the computer system more flexible.
  • Each test application is installed on at least two different test computers in order to make the system more robust against individual break-downs of test computers, so that an order from the system controller may be executed even if one (or more) of the test computers is unable to perform a given test.
  • the test computers are able to establish data communication connections with external computers (or host computers) via a public data communication network, such as the Internet, via which connections the tests are performed.
  • a vendor of the present system allows a customer to access the system controller via a secure data communication connection and provides the customer with a user identification and a password for entering the system controller
  • a job consisting of a number of tests to be performed on one or more external computer systems defined by their IP addresses
  • a notification is issued from the system controller to the vendor via the public communication network, and the job is not effectuated before the elapse of a predefined time period, such as 24 hours, in order to give the vendor a reasonable response time to cancel the job if it turns out to have been ordered by a non-authorised third party, to be requested on an external computer not belonging to the customer, or to comprise another irregularity.
  • the job is not effectuated until the vendor provides the system controller with a positive response to the ordered job
  • the order file is then created by the system controller, a data communication connection is established with the scheduler and the order file is communicated to the scheduler after which the connection preferably is closed
  • the scheduler has the test computers performing the required tests and
  • nmap: A free port scanner available from http://www.insecure.org. It is used both to scan for a number of common TCP ports and to attempt to detect the operating system of the scanned host through IP fingerprinting. It runs under Linux.
  • traceroute: The standard Linux traceroute, freely available. It is used to determine whether the route to the scanned host can be determined using ICMP or UDP packets, and to return the route if found.
  • icmp: A free tool that can send and receive various ICMP packets. It is used to check whether the scanned host answers ping (ICMP echo request), ICMP timestamp request and ICMP netmask request.
  • nmscan: A port scanner developed for the present embodiment.
  • protocolid: A protocol identifier developed for the present embodiment. It is used to determine the protocol for each of the open ports found by nmscan.
  • Internet Scanner NT A commercial security scanner from ISS (http://www.iss.net). It is used to scan for a lot of known vulnerabilities.
  • Internet Scanner Linux A commercial security scanner from ISS (http://www.iss.net). It is used to scan for a lot of known vulnerabilities.
  • CyberCop for Linux and NT A commercial security scanner from Network Associates (http://www.nai.com). It is used to scan for a lot of known vulnerabilities.
  • Protocolid is a tool designed to detect the protocol of an open TCP port. Normally a standard port is used in connection with a protocol; thus a web server normally offers its services (using the http protocol) on TCP port 80. It is frequently seen, though, that a non-standard port is used: for example, a lot of management interfaces use the http protocol but on another port. Currently available security scanners either give no possibility of testing a non-standard port or require the port to be entered manually.
  • Protocolid automatically detects the protocol of an open port by trying to connect to it a number of times (one for each protocol that it is able to recognise), sending it a specific command or a number of specific commands and determining if the answers are in correspondence with the protocol.
  • when determining the protocol of a port, protocolid starts a new process for each protocol that it is able to recognise. Each of these processes opens a connection to the port, sends one or more protocol-specific commands and determines from the response(s) whether the port understands the protocol in question. If the protocol is recognised the process returns 1, otherwise it returns 0.
  • the main process of protocolid waits for the responses from the other processes, and if it gets a response of 1 from any of them it kills the rest of the processes and prints the name of that process, i.e. the recognised protocol. If it gets a 0 response from all processes it prints 'unknown'. If a timeout expires without any of the above conditions being fulfilled, it kills the processes that are not done and prints 'unknown'.
  • the protocols currently recognised are:
  • Protocolid is used in the computer system according to the present invention to determine the protocol that runs behind the open TCP ports to make other tools able to utilise the information
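The identification procedure described for protocolid, as an added example that is not the patent's tool: one probe per candidate protocol, each sending that protocol's command(s) and checking the replies, run concurrently; the first probe that recognises its protocol wins and the others are abandoned, and a global deadline yields 'unknown'. The probe table (http, ssh, pop3, smtp, ftp) and the loopback fake target used to exercise it are constructed for this example; threads stand in for the child processes of the original.

```python
"""Protocol identification of an open TCP port, in the style of protocolid.

Added example, not the patent's tool. The probe table and the fake target are
constructed for this example.
"""
import socket
import threading
import time
from concurrent.futures import FIRST_COMPLETED, ThreadPoolExecutor, wait
from typing import Callable, Dict, List, Optional, Tuple

Step = Tuple[Optional[bytes], Callable[[bytes], bool]]   # (command or None, reply check)

# Each protocol: a list of steps; a None command means "read the greeting first".
PROBES: Dict[str, List[Step]] = {
    "http": [(b"HEAD / HTTP/1.0\r\n\r\n", lambda r: r.startswith(b"HTTP/"))],
    "ssh":  [(None, lambda r: r.startswith(b"SSH-"))],
    "pop3": [(None, lambda r: r.startswith(b"+OK"))],
    "smtp": [(None, lambda r: r.startswith(b"220")),
             (b"EHLO probe.invalid\r\n", lambda r: r.startswith(b"250"))],
    "ftp":  [(None, lambda r: r.startswith(b"220")),
             (b"USER anonymous\r\n", lambda r: r[:3] in (b"331", b"230", b"530"))],
}


def probe(host: str, port: int, steps: List[Step], timeout: float) -> bool:
    """One child 'process': fresh connection, run the steps, return 1/0 as bool."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            for command, accept in steps:
                if command is not None:
                    s.sendall(command)
                reply = s.recv(1024)
                if not reply or not accept(reply):
                    return False
            return True
    except OSError:               # refused, reset, or no reply within timeout
        return False


def identify_protocol(host: str, port: int, probes: Dict[str, List[Step]] = PROBES,
                      timeout: float = 2.0, overall: float = 5.0) -> str:
    """Main process: start all probes, return the first protocol recognised,
    'unknown' if all fail or the overall deadline passes."""
    pool = ThreadPoolExecutor(max_workers=len(probes))
    futures = {pool.submit(probe, host, port, steps, timeout): name
               for name, steps in probes.items()}
    pending = set(futures)
    deadline = time.monotonic() + overall
    try:
        while pending:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            done, pending = wait(pending, timeout=remaining, return_when=FIRST_COMPLETED)
            for fut in done:
                if fut.result():
                    return futures[fut]
        return "unknown"
    finally:
        pool.shutdown(wait=False)  # do not wait for the losing probes to time out


def start_fake_target(banner: bytes, replies: Dict[bytes, bytes]) -> Tuple[int, Callable[[], None]]:
    """Constructed stand-in for the external computer on 127.0.0.1: optional
    greeting, then canned replies keyed by the first word of each request.
    Returns (port, stop)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def handle(conn: socket.socket) -> None:
        with conn:
            conn.settimeout(3.0)
            try:
                if banner:
                    conn.sendall(banner)
                while True:
                    request = conn.recv(1024)
                    if not request:
                        return
                    words = request.split()
                    key = words[0].upper() if words else b""
                    conn.sendall(replies.get(key, b"500 command not understood\r\n"))
            except OSError:
                return

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    def stop() -> None:
        try:
            srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


if __name__ == "__main__":
    port, stop = start_fake_target(b"", {b"HEAD": b"HTTP/1.0 200 OK\r\nServer: mgmt\r\n\r\n"})
    print("port %d speaks: %s" % (port, identify_protocol("127.0.0.1", port)))
    stop()
```

Two probes that both accept a 220 greeting (smtp and ftp) are told apart only by the second command, which is why a probe is a list of steps rather than a single banner match; a service that answers every probe, such as a honeypot, still yields whichever probe finishes first.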
  • Internet Security Scanner for Windows NT is able to test a web server on a non-standard port if the port is specified in its policy.
  • the wrapper is the interface code between Robert (the scheduler) and a test application.
  • the wrapper that runs the scanner can then extract the result of protocolid and use it to patch the policy of the scanner before it is run
  • the order file from the system controller to the scheduler is, for a given embodiment of the invention, a command file comprising some or all of the following commands. new job: Creates the job. Creating the job consists of creating the corresponding directory in WROBERT.OUTPUT and the jobinfo.csv file in it.
  • <tasklist> is either the name of a single task or a list of task names separated by commas and enclosed in square brackets []. All other arguments are optional and can be specified in any order.
  • <ip> is the IP address of a host to test; if it is not specified, all hosts in the job will be tested.
  • <ports> is a port or a port range to test; if it is not specified, all ports are tested.
  • <email> is an email address to notify when the order is complete.
  • <priority> is an integer priority enclosed in parentheses ().
  • <type> is one of: maxrun: sets the maximum number of running tasks in the job to the number given in <args>. time: sets three time values that control when the scheduler will schedule tasks in the job. stopmode: if <args> is strict, all running tasks in the job will be stopped (killed) when scheduling in the job stops.
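A parser for the task command arguments described above, as an added example that is not the scheduler's own code. Because the optional arguments may appear in any order, each token after the task list is classified by shape: a parenthesised integer is the priority, a token with an @ is the email, a parseable IP address is the host, and a bare number or range is the port specification (so `443` is a port and `(443)` a priority). The job control line is handled the same way for maxrun, time and stopmode; the three time values are kept as strings because the page does not give their format, and the error messages are this example's choice.

```python
"""Parsing order-file task and job-control commands by argument shape.

Added example, not code from the scheduler described on the page.
"""
import ipaddress
import re
from typing import Any, Dict, List, Optional, Tuple

_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_PRIORITY = re.compile(r"^\((-?\d+)\)$")
_PORTS = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_tasklist(token: str) -> List[str]:
    """'tcpscan' or '[tcpscan,protocolid]' -> list of task names."""
    if token.startswith("[") and token.endswith("]"):
        names = [t.strip() for t in token[1:-1].split(",")]
    else:
        names = [token]
    if not names or any(not n for n in names):
        raise ValueError("empty task name in %r" % token)
    return names


def parse_ports(token: str) -> Optional[Tuple[int, int]]:
    """'80' -> (80, 80), '1-1024' -> (1, 1024); None if the token is not a port spec."""
    m = _PORTS.match(token)
    if not m:
        return None
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("port range %s outside 0-65535" % token)
    return (lo, hi)


def _set_once(order: Dict[str, Any], key: str, value: Any, token: str) -> None:
    if order[key] is not None:
        raise ValueError("duplicate %s argument %r" % (key, token))
    order[key] = value


def parse_task_command(line: str) -> Dict[str, Any]:
    """Return the task list plus ip/ports/email/priority; None means absent,
    i.e. all hosts in the job, all ports, no notification, default priority."""
    tokens = line.split()
    if not tokens:
        raise ValueError("missing task list")
    order: Dict[str, Any] = {"tasks": parse_tasklist(tokens[0]), "ip": None,
                             "ports": None, "email": None, "priority": None}
    for tok in tokens[1:]:
        m = _PRIORITY.match(tok)
        if m:
            _set_once(order, "priority", int(m.group(1)), tok)
            continue
        if _EMAIL.match(tok):
            _set_once(order, "email", tok, tok)
            continue
        try:
            ip = str(ipaddress.ip_address(tok))
        except ValueError:
            ip = None
        if ip is not None:
            _set_once(order, "ip", ip, tok)
            continue
        ports = parse_ports(tok)
        if ports is not None:
            _set_once(order, "ports", ports, tok)
            continue
        raise ValueError("unrecognised argument %r" % tok)
    return order


def parse_job_control(line: str) -> Dict[str, Any]:
    """'<type> <args>' where type is maxrun, time or stopmode."""
    parts = line.split()
    if not parts:
        raise ValueError("empty job control line")
    kind, args = parts[0], parts[1:]
    if kind == "maxrun" and len(args) == 1 and args[0].isdigit():
        return {"maxrun": int(args[0])}
    if kind == "time" and len(args) == 3:
        return {"time": tuple(args)}       # format of the three values not given on the page
    if kind == "stopmode" and len(args) == 1:
        return {"stopmode": args[0]}       # 'strict' kills running tasks when scheduling stops
    raise ValueError("bad job control line %r" % line)
```

Rejecting unrecognised tokens matters here because the order file is the one input that crosses from the customer-facing system controller into the scheduler; a tolerant parser that silently dropped an odd token would also silently drop a mistyped IP address and test the wrong host.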
  • the jobinfo.csv file in the scheduler (Robert) is used to communicate results between the scheduler and the test computers and between the scheduler and the system controller.
  • the jobinfo.csv file consists of lines with a number of fields separated by tabs. The fields are: uid: an automatically generated integer; related lines are grouped by uid.
  • wtime: the time the line was generated, in the format "YYYY-MM-DD hh:mm:ss".
  • id: identifies the information in the line (max 20 characters), e.g. Task for task information. name: a subclassification of the information in the line (max 20 characters), e.g. tcpscan, the name of the task.
  • ipaddr: an IP address. ports: a port or a port range. value: a value (max 30 characters). value2: another value (max 30 characters). addinfo: additional information.
  • apart from addinfo, the fields cannot contain tabs or control characters.
  • in the addinfo field, lines are separated by \n (a backslash followed by the letter n) and a backslash is written as \\ (two backslashes); a carriage return is not considered part of a line separation.
  • since the jobinfo.csv file is used to hold scheduling information, job status and test results, it will be changed by a lot of different tools. The following is a detailed description of the possible lines of jobinfo.csv.
  • Job: uid: 0. value: the name of the job; this is the same as the name of the directory the job resides in on WROBERT\OUTPUT. addinfo: an email address.
  • Host: uid: a unique integer given to the line when it was created and larger than all other uids at that time. ipaddr: the IP address of the host.
  • Target: uid: a unique integer given to the line when it was created and larger than all other uids at that time. ipaddr: the IP address of the target.
  • Net: uid: a unique integer given to the line when it was created and larger than all other uids at that time. addinfo: the network in the format x.x.x.x/bb.
  • Domain: uid: a unique integer given to the line when it was created and larger than all other uids at that time. addinfo: the name of the domain.
  • the Order line has the following format:
  • Order: uid: a unique integer given to the line when it was created and larger than all other uids at that time. name: the name of the task ordered; if more than one task was ordered, only the first is given, followed by + (a plus sign). ipaddr: an optional IP address to perform the order on; if no IP address is given, the order is performed on the IP addresses given in all the Host lines in the job. ports: an optional port or port range to perform the order on; if no port is given it means 0-65535. addinfo: an optional email address to be notified when the order is complete.
  • Task: uid: the same as the uid field of the corresponding Order line. name: the name of the task to be executed. ipaddr: an optional IP address to perform the order on; if no IP address is given, the order is performed on the IP addresses given in all the Host lines in the job. ports: an optional port or port range to perform the order on; if no port is given it means 0-65535. value: the uid of the other lines relating to this task; these lines can contain scheduling information as well as test results. value2:
  • the scheduling can be controlled through JobControl lines, which come in three different flavours.
  • JobControl: uid: generated when the line is written. name: maxrun. value: the maximum number of running tasks that should be allowed in the job at any moment.
  • JobControl: uid: generated when the line is written. value: a time to stop scheduling tasks in the job (seconds since
  • TaskScheduled: uid: the value from the corresponding Task line. value: the internal IP address of the test computer the task has been started on. value2: the process id that the task is running under on the test computer.
  • TaskTimeout: uid: the value from the corresponding Task line.
  • TaskCancelled: uid: the value from the corresponding Task line.
  • TaskQueued: uid: the value from the corresponding Task line.
  • TaskStart: uid: the value from the corresponding Task line. ipaddr: the ipaddr from the corresponding Task line. ports: the ports from the corresponding Task line.
  • TaskEnd: uid: the value from the corresponding Task line.
  • the commercially available applications for performing the tasks in which the access security of the ports is tested are integrated in the present system by programs called wrappers because they so to speak are wrapped around the applications.
  • the wrapper that performs the task writes a line just before it starts a test of a single host and another after it has finished. If individual hosts are not relevant for the task, the ipaddr field is left blank.
  • HostStart: uid: the value from the corresponding Task line. name: the name of the tool used to perform the task. ipaddr: the host that will now be tested. value: the version of the tool used to perform the task.
  • HostEnd: uid: the value from the corresponding Task line.
  • the wrappers also write lines with the results of the task, informational lines as well as vulnerability lines.
  • the vulnerability lines have the following format. Vuln: uid: the value from the corresponding Task line. ipaddr: the host where the vulnerability was found. ports: an optional port where the vulnerability was found. value: the test case id for the vulnerability. value2: the (or part of the) tool vulnerability id. addinfo: data from the tool about the vulnerability.
  • port scanners report their output with the following lines:
  • TcpInfo: uid: the value from the corresponding Task line. ipaddr: the host. ports: the port(s). value: open, closed or unknown. addinfo: the reason for the conclusion in value, if available.
  • UdpInfo: uid: the value from the corresponding Task line. ipaddr: the host. ports: the port(s). value: closed or unknown. addinfo: the reason for the conclusion in value, if available.
  • the protocol identifier produces the following lines, which are included in the jobinfo.csv file:
  • Protocol: uid: the value from the corresponding Task line. ipaddr: the host. ports: a port. value: the detected protocol for the port.
  • TraceRoute: uid: the value from the corresponding Task line. ipaddr: the host. value: icmp, udp, or icmp and udp. addinfo: the route found.
  • OS: operating system
  • OsInfo: uid: the value from the corresponding Task line. ipaddr: the host. value: possible operating system(s).
  • NetbiosName: uid: the value from the corresponding Task line. ipaddr: the host. value: the NetBIOS name.
  • NetbiosDomain: uid: the value from the corresponding Task line. ipaddr: the host. value: the NetBIOS domain.
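The jobinfo.csv line format and the use the scanner wrapper makes of it, as an added example that is not code from the scheduler. It covers the field rules given above (nine tab-separated fields, addinfo escaped with \n and \\, no tabs or control characters elsewhere, the length limits on id/name/value/value2), the uid rule that a new line gets a uid larger than every uid present, and the join the wrapper needs when it patches protocolid's result into a scanner policy: TcpInfo lines reporting a port open, matched with Protocol lines for the same host and port. The records and the `policy_ports` helper name are constructed for this example.

```python
"""Reading and writing jobinfo.csv lines and joining port-scan results.

Added example, not code from the scheduler described on the page.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List

FIELDS = ("uid", "wtime", "id", "name", "ipaddr", "ports", "value", "value2", "addinfo")
MAXLEN = {"id": 20, "name": 20, "value": 30, "value2": 30}
_CTRL = re.compile(r"[\x00-\x1f\x7f]")
Record = Dict[str, str]


def encode_addinfo(text: str) -> str:
    """Backslash -> two backslashes, newline -> backslash-n; a carriage return is
    not a line separator, so it is dropped rather than encoded."""
    return text.replace("\\", "\\\\").replace("\r", "").replace("\n", "\\n")


def decode_addinfo(field: str) -> str:
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 1 < len(field) and field[i + 1] in "n\\":
            out.append("\n" if field[i + 1] == "n" else "\\")
            i += 2
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def format_line(rec: Record) -> str:
    """Serialise one record; refuse values that would corrupt the tab-separated line."""
    cols = []
    for name in FIELDS:
        value = str(rec.get(name, ""))
        if name == "addinfo":
            value = encode_addinfo(value)
        else:
            if "\t" in value or _CTRL.search(value):
                raise ValueError("field %s must not contain tabs or control characters" % name)
            if name in MAXLEN and len(value) > MAXLEN[name]:
                raise ValueError("field %s longer than %d characters" % (name, MAXLEN[name]))
        cols.append(value)
    return "\t".join(cols)


def parse_line(line: str) -> Record:
    cols = line.rstrip("\r\n").split("\t")
    if len(cols) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(cols)))
    rec = dict(zip(FIELDS, cols))
    rec["addinfo"] = decode_addinfo(rec["addinfo"])
    return rec


def next_uid(records: Iterable[Record]) -> int:
    """A new line's uid must exceed every uid present at the time it is written."""
    return max((int(r["uid"]) for r in records if r.get("uid", "").isdigit()), default=0) + 1


def new_record(records: List[Record], id_: str, **fields: str) -> Record:
    """Append a line; pass uid= explicitly for lines that reuse a Task line's value."""
    rec: Record = {f: "" for f in FIELDS}
    rec.update(uid=str(next_uid(records)),
               wtime=datetime.now().strftime("%Y-%m-%d %H:%M:%S"), id=id_)
    rec.update({k: str(v) for k, v in fields.items()})
    records.append(rec)
    return rec


def group_by_uid(records: Iterable[Record]) -> Dict[str, List[Record]]:
    groups: Dict[str, List[Record]] = {}
    for r in records:
        groups.setdefault(r["uid"], []).append(r)
    return groups


def policy_ports(records: Iterable[Record], protocol: str = "http") -> Dict[str, List[int]]:
    """Host -> sorted ports that are open per TcpInfo and speak `protocol` per
    Protocol: the list the wrapper patches into the scanner's policy."""
    recs = list(records)
    open_ports = {(r["ipaddr"], r["ports"]) for r in recs
                  if r["id"] == "TcpInfo" and r["value"] == "open"}
    result: Dict[str, List[int]] = {}
    for r in recs:
        if (r["id"] == "Protocol" and r["value"] == protocol
                and (r["ipaddr"], r["ports"]) in open_ports):
            result.setdefault(r["ipaddr"], []).append(int(r["ports"]))
    return {host: sorted(ports) for host, ports in result.items()}
```

Escaping in `encode_addinfo` must replace backslashes before newlines, and `decode_addinfo` must consume a pair at a time; otherwise the text `C:\new` round-trips as a line break, and tool output written into addinfo by one wrapper is misread by the next.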

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to a method of operating a computer system, as well as to the computer system itself, for testing the access security of computers connected to a data communication network. The security of the computer system itself is improved by performing the individual parts of a complete test on one or more test computers that are only temporarily connected to a scheduler computer, to which the results of the partial tests performed on the test computer(s) are communicated. The risk of unauthorised access to the highly sensitive test data is thereby reduced. A series of successive tests comprises a scan for open communication ports, followed by an identification procedure for identifying the communication protocols of the communication ports, after which the access security of the open and identified communication ports is tested.
EP00974341A 1999-11-03 2000-11-03 Test de securite d'acces d'ordinateurs sur un reseau de communication de donnees Withdrawn EP1232626A2 (fr)

Applications Claiming Priority (7)

Application Number Priority Date Filing Date Title
DK158499 1999-11-03
DKPA199901584 1999-11-03
US16433299P 1999-11-09 1999-11-09
US164332P 1999-11-09
DKPA200001073 2000-07-07
DK200001073 2000-07-07
PCT/DK2000/000616 WO2001033353A2 (fr) 1999-11-03 2000-11-03 Test de securite d'acces d'ordinateurs sur un reseau de communication de donnees

Publications (1)

Publication Number Publication Date
EP1232626A2 true EP1232626A2 (fr) 2002-08-21

Family

ID=27221342

Family Applications (1)

Application Number Title Priority Date Filing Date
EP00974341A Withdrawn EP1232626A2 (fr) 1999-11-03 2000-11-03 Test de securite d'acces d'ordinateurs sur un reseau de communication de donnees

Country Status (5)

Country Link
EP (1) EP1232626A2 (fr)
JP (1) JP2003514275A (fr)
AU (1) AU1268601A (fr)
CA (1) CA2388306A1 (fr)
WO (1) WO2001033353A2 (fr)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7228566B2 (en) 2001-07-10 2007-06-05 Core Sdi, Incorporated Automated computer system security compromise
US7277937B2 (en) 2002-07-17 2007-10-02 Core Sdi, Incorporated Distributed computing using syscall proxying
EP2220851A4 (fr) 2007-12-19 2013-07-31 Ericsson Telefon Ab L M Procédé pour faciliter des connexions ip à des hôtes derrière des boîtiers intermédiaires
TWI770855B (zh) * 2021-03-04 2022-07-11 凌華科技股份有限公司 裝置測試排序方法、裝置組態生成方法及其設備
US20220350641A1 (en) * 2021-04-28 2022-11-03 Microsoft Technology Licensing, Llc Securely cascading pipelines to various platforms based on targeting input

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4799153A (en) * 1984-12-14 1989-01-17 Telenet Communications Corporation Method and apparatus for enhancing security of communications in a packet-switched data communications system
US5892903A (en) * 1996-09-12 1999-04-06 Internet Security Systems, Inc. Method and apparatus for detecting and identifying security vulnerabilities in an open network computer communication system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO0133353A2 *

Also Published As

Publication number Publication date
AU1268601A (en) 2001-05-14
CA2388306A1 (fr) 2001-05-10
JP2003514275A (ja) 2003-04-15
WO2001033353A3 (fr) 2001-12-06
WO2001033353A2 (fr) 2001-05-10

Similar Documents

Publication Publication Date Title
US7761918B2 (en) System and method for scanning a network
US8286249B2 (en) Attack correlation using marked information
US7801980B1 (en) Systems and methods for determining characteristics of a network
US7317693B1 (en) Systems and methods for determining the network topology of a network
Kuwatly et al. A dynamic honeypot design for intrusion detection
US8555393B2 (en) Automated testing for security vulnerabilities of devices
US20030208616A1 (en) System and method for testing computer network access and traffic control systems
WO2001099002A2 (fr) Outil de generation de regles
Deraison et al. Passive vulnerability scanning: Introduction to NeVO
CN114338068A (zh) 多节点漏洞扫描方法、装置、电子设备及存储介质
WO2001033353A2 (fr) Test de securite d'acces d'ordinateurs sur un reseau de communication de donnees
Anderson Introduction to nessus
Aar et al. Analysis of penetration testing tools
Deri et al. Monitoring networks using ntop
Hoffstadt et al. Improved detection and correlation of multi-stage VoIP attack patterns by using a Dynamic Honeynet System
He et al. Network penetration testing
US20230388210A1 (en) Methods and apparatus for adaptive and holistic network measurements
Deraison et al. Using Nessus to detect wireless access points
Turner Wireless Security and Monitoring for the Home Network
CN113868654A (zh) 威胁探测指令集提取方法
CN115150199A (zh) 一种数据库运维客户端账户管控方法、系统、设备及介质
Yek Blackhat fingerprinting of the wired and wireless honeynet
Palani et al. Network security testing using discovery rechniques
Gaspary et al. Network-based Intrusion detection systems Evaluation through a Short Term Experimental Script
Grimes Honeyd Installation

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20020606

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

AX Request for extension of the european patent

Free format text: AL;LT;LV;MK;RO;SI

RIN1 Information on inventor provided before grant (corrected)

Inventor name: GRUENDL, PETER

Inventor name: MUNKEDAL, ULF

Inventor name: NEUPART, LARS

Inventor name: HEJGAARD VESTERGAARD, AAGE

Inventor name: VARSTED, STEEN

Inventor name: WILLEN, KEN

Inventor name: NORGAARD, BO

17Q First examination report despatched

Effective date: 20021202

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: VIGILANTE.COM, INC.

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20050316