GB2419254A - Detecting vulnerability of transient computing entity when accessing a network. - Google Patents

Info

Publication number
GB2419254A
Authority
GB
United Kingdom
Prior art keywords
computing entity
network
transient
transient computing
access
Legal status
Withdrawn
Application number
GB0422605A
Other versions
GB0422605D0 (en)
Inventor
Richard Smith
Jonathan Griffin
Current Assignee
Hewlett Packard Development Co LP
Original Assignee
Hewlett Packard Development Co LP

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0272 Virtual private networks
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

A method of managing access to a network by a transient computing entity, for example a domestic PC, includes detecting an attempt by the transient computing entity to establish a connection to the network, upon detection of a connection attempt, sending at least one outward data packet to the transient computing entity and determining, on the basis of data packets received, if any, from the transient computing entity, whether or not the transient computing entity is vulnerable, for example to known viruses or worms. Aspects of the invention include permitting or denying access to the network, permitting access to a secondary network and removing the vulnerability detected.

Description

NETWORK ADMINISTRATION
BACKGROUND TO THE INVENTION
In a network environment virtually any processing entity (or "host") is at one time or another connected to one or more other hosts. Thus, for example, a host in the form of a computer is frequently connected to one or more other computers, whether within an intranet of a commercial organization or as part of the internet. An inevitable result is that the opportunities for the propagation of "malicious" code, such as viruses or worms, which may cause deleterious effects to the network, are enhanced.
Within the context of this specification, malicious code is data that is capable of being incorporated by a host and that may cause a deleterious effect upon the performance of either the host itself, one or more other hosts, or a network of which any of the abovementioned hosts are a part. A characteristic effect of such code is that it propagates, either through self-propagation or through human interaction. Thus, for example, the code may act by becoming incorporated within a first host and, subsequent to its incorporation, may then cause deleterious effects within that first host, such as corruption and/or deletion of files (this type of code is normally known as a virus). In addition, the code may cause self-propagation to one or more further hosts, at which it will then cause similar corruption/deletion and further self-propagation. Alternatively, the code may merely be incorporated within the first host and cause no deleterious effects whatsoever until it is propagated to one or more further hosts, where it may then cause such deleterious effects, for example corruption and/or deletion of files. In yet a further alternative scenario, code may be incorporated within a first host and then cause itself to be propagated to multiple other hosts within the network. The code itself may have no deleterious effect upon any of the hosts by which it is incorporated, but the self-propagation through the network per se may be of a sufficient magnitude to have a negative effect on the speed of "genuine" network traffic, so that the performance of the network is nonetheless affected in a deleterious manner (this type of code is normally known as a worm). The three examples given above are intended to illustrate the breadth of the term code, and are not intended to be regarded in any way as exclusively definitive.
Worms and viruses infect computers by taking advantage of one or more vulnerabilities within the operating system or other software installed on a host computer. In this context, a vulnerability is any characteristic of a computer (whether hardware or software, including any impact of the surrounding context of that computer, such as network infrastructure) which is capable of being exploited to cause the computer to operate, at the behest of a third party, either contrary to the wishes of the computer's legitimate user or administrator, or without their knowledge. For example, some older operating systems incorporated software (unknown to many users) that automatically enabled the computing entity to operate as a web server, but which, due to a flaw in its operation, also left the entity vulnerable to attack by malicious code. Another example is the capability of a computing entity to establish a connection on port 22, which is indicative of the presence of a capability, found on Linux operating systems and known as secure shell (SSH), that can provide a remote computing entity with administrative access to the user's machine. Further examples of vulnerabilities are provided in UK patent application GB0409667.3, incorporated herein by reference.
Once a vulnerability of a computer to such viruses or worms becomes known, rapid remedial action is typically taken by the installation of a "patch" that has the effect of removing the vulnerability. Such patches are typically made widely available to network administrators to install on a vulnerable host. One manner in which the potential vulnerability of a host within a network may be established is by downloading and running, on a user host, a script that checks that all of the appropriate patches are installed.
The running of such a script can be initiated remotely by a network administrator or be caused to be initiated automatically in response to some triggering event.
UK patent application number GB0409667.3, also in the name of the current applicant and incorporated herein in its totality by reference, relates to the administration of a network of interconnected computers in which user computing entities are tested, or scanned, for the presence of known vulnerabilities in response to one or more trigger events. An example of a trigger event is the allocation of a network address to a user computing entity.
SUMMARY OF THE INVENTION
The invention has been derived from an appreciation that, whilst the periodic testing, or scanning, of network hosts is a reasonably efficient way of detecting vulnerabilities existing on hosts within a network, there nonetheless remains a clear window of opportunity for an infected or vulnerable machine to join and leave the network without being subject to a test or scan. These machines can be termed transient.
According to a first aspect of the present invention there is provided a method of managing access to a network by a transient computing entity, the method comprising detecting an attempt by the transient computing entity to establish a connection with the network, upon detection of a connection attempt sending at least one outward data packet to the transient computing entity, and determining, on the basis of data packets received, if any, from the transient computing entity, whether the transient computing entity is vulnerable.
It is therefore possible for the vulnerability of transient computing entities to be determined before a connection to the network is established, thus preventing the network from being put at risk before the vulnerability of the transient computing entity can be assessed.
Preferably, the transient computing entity is denied access to the network prior to the completion of the determining step. Whilst access is denied during the determining step, the transient computing entity may be permitted access to a first subsidiary network. In this manner, the transient computing entity may have access to an information source that provides information on the vulnerability assessment procedures.
If it is determined that the transient computing entity is vulnerable, the transient computing entity may be denied access to the network. Optionally, a transient computing entity that has been denied access to the network may have access to a second subsidiary network. The second subsidiary network may provide remedial utilities to the transient computing entity to remove the determined vulnerability. In addition or alternatively, the transient computing entity may have access to at least one network facility, such as web mail, via the second subsidiary network.
According to a second aspect of the present invention there is provided an apparatus for determining the vulnerability of a transient computing entity, the apparatus comprising a first computing entity connected to a network, the network comprising a plurality of further computing entities, the first computing entity being arranged to detect an attempted connection to the network by a transient computing entity, upon detection of a connection attempt to send at least one outward data packet to the transient computing entity, and to determine, on the basis of data packets received, if any, from the transient computing entity, whether the transient computing entity is vulnerable.
The first computing entity is preferably further arranged to deny the transient computing entity access to the network prior to completion of determining the vulnerability of the transient computing entity.
The first computing entity may be further arranged to permit the transient computing entity access to a first subsidiary network prior to completion of determining the vulnerability of the transient computing entity.
The first computing entity may further be arranged to deny the transient computing entity access to the network if the transient computing entity is determined to be vulnerable.
The first computing entity may be also arranged to permit the transient computing entity access to a second subsidiary network if the transient computing entity is determined to be vulnerable.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a schematic illustration of a first embodiment of the present invention; and Figure 2 is a schematic illustration of a second embodiment of the present invention.
DESCRIPTION OF PREFERRED EMBODIMENTS
Referring to Figure 1, an internal network, such as a LAN, comprises a plurality of hosts, such as computing entities (not shown). The internal network is characterized by the fact that each of the computing entities is, in ordinary use, permanently connected to the network. An example of such an internal network would be the physical computer network within a single building of a company.
Also illustrated in Figure 1 are a plurality of transient computing entities 302 that in use may be used to temporarily establish a connection with the internal network 100. There can be a number of reasons for a computing entity to appear as transient, the most common of which is that they only have temporary access to the internal network 100.
This access is most commonly established through a VPN (virtual private network) or wirelessly. In secure networks, such as company intranets, it is often the case that a wireless network is treated as untrusted and so connects to the LAN via a VPN anyway.
A virtual private network is a network of interconnected computing entities that uses an existing public network to establish the interconnections, but adds a further level of security, such as encryption of the transmissions, to ensure that only computing entities within the virtual private network, and not other entities on the public network, have access to communications sent via the virtual private network. An example of a virtual private network would be the connection of an individual's home computer to a company LAN via the internet.
The transient computing entities 302 are typically home computers, laptops or PDAs and as such are at a higher risk of being either infected or vulnerable to infection than a centrally managed desktop computer within a company's premises. There is therefore a need to be able to ensure a level of security compliance of such transient machines at the time that they attempt connection to the internal network 100, as opposed to hoping that they are included in a periodic security scan whilst connected to the internal network.
In the embodiment of the present invention illustrated in Figure 1, a security scanner 304 is connected to a VPN gateway 306 to which the transient computing entities 302 temporarily connect. Also connected to the security scanner 304 is a network router 308 that is in turn connected to the internal network 100. It will be appreciated that the VPN gateway 306, security scanner 304 and network router 308 may all be located at the premises of the internal network 100 operator, although this is not necessarily always the case. It will also be appreciated that although illustrated as discrete units, the VPN gateway, security scanner and router may be implemented by software applications running on one or more computing entities within the internal network 100.
The function of the VPN gateway 306 is to encrypt outgoing packets of data directed to the transient computing entities 302 so as to create the virtual private network over the public network by which communications between the transient computing entities 302 and the VPN gateway are accomplished. The VPN gateway 306 also carries out the required decryption on packets received from the transient computing entities 302. The operation of the VPN gateway 306 may be in accordance with known techniques. The function of the router 308 is to direct packets of data to the appropriate computing entities within the internal network 100 in accordance with the IP addresses specified in the data packets.
A further function of the VPN gateway 306 is to authenticate a transient computing entity 302 that is attempting to establish communication as being permitted to do so. For example, the VPN gateway 306 may request the provision of a password from the transient computing entity user, or check that other security information, such as may be provided by smartcards or biometric information sensors, has been provided by the transient computing entity 302. In prior art systems, once this authentication has been successfully completed, all data packets received from the transient computing entity 302 are transmitted to the internal network 100 via the router 308. However, in the embodiment of the present invention illustrated in Figure 1 this is not the case. On successful authentication of a transient computing entity 302, the received data packet from the transient computing entity is passed by the VPN gateway 306 to the security scanner 304.
As will be appreciated by those skilled in the art, a data packet received from a computing entity that is not currently registered with the internal network 100 can be recognised as such, for example, by the lack of an allocated network IP address associated with the transient computing entity or by the existence of a MAC address that is not currently registered as being associated with a computing entity within the network. On detection of such an event, the security scanner 304 attempts to establish whether the transient computing entity 302 has a known vulnerability present. For example, the security scanner 304 may attempt to communicate with the transient computing entity 302 using a specified application level protocol, the presence of which is either directly or deductively indicative of the presence of a vulnerability within the transient computing entity 302.
Other kinds of scanning operation may also be conducted, for example attempting to establish a connection with the transient computing entity 302 and recording the time intervals that elapse between the various data packets sent back from the computing entity 302 that are required, in accordance with the protocol employed, to establish a connection.
The magnitude of these time intervals can, in certain circumstances, reveal the operating system employed by the transient computing entity 302, and this information can, in turn, enable the deduction or diagnosis of the presence, or likely presence, of various vulnerabilities. Other scanning methodologies known to persons skilled in the art may also be applied.
While the security scanner 304 is checking the transient computing entity 302 for vulnerabilities or infections, any further data packets received from the transient computing entity via the VPN gateway 306 are routed to a first additional network 310.
The security scanner 304 ensures that any data packets received from the transient computing entity 302 are directed solely to this first additional network and are not allowed to be passed to the internal network 100. Whilst the data packets are routed to the first additional network 310, the transient computing entity 302 can be considered to have been placed in quarantine. Whilst in quarantine, transient computing entities 302 are therefore unable to communicate with any other computing entities on the internal network 100, and, depending upon policies applied by the network administrators to the first additional network 310, transient computing entities 302 in quarantine may also not be able to communicate with one another.
If on completion of the security scanning procedures it is determined that the transient computing entity 302 does not have any vulnerabilities or infections, data packets received from the computing entity 302 are routed via the router 308 to the internal network 100, allowing the transient computing entity 302 to communicate with any other machines within the internal network 100 and to have full access to the services provided by the internal network 100.
If on the other hand the scanning procedures determine that the transient computing entity 302 does have a vulnerability or an infection, data packets are routed by the security scanner 304 to a second additional network 312. As with the first additional network 310, a transient computing entity 302 connected to the second additional network 312 cannot communicate with any of the computing entities within the internal network 100, and cannot communicate with any other transient computing entities 302 connected to the second additional network 312. Again, depending on policies applied to the second additional network 312, transient computing entities connected to the second additional network may have access to information services explaining why they have been denied access to the internal network 100, or providing remedial information to remove the detected vulnerability or infection. Transient computing entities connected to the second additional network 312 may additionally have access to a limited network service, such as access to web mail. The security scanner 304 may, on detection of a vulnerability, also take action by utilising the detected vulnerability, for example by causing a pop-up window to appear on the display screen of the transient computing entity 302, the pop-up window including information warning the user that a vulnerability exists.
It will be noted that in the embodiment shown in Figure 1 the security scanner 304 is located between the VPN gateway 306 and the network router 308. This is to ensure that all data packets authenticated by the VPN gateway must pass through the security scanner 304 to access the internal network 100, as must all network traffic trying to reach the transient computing entities 302. As a result, the security scanner 304 is capable of diverting data packets received from the transient computing entities 302 between the different networks, i.e. the internal network 100 and the first and second additional networks 310 and 312, depending on their vulnerability assessment. There are no other routes available for data packets to take to bypass the security scanner 304. Once a transient computing entity 302 has passed the vulnerability assessment employed by the security scanner, the security scanner 304 is effectively transparent, as it allows network traffic to flow freely in both directions between the transient computing entity 302 and the internal network 100. If the transient computing entity 302 is in the process of being scanned by the security scanner 304, or has failed the vulnerability assessment applied by the security scanner, then the security scanner operates to drop all data packets from the internal network 100 directed to the transient computing entity. Traffic from the transient computing entity destined for the internal network 100 can be selectively dropped, depending upon the policies or protocols employed, or diverted into the appropriate additional network 310 or 312.
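The admission and routing logic described above for the security scanner 304, as an added Python example (this is constructed illustration, not code from the patent): a transient entity is recognised by an unregistered MAC address or a missing allocated IP address, an outward probe is sent, its packets are held in the first additional network 310 during assessment, and it is then forwarded to the internal network 100 or diverted to the second additional network 312; traffic from the internal network toward an unassessed or failed entity is dropped. The assessment policy, MAC/IP values and probe-response format are all assumed.

```python
"""Constructed simulation of the security scanner 304's admission logic
(added example; not the patent's own code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set


class Network(Enum):
    INTERNAL = "internal network 100"
    QUARANTINE = "first additional network 310"
    REMEDIATION = "second additional network 312"
    DROP = "packet dropped"


class State(Enum):
    UNKNOWN = "no assessment on record"
    SCANNING = "assessment in progress"
    PASSED = "no vulnerability found"
    FAILED = "vulnerable or infected"


@dataclass
class Packet:
    src_mac: str
    src_ip: Optional[str]  # None when the gateway has not allocated an address yet
    payload: str = ""


@dataclass
class SecurityScanner:
    # MAC addresses of the permanently connected hosts of the internal network.
    registered_macs: Set[str]
    # Policy deciding from the probe responses whether the entity is vulnerable.
    assess: Callable[[List[str]], bool]
    states: Dict[str, State] = field(default_factory=dict)
    sent_probes: List[str] = field(default_factory=list)

    def is_transient(self, pkt: Packet) -> bool:
        """A packet from an unregistered MAC, or without an allocated IP,
        is treated as a new connection attempt by a transient entity."""
        return pkt.src_mac not in self.registered_macs or pkt.src_ip is None

    def on_outbound(self, pkt: Packet) -> Network:
        """Decide where a packet arriving from the VPN gateway is routed."""
        state = self.states.get(pkt.src_mac, State.UNKNOWN)
        if state is State.UNKNOWN:
            if not self.is_transient(pkt):
                return Network.INTERNAL  # permanent host: scanner is transparent
            # Connection attempt detected: send the outward probe packet(s)
            # and quarantine the entity until the assessment completes.
            self.states[pkt.src_mac] = State.SCANNING
            self.sent_probes.append(f"probe -> {pkt.src_mac}")
            return Network.QUARANTINE
        if state is State.SCANNING:
            return Network.QUARANTINE
        if state is State.PASSED:
            return Network.INTERNAL
        return Network.REMEDIATION  # State.FAILED

    def on_probe_responses(self, mac: str, responses: List[str]) -> State:
        """Complete the assessment from the responses received, if any."""
        if self.states.get(mac) is not State.SCANNING:
            raise ValueError(f"{mac} is not under assessment")
        self.states[mac] = State.FAILED if self.assess(responses) else State.PASSED
        return self.states[mac]

    def on_inbound(self, dst_mac: str) -> Network:
        """Traffic from the internal network toward an entity is forwarded only
        to transient hosts assessed clean or to registered permanent hosts."""
        state = self.states.get(dst_mac, State.UNKNOWN)
        if state is State.PASSED:
            return Network.INTERNAL
        if state is State.UNKNOWN and dst_mac in self.registered_macs:
            return Network.INTERNAL
        return Network.DROP


def example_policy(responses: List[str]) -> bool:
    """Constructed policy following the page's examples: a service answering
    on port 22 (SSH) or an unintended web server counts as a vulnerability.
    Response strings are assumed to look like 'port/proto state service'."""
    for line in responses:
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "open":
            if fields[0].startswith("22/") or fields[2] == "http-server":
                return True
    return False


if __name__ == "__main__":
    scanner = SecurityScanner({"aa:aa:aa:aa:aa:aa"}, example_policy)
    laptop = Packet("0a:00:00:00:00:01", None)  # constructed transient MAC
    print(scanner.on_outbound(laptop))  # Network.QUARANTINE
    print(scanner.on_probe_responses(laptop.src_mac, ["22/tcp open ssh"]))  # State.FAILED
    print(scanner.on_outbound(laptop))  # Network.REMEDIATION
```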
An alternative embodiment of the present invention is illustrated in Figure 2. In the alternative embodiment the security scanner 304 is located within the internal network 100, with the internal network being connected to the VPN gateway 306 by the router 308.
The operation of the router 308 is controlled by the security scanner 304, as indicated by the chained line 314. In this way data packets from transient computing entities 302 that are attempting to establish a new connection to the internal network 100 are detected by the security scanner 304 as described previously with reference to Figure 1, and the same security scanning procedures can be performed. The direction of data packets to and from the transient computing entities 302 is controlled by the router 308 under the control of the security scanner 304. In this manner the security scanner 304 may also provide security scanning functions for the permanent computing entities located within the internal network 100.
It will be appreciated by those skilled in the art that the first and second additional networks 310 and 312 described above with reference to Figure 1 need not be physically separate entities, but may utilise computing services residing within the internal network 100. However, the operation of the router 308 prevents data packets that have been determined to be sent to either of the additional networks from being sent to any computing entities within the internal network 100. This may be achieved using conventional network routing techniques, such as routing on IP addresses.

Claims (13)

1. A method of managing access to a network by a transient computing entity, the method comprising: detecting an attempt by the transient computing entity to establish a connection with the network; upon detection of a connection attempt, sending at least one outward data packet to the transient computing entity; and determining, on the basis of data packets received, if any, from the transient computing entity, whether the transient computing entity is vulnerable.
2. A method according to claim 1, wherein prior to the completion of the determining step, the transient computing entity is denied access to the network.
3. A method according to claim 2, wherein prior to the completion of the determining step, the transient computing entity is permitted access to a first subsidiary network.
4. A method according to any preceding claim, wherein if it is determined that the transient computing entity is vulnerable, the transient computing entity is denied access to a network.
5. A method according to claim 4, wherein if it is determined that the transient computing entity is vulnerable, a transient computing entity is permitted access to a second subsidiary network.
6. A method according to claim 5, wherein the transient computing entity has access to remedial utilities to remove the determined vulnerability via the second subsidiary network.
7. A method according to claim 5, wherein the transient computing entity has access to at least one network facility via the second subsidiary network.
8. A method according to claim 1, wherein the transient computing entity attempts to establish a connection to the network via VPN (virtual private network).
9. Apparatus for determining the vulnerability of a transient computing entity, the apparatus comprising a first computing entity connected to a network, the network comprising a plurality of further computing entities, the first computing entity being arranged to: detect an attempted connection to the network by a transient computing entity; upon detection of a connection attempt, to send at least one outward data packet to the transient computing entity; and to determine, on the basis of data packets received, if any, from the transient computing entity, whether the transient computing entity is vulnerable.
10. Apparatus according to claim 9, wherein the first computing entity is further arranged to deny the transient computing entity access to the network prior to completion of determining the vulnerability of the transient computing entity.
11. Apparatus according to claim 9, wherein the first computing entity is arranged to permit the transient computing entity access to a first subsidiary network prior to completion of determining the vulnerability of the transient computing entity.
12. Apparatus according to any one of claims 9, wherein the first computing entity is further arranged to deny the transient computing entity access to the network if the transient computing entity is determined to be vulnerable.
13. Apparatus according to any one of claims 9, wherein the first computing entity is arranged to permit the transient computing entity access to a second subsidiary network if the transient computing entity is determined to be vulnerable.

Priority Applications (3)

Application Number | Priority Date | Filing Date | Title
GB0422605A GB2419254A (en) | 2004-10-12 | 2004-10-12 | Detecting vulnerability of transient computing entity when accessing a network.
GB0510720A GB2414627A (en) | 2004-05-27 | 2005-05-26 | Network administration
US11/141,760 US20050265351A1 (en) | 2004-05-27 | 2005-05-27 | Network administration

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
GB0422605A GB2419254A (en) | 2004-10-12 | 2004-10-12 | Detecting vulnerability of transient computing entity when accessing a network.

Publications (2)

Publication Number | Publication Date
GB0422605D0 (en) | 2004-11-10
GB2419254A (en) | 2006-04-19

Family

ID=33443763

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
GB0422605A (Withdrawn) GB2419254A (en) | Detecting vulnerability of transient computing entity when accessing a network. | 2004-05-27 | 2004-10-12

Country Status (1)

Country | Link
GB (1) | GB2419254A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
WO2002003178A2 (en) * | 2000-06-30 | 2002-01-10 | Internet Security Systems, Inc. | Method and apparatus for network assessment and authentication
US20030204728A1 (en) * | 2002-04-30 | 2003-10-30 | Tippingpoint Technologies, Inc. | Steganographically authenticated packet traffic
US20030204632A1 (en) * | 2002-04-30 | 2003-10-30 | Tippingpoint Technologies, Inc. | Network security system integration
US20040015728A1 (en) * | 2002-01-15 | 2004-01-22 | Cole David M. | System and method for network vulnerability detection and reporting
WO2004031953A1 (en) * | 2002-10-01 | 2004-04-15 | Skybox Security, Ltd. | System and method for risk detection and analysis in a computer network

Also Published As

Publication number | Publication date
GB0422605D0 (en) | 2004-11-10

Legal Events

Code | Title
WAP | Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)