CA2468841A1 - Credential management and network querying - Google Patents
Credential management and network querying Download PDFInfo
- Publication number
- CA2468841A1 CA2468841A1 CA002468841A CA2468841A CA2468841A1 CA 2468841 A1 CA2468841 A1 CA 2468841A1 CA 002468841 A CA002468841 A CA 002468841A CA 2468841 A CA2468841 A CA 2468841A CA 2468841 A1 CA2468841 A1 CA 2468841A1
- Authority
- CA
- Canada
- Prior art keywords
- credential
- credentials
- network device
- network
- repository
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
- 238000000034 method Methods 0.000 claims abstract description 24
- 238000012360 testing method Methods 0.000 claims abstract description 22
- 238000010200 validation analysis Methods 0.000 claims description 2
- 239000003795 chemical substances by application Substances 0.000 description 84
- 229910003460 diamond Inorganic materials 0.000 description 8
- 239000010432 diamond Substances 0.000 description 8
- 230000004044 response Effects 0.000 description 8
- 230000008569 process Effects 0.000 description 4
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 102100031184 C-Maf-inducing protein Human genes 0.000 description 2
- 101000993081 Homo sapiens C-Maf-inducing protein Proteins 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 1
- 230000001010 compromised effect Effects 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000000638 solvent extraction Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Abstract
The present invention is directed to a system and method for determining one or more credentials of a network device. The system and method select a firs t network device from among a plurality of network devices, access a credentia l repository (108), contact the first network device, and test the validity of the first set of credentials. The credential repository (108) comprises a first set of credentials corresponding to the first network device. If user provides invalid or no credentials, a candidate credential queue (112) can b e used to guess a valid second set of credentials when the first set of credentials is not valid.
Description
CREDENTIAL MANAGEMENT AND NETWORK QUERYING
FIELD OF THE INVENTION
The present invention is related generally to authentication in data networks and specifically to determining credentials for computational components in data networks.
BACKGROUND OF THE INVENTION
In computational networks, it is common to have one or more automated network management system (NMS) devices for collecting data to ascertain levels of performance (e.g., BER, loss of synchronization, etc.), equipment, module, subassembly, and card failures, circuit outages, levels of traffic, and network usage. NMS devices typically interrogate network components, such as routers, ethernet switches, and other hosts for stored information. As will be appreciated, a network device or component is a computational component that may or may not have a physical counterpart, e.g., the component may be a 1 S virtual computational component such as an interface. Examples of proprietary network management systems include Hewlett-Packard's OPENVIEWTM, IBM's NETVIEWTM, and Digital Equipment Corporation's EMATM. To permit such network management systems in distributed processing networks to communicate with hosts for monitoring and controlling the enterprise network, network management communication protocols have been developed, such as the Simple Network Management Protocol or SNMP and the Common Management Information Protocol or CMIP.
During interrogation, NMS devices interact with authentication systems present in network devices, such as routers. Authentication systems are an essential part of network security. Typically, a user is able to access information in certain network devices only by entering one or more credentials. As used herein, a "credential" refers to a set of information (e.g., a character or string of characters) which must be provided to a computational component for access to information in the computational component to be provided.
Examples of credentials for version 1 of SNMP include a community string, for version 3 of SNMP User-Based/SecurityModel or include USM mode, user name, authentication method, authentication password, privacy method, and privacy password, and for TELNET
include a user login, password, router type, and prompt. As will be appreciated, different credentials can be required for differing levels of information access, e.g. read-only access and supervisor levels.
FIELD OF THE INVENTION
The present invention is related generally to authentication in data networks and specifically to determining credentials for computational components in data networks.
BACKGROUND OF THE INVENTION
In computational networks, it is common to have one or more automated network management system (NMS) devices for collecting data to ascertain levels of performance (e.g., BER, loss of synchronization, etc.), equipment, module, subassembly, and card failures, circuit outages, levels of traffic, and network usage. NMS devices typically interrogate network components, such as routers, ethernet switches, and other hosts for stored information. As will be appreciated, a network device or component is a computational component that may or may not have a physical counterpart, e.g., the component may be a 1 S virtual computational component such as an interface. Examples of proprietary network management systems include Hewlett-Packard's OPENVIEWTM, IBM's NETVIEWTM, and Digital Equipment Corporation's EMATM. To permit such network management systems in distributed processing networks to communicate with hosts for monitoring and controlling the enterprise network, network management communication protocols have been developed, such as the Simple Network Management Protocol or SNMP and the Common Management Information Protocol or CMIP.
During interrogation, NMS devices interact with authentication systems present in network devices, such as routers. Authentication systems are an essential part of network security. Typically, a user is able to access information in certain network devices only by entering one or more credentials. As used herein, a "credential" refers to a set of information (e.g., a character or string of characters) which must be provided to a computational component for access to information in the computational component to be provided.
Examples of credentials for version 1 of SNMP include a community string, for version 3 of SNMP User-Based/SecurityModel or include USM mode, user name, authentication method, authentication password, privacy method, and privacy password, and for TELNET
include a user login, password, router type, and prompt. As will be appreciated, different credentials can be required for differing levels of information access, e.g. read-only access and supervisor levels.
When a new NMS system device is connected to a network, the NMS device must learn the various forms of authentication used to be able to interrogate network devices. The learning process typically involves a user manually setting credentials before using the tool on the network. This is not only a slow task but also fails to easily allow for dynamic changes of authentication during use. For example, some network security schemes require a credential to be periodically changed to maintain a high level of network security.
Network management personnel typically compromise network security for ease of credential configuration in NMS devices. For example, some network management systems rely on the credential being set to a default credential (generally public level access credentials) on all components in the network. In some applications, the varying access levels to the network components are compromised by using a common default credential.
This practice unnecessarily restricts the type of authentication to a type of default credential and can restrict with what type of equipment the network management system can be used and also compromises network security. Other network management systems do permit a limited number of passwords to be entered before the network management system performs interrogation but fail to allow for dynamic changes in authentication during use.
SUMMARY OF THE INVENTION
These and other needs are addressed by the various embodiments and configurations of the present invention. The credential discovery agent of the present invention determines credentials of network devices by maintaining a credential repository, which typically is a historical record of credentials used in the network, and/or a candidate credential queue, which typically is a listing of credentials ordered based on the likelihood that the credentials are in current use by the network devices of interest. In one architecture, the agent, repository, and queue consider that network management personnel reuse credentials over time and, at any given time, reuse the same credential for different network devices.
In one embodiment, the credential discovery agent determines one or more credentials of a network device by performing the steps of:
(a) selecting a first network device from among a plurality of network devices;
(b) accessing the credential repository, the credential repository comprising a first set of credentials corresponding to the first network device;
Network management personnel typically compromise network security for ease of credential configuration in NMS devices. For example, some network management systems rely on the credential being set to a default credential (generally public level access credentials) on all components in the network. In some applications, the varying access levels to the network components are compromised by using a common default credential.
This practice unnecessarily restricts the type of authentication to a type of default credential and can restrict with what type of equipment the network management system can be used and also compromises network security. Other network management systems do permit a limited number of passwords to be entered before the network management system performs interrogation but fail to allow for dynamic changes in authentication during use.
SUMMARY OF THE INVENTION
These and other needs are addressed by the various embodiments and configurations of the present invention. The credential discovery agent of the present invention determines credentials of network devices by maintaining a credential repository, which typically is a historical record of credentials used in the network, and/or a candidate credential queue, which typically is a listing of credentials ordered based on the likelihood that the credentials are in current use by the network devices of interest. In one architecture, the agent, repository, and queue consider that network management personnel reuse credentials over time and, at any given time, reuse the same credential for different network devices.
In one embodiment, the credential discovery agent determines one or more credentials of a network device by performing the steps of:
(a) selecting a first network device from among a plurality of network devices;
(b) accessing the credential repository, the credential repository comprising a first set of credentials corresponding to the first network device;
(c) contacting the first network device; and (d) testing the validity of the first set of credentials.
The credential repository holds credentials that have been learned (e.g., from the user, by a successful guess, etc.). The repository is used to save the credentials between executions and can have things removed or added to it during agent operation. Between runs the repository allows the credentials to be stored so they can be used on subsequent runs of the agent.
The credential repository can include a number of variables associated with the first network device. These variables can include a corresponding credential state, a corresponding protocol identifier, a corresponding (IP) address, a total number of instances of use of at least one credential in the first set of credentials, a corresponding candidate credential frequency counter associated with at least one credential in the first set of credentials, a recency of use of at least one credential in the first set of credentials, and the administrative locality of at least one credential in the first set of credentials. The protocol identifier is indicative of the protocol defining or associated with the credentials and/or the authentication system used to communicate with the network device.
If the agent is unable to determine the valid credentials using the repository, the agent can prompt the user for additional credentials to test. In this manner, the user can provide input into the operation of the agent. The user is typically prompted for credentials as the agent contacts differing types of network devices. The user fills in the required credentials) and the agent then verifies that the inputted credentials) are correct by using the inputted credentials) to contact the network device. When the credentials) is valid, it is copied into the repository.
In another embodiment, the agent determines at least one credential of a network device when previously used credentials are invalid or unsuccessfully validated by performing the steps of:
(a) selecting one or more credential from a candidate credential queue;
(b) contacting a network device;
(c) testing the validity of the credential(s); and (d) assigning a priority value or ranking to the tested credential based on whether or not the credentials) is valid.
The credential repository holds credentials that have been learned (e.g., from the user, by a successful guess, etc.). The repository is used to save the credentials between executions and can have things removed or added to it during agent operation. Between runs the repository allows the credentials to be stored so they can be used on subsequent runs of the agent.
The credential repository can include a number of variables associated with the first network device. These variables can include a corresponding credential state, a corresponding protocol identifier, a corresponding (IP) address, a total number of instances of use of at least one credential in the first set of credentials, a corresponding candidate credential frequency counter associated with at least one credential in the first set of credentials, a recency of use of at least one credential in the first set of credentials, and the administrative locality of at least one credential in the first set of credentials. The protocol identifier is indicative of the protocol defining or associated with the credentials and/or the authentication system used to communicate with the network device.
If the agent is unable to determine the valid credentials using the repository, the agent can prompt the user for additional credentials to test. In this manner, the user can provide input into the operation of the agent. The user is typically prompted for credentials as the agent contacts differing types of network devices. The user fills in the required credentials) and the agent then verifies that the inputted credentials) are correct by using the inputted credentials) to contact the network device. When the credentials) is valid, it is copied into the repository.
In another embodiment, the agent determines at least one credential of a network device when previously used credentials are invalid or unsuccessfully validated by performing the steps of:
(a) selecting one or more credential from a candidate credential queue;
(b) contacting a network device;
(c) testing the validity of the credential(s); and (d) assigning a priority value or ranking to the tested credential based on whether or not the credentials) is valid.
The priority value is used to determine an order in which to test corresponding credentials when it is necessary to guess the credential in use by the network device. In one configuration, the priority value is used to order the listing of credentials in the candidate credential queue. In another configuration, the priority value is determined based on one or more of a candidate credential frequency counter, a recency of use counter, and an administrative locality associated with the corresponding set of credentials.
In one configuration, the agent attempts to guess the credential before prompting the user for a credential. These guesses may include standard defaults, credentials which have been used or tried elsewhere in the network, or credentials which have been provided by the user up-front.
The agent, credential repository, and candidate credential queue can have a number of advantages. First, the agent can dynamically and automatically maintain the repository and candidate over time. Conventional tools allow for a limited number of credentials to be entered before the tool is used, but such tools do not allow for dynamically adding more credentials during use of the tool. In contrast, the agent updates the repository and queue during and/or after each run of the credential discovery agent. Second, the agent can be convenient to use and determine credentials in significantly less time than conventional techniques. Third, the agent can reduce the amount of user interaction by making educated guesses at the credential before prompting the user. In some configurations, the agent speculatively tests credentials on any new network devices detected to reduce the requirement for user interaction. Fourth, the agent can obviate the need for the user to manually input an extensive list of credentials before the agent is run. Fifth, the agent can make network management systems more flexible in dealing with unknown credentials by prompting the user and also storing known credentials in the repository for later use. These and other advantages will be apparent from the disclosure of the inventions) contained herein.
The above-described embodiments and configurations are neither complete nor exhaustive. As will be appreciated, other embodiments of the invention are possible utilizing, alone or in combination, one or more of the features set forth above or described in detail below.
S
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 is a block diagram of a computational architecture according to a first embodiment of the present invention and Figs. 2A and 2B depict a flow schematic of the credential discovery agent.
DETAILED DESCRIPTION
Fig. 1 depicts a computational architecture 100 according to a first embodiment of the present invention. The architecture 100 comprises a credential discovery agent 104 configured to determine one or more valid credentials for selected network devices or components, a credential repository 108 mapping credentials to IP addresses and containing other information, a candidate credential queue 112 listing credentials in order of priority for credential guessing by the credential discovery agent 104, and a skip list 116 listing IP
addresses for which credential determination was not performed at the request of the user.
The credential repository 108, which is typically encrypted, is loaded at runtime of the agent 104 to provide an initial population of credentials for IP addresses of network components. The repository can include a number of fields for each IP address including one or more credentials, a credential state, a protocol identifier, and protocol access level for credential and/or for each credential a protocol identifier, corresponding IP
addresses, the total number of instances of use of the credential by the listed IP addresses, a priority of use of the credential, a candidate credential frequency counter to reflect the frequency of use of the credential in the network (or in the credential repository), recency of use of the (valid) credential in the network (or recency of use as determined by the agent 104), the administrative locality of the credential, and other information that can be used to assign a priority value to the credential in the candidate credential queue 112. During operation of the agent 104, the credential repository 108 is updated by the agent 104, such as after each IP address is considered and/or after all of the IP addresses are considered.
As will be appreciated, a unique network component identifier other than IP address can be employed, depending upon the protocol associated with the network component.
The candidate credential queue 112 provides a listing of credentials, each of which has a corresponding priority and protocol identifier. When guessing, the agent 104 tests the credentials in order of each credential's corresponding priority value. In one implementation for version 1 of SNMP, the queue 112 is initially populated with a credential containing the community string "public". During any individual discovery task, each credential, which is successfully validated by the credential repository is also added to the queue 112, though with a lower priority than that of the "public" credential. As will be appreciated, the priority can be assigned based on any one of or combination of factors including the candidate credential frequency counter to reflect the frequency of use of the credential in the network (or in the credential repository), the recency of use of the (valid) credential in the network (or the recency of use as determined by the agent 104), and/or the administrative locality of the credential relative to the IP address under consideration (e.g., if the network component under consideration is associated with or connected to another network component which has a corresponding credential the corresponding credential is first used as a test credential).
The skip list 116 is simply a listing of network component IP addresses for which the agent 104 will not perform a credential determination.
The operation of the credential discovery agent 104 is depicted in Figs. 2A
and 2B.
Referring to Fig. 2A, the agent 104 is created in step 200.
In step 204, the agent 104 determines if the credential repository 108 is populated with one or more IP addresses. If the credential repository 108 is empty or nonexistent, the agent 104 initializes the repository and proceeds to step 208. If the credential repository is not empty, the repository is loaded by the agent in step 212. Initially, all credentials in the credential repository 108 are assumed to be untested or not yet successfully validated. The agent 104 then proceeds to step 208.
In decision diamond 208, the agent determines whether the user has requested to stop discovery. If the user has so requested, the agent 104 proceeds to step 216 and returns with an error code (STOP CRED) indicating the request. If the user has not so requested, the agent proceeds to step 220.
In step 220, the agent selects an initial IP address for credential determination. The initial IP address is typically selected from a network access list of one or more IP addresses provided by the user. This network access list can be generated by the user manually or automatically using a network topology discovery algorithm such as described in U. S. Patent Applications entitled "Topology Discovery by Partitioning Multiple Discovery Techniques"
and "Using Link State Information to Discover IP Network Topology", both by Goringe, et al., filed concurrently herewith and incorporated herein by this reference.
The network access list typically includes a list of network component identifiers (e.g., IP addresses) and a corresponding credential state field for each identifier.
The agent then proceeds to step 224 where the agent determines if the selected IP
address is on the skip list 116.
If the selected IP address is on the skip list 116, the agent 104 sets the credential state for the IP address in the network access list as NO CREDENTIAL in step 228 and proceeds to decision diamond 232 where the agent determines if there is another If address on the network access list. The NO CREDENTIAL state means that no valid credential was obtained for the corresponding IP address. The corresponding IP address entry in the credential repository 108 (if any) is typically not removed from the repository if the IP
address is skipped. If a next IP address is available, the agent 104 gets the next IP address in step 236 and repeats step 224. If a next IP address is unavailable, the agent 104 saves the updated credential repository and terminates operation in step 216.
If the IP address is not on the skip list, the agent 104 next determines in decision diamond 240 whether there is in the credential repository 108 an IP address entry matching the selected IP address. In other words, the agent 104 determines whether the repository 108 contains a credential corresponding to the selected IP address.
When a corresponding credential exists, the agent in step 244 tests the validity of the credential by known techniques. The techniques, of course, depend upon the protocol being used by the network component corresponding to the IP address.
When the credential is valid in step 248, the agent 104 proceeds to step 252 where the credential is added to the candidate credential queue 112 and then to step 256 where the corresponding entry in the network access list (and/or credential repository) is assigned the credential state of FOUND CREDENTIAL. This state means that the credential was validated. The credential is stored in the appropriate out-parameter corresponding to the IP
address. The agent 104 may increment a candidate credential frequency counter and/or otherwise adjust the priority of the credential in the candidate credential queue 112. The agent 104 then returns to step 232 discussed above.
When the credential is invalid in step 248, the agent 104 must determine the reason why the credential was not successfully validated. The unsuccessful validation could be due to an invalid credential or to the network component being uncontactable at the time.
Accordingly, the agent 104 in step 260 pings the device and in decision diamond 264 determines whether a response is received from the component within a selected time interval. The ping step 260 can be done using an Internet Control Message Protocol or ICMP
echo request.
In any event, if a response is not received, the agent 104 in step 268 assigns a credential state of UNCONTACTABLE to the corresponding entry in the network access list (and/or credential repository) and returns to step 232 above. As will be appreciated, the credential state of UNCONTACTABLE indicates that the network component was unresponsive to the ping. The corresponding IP address entry in the credential repository is not removed when the credential state is UNCONTACTABLE.
If a response is received, the agent 104 in step 272 removes the entry corresponding to the IP address from the credential repository 108, updates the entry corresponding to the credential in the credential repository 108, and adjusts the candidate credential queue 112 when the credential is listed in the candidate credential queue. As noted, the priority of the credentials in the queue 112 can be based on any number of factors, including usage of the credential. When the credential is no longer in use by a network component, the priority often requires adjustment downward to reflect the nonuse. Typically, the candidate credential frequency counter is decremented.
The agent next proceeds to step 276 where the agent 104 attempts to guess the credential from the credentials listed in the queue 112. When guessing, the agent 104 tries all of the credentials in the queue 112 in order of priority. As shown in steps 280, 284, and 288, each credential is retrieved sequentially and an attempt is made to validate it.
When a credential is successfully validated in steps 276, 280, 284 and 288, the credential is stored in the appropriate out-parameter corresponding to the IP
address in step 292 and the corresponding entry in the network access list (and/or credential repository) is assigned the credential state of FOUND CREDENTIAL in step 256. The agent 104 may increment a candidate credential frequency counter and/or otherwise adjust the priority of the credential in the candidate credential queue 112. The agent 104 then returns to step 232 which is discussed above.
When a credential is unsuccessfully validated in steps 276, 280, 284 and 288, the agent 104 in step 296 checks the user's preferences regarding whether or not the user is to be prompted for further instructions regarding the IP address. This preference is indicated by using a flag state. If no credentials that can be used to access the remote network component are found or if none of the found credentials work, the user may be prompted for a new set of credentials. The user is prompted only if the existence of the remote network component has earlier been confirmed by pinging as noted above and the flag to not prompt the user is not set (or vice versa).
In decision diamond 300, the agent 104 determines whether to prompt the user.
When the prompt flag is set(i.e., the user does not want to be prompted) then the agent 104 in step 304 marks the IP address for which no credential can be found as through the user had responded with a skip command. In other words, the IP address is added to the skip list 116.
The corresponding entry in the network access list (and/or credential repository) is then assigned in step 308 a credential state of NO CREDENTIAL. The agent 104 then returns to 15' step 232 discussed above.
When the prompt flag is not set(i.e., the user wants to be prompted), then the agent 104 in step 312 prompts the user. The user can respond in five different ways.
First, the user can respond by entering a credential as shown by decision diamond 316. When a credential is entered, the agent 104 tests the validity of the credential in step 320.
When in step 324 the credential is valid, the agent proceeds to step 292 discussed above. When in step 324 the credential is invalid, the agent returns to step 312 and again prompts the user. Second, the user can respond by instructing the agent 104 to skip the IP address. This is shown in step 328. When the agent 104 receives this response, the agent 104 proceeds to step discussed previously. Third, the user can respond by instructing the agent 104 to stop. This is shown in step 332. In that event, the agent 104 sets the prompt flag to stop in step 336, adds the address to the skip list 116 in step 340, saves the updated credential table and terminates operation in step 344. Fourth, the user can respond by instructing the agent 104 to no prompt. This is shown by step 348. In that event, the agent 104 sets the prompt flag to no prompt in step 352 and proceeds to step 304 discussed above. Finally, the user can provide an unintelligible or unrecognized response. In that event, the agent 104 returns to step 312 and again prompts the user.
Returning to decision diamond 240, when a corresponding credential is not in the credential repository the agent 104 in step 356 pings the device as discussed above to determine if the network component is contactable. The agent 104 in decision diamond 360 determines whether or not a response is timely received. When a timely response is received, 5 the agent 104 proceeds to step 276 discussed above. When no timely response is received, the agent 104 proceeds to step 268 also discussed above.
A number of variations and modifications of the invention can be used. It would be possible to provide for some features of the invention without providing others. For example in one alternative embodiment, the architecture discussed above supports other versions of 10 SNMP, such as version 3 of SNMP, and/or protocols other than SNMP, such as TELNET
and CMIP. In this embodiment, the credential object would be defined in ways) to support one or more different protocols. For example, the architecture can support multiple protocols at the same time. A protocol identifier is then used in the credential repository to identify the protocol corresponding to the network component and the credential object accorded a number of alternative definitions depending upon the corresponding protocol.
In this embodiment, the credentials in the candidate credential frequency queue 112 would only be used in the credential guessing routine for the network component corresponding to the IP
address under consideration when the network component used the protocol corresponding to the credential (as shown by the corresponding protocol identifier). In another alternative embodiment, a unique network component identifier other than IP address is used in the credential repository. For example, the identifier could be a component id as defined by the OSPF protocol, and/or credentials preconfigured by the user to be used as candidates for guessing. In another alternative embodiment, credentials in the repository that are not successfully validated are not removed from the respository but are marked with an appropriate flag indicating this fact. The credential may still be used by the network at a subsequent time or be concurrently used by a network component that is not listed in the credential repository. These credentials are eligible for inclusion in the candidate credential queue 112. As will be appreciated, some network security schemes rotate use of or periodically reuse credentials. In yet another alternative embodiment, the candidate credential queue can include credentials from sources other than the network itself. For example, the queue can include credentials that are in common or widespread use in the industry, default credentials in use when a device is initially acquired from a supplier or manufacturer, and/or credentials that are provided by the user in advance.
The present invention, in various embodiments, includes components, methods, processes, systems and/or apparatus substantially as depicted and described herein, including various embodiments, subcombinations, and subsets thereof. Those of skill in the art will understand how to make and use the present invention after understanding the present disclosure. The present invention, in various embodiments, includes providing devices and processes in the absence of items not depicted and/or described herein or in various embodiments hereof, including in the absence of such items as may have been used in previous devices or processes, e.g. for improving performance, achieving ease and\or reducing cost of implementation.
In one alternative embodiment, the credential discovery agent is implemented in whole or part as an application specific integrated circuit or other type of logic circuit.
The foregoing discussion of the invention has been presented for purposes of illustration and description. The foregoing is not intended to limit the invention to the form or forms disclosed herein. Although the description of the invention has included description of one or more embodiments and certain variations and modifications, other variations and modifications are within the scope of the invention, e.g. as may be within the skill and knowledge of those in the art, after understanding the present disclosure. It is intended to obtain rights which include alternative embodiments to the extent permitted, including alternate, interchangeable and/or equivalent structures, functions, ranges or steps to those claimed, whether or not such alternate, interchangeable and/or equivalent structures, functions, ranges or steps are disclosed herein, and without intending to publicly dedicate any patentable subject matter.
In one configuration, the agent attempts to guess the credential before prompting the user for a credential. These guesses may include standard defaults, credentials which have been used or tried elsewhere in the network, or credentials which have been provided by the user up-front.
The agent, credential repository, and candidate credential queue can have a number of advantages. First, the agent can dynamically and automatically maintain the repository and candidate over time. Conventional tools allow for a limited number of credentials to be entered before the tool is used, but such tools do not allow for dynamically adding more credentials during use of the tool. In contrast, the agent updates the repository and queue during and/or after each run of the credential discovery agent. Second, the agent can be convenient to use and determine credentials in significantly less time than conventional techniques. Third, the agent can reduce the amount of user interaction by making educated guesses at the credential before prompting the user. In some configurations, the agent speculatively tests credentials on any new network devices detected to reduce the requirement for user interaction. Fourth, the agent can obviate the need for the user to manually input an extensive list of credentials before the agent is run. Fifth, the agent can make network management systems more flexible in dealing with unknown credentials by prompting the user and also storing known credentials in the repository for later use. These and other advantages will be apparent from the disclosure of the inventions) contained herein.
The above-described embodiments and configurations are neither complete nor exhaustive. As will be appreciated, other embodiments of the invention are possible utilizing, alone or in combination, one or more of the features set forth above or described in detail below.
S
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 is a block diagram of a computational architecture according to a first embodiment of the present invention and Figs. 2A and 2B depict a flow schematic of the credential discovery agent.
DETAILED DESCRIPTION
Fig. 1 depicts a computational architecture 100 according to a first embodiment of the present invention. The architecture 100 comprises a credential discovery agent 104 configured to determine one or more valid credentials for selected network devices or components, a credential repository 108 mapping credentials to IP addresses and containing other information, a candidate credential queue 112 listing credentials in order of priority for credential guessing by the credential discovery agent 104, and a skip list 116 listing IP
addresses for which credential determination was not performed at the request of the user.
The credential repository 108, which is typically encrypted, is loaded at runtime of the agent 104 to provide an initial population of credentials for IP addresses of network components. The repository can include a number of fields for each IP address including one or more credentials, a credential state, a protocol identifier, and protocol access level for credential and/or for each credential a protocol identifier, corresponding IP
addresses, the total number of instances of use of the credential by the listed IP addresses, a priority of use of the credential, a candidate credential frequency counter to reflect the frequency of use of the credential in the network (or in the credential repository), recency of use of the (valid) credential in the network (or recency of use as determined by the agent 104), the administrative locality of the credential, and other information that can be used to assign a priority value to the credential in the candidate credential queue 112. During operation of the agent 104, the credential repository 108 is updated by the agent 104, such as after each IP address is considered and/or after all of the IP addresses are considered.
As will be appreciated, a unique network component identifier other than IP address can be employed, depending upon the protocol associated with the network component.
The candidate credential queue 112 provides a listing of credentials, each of which has a corresponding priority and protocol identifier. When guessing, the agent 104 tests the credentials in order of each credential's corresponding priority value. In one implementation for version 1 of SNMP, the queue 112 is initially populated with a credential containing the community string "public". During any individual discovery task, each credential, which is successfully validated by the credential repository is also added to the queue 112, though with a lower priority than that of the "public" credential. As will be appreciated, the priority can be assigned based on any one of or combination of factors including the candidate credential frequency counter to reflect the frequency of use of the credential in the network (or in the credential repository), the recency of use of the (valid) credential in the network (or the recency of use as determined by the agent 104), and/or the administrative locality of the credential relative to the IP address under consideration (e.g., if the network component under consideration is associated with or connected to another network component which has a corresponding credential the corresponding credential is first used as a test credential).
The skip list 116 is simply a listing of network component IP addresses for which the agent 104 will not perform a credential determination.
The operation of the credential discovery agent 104 is depicted in Figs. 2A
and 2B.
Referring to Fig. 2A, the agent 104 is created in step 200.
In step 204, the agent 104 determines if the credential repository 108 is populated with one or more IP addresses. If the credential repository 108 is empty or nonexistent, the agent 104 initializes the repository and proceeds to step 208. If the credential repository is not empty, the repository is loaded by the agent in step 212. Initially, all credentials in the credential repository 108 are assumed to be untested or not yet successfully validated. The agent 104 then proceeds to step 208.
In decision diamond 208, the agent determines whether the user has requested to stop discovery. If the user has so requested, the agent 104 proceeds to step 216 and returns with an error code (STOP CRED) indicating the request. If the user has not so requested, the agent proceeds to step 220.
In step 220, the agent selects an initial IP address for credential determination. The initial IP address is typically selected from a network access list of one or more IP addresses provided by the user. This network access list can be generated by the user manually or automatically using a network topology discovery algorithm such as described in U. S. Patent Applications entitled "Topology Discovery by Partitioning Multiple Discovery Techniques"
and "Using Link State Information to Discover IP Network Topology", both by Goringe, et al., filed concurrently herewith and incorporated herein by this reference.
The network access list typically includes a list of network component identifiers (e.g., IP addresses) and a corresponding credential state field for each identifier.
The agent then proceeds to step 224 where the agent determines if the selected IP
address is on the skip list 116.
If the selected IP address is on the skip list 116, the agent 104 sets the credential state for the IP address in the network access list as NO CREDENTIAL in step 228 and proceeds to decision diamond 232 where the agent determines if there is another If address on the network access list. The NO CREDENTIAL state means that no valid credential was obtained for the corresponding IP address. The corresponding IP address entry in the credential repository 108 (if any) is typically not removed from the repository if the IP
address is skipped. If a next IP address is available, the agent 104 gets the next IP address in step 236 and repeats step 224. If a next IP address is unavailable, the agent 104 saves the updated credential repository and terminates operation in step 216.
If the IP address is not on the skip list, the agent 104 next determines in decision diamond 240 whether there is in the credential repository 108 an IP address entry matching the selected IP address. In other words, the agent 104 determines whether the repository 108 contains a credential corresponding to the selected IP address.
When a corresponding credential exists, the agent in step 244 tests the validity of the credential by known techniques. The techniques, of course, depend upon the protocol being used by the network component corresponding to the IP address.
When the credential is valid in step 248, the agent 104 proceeds to step 252 where the credential is added to the candidate credential queue 112 and then to step 256 where the corresponding entry in the network access list (and/or credential repository) is assigned the credential state of FOUND CREDENTIAL. This state means that the credential was validated. The credential is stored in the appropriate out-parameter corresponding to the IP
address. The agent 104 may increment a candidate credential frequency counter and/or otherwise adjust the priority of the credential in the candidate credential queue 112. The agent 104 then returns to step 232 discussed above.
When the credential is invalid in step 248, the agent 104 must determine the reason why the credential was not successfully validated. The unsuccessful validation could be due to an invalid credential or to the network component being uncontactable at the time.
Accordingly, the agent 104 in step 260 pings the device and in decision diamond 264 determines whether a response is received from the component within a selected time interval. The ping step 260 can be done using an Internet Control Message Protocol or ICMP
echo request.
In any event, if a response is not received, the agent 104 in step 268 assigns a credential state of UNCONTACTABLE to the corresponding entry in the network access list (and/or credential repository) and returns to step 232 above. As will be appreciated, the credential state of UNCONTACTABLE indicates that the network component was unresponsive to the ping. The corresponding IP address entry in the credential repository is not removed when the credential state is UNCONTACTABLE.
If a response is received, the agent 104 in step 272 removes the entry corresponding to the IP address from the credential repository 108, updates the entry corresponding to the credential in the credential repository 108, and adjusts the candidate credential queue 112 when the credential is listed in the candidate credential queue. As noted, the priority of the credentials in the queue 112 can be based on any number of factors, including usage of the credential. When the credential is no longer in use by a network component, the priority often requires adjustment downward to reflect the nonuse. Typically, the candidate credential frequency counter is decremented.
The agent next proceeds to step 276 where the agent 104 attempts to guess the credential from the credentials listed in the queue 112. When guessing, the agent 104 tries all of the credentials in the queue 112 in order of priority. As shown in steps 280, 284, and 288, each credential is retrieved sequentially and an attempt is made to validate it.
When a credential is successfully validated in steps 276, 280, 284 and 288, the credential is stored in the appropriate out-parameter corresponding to the IP
address in step 292 and the corresponding entry in the network access list (and/or credential repository) is assigned the credential state of FOUND CREDENTIAL in step 256. The agent 104 may increment a candidate credential frequency counter and/or otherwise adjust the priority of the credential in the candidate credential queue 112. The agent 104 then returns to step 232 which is discussed above.
When a credential is unsuccessfully validated in steps 276, 280, 284 and 288, the agent 104 in step 296 checks the user's preferences regarding whether or not the user is to be prompted for further instructions regarding the IP address. This preference is indicated by using a flag state. If no credentials that can be used to access the remote network component are found or if none of the found credentials work, the user may be prompted for a new set of credentials. The user is prompted only if the existence of the remote network component has earlier been confirmed by pinging as noted above and the flag to not prompt the user is not set (or vice versa).
In decision diamond 300, the agent 104 determines whether to prompt the user.
When the prompt flag is set(i.e., the user does not want to be prompted) then the agent 104 in step 304 marks the IP address for which no credential can be found as through the user had responded with a skip command. In other words, the IP address is added to the skip list 116.
The corresponding entry in the network access list (and/or credential repository) is then assigned in step 308 a credential state of NO CREDENTIAL. The agent 104 then returns to 15' step 232 discussed above.
When the prompt flag is not set(i.e., the user wants to be prompted), then the agent 104 in step 312 prompts the user. The user can respond in five different ways.
First, the user can respond by entering a credential as shown by decision diamond 316. When a credential is entered, the agent 104 tests the validity of the credential in step 320.
When in step 324 the credential is valid, the agent proceeds to step 292 discussed above. When in step 324 the credential is invalid, the agent returns to step 312 and again prompts the user. Second, the user can respond by instructing the agent 104 to skip the IP address. This is shown in step 328. When the agent 104 receives this response, the agent 104 proceeds to step discussed previously. Third, the user can respond by instructing the agent 104 to stop. This is shown in step 332. In that event, the agent 104 sets the prompt flag to stop in step 336, adds the address to the skip list 116 in step 340, saves the updated credential table and terminates operation in step 344. Fourth, the user can respond by instructing the agent 104 to no prompt. This is shown by step 348. In that event, the agent 104 sets the prompt flag to no prompt in step 352 and proceeds to step 304 discussed above. Finally, the user can provide an unintelligible or unrecognized response. In that event, the agent 104 returns to step 312 and again prompts the user.
Returning to decision diamond 240, when a corresponding credential is not in the credential repository the agent 104 in step 356 pings the device as discussed above to determine if the network component is contactable. The agent 104 in decision diamond 360 determines whether or not a response is timely received. When a timely response is received, 5 the agent 104 proceeds to step 276 discussed above. When no timely response is received, the agent 104 proceeds to step 268 also discussed above.
A number of variations and modifications of the invention can be used. It would be possible to provide for some features of the invention without providing others. For example in one alternative embodiment, the architecture discussed above supports other versions of 10 SNMP, such as version 3 of SNMP, and/or protocols other than SNMP, such as TELNET
and CMIP. In this embodiment, the credential object would be defined in ways) to support one or more different protocols. For example, the architecture can support multiple protocols at the same time. A protocol identifier is then used in the credential repository to identify the protocol corresponding to the network component and the credential object accorded a number of alternative definitions depending upon the corresponding protocol.
In this embodiment, the credentials in the candidate credential frequency queue 112 would only be used in the credential guessing routine for the network component corresponding to the IP
address under consideration when the network component used the protocol corresponding to the credential (as shown by the corresponding protocol identifier). In another alternative embodiment, a unique network component identifier other than IP address is used in the credential repository. For example, the identifier could be a component id as defined by the OSPF protocol, and/or credentials preconfigured by the user to be used as candidates for guessing. In another alternative embodiment, credentials in the repository that are not successfully validated are not removed from the respository but are marked with an appropriate flag indicating this fact. The credential may still be used by the network at a subsequent time or be concurrently used by a network component that is not listed in the credential repository. These credentials are eligible for inclusion in the candidate credential queue 112. As will be appreciated, some network security schemes rotate use of or periodically reuse credentials. In yet another alternative embodiment, the candidate credential queue can include credentials from sources other than the network itself. For example, the queue can include credentials that are in common or widespread use in the industry, default credentials in use when a device is initially acquired from a supplier or manufacturer, and/or credentials that are provided by the user in advance.
The present invention, in various embodiments, includes components, methods, processes, systems and/or apparatus substantially as depicted and described herein, including various embodiments, subcombinations, and subsets thereof. Those of skill in the art will understand how to make and use the present invention after understanding the present disclosure. The present invention, in various embodiments, includes providing devices and processes in the absence of items not depicted and/or described herein or in various embodiments hereof, including in the absence of such items as may have been used in previous devices or processes, e.g. for improving performance, achieving ease and\or reducing cost of implementation.
In one alternative embodiment, the credential discovery agent is implemented in whole or part as an application specific integrated circuit or other type of logic circuit.
The foregoing discussion of the invention has been presented for purposes of illustration and description. The foregoing is not intended to limit the invention to the form or forms disclosed herein. Although the description of the invention has included description of one or more embodiments and certain variations and modifications, other variations and modifications are within the scope of the invention, e.g. as may be within the skill and knowledge of those in the art, after understanding the present disclosure. It is intended to obtain rights which include alternative embodiments to the extent permitted, including alternate, interchangeable and/or equivalent structures, functions, ranges or steps to those claimed, whether or not such alternate, interchangeable and/or equivalent structures, functions, ranges or steps are disclosed herein, and without intending to publicly dedicate any patentable subject matter.
Claims (33)
1. A method for determining one or more credentials of a network device, comprising:
selecting a first network device from among a plurality of network devices;
accessing a credential repository, the credential repository comprising a first set of credentials corresponding to the first network device;
contacting the first network device; and testing the validity of the first set of credentials.
selecting a first network device from among a plurality of network devices;
accessing a credential repository, the credential repository comprising a first set of credentials corresponding to the first network device;
contacting the first network device; and testing the validity of the first set of credentials.
2. The method of Claim 1, wherein the credential repository further comprises, for the first network device, a plurality of a corresponding credential state, a corresponding protocol identifier, a corresponding address, a total number of instances of use of at least one credential in the first set of credentials, a corresponding candidate credential frequency counter associated with at least one credential in the first set of credentials, a recency of use of at least one credential in the first set of credentials, and the administrative locality of at least one credential in the first set of credentials.
3. The method of Claim 1, further comprising:
assigning a credential state to at least one credential in the first set of credentials.
assigning a credential state to at least one credential in the first set of credentials.
4. The method of Claim 1, further comprising, when at least one credential in the first set of credentials is valid:
adding the at least one credential to a candidate credential queue.
adding the at least one credential to a candidate credential queue.
5. The method of Claim 1, further comprising, when at least one credential in the first set of credentials is not valid:
pinging the first network device to determine whether the first network device is contactable.
pinging the first network device to determine whether the first network device is contactable.
6. The method of Claim 1, further comprising, when at least one credential in the first set of credentials is not valid:
selecting a second set of credentials from a candidate credential queue; and testing the validity of the second set of credentials.
selecting a second set of credentials from a candidate credential queue; and testing the validity of the second set of credentials.
7. The method of Claim 6, further comprising, when at least one credential in the second set of credentials is not valid:
prompting a user for a third set of credentials; and when the third set of credentials is received from the user, testing the validity of the third set of credentials.
prompting a user for a third set of credentials; and when the third set of credentials is received from the user, testing the validity of the third set of credentials.
8. The method of Claim 1, wherein the plurality of network devices comprises a second network device, each of the first and second network devices has an associated protocol identifier indicative of a protocol used by the network device, and the first and second protocol identifiers are different.
9. The method of Claim 6, further comprising:
comparing a protocol associated with the first network device with a protocol identifier associated with the second set of credentials.
comparing a protocol associated with the first network device with a protocol identifier associated with the second set of credentials.
10. The method of Claim 9, wherein, when the protocol associated with the first network device is different from the protocol associated with the protocol identifier, the testing step is not performed.
11. A credential repository for a network, comprising:
a plurality of network device identifiers, at least first and second network devices in the plurality of network devices using different protocols;
for each of the plurality of network devices, the credential repository further comprises, for the first and second network devices, a corresponding protocol identifier; and for each of the plurality of network devices, a corresponding set of credentials configured for the protocol associated with the corresponding protocol identifier.
a plurality of network device identifiers, at least first and second network devices in the plurality of network devices using different protocols;
for each of the plurality of network devices, the credential repository further comprises, for the first and second network devices, a corresponding protocol identifier; and for each of the plurality of network devices, a corresponding set of credentials configured for the protocol associated with the corresponding protocol identifier.
12. The credential repository of Claim 11, comprising, for each of the plurality of network device identifiers, a plurality of a corresponding credential state, a corresponding address, a total number of instances of use of at least one credential in the corresponding set of credentials, a corresponding candidate credential frequency counter associated with at least one credential in the corresponding set of credentials, a recency of use of at least one credential in the first set of credentials, and an administrative locality of at least one credential in the corresponding set of credentials.
13. A system for determining one or more credentials of a network device, comprising:
means for selecting a first network device from among a plurality of network devices;
a credential repository comprising a first set of credentials corresponding to the first network device;
means for accessing the credential repository;
means for contacting the first network device; and means for testing the validity of the first set of credentials.
means for selecting a first network device from among a plurality of network devices;
a credential repository comprising a first set of credentials corresponding to the first network device;
means for accessing the credential repository;
means for contacting the first network device; and means for testing the validity of the first set of credentials.
14. The system of Claim 13, wherein the credential repository further comprises, for the first network device, a plurality of a corresponding credential state, a corresponding protocol identifier, a corresponding address, a total number of instances of use of at least one credential in the first set of credentials, a corresponding candidate credential frequency counter associated with at least one credential in the first set of credentials, a recency of use of at least one credential in the first set of credentials, and the administrative locality of at least one credential in the first set of credentials.
15. The system of Claim 13, further comprising:
means for assigning a credential state to at least one credential in the first set of credentials.
means for assigning a credential state to at least one credential in the first set of credentials.
16. The system of Claim 13, further comprising, when at least one credential in the first set of credentials is valid:
means for adding the at least one credential to a candidate credential queue.
means for adding the at least one credential to a candidate credential queue.
17. The system of Claim 13, further comprising, when at least one credential in the first set of credentials is not valid:
means for pinging the first network device to determine whether the first network device is contactable.
means for pinging the first network device to determine whether the first network device is contactable.
18. The system of Claim 13, further comprising, when at least one credential in the first set of credentials is not valid:
second means for selecting a second set of credentials from a candidate credential queue; and second means for testing the validity of the second set of credentials.
second means for selecting a second set of credentials from a candidate credential queue; and second means for testing the validity of the second set of credentials.
19. The system of Claim 18, further comprising, when at least one credential in the second set of credentials is not valid:
means for prompting a user for a third set of credentials; and when the third set of credentials is received from the user, third means for testing the validity of the third set of credentials.
means for prompting a user for a third set of credentials; and when the third set of credentials is received from the user, third means for testing the validity of the third set of credentials.
20. A system for determining one or more credentials of a network device, comprising:
a credential repository comprising a first set of credentials corresponding to a first network device; and a credential discovery agent configured to select the first network device from among a plurality of network devices, access the credential repository, contact the first network device, and test the validity of the first set of credentials.
a credential repository comprising a first set of credentials corresponding to a first network device; and a credential discovery agent configured to select the first network device from among a plurality of network devices, access the credential repository, contact the first network device, and test the validity of the first set of credentials.
21. The system of Claim 20, wherein the credential repository further comprises, for the first network device, a plurality of a corresponding credential state, a corresponding protocol identifier, a corresponding address, a total number of instances of use of at least one credential in the first set of credentials, a corresponding candidate credential frequency counter associated with at least one credential in the first set of credentials, a recency of use of at least one credential in the first set of credentials, and the administrative locality of at least one credential in the first set of credentials.
22. The system of Claim 20, wherein the credential discovery agent is further configured to assign a credential state to at least one credential in the first set of credentials.
23. The system of Claim 20, wherein the credential discovery agent is further configured, when at least one credential in the first set of credentials is valid, to add the at least one credential to a candidate credential queue.
24. The system of Claim 20, wherein the credential discovery agent is further configured, when at least one credential in the first set of credentials is not valid, to ping the first network device to determine whether the first network device is contactable.
25. The system of Claim 20, wherein the credential discovery agent is further configured, when at least one credential in the first set of credentials is not valid, to select a second set of credentials from a candidate credential queue and test the validity of the second set of credentials.
26. The system of Claim 25, wherein the credential discovery agent is further configured, when at least one credential in the second set of credentials is not valid, to prompt a user for a third set of credentials and, when the third set of credentials is received from the user, to test the validity of the third set of credentials.
27. A candidate credential queue for determining a credential of a network device, comprising:
a plurality of sets of credentials, each of the plurality of sets of credentials having a corresponding ranking indicative of a probability that the plurality of sets of credentials is currently in use by the network device.
a plurality of sets of credentials, each of the plurality of sets of credentials having a corresponding ranking indicative of a probability that the plurality of sets of credentials is currently in use by the network device.
28. The candidate credential queue of Claim 27, wherein the ranking is determined based on at least one of a candidate credential frequency counter, a recency of use counter, an administrative locality associated with the corresponding set of credentials, preferences of the user, a user configured priority, and an ordering of validation of at least one set of credentials on another network device.
29. A method for determining at least one credential of a network device, comprising:
selecting at least one credential;
contacting a network device;
testing the validity of the at least one credential; and assigning a ranking to the at least one credential based on whether or not the at least one credential is valid.
selecting at least one credential;
contacting a network device;
testing the validity of the at least one credential; and assigning a ranking to the at least one credential based on whether or not the at least one credential is valid.
30. The method of Claim 29, wherein the ranking reflects a probability that the at least one credential is in current use in the network associated with the network device.
31. A system for determining at least one credential of a network device, comprising:
a credential discovery agent configured to assign a rank to at least one credential based on whether or not the at least one credential is valid.
a credential discovery agent configured to assign a rank to at least one credential based on whether or not the at least one credential is valid.
32. The system of Claim 31, wherein the rank reflects a probability that the at least one credential is in current use in the network associated with the network device.
33. The system of Claim 31, wherein the credential discovery agent is further configured to select at least one credential from a candidate credential queue, test the validity of the at least one credential, and assign the rank to the at least one credential based on whether or not the at least one credential is valid.
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US34706002P | 2002-01-08 | 2002-01-08 | |
US60/347,060 | 2002-01-08 | ||
US10/127,938 US7571239B2 (en) | 2002-01-08 | 2002-04-22 | Credential management and network querying |
US10/127,938 | 2002-04-22 | ||
PCT/US2002/030630 WO2003060744A1 (en) | 2002-01-08 | 2002-09-26 | Credential management and network querying |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2468841A1 true CA2468841A1 (en) | 2003-07-24 |
Family
ID=26826100
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002468841A Abandoned CA2468841A1 (en) | 2002-01-08 | 2002-09-26 | Credential management and network querying |
Country Status (6)
Country | Link |
---|---|
US (1) | US7571239B2 (en) |
EP (1) | EP1472613A4 (en) |
JP (1) | JP2005515550A (en) |
AU (1) | AU2002343432A1 (en) |
CA (1) | CA2468841A1 (en) |
WO (1) | WO2003060744A1 (en) |
Families Citing this family (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7421442B2 (en) * | 2002-07-02 | 2008-09-02 | American Express Travel Related Services Company, Inc. | System and method for data capture and reporting |
US7546452B2 (en) * | 2002-08-20 | 2009-06-09 | Intel Corporation | Hardware-based credential management |
US8032931B2 (en) * | 2002-10-30 | 2011-10-04 | Brocade Communications Systems, Inc. | Fabric manager multiple device login |
US7779420B1 (en) * | 2003-09-29 | 2010-08-17 | Cisco Technology, Inc. | Verifying information stored on a managed network device |
US20050278778A1 (en) * | 2004-05-28 | 2005-12-15 | D Agostino Anthony | Method and apparatus for credential management on a portable device |
US20070179794A1 (en) * | 2006-01-20 | 2007-08-02 | Jamie Fisher | Internet based credential management system |
US8189468B2 (en) * | 2006-10-25 | 2012-05-29 | Embarq Holdings, Company, LLC | System and method for regulating messages between networks |
US8195944B2 (en) * | 2007-01-04 | 2012-06-05 | Motorola Solutions, Inc. | Automated method for securely establishing simple network management protocol version 3 (SNMPv3) authentication and privacy keys |
US20090037994A1 (en) * | 2007-07-30 | 2009-02-05 | Novell, Inc. | System and method for ordered credential selection |
US9401839B2 (en) * | 2008-04-04 | 2016-07-26 | Schweitzer Engineering Laboratories, Inc. | Generation and control of network events and conversion to SCADA protocol data types |
US8291490B1 (en) * | 2008-06-30 | 2012-10-16 | Emc Corporation | Tenant life cycle management for a software as a service platform |
US8099767B2 (en) * | 2008-07-01 | 2012-01-17 | International Business Machines Corporation | Secure agent-less enterprise infrastructure discovery |
US8365261B2 (en) * | 2008-07-09 | 2013-01-29 | International Business Machines Corporation | Implementing organization-specific policy during establishment of an autonomous connection between computer resources |
US8863303B2 (en) * | 2008-08-12 | 2014-10-14 | Disney Enterprises, Inc. | Trust based digital rights management systems |
CN101795268B (en) * | 2010-01-20 | 2014-11-05 | 中兴通讯股份有限公司 | Method and device for enhancing security of user-based security model |
US8572699B2 (en) * | 2010-11-18 | 2013-10-29 | Microsoft Corporation | Hardware-based credential distribution |
US20120310837A1 (en) * | 2011-06-03 | 2012-12-06 | Holden Kevin Rigby | Method and System For Providing Authenticated Access to Secure Information |
US20130125231A1 (en) * | 2011-11-14 | 2013-05-16 | Utc Fire & Security Corporation | Method and system for managing a multiplicity of credentials |
US9046886B2 (en) * | 2012-04-30 | 2015-06-02 | General Electric Company | System and method for logging security events for an industrial control system |
WO2014209380A1 (en) * | 2013-06-28 | 2014-12-31 | Intel Corporation | Open and encrypted wireless network access |
US11410165B1 (en) * | 2015-12-10 | 2022-08-09 | Wells Fargo Bank, N.A. | Systems and methods for providing queued credentials for an account |
US11489829B1 (en) * | 2018-12-21 | 2022-11-01 | Wells Fargo Bank, N.A. | Automatic account protection for compromised credentials |
Family Cites Families (93)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4556972A (en) | 1983-12-27 | 1985-12-03 | At&T Bell Laboratories | Arrangement for routing data packets through a circuit switch |
US4644532A (en) | 1985-06-10 | 1987-02-17 | International Business Machines Corporation | Automatic update of topology in a hybrid network |
CA1314101C (en) | 1988-02-17 | 1993-03-02 | Henry Shao-Lin Teng | Expert system for security inspection of a digital computer system in a network environment |
CA2017969C (en) | 1989-08-07 | 1999-04-20 | Richard Alan Becker | Dynamic graphics arrangement for displaying spatial-time-series data |
CA2017974C (en) | 1989-08-07 | 1998-06-16 | Richard Alan Becker | Dynamic graphical analysis of network data |
US5185860A (en) * | 1990-05-03 | 1993-02-09 | Hewlett-Packard Company | Automatic discovery of network elements |
US5226120A (en) | 1990-05-21 | 1993-07-06 | Synoptics Communications, Inc. | Apparatus and method of monitoring the status of a local area network |
US5557745A (en) | 1990-09-04 | 1996-09-17 | Digital Equipment Corporation | Method for supporting foreign protocols across backbone network by combining and transmitting list of destinations that support second protocol in first and second areas to the third area |
JP3315404B2 (en) | 1990-09-28 | 2002-08-19 | ヒューレット・パッカード・カンパニー | How to detect network topological features |
US5644692A (en) | 1991-12-06 | 1997-07-01 | Lucent Technologies Inc. | Information display apparatus and methods |
US5734824A (en) | 1993-02-10 | 1998-03-31 | Bay Networks, Inc. | Apparatus and method for discovering a topology for local area networks connected via transparent bridges |
US6269398B1 (en) | 1993-08-20 | 2001-07-31 | Nortel Networks Limited | Method and system for monitoring remote routers in networks for available protocols and providing a graphical representation of information received from the routers |
CA2127764A1 (en) | 1993-08-24 | 1995-02-25 | Stephen Gregory Eick | Displaying query results |
US5581797A (en) | 1993-10-22 | 1996-12-03 | Lucent Technologies Inc. | Method and apparatus for displaying hierarchical information of a large software system |
US5596703A (en) | 1993-10-22 | 1997-01-21 | Lucent Technologies Inc. | Graphical display of relationships |
JP3521955B2 (en) | 1994-06-14 | 2004-04-26 | 株式会社日立製作所 | Hierarchical network management system |
US5564048A (en) | 1994-06-15 | 1996-10-08 | Lucent Technologies Inc. | Object-oriented functionality class library for use in graphics programming |
US5572650A (en) | 1994-06-30 | 1996-11-05 | Lucent Technologies Inc. | Method and apparatus for displaying structures and relationships of a relational database |
US5737526A (en) | 1994-12-30 | 1998-04-07 | Cisco Systems | Network having at least two routers, each having conditional filter so one of two transmits given frame and each transmits different frames, providing connection to a subnetwork |
US6456306B1 (en) | 1995-06-08 | 2002-09-24 | Nortel Networks Limited | Method and apparatus for displaying health status of network devices |
US5881051A (en) | 1995-07-10 | 1999-03-09 | International Business Machines | Management of route testing in packet communications networks |
US5751971A (en) | 1995-07-12 | 1998-05-12 | Cabletron Systems, Inc. | Internet protocol (IP) work group routing |
US5805593A (en) | 1995-09-26 | 1998-09-08 | At&T Corp | Routing method for setting up a service between an origination node and a destination node in a connection-communications network |
JP2728051B2 (en) | 1995-10-18 | 1998-03-18 | 日本電気株式会社 | ATM network configuration management method |
US5850397A (en) | 1996-04-10 | 1998-12-15 | Bay Networks, Inc. | Method for determining the topology of a mixed-media network |
US5881246A (en) | 1996-06-12 | 1999-03-09 | Bay Networks, Inc. | System for generating explicit routing advertisements to specify a selected path through a connectionless network to a destination by a specific router |
US6088451A (en) * | 1996-06-28 | 2000-07-11 | Mci Communications Corporation | Security system and method for network element access |
EP0876649A4 (en) | 1996-10-28 | 1999-11-03 | Switchsoft Systems Inc | Method and apparatus for generating a network topology |
US6275492B1 (en) | 1996-12-03 | 2001-08-14 | Nortel Networks Limited | Method and apparatus for routing data using router identification information |
US6252856B1 (en) | 1996-12-03 | 2001-06-26 | Nortel Networks Limited | Method and apparatus for minimizing calculations required to construct multicast trees |
US6256675B1 (en) | 1997-05-06 | 2001-07-03 | At&T Corp. | System and method for allocating requests for objects and managing replicas of objects on a network |
FI115686B (en) | 1997-08-27 | 2005-06-15 | Teliasonera Finland Oyj | Method of using a service in a telecommunication system and telecommunication system |
JPH1185701A (en) | 1997-09-09 | 1999-03-30 | Fuji Xerox Co Ltd | Information processor |
US5926463A (en) | 1997-10-06 | 1999-07-20 | 3Com Corporation | Method and apparatus for viewing and managing a configuration of a computer network |
US6122639A (en) | 1997-12-23 | 2000-09-19 | Cisco Technology, Inc. | Network device information collection and change detection |
US6263446B1 (en) * | 1997-12-23 | 2001-07-17 | Arcot Systems, Inc. | Method and apparatus for secure distribution of authentication credentials to roaming users |
US6131117A (en) | 1997-12-29 | 2000-10-10 | Cisco Technology, Inc. | Technique for correlating logical names with IP addresses on internetworking platforms |
US6047330A (en) | 1998-01-20 | 2000-04-04 | Netscape Communications Corporation | Virtual router discovery system |
US6119171A (en) | 1998-01-29 | 2000-09-12 | Ip Dynamics, Inc. | Domain name routing |
DE69800039T2 (en) * | 1998-03-04 | 2000-03-16 | Hewlett Packard Co | Illustration of a network topology |
US6298391B1 (en) * | 1998-03-13 | 2001-10-02 | Microsoft Corporation | Remote procedure calling with marshaling and unmarshaling of arbitrary non-conformant pointer sizes |
JP3604898B2 (en) | 1998-03-31 | 2004-12-22 | キヤノン株式会社 | Network device management apparatus and method, recording medium |
US6446121B1 (en) | 1998-05-26 | 2002-09-03 | Cisco Technology, Inc. | System and method for measuring round trip times in a network using a TCP packet |
US6260070B1 (en) | 1998-06-30 | 2001-07-10 | Dhaval N. Shah | System and method for determining a preferred mirrored service in a network by evaluating a border gateway protocol |
JP3239844B2 (en) | 1998-05-26 | 2001-12-17 | 日本電気株式会社 | PNNI architecture with NMS management |
US6442144B1 (en) | 1998-06-15 | 2002-08-27 | Compaq Computer Corporation | Method and apparatus for discovering network devices using internet protocol and producing a corresponding graphical network map |
US6360255B1 (en) | 1998-06-25 | 2002-03-19 | Cisco Technology, Inc. | Automatically integrating an external network with a network management system |
US6418476B1 (en) | 1998-06-29 | 2002-07-09 | Nortel Networks, Limited | Method for synchronizing network address translator (NAT) tables using the open shortest path first opaque link state advertisement option protocol |
JP2000032132A (en) | 1998-07-10 | 2000-01-28 | Nec Corp | Interface device between client management system and communication infrastructure |
US6269400B1 (en) | 1998-07-22 | 2001-07-31 | International Business Machines Corporation | Method for discovering and registering agents in a distributed network |
DE69840809D1 (en) | 1998-09-05 | 2009-06-18 | Ibm | Method for generating the optimal complex PNNI node representations with respect to limited costs |
JP2000083057A (en) | 1998-09-07 | 2000-03-21 | Toshiba Corp | Network management terminal device and path information collecting method |
JP2000082043A (en) | 1998-09-07 | 2000-03-21 | Ricoh Co Ltd | User authentication system, method therefor and computer-readable recording medium recorded with program allowing computer to implement the method |
US5943317A (en) | 1998-10-15 | 1999-08-24 | International Business Machines Corp. | Sub-network route optimization over a shared access transport facility |
US6298381B1 (en) | 1998-10-20 | 2001-10-02 | Cisco Technology, Inc. | System and method for information retrieval regarding services |
US6108702A (en) | 1998-12-02 | 2000-08-22 | Micromuse, Inc. | Method and apparatus for determining accurate topology features of a network |
US6550012B1 (en) * | 1998-12-11 | 2003-04-15 | Network Associates, Inc. | Active firewall system and methodology |
US6377987B1 (en) | 1999-04-30 | 2002-04-23 | Cisco Technology, Inc. | Mechanism for determining actual physical topology of network based on gathered configuration information representing true neighboring devices |
US6895436B1 (en) * | 1999-07-01 | 2005-05-17 | International Business Machines Corporation | Method and system for evaluating network security |
JP3788892B2 (en) | 1999-07-16 | 2006-06-21 | 富士通株式会社 | Intercommunication system |
US6282404B1 (en) * | 1999-09-22 | 2001-08-28 | Chet D. Linton | Method and system for accessing multimedia data in an interactive format having reporting capabilities |
US6697338B1 (en) * | 1999-10-28 | 2004-02-24 | Lucent Technologies Inc. | Determination of physical topology of a communication network |
US6859878B1 (en) * | 1999-10-28 | 2005-02-22 | International Business Machines Corporation | Universal userid and password management for internet connected devices |
JP3813776B2 (en) | 1999-11-17 | 2006-08-23 | 富士通株式会社 | Network distributed management system |
US20020161591A1 (en) * | 1999-11-23 | 2002-10-31 | Gunner D. Danneels | Method of securely passing a value token between web sites |
US6871284B2 (en) * | 2000-01-07 | 2005-03-22 | Securify, Inc. | Credential/condition assertion verification optimization |
US6747957B1 (en) * | 2000-04-28 | 2004-06-08 | Cisco Technology, Inc. | Network availability monitor |
GB2362970B (en) * | 2000-05-31 | 2004-12-29 | Hewlett Packard Co | Improvements relating to information storage |
JP4833489B2 (en) * | 2000-06-05 | 2011-12-07 | フィーニックス テクノロジーズ リミテッド | System, method and software for remote password authentication using multiple servers |
AU2001274719A1 (en) * | 2000-06-07 | 2001-12-17 | Telefonaktiebolaget Lm Ericsson (Publ) | Network agent password storage and retrieval scheme |
US7200673B1 (en) | 2000-06-09 | 2007-04-03 | Steven Augart | Determining the geographic location of a network device |
US7133929B1 (en) | 2000-10-24 | 2006-11-07 | Intel Corporation | System and method for providing detailed path information to clients |
AU2002239391A1 (en) * | 2000-11-30 | 2002-06-11 | Message Machines, Inc. | Systems and methods for routing messages to communications devices |
US20020141593A1 (en) * | 2000-12-11 | 2002-10-03 | Kurn David Michael | Multiple cryptographic key linking scheme on a computer system |
US7131140B1 (en) | 2000-12-29 | 2006-10-31 | Cisco Technology, Inc. | Method for protecting a firewall load balancer from a denial of service attack |
US20020128885A1 (en) * | 2001-01-06 | 2002-09-12 | Evans Robert E. | Method and system for characterization and matching of attributes and requirements |
US7210167B2 (en) * | 2001-01-08 | 2007-04-24 | Microsoft Corporation | Credential management |
GB2372360B (en) * | 2001-02-15 | 2005-01-19 | Hewlett Packard Co | Improvements in and relating to credential transfer methods |
GB2372412A (en) * | 2001-02-20 | 2002-08-21 | Hewlett Packard Co | Digital credential monitoring |
US7085925B2 (en) * | 2001-04-03 | 2006-08-01 | Sun Microsystems, Inc. | Trust ratings in group credentials |
US6744739B2 (en) | 2001-05-18 | 2004-06-01 | Micromuse Inc. | Method and system for determining network characteristics using routing protocols |
JP2002366454A (en) * | 2001-06-11 | 2002-12-20 | Fujitsu Ltd | Network managing method and its device |
US7904326B2 (en) * | 2001-06-29 | 2011-03-08 | Versata Development Group, Inc. | Method and apparatus for performing collective validation of credential information |
WO2003014899A1 (en) * | 2001-08-06 | 2003-02-20 | Certco, Inc. | System and method for trust in computer environments |
US7069343B2 (en) | 2001-09-06 | 2006-06-27 | Avaya Technologycorp. | Topology discovery by partitioning multiple discovery techniques |
US7200122B2 (en) | 2001-09-06 | 2007-04-03 | Avaya Technology Corp. | Using link state information to discover IP network topology |
US20030065626A1 (en) * | 2001-09-28 | 2003-04-03 | Allen Karl H. | User verification for conducting health-related transactions |
US7302700B2 (en) | 2001-09-28 | 2007-11-27 | Juniper Networks, Inc. | Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device |
US20030084176A1 (en) * | 2001-10-30 | 2003-05-01 | Vtel Corporation | System and method for discovering devices in a video network |
US20040172412A1 (en) * | 2002-07-19 | 2004-09-02 | Kirby Files | Automated configuration of packet routed networks |
US6952779B1 (en) * | 2002-10-01 | 2005-10-04 | Gideon Cohen | System and method for risk detection and analysis in a computer network |
US20040186903A1 (en) * | 2003-03-20 | 2004-09-23 | Bernd Lambertz | Remote support of an IT infrastructure |
US20050071469A1 (en) | 2003-09-26 | 2005-03-31 | Mccollom William G. | Method and system for controlling egress traffic load balancing between multiple service providers |
-
2002
- 2002-04-22 US US10/127,938 patent/US7571239B2/en not_active Expired - Fee Related
- 2002-09-26 CA CA002468841A patent/CA2468841A1/en not_active Abandoned
- 2002-09-26 EP EP02780375A patent/EP1472613A4/en not_active Withdrawn
- 2002-09-26 JP JP2003560770A patent/JP2005515550A/en not_active Abandoned
- 2002-09-26 WO PCT/US2002/030630 patent/WO2003060744A1/en active Application Filing
- 2002-09-26 AU AU2002343432A patent/AU2002343432A1/en not_active Abandoned
Also Published As
Publication number | Publication date |
---|---|
AU2002343432A1 (en) | 2003-07-30 |
US7571239B2 (en) | 2009-08-04 |
US20030131096A1 (en) | 2003-07-10 |
EP1472613A4 (en) | 2010-09-29 |
EP1472613A1 (en) | 2004-11-03 |
WO2003060744A1 (en) | 2003-07-24 |
JP2005515550A (en) | 2005-05-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7571239B2 (en) | Credential management and network querying | |
US8479048B2 (en) | Root cause analysis method, apparatus, and program for IT apparatuses from which event information is not obtained | |
US7069343B2 (en) | Topology discovery by partitioning multiple discovery techniques | |
KR101280346B1 (en) | Method and device for terminal device management based on right control | |
US8914787B2 (en) | Registering software management component types in a managed network | |
CN101232375B (en) | Single sign-on system, information terminal device, single sign-on server, single sign-on utilization method | |
US9853960B2 (en) | Peer applications trust center | |
US20100005506A1 (en) | Dynamic address assignment for access control on dhcp networks | |
US8826412B2 (en) | Automatic access to network devices using various authentication schemes | |
US9582233B1 (en) | Systems and methods for registering, configuring, and troubleshooting printing devices | |
US6601094B1 (en) | Method and system for recommending an available network protocol | |
US7774438B2 (en) | Parameter provisioning | |
US20080177868A1 (en) | Address Provisioning | |
KR20080071208A (en) | Software execution management device and method thereof | |
KR20040073799A (en) | Method for supporting error cause of SNMP and apparatus thereof | |
US10171301B2 (en) | Identifying hardcoded IP addresses | |
CN111614476A (en) | Equipment configuration method, system and device | |
EP1479192B1 (en) | Method and apparatus for managing configuration of a network | |
WO2012066652A1 (en) | Method for finding communication devices connected to communication network, and management device | |
US7412512B2 (en) | Indirect addressing method and system for locating a target element in a communication network | |
US9697017B2 (en) | Configuring and processing management information base (MIB) in a distributed environment | |
KR20100036095A (en) | System for managing convergence network and method for controlling the same |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
EEER | Examination request | ||
FZDE | Discontinued |