The present invention relates generally to the field of network security, and more particularly to a method and system for network security.
A network has many resources which are vulnerable to attacks from external networks, so developers have created mechanisms for protecting against such attacks. Resources may include servers, printers, network hardware and software, and others. Network Security Gateways (NSGs), which sit on the edge of protected and external networks, provide security to a protected network and generally operate in one of two modes. In “promiscuous” mode, besides sending packets between an external and protected network, the NSG monitors copies of incoming network traffic for intrusion pattern characteristics and generates alarms in response to detecting such patterns. In “inline” mode, network traffic is scanned prior to being passed to a protected network by the NSG to determine whether it contains a hostile signature. In addition to generating alarms in the inline mode, the NSG can prevent traffic from reaching the protected network. If either actuation is detected, the NSG prevents the network from receiving the traffic. Generally, NSGs operating in the inline mode have two physical ports, one coupled to the outside network and one coupled to the protected network. On the other hand, NSGs operating in promiscuous mode only need one physical port to receive network traffic.
In accordance with one embodiment of the present invention, a method includes receiving a packet at a physical interface of a network security gateway. The packet is tagged with a first VLAN identifier associated with an external network. The method also includes communicating a copy of the packet to a first processor, analyzing the copy of the packet at the first processor to determine whether the packet violates a security condition, and communicating a reply message from the first processor to the interface. The reply message indicates whether the packet violates a security condition. If the packet does not violate a security condition, the method includes re-tagging the packet with a second VLAN identifier associated with a protected network by using a second processor at the physical interface. The method further includes communicating the re-tagged packet to the protected network if the packet does not violate a security condition.
In accordance with another embodiment of the present invention, a network security gateway includes an interface operable to receive a packet tagged with a first VLAN identifier associated with an external network. The interface is further operable to communicate a copy of the packet to a processor and re-tag the packet with a second VLAN identifier associated with a protected network. The interface is further operable to communicate the packet to the protected network. The network security gateway also includes a processor operable to analyze the copy of the packet to determine if it violates a security condition and communicate a reply message to the interface. The reply message indicates whether the packet violates a security condition. The interface re-tags and communicates the packet if the reply message indicates that the packet does not violate a security condition.
Important technical advantages of certain embodiments of the present invention include traffic control at the VLAN level using a single port. This may provide a lower cost alternative to multiple-port devices used for inline intrusion detection.
Other important technical advantages of certain embodiments of the present invention include more efficient use of memory and bus resources. Re-tagging packets with a VLAN identifier can be performed at the physical interface. Thus, certain embodiments of the present invention allow a packet to be buffered and re-tagged without having to be processed and returned by a processor. This reduces the amount of packet communication between the interface and the processor.
Additional technical advantages of the present invention will be readily apparent to one skilled in the art from the following figures, descriptions, and claims. Moreover, while specific advantages have been enumerated above, various embodiments may include all, some, or none of the enumerated advantages.
For a more complete understanding of the present invention and its advantages, reference is now made to the following description, taken in conjunction with the accompanying drawings, in which:
External network 104 may include any collection of networked communication devices exchanging information. Networked communication devices may include hubs, routers, switches, gateways, personal computers, telephones, or any other device that can exchange information. Devices in external network 104 may exchange information in the form of packets, cells, frames, segments, or other portions of data (collectively referred to as “packets”). External network 104 may use any suitable medium or media of transmission, including wireline, wireless, or optical connections. Devices in external network 104 may communicate with one another using any number of suitable protocols, such as asynchronous transfer mode (ATM), transport control protocol/Internet protocol (TCP/IP), synchronous optical network (SONET), or Ethernet. External network 104 may also include the Internet.
Protected network 106 represents any collection of communication devices communicating in any suitable manner. In particular, protected network 106 may include any of the devices and communication media discussed in conjunction with external network 104. Protected network 106 may also use one or more suitable communication protocols, such as the ones described above. In particular, protected network 106 supports the use of virtual local area networks (VLANs). A VLAN is a logical separation created between devices that share a physical network, so that devices on one VLAN cannot communicate with one another using the existing physical connections between the devices except through suitable network bridging hardware and/or software. VLANs are described in IEEE specification 802.1q.
Network gateway 105 represents any suitable hardware and/or software that communicates traffic received from external network 104 to protected network 106 and NSG 102. Traffic received from external network 104 is automatically tagged with an identifier for a first VLAN. Protected network 106 is configured to be on a second VLAN, so that it does not recognize traffic tagged with the identifier of the first VLAN. Thus, even though network gateway 105 may replicate the information to all of its ports, such as might take place in a network hub, the traffic will not be recognized by protected network 106 unless tagged with the proper VLAN identifier. Network gateway 105 includes a monitoring port that replicates the contents of incoming network traffic for NSG 102.
NSG 102 is a network security gateway that receives traffic from external network 104, analyzes the traffic to determine if it violates a security condition, and prevents information that violates the security conditions from reaching protected network 106. In the depicted embodiment, NSG 102 includes an interface 108, a processor 112, and a memory 114. Processor 112 may be any hardware and/or software components suitable for processing information, such as microprocessors, microcontrollers, or digital signal processors (DSPs).
Memory 114 is any suitable form of information storage, which may include magnetic media, optical media, removable media, local storage, remote storage, or other suitable component. In the depicted embodiment, memory 114 stores code 116, VLAN tags 118, and security conditions 120. Code 116 is executed by processor 112 to perform any suitable task associated with NSG 102. VLAN tags 118 are stored identifiers associated respectively with external network 104 and protected network 106. Security conditions 120 are policies that determine whether a packet may be forwarded from external network 104 to protected network 106. In one embodiment, a security condition 120 comprises an attack signature, i.e., a pattern of information that indicates that an incoming packet represents a hostile action directed at protected network 106. For example, hostile action may comprise uploading a virus to protected network 106. Another example may include a pattern exploiting the vulnerabilities of the protected resources such as, for example, buffer overflow. In another embodiment, security conditions 120 comprise firewall policies that prevent unauthorized users from accessing protected network 106 and/or prevent users of protected network 106 from accessing designated resources in external network 104. For example, security conditions 120 may comprise a domain name and IP address of external network 104 such that packets from the source address are discarded by NSG 102. Processor 112 compares information to security conditions 120 for detection.
Interface 108 represents a physical connection allowing communication between NSG 102 and devices on protected network 106 and external network 104. Communications with interface 108 take place at layer 2 of the Open Systems Interconnect (OSI) model. Interface 108 supports VLAN trunking. VLAN trunking allows interface 108 to recognize and communicate with multiple VLANs, each identified by a particular VLAN tag. Interface 108 therefore effectively includes multiple logical ports, each associated with a particular VLAN. Interface 108 may tag packets and change existing tags appropriately so that a packet is communicated to a particular VLAN.
In the depicted embodiment, interface 108 establishes a first VLAN for external network 104 and a second VLAN for protected network 106. Thus, interface 108 has two logical ports 110A and 110B. Information received from external network 104 is tagged with the VLAN tag associated with the first VLAN network, so it is not recognized by protected network 106. Once the information is determined to be safe for protected network 106, interface 108 may re-tag the information with the tag of the second VLAN. This effectively communicates information to protected network 106 using logical port 110B, even though interface 108 only includes one physical connection.
This re-tagging of the information from the tag of the first VLAN to the tag of the second VLAN provides the impression to networks 104 and 106 that they are directly connected on the same LAN. This apparent collapse of the two networks into one may also be extended to the use of the well-known spanning-tree protocol to prevent loops from occurring. Spanning-tree protocol is a link management protocol that provides path redundancy while preventing undesirable loops in a network, which may be caused by multiple active paths in a network. Loops are undesirable because of the associated potential for duplication of messages. Spanning-tree protocol addresses this problem according to well-known techniques. In particular, messages referred to as bridge protocol data units (BPDUs) are communicated within networks to provide information that is then used to avoid system loops. BPDUs are data messages that are exchanged across the switches within an extended LAN that uses a spanning tree protocol topology. BPDU packets contain information on ports, addresses, priorities and costs and ensure that the data ends up where it was intended to go. BPDU messages are exchanged across bridges to detect loops in a network topology. The loops are then removed by shutting down selected bridge interfaces and placing redundant switch ports in a backup, or blocked, state.
In the context where more than one NSG 102 exists, which may be desirable for both load sharing and redundancy reasons, a layer 2 loop could develop in the network, which will cause a traffic storm and potential denial of service, bringing down the network. Thus, according to one aspect of the invention, the well-known spanning tree protocol may be run between networks 104 and 106, but with the BPDUs bridged between the two networks. Before the bridging occurs, however, the VLAN field of the BPDU is replaced with the outgoing VLAN. Thus, in the above described context of re-tagging of the information from the tag of the first VLAN to the tag of the second VLAN, spanning-tree protocol may be adopted to prevent loops in such a system by bridging BPDUs between the two logical ports 110A and 110B of interface 108. Information provided to NSG 102 has an associated BPDU, which includes a VLAN field. According to this aspect of the invention, once the information is determined to be safe for the protected distribution network (network 106 in the above example), the VLAN in the BPDU is modified from the source VLAN to the destination VLAN. This prevents creation of layer 2 loops in the networks, which is desirable.
Interface 108 also includes a buffer 122. Buffer 122 represents local information storage at interface 108. Buffer 122 may include any suitable form of information storage, such as magnetic media, flash memory, optical media, or other type of information storage medium. Buffer 122 stores incoming information from external network 104 while the information is processed by components of NSG 102. In a particular embodiment, buffer 122 retains a copy of incoming traffic while the traffic is being analyzed by processor 112 to determine whether the incoming information violates a security condition 120.
In one example of a mode of operation, network gateway 105 receives traffic from external network 104 and tags the traffic with a first VLAN identifier. Network gateway 105 may then broadcast the traffic to all of its ports or may communicate it to NSG 102 only. Protected network 106 is configured to recognize only information on a second VLAN, so even if the packet is broadcast to protected network 106, it will not be recognized. NSG 102 receives the traffic at interface 108 and buffers the traffic in buffer 122. NSG 102 communicates a copy of the packet to processor 112, which analyzes the traffic to determine whether it violates a security condition. Processor 112 then returns a message to NSG 102 indicating whether the packet violates a security condition. If the packet violates a security condition, then NSG 102 discards the packet from buffer 122. Otherwise, NSG 102 may re-tag the packet with a second VLAN identifier and communicate the packet back to network gateway 105, which in turn communicates the packet to protected network 106.
One technical advantage of certain embodiments of the present invention is the opportunity to conserve memory and bus resources in NSG 102. Since VLAN re-tagging may be performed at interface 108, interface 108 does not require additional processing resources to move a packet from one VLAN to another. Conversely, network protection systems that operate at higher layers, such as firewalls, typically require network address translation or other similar adjustments to packet header information. Such systems must forward a packet to the appropriate processing resource using an internal bus, and then receive a returned packet suitably modified for communication to the network protected by these systems. In contrast to these conventional systems, interface 108 may receive a reply message, which may be as short as a single bit, that indicates whether or not the packet should be communicated to protected network 106. Thus, NSG 102 may use less internal bus resources and also reduce the load of buffer 122, which need not store both incoming packets and packets returned by processor 112.
Processor 112 analyzes the packet by comparing the packet to security conditions 120 at step 208. If a security condition is violated at decisional step 210, then processor 112 sends an alert to interface 108 at step 212. Interface 108 then discards the packet from buffer 122 at step 214. If a security condition is not violated, processor 112 sends an OK message to interface 108 at step 216. At step 220, it is determined whether the packet is a BPDU packet. If so, the VLAN field in the associated BPDU is replaced with the VLAN identifier for the second VLAN associated with the protected network 106 at step 222. As described above, in the context where more than one NSG exists, which may be desirable for both load sharing and redundancy reasons, a layer 2 loop could develop in the network, which will cause a traffic storm and potential denial of service, bringing down the network. Thus, according to one aspect of the invention, the well-known spanning tree protocol may be run between networks 104 and 106, but with the BPDUs bridged between the two networks. Before the bridging occurs, however, the VLAN field of the BPDU is replaced with the outgoing VLAN. If the packet is not a BPDU packet, interface 108 re-tags the packet with the identifier for the second VLAN associated with protected network 106 at step 221. Interface 108 then communicates the packet to protected network 106 at step 224. The method may be repeated as long as there are incoming packets, as shown by decision step 226.
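The buffer, verdict and re-tag path described in the mode of operation and in the steps above can be sketched as follows. This is an added example, not code from the patent: the VLAN IDs 100 and 200, the byte-pattern signature, the sample frames and all function and class names are assumptions, and BPDU handling is not modelled.

```python
import struct

TPID_8021Q = 0x8100
EXTERNAL_VLAN = 100    # assumed ID for the first VLAN (external network)
PROTECTED_VLAN = 200   # assumed ID for the second VLAN (protected network)
SIGNATURES = [b"EXAMPLE-ATTACK-PATTERN"]  # constructed security condition


def build_frame(vid, payload, pcp=0):
    """Construct a sample 802.1Q-tagged Ethernet frame (FCS not modelled)."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + payload


def vlan_id(frame):
    """Return the 12-bit VLAN ID, or None for untagged or truncated frames."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def retag(frame, new_vid):
    """Rewrite only the VLAN ID bits; priority and DEI bits are preserved."""
    if not 1 <= new_vid <= 4094:
        raise ValueError("VLAN ID out of range")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return frame[:14] + struct.pack("!H", (tci & 0xF000) | new_vid) + frame[16:]


def analyze(copy):
    """Processor role: inspect a copy, reply with one bit (True = OK)."""
    return not any(sig in copy[18:] for sig in SIGNATURES)


class Interface:
    """Interface role: buffer, ask for a verdict, then drop or re-tag."""

    def __init__(self, analyzer=analyze):
        self.analyzer = analyzer
        self.buffer = {}
        self._next_slot = 0

    def receive(self, frame):
        # Only frames on the external VLAN enter this path. Untagged frames
        # and frames already carrying the protected tag are never forwarded
        # (an assumption of this sketch).
        if vlan_id(frame) != EXTERNAL_VLAN:
            return None
        slot, self._next_slot = self._next_slot, self._next_slot + 1
        self.buffer[slot] = frame                 # original stays in the buffer
        verdict_ok = self.analyzer(bytes(frame))  # only a copy goes out
        held = self.buffer.pop(slot)              # released either way
        return retag(held, PROTECTED_VLAN) if verdict_ok else None
```

`Interface.receive` returns the re-tagged frame for forwarding, or `None` when the frame is dropped; the only thing the analyzer sends back is the boolean verdict, so the buffered frame never crosses to the processor and back.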
Although the present invention has been described with several embodiments, a myriad of changes, variations, alterations, transformations, and modifications may be suggested to one skilled in the art, and it is intended that the present invention encompass such changes, variations, alterations, transformations, and modifications as fall within the scope of the appended claims.