Computing networks can include multiple network devices such as routers, switches, hubs, servers, desktop PCs, laptops, and workstations, and peripheral devices, e.g., printers, facsimile devices, and scanners, networked together across a local area network (LAN) and/or wide area network (WAN).
Networks can include an intrusion system (IS), e.g., intrusion prevention system (IPS) and/or intrusion detection system (IDS) that serves to detect unwanted intrusions/activities to the computer network. Unwanted network intrusions/activities may take the form of attacks through computer viruses and/or hackers, misconfigured devices among others, trying to access the network. To this end, an IS can identify different types of suspicious network traffic and network device usage that can not be detected by a conventional firewall. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, denial of service attacks, port scans, unauthorized logins and access to sensitive files, viruses, Trojan horses, and worms, among others.
In previous approaches, to identify suspicious network traffic, data traffic needs to pass through a point of the network where an IS is located. As used herein, “IS” is used to indicate intrusion system(s), i.e., both the singular and plural. An IS can include an intrusion prevention system (IPS) and/or intrusion detection system (IDS), etc. Previously an IS would have been deployed solely as a standalone in-line device (see,
Embodiments of the invention may include network devices, systems, methods, and other embodiments, including executable instructions and/or logic. One embodiment is a network device that includes a network chip having a number of network ports for the device. The network chip may include logic to select original data packets received from or destined to a particular port on the device based on a number of criteria. In some embodiments, the number of criteria can include, the IP source address (IP SA), the source port, an IP flow (defined as packet traffic between a particular source IP address and a particular destination IP address), a media access controller (MAC) source address (MAC SA), a media access controller (MAC) destination address (MAC DA), the source VLAN, a traffic type, etc. In some embodiments, the network chip may include logic to transparently tunnel the selected data packets to a second network device having a different destination address to that of the selected data packets, and back again.
In various embodiments, executable instructions and/or logic, e.g. hardware circuitry on an application specific integrated circuit (ASIC), are provided to receive a network packet, including a media access control (MAC) destination address, from a port on a first network device. The instructions and/or logic are operative to encapsulate the network packet to secure tunnel the network packet to a second network device having a MAC destination address different from the MAC destination address of the network packet in a manner that is transparent to the packet and client and/or network device as well.
In one embodiment, instructions and/or logic on the second network device can decapsulate the network packet and send the original network packet to a network appliance, e.g., an IPS, which is not “in-line” with an original path for the network packet and is unaware that it is not in-line with the original path. The network appliance can execute instructions to perform any necessary packet processing, e.g., an IPS may perform security checks on the original packet, and then return the original packet to the second network device. Instructions and/or logic on the second network device can encapsulate the network packet to tunnel the network packet back to the first network device. Instructions and/or logic on the first network device can decapsulate the network packet and forward the network packet by making a forwarding decision based on its original destination address, e.g., MAC destination address, IP destination address, etc.
In various embodiments, instructions and/or logic can select a network packet for encapsulation based on a set of criteria. According to these embodiments, encapsulating the network packet to secure tunnel the network packet to the second network device is performed without requiring the two network devices to be a part of the same subnet or layer 2 broadcast domain. As such, these embodiments provide a mechanism to monitor network traffic with fewer “in-line” systems, e.g., one or two IS can be used to monitor many ports on the network as compared to previously deploying numerous in-line systems or requiring that all traffic from lower devices be sent (as part of the normal traffic forwarding process) through the few network devices with IS attached.
As used herein, a network can provide a communication system that links two or more computers and peripheral devices, and allows users to access resources on other computers and exchange messages with other users. A network allows users to share resources on their own systems with other network users and to access information on centrally located systems or systems that are located at remote offices. It may provide connections to the Internet or to the networks of other organizations. Users may interact with network-enabled software applications to make a network request, such as to get a file or print on a network printer. Applications may also communicate with network management software, which can interact with network hardware to transmit information between devices on the network.
Although reference is often made to network switches in this disclosure, those skilled in the art will realize that embodiments of the invention may be implemented in other network devices. Examples of other network devices include, but are not limited to, wireless and/or wired routers, switches, hubs, bridges, etc., e.g., intelligent network devices having processor and memory resources.
The example network of
The embodiment of
The designators “N” and “M” are used to indicate that a number of fat or thin clients can be attached to the network 100. The number that N represents can be the same or different from the number represented by M. The embodiment of
As one of ordinary skill in the art will appreciate, many of the network devices (e.g., switches 118-1, 118-2, 118-3, 118-4, 118-5 and/or hubs) can include a processor in communication with a memory and will include network chips having logic, e.g., application specific integrated circuits (ASICs), and a number of network ports associated with such logic. By way of example and not by way of limitation, the network management station 112 includes a processor and memory. Embodiments of the various devices in the network are not limited to a number of ports, network chips and/or the type or size of processor or memory resources.
Additionally as the reader will appreciate, a number of mobile devices, e.g., wireless device 121, can connect to the network 100 via a wireless air interface (e.g., 802.11) which can provide a signal link between the mobile device 121 and an access point (AP) 119. The AP 119 serves a similar role to the base station in a wireless network, as the same will be known and understood by one of ordinary skill in the art. As shown in
As one of ordinary skill in the art will appreciate, each network device in the network 100 can be physically associated with a port of a switch to which it is connected. Information in the form of network packets, e.g., data packets can be passed through the network 100. Users physically connect to the network through ports on the network 100. Data frames, or packets, can be transferred between network devices by means of a network device's, e.g., switch's, logic link control (LLC)/media access control (MAC) circuitry, or “engines”, as associated with ports on a network device. A network switch forwards network packets received from a transmitting network device to a destination network device based on the header information in received network packets. A network device can also forward packets from a given network to other networks through ports on one or more other network devices. As the reader will appreciate an Ethernet network is described herein. However, embodiments are not limited to use in an Ethernet network, and may be equally well suited to other network types, e.g., asynchronous transfer mode (ATM) networks, etc.
As discussed herein, networks can include an intrusion system (IS) that serves to detect and/or evaluate suspicious activity on the computer network, e.g., network 100. In previous approaches an IS would be placed in-line or within a network device on a network packet's intended path. To protect edge ports the IS would have to be located between clients and the ports of the edge network device (defined in connection with
As used herein, the term “network appliance” is used to mean an add-on device, e.g., “plug-in” or “application module” (as defined below), to a network as contrasted with a “network device”, e.g., router, switch, and/or hub, etc., which are sometimes considered more as “backbone” component devices to a network. As the reader will appreciate, a network appliance, e.g., 240 can include processor and memory resources capable of storing and executing instructions to perform a particular role or function. A network appliance can also include one or more network chips (e.g., ASICs) having logic and a number of ports, as the same will be known and understood by one of ordinary skill in the art.
In various embodiments, the network appliance 240 serves as a checking functionality and can be in the form of an intrusion prevention system (IPS), as may be supplied by a third party vendor of network security devices. In certain embodiments, the network appliance 240 can be an intrusion detection system (IDS), or another diagnostic device, accounting device, counting device, etc., as may be supplied by a third party vendor. Embodiments are not limited to the examples given here. The various operations of such different checking functionalities are known and understood by one of ordinary skill in the art.
As the reader will appreciate a network appliance 240, e.g., IS (IPS and/or IDS), can be provided as a program or routine stored in memory and executed on a processor or by logic in association with a network device. An IS can perform functionality to detect suspicious activity, such as denial of service attacks, port scans and attempts to manipulate network devices, by examining network traffic associated with multiple network devices. An IS may do so by reading the incoming and outgoing data packets from a port and performing analyses to identify suspicious data and/or traffic patterns. In some instances, when an IS becomes aware of a potential security breach, it logs the information and can signal an alert to a threat mitigation engine, as the same will be understood by one of ordinary skill in the art. An IS may respond to suspicious activity by dropping suspicious packets, resetting a connection and/or by programming a firewall to block network traffic from a suspicious source. In various IS this may happen automatically or at the command of a network user such as an information technology (IT) administrator.
IS are not limited to inspecting incoming network traffic. Ongoing intrusions can be learned from outgoing or local traffic as well. Some undesirable activity may even be staged from the inside of a network or network segment, and hence the suspicious activity may not be incoming traffic at all. An IS may watch for suspicious activity by examining network communications, identifying heuristics and patterns (often known as signatures) of known suspicious activity types, and providing an alert or taking action when they occur.
As noted above, in previous approaches, in order to fully cover a network an IS would have to be located in-line with network packet traffic. An IS in-line with edge ports could similarly perform the actions described above. Effectively, however, each edge network device would need an IS statically positioned in-line for monitoring network data traffic through the edge ports. For large network systems, having an IS, or other desirable network appliance, in-line at each edge network device to cover network packet traffic through its ports is expensive and complex to maintain.
Embodiments of the present disclosure, in contrast, include network devices, systems, and methods, having executable instructions and/or logic, to tunnel packets on a network. As described next in connection with
According to embodiments, network devices being monitored do not each have to include an in-line network appliance, e.g., in-line IS. That is, rather than having an IS at each of the network devices, or achieving less than full network coverage, embodiments of the present disclosure provide an IS at a selected location, or locations, which can be used to receive tunneled, selected data packets to assess data traffic anomalies associated with packets that are not ordinarily passing through ports on a network device associated with the IS.
As the reader will appreciate, various embodiments described herein can be performed by software, application modules, application specific integrated circuit (ASIC) logic, and/or executable instructions operable on the systems and devices shown herein or otherwise. “Software”, as used herein, includes a series of executable instructions that can be stored in memory and executed by the hardware logic of a processor (e.g., transistor gates) to perform a particular task. Memory, as the reader will appreciate, can include random access memory (RAM), read only memory (ROM), non-volatile memory (such as Flash memory), etc.
An “application module” means a self-contained hardware or software component that interacts with a larger system. As the reader will appreciate a software module may come in the form of a file and handle a specific task within a larger software system. A hardware module may be a separate set of logic, e.g., transistor/circuitry gates, that “plug-in” as a card, appliance, or otherwise, to a larger system/device.
Embodiments of the present invention, however, are not limited to any particular operating environment or to executable instructions written in a particular language or syntax. Software, application modules and/or logic, suitable for carrying out embodiments of the present invention, can be resident in one or more devices or locations or in several devices and/or locations in a network. That is, the embodiments of the present disclosure may be implemented in a stand-alone computing system or a distributed computing system. A “distributed computing network” means the use of multiple computing devices in a network to execute various roles in executing instructions, e.g., application processing, etc. As such,
As described in connection with
As shown in
As shown in the embodiment of
In various embodiments, the network appliance 350 is an intrusion prevention system (IPS), as may be supplied by a third party vendor of network security devices. In various embodiments, the network appliance 350 can be an intrusion detections system (IDS), another diagnostic device, an accounting device, a counting device, etc., as may be supplied by a third party vendor. Embodiments are not limited to the examples given here. Further, the various operations of such devices will be recognized and understood by one of ordinary skill in the art.
In the embodiment of
According to various embodiments, the selected data packets are tunnel encapsulated to tunnel (e.g., “steal”) the selected data packets to a second network device, which may be a central network device, e.g., switch (S3) 318-3, having a location different (e.g., remote) from an original MAC destination address, e.g., MAC destination address (MAC_DA) 560 as shown in
In various embodiments, the instructions and/or logic can extract information from the various fields of packet headers, e.g., header 400, 401, and/or MAC header, e.g., layer 2 header (L2) (shown as 500 in
In various embodiments, the selected data packets are tunnel encapsulated to secure tunnel the network packet without using regular forwarding logic. In various embodiments, the instructions and/or logic can select original data packets according to a set of criteria which may be hard coded into the logic of the network chip, e.g., 340-1. The set of criteria can include information associated with a particular packet and/or particular port or network device selected from the group of packets, (IP) flows, network ports, VLAN membership, MAC SA, MAC DA, etc. In various embodiments, the instructions and/or logic can tunnel the selected data packets to the second network device over a secure tunnel 321-1. One of ordinary skill in the art will appreciate the manner in which a secure tunnel 321 can be realized by executing instructions and/or logic to form the secure tunnel between two network devices, e.g., 318-1 and 318-3. More detail is not provided here so as to not obscure embodiments of the present invention.
According to embodiments, the second network device 318-3 includes logic, e.g., logic on network chip 340-3, to decapsulate the selected data packets, e.g., to decapsulate encapsulated packet 503 shown in
As described above, the network appliance 350 can include processor 351 and memory 352 resources as well as hardware logic (ASIC) 353 and associated ports 354, as the same has been described herein, to operate on original data packets received from the second network device 318-3. As mentioned above, the network appliance 350 can include a network appliance 350 which is an IPS, supplied by a third party vendor of network security devices or otherwise. In various embodiments, the network appliance 350 can be an intrusion detections system (IDS), another diagnostic device, an accounting device, a counting device, etc., as may be supplied by a third party vendor or otherwise. Embodiments for network appliance 350 are not limited to the examples given here. The various operations of such devices will be recognized and understood by one of ordinary skill in the art.
In various embodiments, the second network device 318-3 includes instructions and/or logic which executes to tunnel encapsulate original data packets, e.g., packet 501 in
The network device 318-1 includes instructions and/or logic to decapsulate encapsulated packet 503 shown in
In previous applications for tunneling packets, a network packet would be sent through a tunnel as a part of the normal forwarding process, e.g., layer 2 (L2) bridging, or, more commonly, layer 3 (L3) routing. That is, in the case of IP routing, a next-hop route in the IP routing table would point to a tunnel. In contrast, tunnel embodiments described in the present disclosure are not used to form part of the normal forwarding path. That is, according to embodiments of the present disclosure, this ingress and egress from the tunnel are not a part of the regular forwarding process, and thus could be considered to be “transparent” to the network packet. Again, the original network packet, e.g., 501 in
The description above includes embodiments in which the network appliance 350 is also unaware that the selected data packets have been “stolen” to the network appliance 350. An alternative embodiment includes an embodiment in which the network appliance 350 is aware that the selected data packets have been stolen to the network appliance 350. In this embodiment the network appliance 350 can include instructions and/or logic which can receive the tunnel encapsulated selected data packets from the network device 318-1. In this embodiment the tunnel 321-1 is not terminated on the second network device 318-3, and tunnel 321-2 is not originated on the second network device 318-3, but rather both tunnels 321-1 and 321-2 extend to the network appliance 350.
In this embodiment instructions and/or logic on the network appliance 350 can decapsulate the selected data packets to the original data packets, e.g., 501 in
As described herein, embodiments include instructions and/or logic on a network device, e.g., chip 340-1 on device 318-1 in
As described herein, embodiments also include instructions and/or logic on a network chip of a network device, e.g., chip 340-3 on device 318-3, and/or software and/or logic on a network appliance, e.g., 350 in
Accordingly, embodiments, as the same have been described herein, include instructions and/or logic which can steal a network packet to another network device and/or network appliance, e.g., an IPS, which is not “in-line” with an original path for the network packet in a manner which is transparent to the network packet. That is, the stolen packet does not involve normal forwarding logic in which a network packet would be “aware” of the fact that it was being placed in or had just exited from a tunnel. In some embodiments, a network appliance is also unaware that it is not in-line with the original path. In other embodiments, the network appliance may be aware that the packet has been stolen and operate in concert therewith handling a secure virtualization of the network location from which the packet was stolen. The instructions and/or logic can tunnel the network packet between network devices, e.g., via a secure tunnel. Once returned to the network device to which the network packet was originally received the packet will act, behave, and be operated upon as if it had just been received by the network device on the original port. Instructions and/or logic will also recognize if a given packet has already been checked, i.e., inspected and “cleared”, so as not to return the packet to be checked once again in duplicative fashion.
It is to be understood that the above description has been made in an illustrative fashion, and not a restrictive one. Although specific embodiments have been illustrated and described herein, those of ordinary skill in the art will appreciate that other component arrangements and device logic can be substituted for the specific embodiments shown. The claims are intended to cover such adaptations or variations of various embodiments of the disclosure, except to the extent limited by the prior art.
In the foregoing Detailed Description, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that any claim requires more features than are expressly recited in the claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment of the invention.
Number | Date | Country | |
---|---|---|---|
Parent | 11712706 | Mar 2007 | US |
Child | 13237349 | US |