Some computer communication networks permit only certain authorized traffic to be communicated over the communication network. For example, enterprise networks that are operated by a commercial enterprise may only permit traffic that is sent or received by employees of the commercial enterprise to be communicated over the enterprise network. Regulations that are imposed on the traffic on communication networks are enforced by security systems on those networks.
Security systems may operate by examining network traffic flowing through the network. Security systems of this type may examine characteristics and properties of traffic to determine whether that traffic should be permitted to flow over the network. Such a security system could compare characteristics of individual pieces of data to characteristics of permitted or unpermitted data. In this case, a security system would store characteristics corresponding to known types of attacks and the traffic that accompanies those attacks. If the security system detects traffic having characteristics of the attack, then that traffic may be blocked as unauthorized.
For example, the security system could observe a data packet that is flowing across the network and examine the content of that data packet to determine whether to permit the data packet to continue flowing across the network. The security system could examine a header of a data packet to determine whether a sequence number indicated in the packet header identifies the packet as illegitimate and part of a “replay” attack. If so, then the characteristics of the data packet match characteristics of unpermitted data and thus the data packet will be blocked. As another example, if the security system examines the header of a data packet and determines that the source address of the packet has been altered, then the characteristics of the data packet match characteristics of unpermitted data and thus the data packet will be blocked. If, however, the data packet does not match characteristics of unpermitted data, then the data packet will be permitted to traverse the network.
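The two header checks described above, as an added example that is not part of the original text. It assumes a per-source sliding replay window of 64 packets, sequence numbers that do not wrap, and a table binding each ingress port to the source prefix permitted on it; the class, port names and sample packets are constructed for illustration.

```python
import ipaddress

WINDOW = 64  # assumed replay-window size, in packets

class PacketInspector:
    """Header-only checks: altered source address and replayed sequence number."""
    def __init__(self, port_prefixes):
        # Assumption: each ingress port is bound to the prefix its hosts may use.
        self.port_prefixes = {p: ipaddress.ip_network(n) for p, n in port_prefixes.items()}
        self.state = {}  # source address -> (highest sequence seen, bitmap of seen numbers)

    def inspect(self, port, src, seq):
        """Return (verdict, reason) for one packet header."""
        prefix = self.port_prefixes.get(port)
        if prefix is None or ipaddress.ip_address(src) not in prefix:
            return ("block", "source address not valid for ingress port")
        top, bitmap = self.state.get(src, (None, 0))
        if top is None:
            self.state[src] = (seq, 1)
            return ("permit", "first packet from source")
        if seq > top:
            shift = seq - top
            # Slide the window forward; bit 0 always marks the highest number seen.
            bitmap = 1 if shift >= WINDOW else ((bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.state[src] = (seq, bitmap)
            return ("permit", "new sequence number")
        offset = top - seq
        if offset >= WINDOW:
            return ("block", "sequence number older than replay window")
        if bitmap & (1 << offset):
            return ("block", "sequence number already seen (replay)")
        self.state[src] = (top, bitmap | (1 << offset))
        return ("permit", "late but unseen sequence number")

# Constructed sample headers: (ingress port, source address, sequence number)
SAMPLE = [
    ("eth1", "10.0.1.5", 100),   # first packet from this source
    ("eth1", "10.0.1.5", 102),   # advances the window
    ("eth1", "10.0.1.5", 101),   # arrives late, not yet seen
    ("eth1", "10.0.1.5", 102),   # duplicate of an accepted packet
    ("eth1", "192.0.2.9", 1),    # source outside the port's prefix
    ("eth1", "10.0.1.5", 30),    # far behind the window
]

def run_sample():
    inspector = PacketInspector({"eth1": "10.0.1.0/24"})
    return [inspector.inspect(*pkt)[0] for pkt in SAMPLE]
```

Packets that fail neither check are permitted, matching the default described in the paragraph above.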
To examine traffic traversing a network, a security system may include many different components spread throughout the network. For example, each client in the network may include such components. In this case, increasing the number of such components increases the amount of network traffic the security system can observe. Each of these components may then observe traffic as described above and individually operate to detect and block unauthorized traffic.