Network security concerns protecting one or more computer systems from hazardous data transmitted to the protected computer systems via a network. In many cases, providing network security services involves installing a special network node between the protected computer systems and a public network.
For example, it is common to install a network node performing a connection firewall function between connected computer systems and a public network such as the Internet. Typical conventional connection firewalls decline risky network connections of one or more kinds, such as outbound network connections to IP addresses known to be dangerous, and some or all types of inbound network connections not initiated by one of the protected computer systems.
Serious network security risks can persist after installing and enabling a connection firewall, however. As one example, a user of a protected computer system may be induced to establish an outbound network connection with an external node that transmits hazardous data, despite having an address not known to be dangerous.
As another example, where a computer system protected by a connection firewall must be able to receive unsolicited connections from external nodes, an administrator may disable the firewall's blocking of externally-initiated connections, at least for certain types of connections and/or certain protected computer systems. Where blocking of externally-initiated connections is disabled, an external node can successfully make an unsolicited connection to a protected computer system and transmit hazardous data to it.
Some of the weaknesses of connection firewalls can be overcome by supplementing a connection firewall with a security device that monitors the data transmitted between protected computer systems and exterior nodes within connections that the connection firewall permits to be established.
One kind of conventional data monitoring security device is an intrusion prevention system. A typical intrusion prevention system monitors data transmitted between protected computer systems and exterior nodes for data that matches a set of intrusion patterns maintained by the intrusion prevention system. When the intrusion prevention system identifies data matching one of its intrusion patterns, the intrusion prevention system closes the connection by which the data was sent.
Conventional intrusion prevention systems have significant disadvantages. First, they provide no protection from attacks that do not match any of the intrusion patterns maintained by the intrusion prevention system. An attack may not match any of the intrusion patterns maintained by the intrusion prevention system, for example, where the attack is of a new type, or where the attack is a new, non-matching expression of an existing type. Further, conventional intrusion prevention systems can only act by closing connection, which may unnecessarily interrupt communications that are useful to a user of a protected computer system.
Another kind of conventional data monitoring security device is an application firewall, which uses a deeper understanding of a particular network application to analyze data contained in network traffic for that application.
Conventional application firewalls likewise have significant disadvantages. First, they typically lack complete transparency. For example, conventional application firewalls typically do not establish sessions in the TCP protocol transparently, causing applications that rely on a strict implementation of the TCP protocol to fail, unless and until they are modified to alter the way in which they implement the protocol. Conventional application firewalls further are typically not extensible or customizable, limiting their usefulness.
In view of the shortcomings of conventional data monitoring approaches discussed above, a data monitoring approach that overcame one or more of these shortcomings would have substantial utility.