Computing networks can include multiple network devices such as routers, switches, hubs, servers, desktop PCs, laptops, and workstations, and peripheral devices, e.g., printers, facsimile devices, and scanners, networked together across a local area network (LAN) and/or wide area network (WAN).
Networks can include an intrusion system (IS), e.g., intrusion prevention system (IPS) and/or intrusion detection system (IDS), that serves to detect unwanted intrusions/activities to the computer network. As used herein, “IS” is used to indicate intrusion system(s), i.e., both the singular and plural. Unwanted network intrusions/activities may take the form of attacks through computer viruses and/or hackers, and mis-configured devices, among others, trying to access the network. To this end, an IS can identify different types of suspicious network traffic and network device usage that can not be detected by a conventional firewall. This includes network attacks against vulnerable services, data driven attacks on applications, host-based attacks such as privilege escalation, denial of service attacks, port scans, unauthorized logins and access to sensitive files, viruses, Trojan horses, and worms, among others.
In previous approaches, to identify suspicious network traffic, data traffic needs to pass through a point of the network where an IS is located. Previously an IS would have been deployed solely as a standalone in-line device. For large network systems, placing an IS in-line with initial client and/or server attach points, in an intended packet path, can be both expensive to implement and very complex to maintain. If the IS is not “in-line”, e.g., between one port and another in a network packet's intended path, then suspicious activity may not be detected.
More recently, an IS is located integral to a network device, e.g., an IDS integral to a switch, router, etc. However, the integral IDS configuration suffers many of the same drawbacks as the in-line IS configuration where all network devices in a network are not so protected. This scheme still disperses the IS function, and can still be expensive to implement and/or complex to maintain.