Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both due to the intellectual challenge such attacks represent for hackers and due to the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to those attacks. As various attack methods are tried and ultimately repulsed, the attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is on-going, ever changing, and an increasingly complex problem.
Computer network attacks can take many forms and any one attack may include many security events of different types. Security events are anomalous network conditions each of which may cause an anti-security effect to a computer network. Security events include stealing confidential or private information; producing network damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network's capability in order to cause denial of service; and so forth.
Network security risk-assessment tools, i.e. “scanners,” may be used by a network manager to simulate an attack against computer systems via a remote connection. Such scanners can probe for network weaknesses by simulating certain types of security events that make up an attack. Such tools can also test user passwords for suitability and security. Moreover, scanners can search for known types of security events in the form of malicious programs such as viruses, worms, and Trojan horses.
Prior art FIG. 1 illustrates a network architecture 100 in which a scanner may be implemented, in accordance with the prior art. As shown, a remote source 102 is provided which is coupled to a network such as the Internet 104 for scanning purposes. Also included is a plurality of target devices 106, i.e. computers, coupled to another network such as a virtual local area network (VLAN) 108, or some other type of “switched” network. In use, it is very difficult for the remote source 102 to access the target devices 106 due to a firewall 110 coupled between the Internet 104 and the LAN 108, thus frustrating the scanning procedure.
The firewall 110 is adapted for isolating the VLAN 108 and the target devices 106 from access through the Internet 104 attached thereto. The purpose of the firewall 110 is to allow the VLAN 108 and the target devices 106 to be attached to, and thereby access, the Internet 104 without rendering them susceptible to hostile access from the Internet 104. If successful, the firewall 110 allows for the VLAN 108 and the target devices 106 to communicate and transact with the Internet 104 without rendering them susceptible to attack or unauthorized inquiry over the Internet 104. One technique that may be used by the firewall 110 to protect the target devices 106 is known as an “access control list”. An access control list investigates address information contained in a data packet to determine whether the remote source 102, from which the packet originated, is on a list of disallowed addresses. If the address is on the list, the packet is not allowed to pass. Yet another method of restricting access involves “packet filtering”. Packet filtering examines data traversing the firewall 110 to determine if the port or protocol in use is subject to various restrictions that may be specified by the user. If the port or protocol in use is restricted, the packet is not allowed to pass.
The firewall 110 also may use an application gateway, or proxy system. Such systems operate on the basis of an application, or a computing platform's operating system (OS), monitoring “ports” receiving incoming connection requests. A port is a numerically designated element contained in the overhead of a packet. A port number indicates the nature of a service associated with a packet. For example, a packet associated with the Telnet service has a port number of 23, and the HTTP service is assigned port number 80. These port number designations are merely industry suggested. A packet containing a port designation of 23 need not necessarily be associated with Telnet services. When the OS or monitoring application receives a request on a particular port, a connection is opened on that port. A program for managing the connection is then initiated, and the firewall 110 starts a gateway application, or proxy, that validates the connection request.
Firewalls 110 typically restrict access based only on address/port/protocol information. Further, proxying firewalls 110 validate communications merely to ensure that requests conform to known standards (e.g. HTTP/1.x). Unfortunately, firewalls 110 do not typically examine content of communications for security purposes. There is thus a need for a firewall 110 that validates conforming communications to determine if the content of such communications could be part of an attempt to carry out an attack.