The need for network security is pervasive in organizations ranging from large corporate, governmental, and educational institutions to small business and individuals. Pervasive and continuing attacks on large networks, and the considerable costs and damages such attacks can inflict, have provided incentive for researchers in government, industry, and academia to search for methods and apparatus to provide security for these networks.
For example, U.S. Pat. No. 6,816,973, entitled “Method and system for adaptive network security using intelligent packet analysis,” describes a method and system for adaptive network security that monitors network data traffic and analyzes it to assess network information. A plurality of analysis tasks is prioritized based upon that network information, and the analysis tasks are then performed on the monitored network data traffic in order to identify attacks upon the network. The plurality of analysis tasks includes a plurality of comparisons between the monitored network data traffic and a plurality of attack signatures, and a particular attack signature may be disabled based upon the priority assigned to it. This and all other papers, publications, patents, and other references are hereby incorporated into this disclosure in their entirety by this reference.
U.S. Pat. No. 7,010,700, entitled “Data scanning network security technique,” describes a data security apparatus for use in a computer network for checking data received from an external source. The apparatus provides a multiprotocol rule-set data scanner capable of scanning the received data for acceptable content and format as determined by a rule set established by a recognized protocol, such that the data is scanned in subdivisions set by the recognized protocol as it is received. A data translator for translating the data is then provided, together with a data network transmitter for transmitting the translated data to a destination node on the computer network. A mail connection detector detects whether an external source is attempting to establish a mail connection with the computer network, the computer network being receptive to one or more recognized protocols, and a data receiver receives the data from the external source.
The foregoing are merely two examples of methods and apparatus for network security in a technical field highly crowded with ongoing research and inventive activity. One of the key challenges experienced by those having skill in this art arises from innovative research at the frontiers of proteomics, genomics, and bioinformatics. The information associated with these fields has confronted the computational sciences with significantly elevated network connectivity requirements. Providing effective connectivity to instrumentation and computational resources for such research requires ultra high-speed networks that can sustain petabyte data rates, and relies on the development of an integrated advanced infrastructure for performing distributed science. The nature of these networks raises a broad range of security concerns, since the threats to such networks vary considerably. Ultra high-speed networks are likely to be attractive targets for intruders on many levels. As an example, illicit exploitation of ultra networks would aid attackers of any password-based infrastructure.
The Teracrack project at the San Diego Supercomputer Center serves as an illustration of the effectiveness of petabyte systems when used to support password cracking. This project showed that it was possible to precompute hashes for 50 million passwords in 80 minutes or less on a 6 petabyte computer, as described in Perrine, T. and D. Kowatch, Teracrack: Password cracking using teraFLOP and petabyte resources, which may be accessed online at http://security.sdsc.edu/publications/teracrack.pdf.
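The reason precomputation pays off is that, once the table exists, recovering any stored hash in it costs a single lookup, and an unsalted table is reusable against every account. The following added example (not code from this disclosure or from the Teracrack study) builds such a table over a constructed, deliberately tiny wordlist and then shows how a per-account salt multiplies the table size, which is the usual mitigation. SHA-256 is used here as a stand-in hash scheme, since this page does not state which hash the Teracrack study targeted; the wordlist, salts, and the `precompute_*`/`lookup` function names are all assumptions of this example.

```python
import hashlib
import itertools
from typing import Dict, Iterable, Optional

# Constructed wordlist standing in for the 50-million-entry dictionary the
# Teracrack study precomputed (example data, not from the study).
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "Summer2004", "teraflop"]

# Constructed salt space of four values; a real scheme such as traditional
# crypt(3) uses a 12-bit salt, i.e. 4096 values, so the multiplier is 4096.
SALTS = [b"\x00\x01", b"\x10\x20", b"\xaa\xbb", b"\xfe\xff"]


def unsalted_hash(password: str) -> str:
    """Stand-in for an unsalted password hash: identical input, identical output."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Stand-in for a salted hash: the salt is mixed in before hashing."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def precompute_unsalted(words: Iterable[str]) -> Dict[str, str]:
    """One entry per candidate password. The table is reusable against every
    account whose hash was computed without a salt."""
    return {unsalted_hash(w): w for w in words}


def precompute_salted(words: Iterable[str], salts: Iterable[bytes]) -> Dict[str, str]:
    """One entry per (salt, candidate) pair, so the table grows by a factor of
    len(salts) relative to the unsalted case; hash work is done up front."""
    return {salted_hash(w, s): w for s, w in itertools.product(salts, words)}


def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Recover the plaintext for a stored hash by a single dictionary lookup,
    or None if the hash was not precomputed (password or salt not covered)."""
    return table.get(stored_hash)


def table_growth_factor(words: Iterable[str], salts: Iterable[bytes]) -> int:
    """How many times larger the salted table is than the unsalted one."""
    words = list(words)
    return len(precompute_salted(words, salts)) // len(precompute_unsalted(words))


if __name__ == "__main__":
    unsalted = precompute_unsalted(WORDLIST)
    # Two accounts chose the same password: one table hit recovers both.
    stored = unsalted_hash("hunter2")
    print("unsalted lookup:", lookup(unsalted, stored))

    salted = precompute_salted(WORDLIST, SALTS)
    print("salted table is", table_growth_factor(WORDLIST, SALTS), "x larger")
    # A salt outside the precomputed space defeats the table entirely.
    print("uncovered salt:", lookup(salted, salted_hash("hunter2", b"\x42\x42")))
```

The practical check for a defender is the growth factor: with an unsalted scheme the attacker's precomputation is amortized across every account in every breached database, whereas a large per-account salt forces the whole table to be rebuilt per account, which is exactly the cost that teraflop-class resources make affordable at scale.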
Simple use of ultra high-speed networks is not the only possible goal of intruders or external attackers. Disruption of service, compromise of internal data, and interference with computation outcomes are all potential attacks that would adversely affect both those using such networks and potentially also the network providers. It will also be important to prevent attacks originating within a particular component of a high-speed network from affecting other resources, whether those that are part of the network or those that are external to (but reachable from) it. Protecting the information security and operation of ultra high-speed networks is clearly crucial if their full value to the research community is to be realized.
Researchers have addressed several aspects of security and survivability for high-speed networks. Examples include file system protection through projects such as Legion, as described in White, B., M. Walker, M. Humphrey, and A. Grimshaw, LegionFS: a secure and scalable file system supporting cross-domain high-performance applications, Proceedings of the 2001 ACM/IEEE Conference on Supercomputing, 2001; and resource management, separation of secure authentication and communication, and sharing of resources “through” firewalls, as described in Graupner, S. and C. Reimann, Globus Grid and Firewalls: Issues and Solutions in a Utility Data Center Environment, Technical Report HP Labs HPL-2002-278, 2002. Multilayer survivability of protocols such as IP/GMPLS and IP/WDM has also been the subject of a great deal of research, as described in Zhang, H. and A. Durresi, Differentiated Multi-layer Survivability in IP/WDM Networks, 8th IEEE/IFIP Network Operations and Management Symposium (NOMS 2002), pages 681-694, which may be accessed online at http://citeseer.nj.nec.com/zhang02differentiated.html, and in Vinodkrishnan, K., N. Chandhok, A. Durresi, R. Jain, R. Jagannathan, and S. Seetharaman, Survivability in IP over WDM networks, Journal of High Speed Networks, Vol. 10, No. 2, 2001, pp. 79-90.
Although these areas are necessary aspects of security for high-speed networks, they do not directly address the problem of the intruder who crosses boundaries. Past history suggests as a near certainty that ultra high-speed networks will be desirable targets for intruders, and that vulnerabilities in their design will be discovered and exploited. Therefore, there is a need to incorporate defensive, mitigating, and response methodologies in the early stages of ultra high-speed computing network architecture development.
Early stages of network design have typically emphasized those areas of most value to the target user community, often focusing primarily on improvements in bandwidth and usability. From that perspective, designers often consider security a desirable but secondary property. In particular, methodologies intended specifically to address intruders are rarely considered to any large extent during the early stages of design, with a few exceptions, such as the LOCK/Sidewinder work described in Badger, L., Sterne, D., Sherman, D., Walker, K., and Haghighat, S., Domain and Type Enforcement UNIX Prototype, Proceedings of the Fifth USENIX UNIX Security Symposium, June 1995. Consequently, security strategies for handling malicious activity that crosses network boundaries are normally realized as “add-on” mechanisms placed at a network's perimeter, such as traditional IDS sensors, firewalls, and other security devices. These are designed to augment the original structure by blocking, detecting, and sometimes responding to malicious activity. Because these mechanisms are not fully integrated, they cannot always be implemented or deployed optimally. The negative consequences include inconsistency of security management, reduced performance (both in network speed and in efficiency of security), lag time in response, and difficulty in coordinating with other locales, as in a cooperative defense architecture.
Performance is a particular issue for high-speed networks. As networking speed increases, with corresponding increases in traffic volume and rate, the load on these external network protection devices also increases. Perimeter defense devices already have difficulty keeping up with the scrutiny needed for high volumes of traffic, particularly when CPU-intensive analytical techniques are used, and even when only large numbers of relatively simple comparisons are to be performed. An added difficulty comes from the modern proliferation of new attacks and the increased tendency toward rapid spread seen in modern viruses and worms. Technologically, those charged with protecting these systems are rapidly reaching a threshold at which external security devices cannot function effectively under current architecture models. The consequences of “missing” an incoming known attack, or of lacking the capacity to identify a new form of attack, can be severe. It is more and more often the case that, if even a single instance of malicious code enters a network system, it can seriously affect the usability of the entire system. Thus, there is a need for a new class of network architecture and infrastructure to address both the need for high bandwidth and the need to secure and control the corporate Intranet environment.
There are parallels between the issue of protecting cooperating components of an ultra high-speed network, such as those proposed by the United States Department of Energy, and issues seen in commercial networks. Products currently in use to protect network systems are based on traditional network models that emphasize perimeter defense strategies, normally focusing upon analysis of data at the entry point of the high-speed network connections. This analysis is typically performed in a single, centralized location. Such an approach does not scale well to ultrahigh bandwidth and computing power, especially when the resources are distributed. Researchers are looking to cooperative systems and highly distributed defense systems for potential solutions. In the interim, field practitioners regularly segment their networks by using protection devices as barriers, for a variety of reasons including the increased capacity to limit the spread of malicious code, and to better track, contain, and manage the insider threat.
Containment via firewall is thus a common strategy to slow or block the spread of malicious activity. The resulting limitation of traffic between networks connected in this way is somewhat in opposition to the goals of ultra network development. This has led some researchers to devise methods for tunneling ultra network traffic through firewalls. Such approaches are useful for achieving connectivity. However, their effect is to remove the perimeter control points intended to prevent intrusions, DDoS, and other boundary-crossing malicious activity. If existing perimeter defense methods are to be bypassed in order to connect resources, it is even more important to include equivalent functionality as part of the ultra network architecture itself.
The scientific, research, and development literature identifies several challenges to the implementation of secure ultra high-speed network connectivity solutions. These may be divided into broad issues with current network infrastructures that must be considered when devising security strategies, and issues more specific to the activities of detecting, and responding to, breaches of security.
Broad issues for designing high-speed security include:
1. Existing network protocols do not scale well to high-bandwidth network connections, as described in Survey of Protocols and Mechanisms for Enhanced Transport over LONG FAT PIPES, available online at http://www.evl.uic.edu/eric/atp/Survey.doc
2. New experimental high-speed protocols are not necessarily friendly to existing network protocols such as TCP and UDP, as described in Jin, S., Guo, L., Matta, I., and Bestavros, A., A Spectrum of TCP-friendly Window-based Congestion Control Algorithms, Technical Report BU-CS-2001-015, Computer Science Department, Boston University, July 2001, available online at http://citeseer.nj.nec.com/jin01spectrum.html
3. Current network infrastructure is not necessarily tuned to allow high-speed computing and routing of Intranet data connections, as described in Tierney, B., TCP Tuning Techniques for High-Speed Wide-Area Networks, presentation, Fall 2002, available online at http://bmrc.berkeley.edu/courseware/mig/fall02/tierney.pdf and http://www.doe-sci-comp.info/presentations/blumenthal.pdf.
Issues more specific to detecting and responding to security breaches include, but are not limited to, the following:
1. Data rates are quickly outpacing the capability of network security appliances to monitor and secure the network, as described in RFC 3473, Generalized Multi-Protocol Label Switching (GMPLS) Signaling Resource ReserVation Protocol-Traffic Engineering (RSVP-TE) Extensions, available online at ftp://ftp.isi.edu/in-notes/rfc3473.txt
2. High-speed network infrastructures increase the need for mounting real-time responses to network events.
3. Component resources are not centrally owned, and policies for allowable activities, and for allowable responses, may differ from site to site.
The last two challenges are especially pertinent to the development of an efficient Intrusion Protection System (IPS). The latency introduced by an IPS could potentially have a significant detrimental impact on the ability to transfer data efficiently over high-speed network links.
Accordingly, there exists a need for new methods and apparatus for intrusion protection systems that can protect ultra high-speed networks and that overcome the foregoing considerations.