1. Technical Field
The present invention relates generally to a network apparatus and a selective information monitoring method using the network apparatus and, more particularly, to a network apparatus and a selective information monitoring method using the network apparatus, which can monitor only selective information.
2. Description of the Related Art
Present networks are exposed to many security threats due to a large number of services. In order to solve this problem, security equipment is added to and operated in existing networks.
In order to prevent external attacks, networks are protected using a firewall, and attempts to intrude on external systems and hacking attempts are detected and prevented in real time using an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS).
However, attacks on present networks involve not only hacking attempts against a specific host but also errors in network equipment, so networks are also exposed to security threats that can disable the network itself. In order to defend networks against such attacks, technology for analyzing and detecting network packets in real time has been developed.
In order to monitor an internal network, all traffic passing through a network switch must be monitored. For this, methods that can be currently used include a network switch mirroring technique and a tapping technique.
A network switch mirroring technique is a scheme in which software in a network switch copies each packet to be monitored and transmits the copy to the switch interface designated for monitoring. This technique may degrade the performance of the network switch itself because, when there is a large amount of traffic, a large amount of the switch's resources (Central Processing Unit (CPU) or the like) is consumed by the copying.
A tapping technique is a scheme in which tapping equipment is installed on each switch interface to be monitored and packets are copied electrically. In this case, in order to monitor 24 ports, 24 pieces of tapping equipment must be installed. Further, in order to collect the traffic to be monitored from the 24 ports into a single port and monitor the collected traffic, additional equipment called a traffic aggregator is required. That is, it is realistically difficult to manage the equipment because of its complicated wiring, and it is also difficult to introduce the additional equipment because of its very high price.
The most serious problem of the conventional schemes is that, when the amount of traffic desired to be monitored is large, packet loss (drop) is inevitably caused.
When a single traffic analysis system is to monitor all packets input through 24 1-Gigabit (G) ports, data at a maximum of 24 Gbps must be collected through a single port and transmitted to the traffic analysis system. However, since the maximum capacity that a single switch interface can process is 1 Gbps, it is impossible to collect all of the 23 Gbps of traffic mirrored from the other 23 interfaces.
The same phenomenon also arises in a traffic aggregator: although a large-capacity port such as a 10 Gigabit port may be supported at a correspondingly higher price, the same physical limitation inevitably occurs.
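The bottleneck described above can be modelled directly. The following Python example is added here and is not part of the patent; it uses constructed sample traffic (23 fully loaded 1 Gbps ports, 4% of each port's traffic labelled "dns") and a hypothetical selection predicate to compare the load that full mirroring and selective mirroring place on a single 1 Gbps monitor interface.

```python
"""Model of the monitor-port bottleneck in switch mirroring.

Each switch port carries a set of flows (constructed sample data). Mirroring
copies every flow to one monitor interface of fixed capacity, and anything
offered above that capacity is dropped. A selection predicate models
forwarding only the traffic of interest instead of all traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    port: int         # ingress switch port (1-based), constructed value
    proto: str        # traffic class label, constructed value
    rate_mbps: float  # sustained rate in Mbps


def offered_load_mbps(flows, select=lambda f: True):
    """Aggregate rate (Mbps) that mirroring would send to the monitor port."""
    return sum(f.rate_mbps for f in flows if select(f))


def monitor_drop(flows, capacity_mbps, select=lambda f: True):
    """Return (offered, delivered, dropped_fraction) for the monitor port.

    The monitor interface cannot forward more than its own capacity, so the
    excess is lost regardless of how fast the analysis system is.
    """
    offered = offered_load_mbps(flows, select)
    delivered = min(offered, capacity_mbps)
    dropped = 0.0 if offered == 0 else (offered - delivered) / offered
    return offered, delivered, dropped


def sample_flows(ports=23, dns_mbps=40.0, other_mbps=960.0):
    """Constructed traffic: each 1G port saturated, 40 Mbps of it is DNS."""
    flows = []
    for p in range(1, ports + 1):
        flows.append(Flow(p, "dns", dns_mbps))
        flows.append(Flow(p, "other", other_mbps))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    cap = 1000.0  # the monitor interface is itself a 1 Gbps port
    print("full mirror:", monitor_drop(flows, cap))
    print("dns only   :", monitor_drop(flows, cap, lambda f: f.proto == "dns"))
```

With full mirroring roughly 96% of the 23 Gbps offered is dropped, whereas forwarding only the selected class (920 Mbps) fits within the monitor port with no loss.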
As related preceding technology, Korean Patent No. 10-0814546 (entitled “Apparatus and method for collecting and analyzing communication data”) discloses technology for collecting and analyzing communication data.
As another related preceding technology, Korean Patent No. 10-0671044 (entitled “Harmful traffic analysis system and method in an internal network”) discloses technology for supporting the internal network so that harmful traffic in the internal network can be discovered in real time and can be suitably handled.