Computing networks can include multiple network devices such as routers, switches, hubs, servers, desktop PCs, laptops, and workstations, and peripheral devices, e.g., printers, facsimile devices, and scanners, networked together across a local area network (LAN) and/or wide area network (WAN).
Networks can include a network appliance (NA), e.g., an intrusion prevention system (IPS) and/or intrusion detection system (IDS), that serves to detect unwanted intrusions/activities on the computer network. Unwanted network intrusions/activities may take the form of attacks by computer viruses, hackers, and others trying to access the network. To this end, a NA can identify different types of suspicious network traffic and network device usage that cannot be detected by a conventional firewall. These include network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, denial of service attacks, port scans, unauthorized logins and access to sensitive files, viruses, Trojan horses, and worms, among others. A NA can also include other forms of diagnostic devices, accounting devices, counting devices, etc., operable on network packets of interest.
In previous approaches, to identify suspicious network traffic or to properly account for the traffic, the data traffic needed to pass through the point in the network where a NA is located. That is, network appliances were formerly deployed solely as in-line devices and have more recently become a shared resource local to one network device, e.g., a switch or router. If the NA is not "in-line", e.g., between one port and another on a network packet's intended path, then suspicious activity may not be detected, or the packets may not be properly counted. For large network systems, placing a NA in-line with every possible intended packet path can be both expensive to implement and very complex to maintain.
Network appliances, e.g., IPS/IDSs, counting/accounting devices, or diagnostic devices, may be slower than other network devices such as switches and routers. To make better use of the NA's limited bandwidth, it would be useful to determine a subset of the network traffic that is of particular interest and to monitor only that subset, in a manner which does not diminish the functionality of a NA but allows the NA to serve a greater number of ports, users, etc.
In previous approaches, IP subnets and virtual local area networks (VLANs), as the same are known by one of ordinary skill in the art, were used to address the above issue. In this approach, only data packet traffic crossing a layer 2, e.g., bridged, domain boundary would be sent to the router, which may apply additional security, accounting, or diagnostic checks; traffic that stays within a single subnet or VLAN is bridged at layer 2 and never reaches the router or the NA. However, in today's networks group membership is not always easily divided among subnets or VLANs. More useful group membership is often based on a user's identity (e.g., MAC address, IP address), physical location (e.g., physical connect point within the network), traffic type (e.g., the type of resources being accessed), etc.
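The following is an added example, not code from the original document, contrasting the two ways of choosing which traffic is steered to a NA: the subnet/VLAN-boundary approach described above, where only routed (inter-VLAN) traffic is inspected, and selection keyed on user identity (MAC/IP address), physical location (ingress port), and traffic type (protocol and destination port). The VLAN layout, policy rules, and sample packets are all constructed for the illustration; the rule predicates and port/service numbers are assumptions, not values from the document.

```python
"""
Added example (not part of the original text): two selectors that decide
whether a packet should be steered to a network appliance (NA).

  vlan_boundary_selector - the subnet/VLAN approach: only traffic crossing a
                           layer 2 domain reaches the router and hence the NA.
  policy_selector        - selection by identity (MAC/IP), location (ingress
                           port) and traffic type (protocol/destination port).

All VLAN assignments, rules and packets below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    ingress_port: int      # physical connect point on the switch (location)
    protocol: str          # "tcp" or "udp"
    dst_port: int


# Constructed VLAN layout: one IP subnet per VLAN (one layer 2 domain each).
VLANS = {
    10: ip_network("10.0.10.0/24"),
    20: ip_network("10.0.20.0/24"),
}


def vlan_of(ip: str) -> int:
    """Map an address to its VLAN via the subnet it belongs to."""
    addr = ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    raise ValueError(f"{ip} is not in any known VLAN")


def vlan_boundary_selector(pkt: Packet) -> bool:
    """Previous approach: only inter-VLAN (routed) traffic is sent to the NA.
    Traffic between two hosts on the same VLAN is bridged and never inspected."""
    return vlan_of(pkt.src_ip) != vlan_of(pkt.dst_ip)


# Constructed policy (assumed values): a packet matching any rule is steered to
# the NA whether or not it crosses a VLAN boundary.
WATCHED_MACS = {"00:11:22:33:44:55"}                  # identity: a specific user
GUEST_PORTS = {7, 8}                                  # location: lobby-area ports
SENSITIVE_SERVICES = {("tcp", 445), ("tcp", 3389)}    # traffic type: SMB, RDP

POLICY_RULES: List[Callable[[Packet], bool]] = [
    lambda p: p.src_mac.lower() in WATCHED_MACS,
    lambda p: p.ingress_port in GUEST_PORTS,
    lambda p: (p.protocol, p.dst_port) in SENSITIVE_SERVICES,
]


def policy_selector(pkt: Packet) -> bool:
    """Identity / location / traffic-type selection."""
    return any(rule(pkt) for rule in POLICY_RULES)


def select(packets: Iterable[Packet], selector: Callable[[Packet], bool]) -> List[Packet]:
    """Return the subset of packets the given selector would steer to the NA."""
    return [p for p in packets if selector(p)]


# Constructed sample traffic.
SAMPLE = [
    # 0: same VLAN, SMB from a watched user: invisible to the VLAN approach
    Packet("00:11:22:33:44:55", "10.0.10.5", "10.0.10.9", 3, "tcp", 445),
    # 1: inter-VLAN web browsing: the VLAN approach routes this via the NA
    Packet("aa:bb:cc:dd:ee:01", "10.0.10.6", "10.0.20.7", 4, "tcp", 80),
    # 2: same VLAN, ordinary DNS from a non-guest port: neither approach selects it
    Packet("aa:bb:cc:dd:ee:02", "10.0.20.3", "10.0.20.4", 12, "udp", 53),
    # 3: same VLAN, SSH from a guest-area port: policy catches it, VLAN approach does not
    Packet("aa:bb:cc:dd:ee:03", "10.0.20.8", "10.0.20.4", 8, "tcp", 22),
]


def compare() -> dict:
    """Indices of SAMPLE packets each selector would steer to the NA."""
    return {
        "vlan_boundary": [i for i, p in enumerate(SAMPLE) if vlan_boundary_selector(p)],
        "policy": [i for i, p in enumerate(SAMPLE) if policy_selector(p)],
    }


if __name__ == "__main__":
    print(compare())   # {'vlan_boundary': [1], 'policy': [0, 3]}
```

Packet 0 (a watched user reaching SMB on a neighbour in the same VLAN) and packet 3 (a guest port talking to a host on its own VLAN) never leave their layer 2 domain, so the router-based approach cannot send them to the NA; the policy selector picks them up and, just as usefully, leaves the ordinary inter-VLAN web traffic alone.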