Computing networks can include multiple network devices such as routers, switches, hubs, servers, desktop PCs, laptops, and workstations, and peripheral devices, e.g., printers, facsimile devices, and scanners, networked together across a local area network (LAN) and/or wide area network (WAN).
Networks can include an intrusion system (IS), e.g., an intrusion prevention system (IPS) and/or intrusion detection system (IDS), that serves to detect unwanted intrusions/activities on the computer network. Unwanted network intrusions/activities may take the form of attacks by computer viruses and/or hackers, misconfigured devices, among others, trying to access the network. To this end, an IS can identify different types of suspicious network traffic and network device usage that cannot be detected by a conventional firewall. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, denial of service attacks, port scans, unauthorized logins and access to sensitive files, viruses, Trojan horses, and worms, among others.
In previous approaches, to identify suspicious network traffic, data traffic needs to pass through a point of the network where an IS is located. As used herein, “IS” is used to indicate intrusion system(s), i.e., both the singular and plural. An IS can include an intrusion prevention system (IPS) and/or intrusion detection system (IDS), etc. Previously, an IS would have been deployed solely as a standalone in-line device (see FIG. 2A). More recently, the IS has become a shared resource local, e.g., integral, to a network device, e.g., integral to a switch, router, etc. An IDS may be local to a particular network device (see FIG. 2B); however, not all network devices in a network have an IDS local to them. If the IS is not “in-line”, e.g., between one port and another in a network packet's intended path, then suspicious activity may not be detected. For large network systems, placing an IS in-line with initial client and/or server attach points, in an intended packet path, can be both expensive to implement and very complex to maintain.
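The coverage gap described above (a flow is only inspected if an IS sits on its path) can be checked mechanically. The following is an added illustration, not part of the original text and not the patent's own method: it models a small constructed topology with one standalone in-line IS and one switch with an integral IS, computes the shortest path for each flow with a breadth-first search, and reports which flows are inspected. All device names, links, and flows are assumptions made up for the example.

```python
from collections import deque

# Constructed sample topology (assumption, not from the page): each tuple is a
# direct link between two network devices.
LINKS = [
    ("client_a", "switch_1"),
    ("client_b", "switch_1"),
    ("switch_1", "router_1"),
    ("router_1", "ips_inline"),   # standalone in-line IS (the FIG. 2A style)
    ("ips_inline", "server_1"),
    ("switch_1", "switch_2"),     # switch_2 carries an integral IS (FIG. 2B style)
    ("switch_2", "printer_1"),
]

# Devices that inspect traffic passing through them (constructed values).
IS_NODES = {"ips_inline", "switch_2"}

# Constructed flows to evaluate: (source, destination).
FLOWS = [
    ("client_a", "server_1"),
    ("client_a", "client_b"),
    ("client_a", "printer_1"),
]


def build_graph(links):
    """Turn the link list into an undirected adjacency map."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def shortest_path(graph, src, dst):
    """Breadth-first search; returns the ordered list of devices a packet
    traverses from src to dst, or None if dst is unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(graph.get(node, ())):  # sorted for deterministic paths
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path = []
    node = dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def is_inspected(path, is_nodes):
    """A flow is inspected only if some IS lies on its path, i.e. is in-line."""
    return any(hop in is_nodes for hop in path)


def coverage_report(links, is_nodes, flows):
    """Map each (src, dst) flow to its path and whether an IS sees it."""
    graph = build_graph(links)
    report = {}
    for src, dst in flows:
        path = shortest_path(graph, src, dst)
        report[(src, dst)] = {
            "path": path,
            "inspected": path is not None and is_inspected(path, is_nodes),
        }
    return report


if __name__ == "__main__":
    for (src, dst), info in coverage_report(LINKS, IS_NODES, FLOWS).items():
        status = "inspected" if info["inspected"] else "NOT inspected"
        print(f"{src} -> {dst}: {' > '.join(info['path'])} ({status})")
```

In this constructed topology the client-to-server flow and the client-to-printer flow are both inspected (by the in-line IS and by the integral IS in switch_2 respectively), while client_a to client_b never leaves switch_1 and is not seen by any IS, which is exactly the blind spot the text attributes to an IS that is not in-line.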