Security breaches have become more common in the last decade. There are a variety of techniques that an intruder may use to access and compromise a network. For example, by hijacking, or taking control of, a router or switch in a network, the intruder may be able to monitor all of the network traffic passing through that router or switch.
There are mechanisms that prevent the content, or payload, of a packet from being compromised. For example, in certain embodiments, the payload may be encrypted. Protocols, such as IPSec, have been developed to prevent the compromise of data payloads.
However, even in systems employing payload encryption, the packet header is not encrypted. The network devices, such as gateways, routers and switches, which deliver packets from a source to a destination, must be able to read these packet headers so that these devices may properly route the packet through the network. Encryption of the header would necessarily make the source address and destination address unreadable by these devices, thereby making the packet unroutable.
Unfortunately, the ability to monitor only packet headers in a network still provides an intruder with valuable information. For example, the intruder is able to monitor traffic patterns, such as which nodes communicate with one another, and which nodes are accessed by most of the other nodes. Based on these traffic patterns, it may be possible for an intruder to determine the identity, including IP address, of the various servers in the network. Further, through more sophisticated analysis, an intruder may also be able to identify the operating system used by the clients and servers in the network.
Such information may be sufficient for the intruder to launch a targeted attack on that network.
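The traffic-pattern inference described above, as an added illustration that is not part of the original text: given only header-derived flow records (the payloads are treated as opaque, as under IPSec), a handful of aggregations already reveal which hosts behave as servers and which hosts talk to each other. The flow records and addresses below are constructed sample values.

```python
from collections import defaultdict

# Constructed flow records, as seen by an observer who can read only packet
# headers on a router: (source, destination, destination port, payload bytes).
# The payload itself is assumed encrypted and contributes nothing here.
FLOWS = [
    ("10.0.0.11", "10.0.0.5", 443, 1420),
    ("10.0.0.12", "10.0.0.5", 443, 980),
    ("10.0.0.13", "10.0.0.5", 443, 1420),
    ("10.0.0.14", "10.0.0.5", 443, 610),
    ("10.0.0.11", "10.0.0.6", 53, 72),
    ("10.0.0.12", "10.0.0.6", 53, 68),
    ("10.0.0.5", "10.0.0.7", 5432, 2048),
]


def peers_by_destination(flows):
    """Map each destination to the set of distinct sources that contacted it."""
    peers = defaultdict(set)
    for src, dst, _port, _size in flows:
        peers[dst].add(src)
    return peers


def infer_servers(flows, min_peers=3):
    """Destinations contacted by at least min_peers distinct hosts, busiest first.

    A host that many other nodes connect to is, from headers alone, very likely
    a server; the destination port then hints at the service it runs.
    """
    peers = peers_by_destination(flows)
    ranked = sorted(((dst, len(srcs)) for dst, srcs in peers.items()),
                    key=lambda item: (-item[1], item[0]))
    return [(dst, n) for dst, n in ranked if n >= min_peers]


def service_ports(flows):
    """Map each destination to the set of ports it was contacted on."""
    ports = defaultdict(set)
    for _src, dst, port, _size in flows:
        ports[dst].add(port)
    return {dst: sorted(p) for dst, p in ports.items()}


def communication_graph(flows):
    """Undirected who-talks-to-whom graph, the raw material for traffic analysis."""
    graph = defaultdict(set)
    for src, dst, _port, _size in flows:
        graph[src].add(dst)
        graph[dst].add(src)
    return {host: sorted(nbrs) for host, nbrs in graph.items()}
```

Running `infer_servers(FLOWS)` on the sample flows singles out 10.0.0.5 as the host that four distinct clients reach, and `service_ports` shows it answers on 443 while itself contacting 10.0.0.7 on 5432, which is exactly the kind of role information the text says header monitoring exposes.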
To date, this vulnerability has not been addressed. Therefore, it would be beneficial if there were a system and method that allowed the packet headers to be encoded or otherwise protected so that an intruder would be unable to detect IP addresses and traffic patterns. Further, it would be advantageous if this system and method could utilize existing network infrastructure and incur minimal overhead.