Providing users with network access generally requires some form of security to prevent malicious attacks. Many current application-aware firewalls and intrusion detection/intrusion prevention systems (IDS/IPS) are intended to prevent such attacks. For example, a security mechanism typically implements access security for the network by putting in place and managing network access policies or rules. Currently known methods of access security, when configured properly, can usually protect both the user devices and the network itself from malicious attacks and abuse.
Various approaches have been taken to implement access security. One approach sets common filtering rules for the entire enterprise or operator network. These rules or policies may be specific to the type of traffic, the specific services to be provided, the user's location, the identity of the user in the protected network, or the type of access technology being used, as in the case of a multimodal device that can use any one of a number of access technologies.
In some multimodal networks, each separate access network or specific access technology has a unique corresponding IP subnet assigned to it. For these networks the application-aware firewalls are configured with a specific security policy per IP subnet.
Another approach to managing security is to set security policy depending upon the identity of the user and/or the user's duties. In a network there are often different roles, functions or privileges assigned to each user. An authorized device may be utilized by any one of a number of users for network access. Each user is subject to the network security policy determined by his or her identity. Consequently, it is possible to implement access security such that when a user accesses the network, the user is identified and authenticated, and then the policies associated with the user's assigned role, function or privileges are used to control the user's access to resources. An example of this type of approach is the use of access control lists (ACLs) for role-based or user-based access control.
FIG. 1A shows a user 10, a user 12 and a user 14 using a device 16 to access a network 20 through an access point 18. Each user has a different identity and may have different roles or privileges. The device 16 accesses the network 20 through the access point 18, which typically is a security proxy that controls access and traffic in both directions.
FIG. 1B shows a user 22 using any one of the devices 24a, 24b, and 24c to access a network 26 through an access point 28. No matter which device 24 the user 22 utilizes to access the network 26, since the user 22 always uses the same identity, the same role and the same privileges, the same security policies will be applied.
Known networks are generally built on the assumption that a single fixed access technology is used. The resulting mechanisms for securing the network (for example, filtering rules, access control, intrusion detection criteria, traffic management) are therefore tailored to the characteristics of that assumed access technology.
Fixed/mobile converged networks support multimodal devices having multiple wireless and fixed network interfaces, such as UMTS, WLAN, WiMax, CDMA2000, and Ethernet, each with its own access security requirements. A multimodal device can use any one of a number of different access technologies to connect to the access network, and these technologies have different protocols and standards, and hence different potential vulnerabilities to specific exploits and attacks. The access technologies can have very different physical layer characteristics, such as bandwidth, delay, packet loss, and handoff parameters, and very different requirements for establishing network connections, authentication, encryption, and data integrity. Their normal performance capabilities and capacities may also differ considerably. As a result, the security requirements, criteria, and mechanisms for UMTS, WLAN, WiMax, fixed networks, etc. are all different. The natural background traffic, capabilities, and traffic characteristics (bandwidth, delay, error rates, etc.) likewise vary from one technology to another.
In a multimodal converged network, security mechanisms cannot be effective if they assume that a single access technology will be used, because no single fixed set of mechanisms specific to one access technology is sufficient to secure the multimodal converged network. A fixed/mobile converged network that supports multimodal device mobility allows end-user access to the network over any access technology of the multimodal device. It must therefore provide dynamic security for a user's access when the user changes the access technology of the multimodal device while the same user identity remains registered at the security policy enforcement point.
Neither generic rules and policies nor rules based on the user's identity and credentials, as used in known systems, provide a level of security appropriate to the distinctive characteristics of the various access technologies of the multimodal device. For example, firewall/filtering or IDS/IPS rules, even when they are specific to a user's identity (and corresponding credentials), do not take into account the situation in which an attacker has obtained that user's network access information. When an attacker presents real, but stolen, network access information, the network will accept it and grant the attacker access. The attacker's subsequent behavior and actions are neither available to nor considered by the network; known networks and access control systems do not track the behavior of such an attacker.
For example, for wireless network access the threshold number of packets that sets off a "malicious scan indication" is generally lower than the corresponding threshold for fixed network access. A high packet count that in a wireless network would usually indicate a malicious attack, such as a flooding attack, is nothing more than a neutral condition in a fixed network.
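The two points above, a security policy selected per IP subnet and a scan threshold that depends on the access technology, are illustrated by the following added example. It is not code from the patent; the subnets, thresholds, log record format and flow records are all constructed for the illustration. The same user identity appears from a WLAN address and from an Ethernet address, which is the situation identity-based rules alone cannot distinguish; only the per-technology threshold applied to the observed behavior separates the two.

```python
"""Added illustration, not part of the original text: access-technology-aware
scan detection. A flat per-user or enterprise-wide threshold either over-alerts
on fixed links or misses scans on wireless ones, so the threshold is chosen from
the subnet, and hence the access technology, that the source address belongs to.
All subnets, thresholds and log lines below are constructed for the example."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed mapping: each access technology owns its own IP subnet
# (the per-subnet policy arrangement described in the text).
ACCESS_SUBNETS = {
    ip_network("10.10.0.0/16"): "WLAN",
    ip_network("10.20.0.0/16"): "UMTS",
    ip_network("10.30.0.0/16"): "Ethernet",
}

# Constructed thresholds: distinct destination ports one source may touch
# within the window before a "malicious scan indication" is raised.
# Wireless links carry less background traffic, so the bar is lower.
SCAN_THRESHOLDS = {"WLAN": 15, "UMTS": 10, "Ethernet": 100}
DEFAULT_THRESHOLD = 10          # unknown subnet: use the most conservative bar
WINDOW_SECONDS = 60


def access_technology(src):
    """Return the access technology owning a source address, or None."""
    addr = ip_address(src)
    for net, tech in ACCESS_SUBNETS.items():
        if addr in net:
            return tech
    return None


def parse_flow(line):
    """Parse one constructed flow record: '<ts> <user> <src> <dst> <dport>'."""
    ts, user, src, dst, dport = line.split()
    return int(ts), user, src, dst, int(dport)


def detect_scans(lines, window=WINDOW_SECONDS):
    """Count distinct destination ports per source within a sliding time window
    and flag sources that exceed the threshold of their access technology.
    Returns {src: (technology, max_distinct_ports_in_window, flagged)}."""
    events = defaultdict(list)           # src -> [(ts, dport)]
    for line in lines:
        ts, _user, src, _dst, dport = parse_flow(line)
        events[src].append((ts, dport))
    verdicts = {}
    for src, evs in events.items():
        evs.sort()                       # sliding window needs time order
        tech = access_technology(src)
        threshold = SCAN_THRESHOLDS.get(tech, DEFAULT_THRESHOLD)
        worst, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1               # drop events older than the window
            ports = {p for _, p in evs[start:end + 1]}
            worst = max(worst, len(ports))
        verdicts[src] = (tech, worst, worst > threshold)
    return verdicts


def constructed_flows():
    """Constructed sample records: the same identity 'alice' is seen from a WLAN
    address probing 20 distinct ports and from an Ethernet address probing 40,
    both within one minute, plus a benign WLAN host 'bob'."""
    lines = [f"{100 + i} alice 10.10.4.7 10.0.0.5 {1000 + i}" for i in range(20)]
    lines += [f"{100 + i} alice 10.30.9.2 10.0.0.5 {2000 + i}" for i in range(40)]
    lines += [
        "100 bob 10.10.8.1 10.0.0.5 443",
        "130 bob 10.10.8.1 10.0.0.5 443",
        "170 bob 10.10.8.1 10.0.0.9 80",
    ]
    return lines


if __name__ == "__main__":
    for src, (tech, ports, flagged) in detect_scans(constructed_flows()).items():
        print(f"{src:12} {tech or 'unknown':9} ports={ports:3} scan={flagged}")
```

With the constructed thresholds, 20 ports from the WLAN address is flagged while 40 ports from the Ethernet address is not, even though both carry the same user identity; an identity-only rule would treat them identically.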
Therefore, what is needed is a system and method for interrogating multiple sources of information across a network to determine a risk score for a requestor seeking access to a device or a network.