In a secure network environment, secure transport services provide message traffic transport over trusted connections that offer assurances against interception, tampering or other unauthorized interference. Secure transport services begin and terminate at trust points in the network. A trust point defines a network location, typically a computing node, beyond which traffic is secure until it exits the trusted network at another trust point. A set of trust points effectively defines a trust boundary into a network. The computing nodes defining a trust point may include routers, switches and gateways operable to interface the network with applications or processes attempting to communicate via the network. In particular configurations, a particular process or application executes on a computing node to define the trust point. Such a process or application is operable to oversee each connection into the network and provide assurances to the network that message traffic through the trust point is trusted.
In conjunction with secure transport, modern networks typically employ so-called “differentiated service” mechanisms to ensure that network traffic is appropriately classified according to the type of traffic and requirements of the user. Such differentiated service mechanisms provide different Quality of Service (QoS) levels to different connections and/or streams of packets. The different QoS levels are generally recognized by intermediate switching nodes for prioritizing network traffic appropriately. Thus, preferential users and/or types of traffic receive a higher priority while less exigent network traffic is carried at a lower priority.
In particular, network device vendors are deploying network devices operable according to a differentiated services model. Differentiated Services (DiffServ) is a model in which traffic is treated by intermediate systems with relative priorities based on a Type of Service (ToS) field within an IP message packet. Defined in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 2474 and RFC 2475, the DiffServ standard increases the number of definable priority levels by reallocating bits of an IP packet for priority marking.
The DiffServ architecture defines the DiffServ (DS) field, which supersedes the ToS field in IPv4, to make per-hop behavior (PHB) decisions about packet classification and traffic conditioning functions such as metering, marking, shaping, and policing. Particular vendors implement queuing techniques that base their PHB on an IP Precedence or Differentiated Services Code Point (DSCP) value in the IP header of a packet. Based on the DSCP or IP Precedence value, traffic can be put into a particular service class. Packets within a service class are treated in a similar manner.
By way of technical background, the six most significant bits of the DiffServ field are called the DSCP. The last two bits, the Currently Unused (CU) bits, were left for future expansion in the DiffServ field architecture; these are now used as Explicit Congestion Notification (ECN) bits. Routers at the edge of a DiffServ network classify packets and mark them with either an IP Precedence or a DSCP value. Other network devices in the core (i.e. non-edge devices) that support DiffServ use the DSCP value in the IP header to select a PHB for the packet and provide the appropriate QoS treatment.
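The DS field layout and the edge-marking step described in the two preceding paragraphs, as an added worked example (not code from the original text): it splits the DS byte of an IPv4 header into DSCP, ECN and the backward-compatible IP Precedence bits, names the standard PHB a DSCP selects (EF, AFxy where DSCP = 8x + 2y, CSx), and re-marks the DSCP at an edge node while preserving the ECN bits and repairing the header checksum. The sample header and its addresses are constructed for the example.

```python
import struct
def ds_field(header: bytes) -> int:
    """DS byte: the second octet of an IPv4 header (formerly the ToS field)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1]

def split_ds(ds: int) -> tuple:
    """Split the DS byte into (DSCP, ECN, IP Precedence)."""
    dscp, ecn = ds >> 2, ds & 0x03   # six MSBs; two LSBs (the former CU bits)
    return dscp, ecn, dscp >> 3      # top three DSCP bits = legacy IP Precedence

def phb_name(dscp: int) -> str:
    """Standard PHB selected by a DSCP: EF, AFxy (DSCP = 8x + 2y), CSx, Default."""
    cls, low = dscp >> 3, dscp & 0x7
    if dscp == 46:
        return "EF"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low >> 1}"
    if low == 0:
        return "Default" if cls == 0 else f"CS{cls}"
    return "unassigned/local"

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of the header with its checksum field zeroed."""
    ihl = (header[0] & 0x0F) * 4
    h = bytearray(header[:ihl])
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack(f"!{ihl // 2}H", h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_ok(header: bytes) -> bool:
    return ipv4_checksum(header) == int.from_bytes(header[10:12], "big")

def remark(header: bytes, new_dscp: int) -> bytes:
    """Edge marking: rewrite the DSCP, preserve the ECN bits, fix the checksum."""
    if not 0 <= new_dscp <= 63:
        raise ValueError("DSCP is a six-bit value")
    h = bytearray(header)
    h[1] = (new_dscp << 2) | (h[1] & 0x03)
    struct.pack_into("!H", h, 10, ipv4_checksum(bytes(h)))
    return bytes(h)

# Constructed sample (not a captured packet): minimal IPv4/UDP header whose DS
# byte 0xB9 carries DSCP 46 (EF) and ECN 01; the checksum is filled in below.
_h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0xB9, 40, 0x1234, 0x4000, 64, 17,
                           0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])))
struct.pack_into("!H", _h, 10, ipv4_checksum(bytes(_h)))
SAMPLE_HEADER = bytes(_h)
```

A core node would call only `split_ds(ds_field(...))` and `phb_name` to select the PHB; `remark` is the edge-router operation, and `checksum_ok` lets a receiver reject a header whose DS byte was altered without the checksum being updated.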
Network administrators often employ trust and identity systems to implement secure transport mechanisms to ensure that only trusted users and devices adhering to corporate security policy can connect to an organization's network and send and receive data. Quality of Service (QoS) designations are included in this policy. For example, Network Admission Control (NAC) is an industry-wide collaboration led by Cisco Systems®, Inc., of San Jose, Calif., to proactively limit damage from worms and viruses, often referred to as “Malware.” NAC ensures that every endpoint complies with network security policies before being granted network access. NAC program participants are typically leading security vendors in antivirus software and desktop management. NAC allows noncompliant endpoints to be denied access, placed in a quarantined area, or given restricted access to resources. The NAC approach allows network switching devices to implement a threat defense system according to the corporate security policy. Such a threat defense system ensures networks are designed to resist both external and internal attacks, and can recover quickly in the event an attack is launched. The threat defense system includes several technologies relevant to preventing outbreaks. For example, the Cisco Security Agent (CSA) product, marketed commercially by Cisco Systems®, Inc., of San Jose, Calif., employs behavior-based assessment to identify known and unknown attacks, and prevent malicious behavior targeted at endpoints.