This patent application is related to a commonly-assigned U.S. patent application, entitled "System And Method For Remotely Identifying An Operating System Based On A Network Layer Stack Implementation," filed on Sep. 24, 1999, pending, the disclosure of which is incorporated herein by reference.
The present invention relates in general to providing a network host decoy, and, in particular, to a system and method for providing a network host decoy using a pseudo network protocol stack implementation.
Data information networks interconnecting a wide range of computational resources have become a mainstay of corporate computing environments. Most major corporations presently maintain numerous host computer systems that are interconnected internally over an intranetwork to which individual workstations and network resources are connected. These intranetworks make legacy databases and information resources widely available for access and utilization throughout the corporation. These same corporate resources can also be interconnected to a wide area public information internetwork, such as the Internet, to enable outside users to remotely access select corporate resources for the purpose of completing limited transactions or data transfer.
Due to the inherent risks of making such internal corporate systems available to a wider audience of internal and external users, maintaining network security has become a paramount concern. Network security is particularly crucial where the host systems are accessible by, and therefore vulnerable to, both internal workstations and external systems gaining access through the various intra- and internetwork connections. Protecting a network against attack by illicit users is extremely difficult due to the various machine types, operating systems, software patch levels, and system configurations. The complexity increases dramatically as the number of interconnected systems grows.
One source of complexity arises as a result of the various network protocol implementations used by each system and network device. Most current internetworks and intranetworks are based on the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, such as described in W. R. Stevens, "TCP/IP Illustrated," Vol. 1, Ch. 1, Addison-Wesley (1994), the disclosure of which is incorporated herein by reference. Computer systems and network devices employing the TCP/IP suite implement a network protocol stack, which includes a hierarchically structured set of protocol layers. Each protocol layer performs a set of pre-defined functions as specified by the official TCP/IP standards set forth in applicable Requests for Comment (RFC). Numerous network security concerns arise due to the basic structuring of and differences in how each protocol layer has been implemented.
For instance, firewalls situated between the internal intranetwork and the external internetwork provide some level of active security against externally originating network "attacks." Typically, these systems monitor and detect signature patterns in individual packets in the incoming data stream to identify a potential security threat. However, due to the separation of functionality between the individual network layers, an attack signature can be disguised or distributed over a series of packets to evade detection and thereby defeat the security provided by the firewall. Moreover, active security begins to fail as network traffic increases and the active security monitors become overwhelmed and saturated by packet data.
Therefore, there is a need for a passive network security system capable of diverting and tracking potential attacks for use in a system implementing a network protocol stack. Such a system should be capable of intercepting attacks originating from both external sources and illicit internal systems and be capable of simulating the network protocol stack implementation of a plurality of virtual hosts and network devices.
The present invention provides a system and method for providing a network host decoy using a pseudo network protocol stack implementation. Individual nuances particular to a given platform and operating system are introduced in a protocol stack specific manner.
An embodiment of the present invention is a system and method for providing a network host decoy on a virtual host using a pseudo implementation of a network protocol stack. A hierarchical network protocol stack is functionally defined and includes a plurality of communicatively interfaced protocol layers. A request frame originating from a remote host is received. The request frame includes a plurality of recursively encapsulated data segments which each correspond to a successive protocol layer in the network protocol stack. At each protocol layer, processing a header associated with the encapsulated data segment demultiplexes each encapsulated data segment in the request frame. Any requested network service is performed and any recursively encapsulated portion is forwarded to the next successive protocol layer. A plurality of pseudo data segments corresponding to each of the protocol layers in the network protocol stack is formed. Each pseudo data segment includes a header and data portion. The header includes network protocol stack characteristics for a pseudo host different than the network protocol stack characteristics for the virtual host. Each of the pseudo data segments within a response frame is recursively encapsulated. A network address for the pseudo host different than the network address for the virtual host is inserted into the response frame. The response frame is sent to the remote host.
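The embodiment just described, as an added worked example that is not part of the patent and does not reproduce any claimed implementation: a toy pseudo protocol stack in Python that demultiplexes an Ethernet/IPv4/TCP request frame one layer at a time, then recursively encapsulates a response whose TCP, IP and Ethernet headers carry the characteristics of a pseudo host (the profile values, addresses and MACs below are constructed for illustration and are not a fingerprint of any real operating system). The sample SYN frame is likewise constructed inline so the block runs offline.

```python
"""Toy pseudo-protocol-stack decoy (illustrative, not the patent's code).

Demultiplex a request frame layer by layer, then build a response frame whose
headers describe a pseudo host that differs from the virtual host addressed.
"""
import struct

ETH_LEN, IP_LEN, TCP_LEN = 14, 20, 20
SYN, ACK = 0x02, 0x10

# Constructed pseudo-host profile: every value here is an assumption for the example.
PSEUDO_PROFILE = {
    "ip": bytes([10, 0, 0, 21]),          # decoy address, not the virtual host's 10.0.0.20
    "mac": b"\x02\x00\x00\x00\x00\x21",   # locally administered, constructed
    "ttl": 128, "df": True, "window": 8192,
    "ip_id": 0x1234, "isn": 0xDEADBEEF,
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (folds to 0 on a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# --- Demultiplexing: each layer parses its header and forwards the encapsulated rest ---
def parse_ethernet(frame: bytes):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    return {"dst": dst, "src": src, "type": ethertype}, frame[ETH_LEN:]


def parse_ipv4(segment: bytes):
    vihl, _tos, _tlen, _ident, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", segment[:IP_LEN])
    ihl = (vihl & 0x0F) * 4
    return {"ttl": ttl, "proto": proto, "src": src, "dst": dst,
            "df": bool(frag & 0x4000)}, segment[ihl:]


def parse_tcp(segment: bytes):
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:TCP_LEN])
    offset = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window}, segment[offset:]


def demultiplex(frame: bytes):
    """Walk the stack top-down; only IPv4-over-Ethernet carrying TCP is handled here."""
    eth, rest = parse_ethernet(frame)
    if eth["type"] != 0x0800:
        raise ValueError("not IPv4")
    ip, rest = parse_ipv4(rest)
    if ip["proto"] != 6:
        raise ValueError("not TCP")
    tcp, payload = parse_tcp(rest)
    return eth, ip, tcp, payload


# --- Response: pseudo data segments formed per layer, then recursively encapsulated ---
def build_decoy_response(frame: bytes, profile: dict):
    """Answer a SYN with a SYN-ACK that carries the pseudo host's stack characteristics."""
    eth, ip, tcp, _ = demultiplex(frame)
    if not tcp["flags"] & SYN:
        return None                      # decoy only reacts to connection requests
    # TCP layer: pseudo initial sequence number and window size.
    tcp_hdr = struct.pack("!HHIIHHHH", tcp["dport"], tcp["sport"], profile["isn"],
                          (tcp["seq"] + 1) & 0xFFFFFFFF, (5 << 12) | (SYN | ACK),
                          profile["window"], 0, 0)
    pseudo = struct.pack("!4s4sBBH", profile["ip"], ip["src"], 0, 6, len(tcp_hdr))
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", checksum(pseudo + tcp_hdr)) + tcp_hdr[18:]
    # IP layer: pseudo TTL, DF bit, IP ID, and the decoy source address.
    flags = 0x4000 if profile["df"] else 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(tcp_hdr), profile["ip_id"],
                         flags, profile["ttl"], 6, 0, profile["ip"], ip["src"])
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    # Link layer: reply to the requester's MAC from the pseudo host's MAC.
    eth_hdr = struct.pack("!6s6sH", eth["src"], profile["mac"], 0x0800)
    return eth_hdr + ip_hdr + tcp_hdr


def verify_response(frame: bytes) -> bool:
    """Recompute both checksums over the finished frame; each folds to zero when correct."""
    ip_hdr = frame[ETH_LEN:ETH_LEN + IP_LEN]
    tcp_seg = frame[ETH_LEN + IP_LEN:]
    pseudo = struct.pack("!4s4sBBH", ip_hdr[12:16], ip_hdr[16:20], 0, 6, len(tcp_seg))
    return checksum(ip_hdr) == 0 and checksum(pseudo + tcp_seg) == 0


def make_sample_frame(flags: int = SYN) -> bytes:
    """Constructed request: 10.0.0.5:40000 -> virtual host 10.0.0.20:22 (request checksums left 0)."""
    tcp = struct.pack("!HHIIHHHH", 40000, 22, 1000, 0, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 20]))
    eth = struct.pack("!6s6sH", b"\x02\x00\x00\x00\x00\x20", b"\x02\x00\x00\x00\x00\x05", 0x0800)
    return eth + ip + tcp


if __name__ == "__main__":
    resp = build_decoy_response(make_sample_frame(), PSEUDO_PROFILE)
    print(demultiplex(resp)[1:3], "checksums ok:", verify_response(resp))
```

The point of the structure is that the pseudo host's characteristics are injected at the layer that owns them (window and ISN in TCP, TTL, DF and source address in IP, MAC in Ethernet), so a remote host that fingerprints by any one layer sees a consistent picture; `demultiplex` run over the response is the same check an observer would perform.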
One benefit of the present invention is a better deception. By analyzing the type of destination host sought, the invention provides a network host or device decoy which appears more convincing and realistic to the would-be attacker. Consequently, detection of the pseudo host is minimized.