In a remote desktop environment, a computer, referred to herein as a “thin client,” is connected to a server, referred to herein as a “client blade,” via a network (e.g., local area network, wide area network). A “thin client” may refer to a user's computer that performs no application processing. The thin client functions like an input/output terminal, processing only keyboard and mouse input and screen output, and all application processing is performed on a server, such as a client blade. A “client blade” may refer to a typical server that does not include a storage unit (e.g., hard disk drive, floppy disk drive). Typically, a group of client blades are housed in one location, which may be referred to as a “BladeCenter™.” Each client blade in the BladeCenter™ may plug into a single cabinet or individual port card that adds connectivity to a switch which is used for switching control to a particular client blade. Out of the group of client blades in the BladeCenter™, one or more of them may be designated for servicing particular information (e.g., human resource information, financial data, engineering data).
Once a user of a thin client is connected to a designated client blade to service particular information, the connection may later be compromised by an intruder. There are many types of attacks or intrusions (e.g., Internet Protocol (IP) spoofing, denial of service attacks, denial of service spoofing, SYN flooding) that can break the connection between the user of the thin client and the designated client blade. Once the connection between the user of the thin client and the designated client blade is broken, the intruder may essentially act as the user of the thin client, thereby maintaining a connection between the client blade and the intruder. The intruder may then have the opportunity to access information that may be personal, such as financial information.
The following are some examples of different types of attacks or intrusions. These are not meant to be exhaustive. One example of an attack involves someone “sniffing” or “snooping” the data traffic within a network. Even though the data payload may be encrypted, the Transmission Control Protocol/Internet Protocol (TCP/IP) headers and routing information are not. Using the snooping technique, the intruder can determine the unique Media Access Control (MAC) physical address and couple it to the user's assigned IP address. Once the targeted MAC and IP addresses are known, the intruder can then send a message to the unsuspecting user and have the TCP/IP protocol route the return packet to the intruder. This method of intrusion is known as “IP spoofing.” The intruder spoofs the connection, thereby later breaking the current connection, and is therefore able to access the targeted client blade.
Another type of attack is called a denial of service spoof. In this scenario, a user types in the name of a domain, such as computerlanguage.com. The network converts the domain name into an IP address. Since each network routing point contains cached entries in a routing table, an intruder may be able to obtain the domain name/IP relationship from this table once the connection has been made. The intruder carrying out the denial of service spoof spoofs the response to the request, and the response is sent directly to the intruder rather than to the user requesting the information. Once this information is obtained, an Ethernet packet is sent to that user and the response is redirected or “spoofed” to the intruder.
Yet another method of network attack that allows an intruder access to an unsuspecting user is a source routing option for Ethernet TCP/IP traffic. When a message is broadcast to a number of users, the response traffic is routed to a specific user using a certain path. The intruder then has access and a connection to that endpoint because the intruder is able to determine the network route.
These attacks or intrusions break the connection to the end user of the thin client, and the end user is unable to communicate with or contact the client blade. If the client blade is left connected with the intruder, theft or some malicious attack on the client blade may occur, as discussed above. If, however, the intrusion is detected, then appropriate actions may be taken to thwart the theft or malicious attack.
Therefore, there is a need in the art for detecting an intrusion in the connection between the end user of the thin client and the client blade and taking appropriate actions, thereby ensuring, at least in part, the security of the connection.