This invention relates to computer networks, and more particularly to prevention of unauthorized access to a local network from computers external to the local network.
Prevention of unauthorized access by outsiders to a computer network is a part of any network management program. This security problem has been complicated by recent trends in internetworking of a previously isolated private networks with value added networks, public networks (such as the internet), and with the networks of other enterprises.
Firewalls are one approach to preventing unauthorized access. Essentially, a firewall is a control layer inserted between an enterprise""s network and the outside. It permits only some traffic to pass through. The firewall is configured by the administrator of the local network based on the enterprise""s security policy. For example, the firewall may block traffic of a certain type, traffic from certain addresses, or traffic from all but a predetermined set of addresses.
Techniques used by network intruders for penetrating network system security have evolved in pace with sophisticated methods for detecting the intruders. Detection methods include software solutions, specifically, software intrusion detection systems, which continually monitor network traffic and look for known patterns of attack.
When an intrusion detection system detects inappropriate activity, it generates appropriate alarms and provides other responses while the attack is occurring. For example, the intrusion detection system might report the attack, log the attack, and terminate the misused connection.
One approach to intrusion detection relies on known patterns of unauthorized activity, referred to as xe2x80x9csignaturesxe2x80x9d. These signatures are stored, and, in real time, compared to the packet flow incoming to the network. If a match is found, the incoming datastream is assumed to be misused.
Many existing intrusion detection systems are hostbased rather than network based. A host-based system resides on a particular host computer and detects only attacks to that host. A network-based system is connected at some point on a local network and detects attacks across the entire local network.
As an example of network-based intrusion detection, one known pattern of unauthorized access is associated with xe2x80x9cIP spoofingxe2x80x9d, whereby an intruder sends messages to a computer with an IP address indicating that the message is from a trusted port. To engage in IP spoofing, the intruder must first use a variety of techniques to find an IP address of a trusted port and must then modify the packet headers so that it appears that the packets are coming from that port. This activity results in a signature that can be detected when matched to a previously stored signature of the same activity.
One aspect of the invention is a method of detecting unauthorized access on a network as indicated by signature analysis of packet traffic on the network. A plurality of intrusion detection sensors are connected at a network entry point associated with an internetworking device, such as a router or switch. The packet load to the sensors is xe2x80x9cload balancedxe2x80x9d, such that said packets are distributed at least at a session-based level. The load balancing may be at a lower (packet-based) level, which tends to more evenly distribute the load on each sensor but requires additional processing external to the sensors or requires sharing of session-level data between sensors. The sensors are used to detect signatures indicated by the packets. Packets indicating a composite signature from multiple sessions are delivered to a network analyzer, which detects the composite signatures. The results of the detection performed by the sensors and the network analyzer are used to determine if there is an attempt to gain unauthorized access to the network.
An advantage of the invention is that it provides a processor-based intrusion detection system that can keep up with the high traffic throughput of today""s networks. Existing sensors may be used, and the solution provided by the invention is easily scalable.