1. Field of the Invention
The present invention relates to a system for monitoring a local area network (LAN) for attacks made by crackers via the Internet, and protecting the network against those attacks.
2. Description of the Related Art
In recent years, many local area networks (LANs) constructed in organizations such as companies are connected to the Internet for exchanging various items of information or communicating with other networks. For such communications, the IP (Internet Protocol) is used as a protocol mainly corresponding to a network layer in a so-called OSI hierarchical model, and communication data are exchanged in the form of IP packets. It is customary to use the TCP (Transmission Control Protocol) or the UDP (User Datagram Protocol) as a protocol mainly corresponding to a transport layer that is higher in rank than the above network layer.
The networks of the type described above are advantageous in that they can exchange a wide variety of different items of information at a low cost with servers and other networks on the Internet. However, since the Internet is highly accessible to the public, the networks connected to the Internet are always subject to attacks from so-called crackers (i.e. ill-willed hackers). Therefore, the networks are required to be protected against such attacks.
One known system for protecting a network against attacks is a firewall (specifically, a computer having the function of a firewall) at the gateway of the network. The firewall serves to prevent communications of the types prescribed by the network administrator from occurring between the network and external networks. The types of such communications can be specified by source IP addresses, destination IP addresses, and destination port numbers that are contained in IP packets, for example.
The firewall is capable of inhibiting hosts (computers) which have certain IP addresses in the network and certain port numbers of the hosts from being accessed from external networks, and also inhibiting the network from being accessed by IP addresses other than certain IP addresses outside of the network. Consequently, if the types of communication data that are to be inhibited from entering the network are rigorously established with respect to the firewall, then it is possible for the firewall to reduce the danger of attacks against the network.
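The following Python sketch is an added illustration, not part of the patent text, of the kind of packet filter described above: a first-match rule list keyed on source address, destination address and destination port, with an implicit final deny so that any communication the administrator did not explicitly permit is blocked. The hosts, prefixes (RFC 5737 documentation ranges) and rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields the text says a firewall filters on."""
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                                   # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network] = None   # None matches any source
    dst: Optional[ipaddress.IPv4Network] = None   # None matches any destination
    dst_port: Optional[int] = None                # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(pkt.src_ip) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst_ip) not in self.dst:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed topology: the protected LAN and one trusted external network.
INTERNAL = net("192.0.2.0/24")
PARTNER = net("203.0.113.0/24")

# Rules are evaluated top to bottom; the first match decides.
RULES: List[Rule] = [
    Rule("permit", dst=net("192.0.2.10/32"), dst_port=80),   # public web server, HTTP
    Rule("permit", dst=net("192.0.2.10/32"), dst_port=443),  # public web server, HTTPS
    Rule("permit", src=PARTNER, dst=INTERNAL),               # partner may reach any internal host
    Rule("deny", dst=INTERNAL),                              # every other inbound access is blocked
]


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, int]:
    """Return (action, index of the deciding rule); -1 means the implicit default applied."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return default, -1


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "192.0.2.10", 80),   # anyone to the web server: permit
        Packet("198.51.100.7", "192.0.2.10", 22),   # anyone to SSH on the web server: deny
        Packet("203.0.113.5", "192.0.2.20", 22),    # partner to an internal host: permit
        Packet("198.51.100.7", "192.0.2.20", 80),   # stranger to an internal host: deny
    ]
    for pkt in samples:
        action, idx = evaluate(RULES, pkt)
        print(f"{pkt.src_ip} -> {pkt.dst_ip}:{pkt.dst_port}  {action} (rule {idx})")
```

Because the first matching rule wins, the order of the list is part of the policy: moving the final deny above the partner rule would silently lock the partner out, which is the kind of configuration subtlety the text attributes to the need for skilled administrators.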
However, in order to establish those types of communication data, the network administrator needs a high level of knowledge and understanding of a wide range of network-related technologies, including communication technology, network technology, and crackers' attack schemes, and must also be well acquainted with the structure and operating details of the individual network.
The types of communications to be blocked by the firewall have to be determined in view of what information the hosts in the protected network use and provide to external networks, what information in the network is to be protected, and what attacks are expected to be launched on the network. Highly skilled network engineers are required to determine those types of communications to be blocked by the firewall. If the network to be protected is relatively large or handles a vast variety of information, then it is difficult even for highly skilled network engineers to make appropriate settings for the types of communications to be blocked by the firewall. When the structure of a network is changed, or a network is actually attacked by a cracker, or a newly devised attack is launched on a network, it is often necessary to reconstruct the settings of the firewall. To this end, the entire system including the firewall needs to be continuously operated and managed.
Consequently, establishing proper settings for a firewall and continuously operating and managing it require a large expenditure of skilled engineering labor and a large expenditure of cost.
The conventional firewall of a network is designed to preclude all communications that could possibly be used to attack the network. Therefore, the types of communications that are inhibited by the firewall settings are uniformly excluded regardless of whether those communications are actually due to crackers' attacks. Stated otherwise, the freedom of communications between the network and external networks is unduly limited. Accordingly, a network with a firewall suffers a limitation on the information-providing services that are available on the Internet. As a result, the network is unable to enjoy many information resources on the Internet.