1. Technical Field
The present invention relates in general to the field of data processing, and, in particular, to an improved data processing system and method for protecting a server farm from a malicious intrusion.
2. Description of the Related Art
Server farms are service-providing entities consisting of clusters of data processing systems, often referred to as “machines.” Each machine typically has identical software and hardware configurations, and thus the machines are often referred to as “clones.” Customer service requests are distributed across the machines in a “machine pool,” thus spreading the request load across the machine pool.
Server farms are often used to provide mission-sensitive services for high-end enterprise businesses, where security of information and system integrity are of utmost concern. However, server farms are inherently exposed, since all machines in the server farm share the exact same configuration and are therefore susceptible to the same attack. That is, since the machines are identical, each has the same vulnerability, and each can be compromised by the same intrusion software, such as a hacking program or a virus. Thus, once one machine in a farm is compromised, all other machines in the farm can quickly be compromised in the same way.
There are many forms of intrusion software. However, most follow seven basic steps after gaining access to the server farm through an unsecured port, typically a port reachable over an Internet Protocol (IP) connection.
First, the server farm is scanned to identify which operating systems (OSs) and/or applications are running. This allows the intrusion software to be configured to attack known vulnerabilities of those operating systems and other programs.
Second, the intrusion software enumerates the server farm. This enumeration includes learning the network topology, including details of the hardware configuration of the machines and their peripherals, how the machines interface with one another, and how they interface with networks outside the server farm. Enumeration also includes learning what users and groups use the server farm, and what the overall purpose of the server farm is.
Third, the intrusion software penetrates the security of the server farm. That is, with the information obtained in the first two steps, the intrusion software captures passwords by guessing, sniffing and cracking, including both user and administrator passwords. As the terms suggest, “guessing” involves repeated login attempts against the live system using common passwords (the current date, common names, etc.); “sniffing” involves monitoring network traffic and capturing passwords sent in the clear in protocol headers or payloads; and “cracking” involves recovering passwords offline from captured password hashes or other protected forms, using dictionary, brute-force or other recovery techniques.
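The distinction between “guessing” and “cracking” above is easier to see in code. The following is an added example, not part of the patent text: it builds a constructed login service whose password store uses salted PBKDF2 hashing (an assumption; the page does not say how the farm stores passwords) and a hypothetical lockout after five failed attempts, then runs the same constructed wordlist against the live service (online guessing, which the lockout cuts short) and against a copied salt and hash (offline cracking, which no lockout can stop). The account names, passwords and wordlist are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the "common passwords" a guesser or cracker tries first.
WORDLIST = ["123456", "password", "letmein", "Summer2019", "admin", "welcome1"]


def hash_password(password, salt, rounds=10_000):
    """Salted, iterated PBKDF2-SHA256 (assumed store format). The salt defeats precomputed
    tables; the iteration count makes every offline candidate cost the attacker `rounds` hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


class LoginService:
    """Constructed stand-in for one farm machine's login: verifies passwords and locks an
    account after `lockout_after` consecutive failures (hypothetical policy)."""

    def __init__(self, users, lockout_after=5):
        self.lockout_after = lockout_after
        self.failures = {}
        self.store = {}
        for user, pw in users.items():
            salt = os.urandom(16)
            self.store[user] = (salt, hash_password(pw, salt))

    def login(self, user, password):
        if self.failures.get(user, 0) >= self.lockout_after:
            return False  # locked out: every further online guess fails regardless of value
        salt, stored = self.store[user]
        if hmac.compare_digest(hash_password(password, salt), stored):
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


def online_guess(service, user, wordlist):
    """Step-three 'guessing': try common passwords against the live service.
    Returns the password if found, else None (lockout or exhausted wordlist)."""
    for candidate in wordlist:
        if service.login(user, candidate):
            return candidate
    return None


def offline_crack(salt, stored_hash, wordlist):
    """Step-three 'cracking': the attacker already holds the salt and hash (for example from a
    pillaged password file) and recomputes candidates locally, so no lockout applies."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
            return candidate
    return None


if __name__ == "__main__":
    svc = LoginService({"alice": "welcome1", "bob": "Tr0ub4dor&3-xkcd"})
    print("online guess for alice:", online_guess(svc, "alice", WORDLIST))   # None: locked out
    salt, stored = svc.store["alice"]
    print("offline crack for alice:", offline_crack(salt, stored, WORDLIST))  # welcome1
    salt, stored = svc.store["bob"]
    print("offline crack for bob:", offline_crack(salt, stored, WORDLIST))    # None: not in wordlist
```

The point for the server farm is that the lockout protects only against the online step; once one clone's password file has been pillaged (step five), every identically configured clone that shares those credentials is exposed to the offline step.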
Fourth, the intrusion software escalates the attack by attacking the operating system and named pathways using the access provided by the passwords stolen in step three. Control of the system is seized by the intrusion software, allowing it to perform mischief.
Fifth, the intrusion software, now having control of the operating system and associated applications and pathways, begins to pillage the server farm. This pillaging includes taking whatever the intrusion software desires, subject to its ability. Pillaging includes obtaining deeper-level security information such as system decryption keys and registry keys, finding deeper hidden passwords, reading all available files, such as payroll information and other proprietary information, vandalizing logs, launching denial-of-service attacks, etc.
Sixth, the intrusion software becomes interactive, seizing control of remote interfaces and shells, which gives it the ability to further intrude on and/or corrupt other remotely connected systems.
Seventh, the intrusion software expands its influence using the interactive ability developed in step six, by spreading viruses, auditing other secure networks and server farms, etc.
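The first three steps leave traces that a farm can detect before the attack escalates: a scan touches many ports from one source in a short time, and password guessing produces a burst of failed logins from one source. The following added example (not part of the patent, and not any product's detection logic) runs two such detectors over constructed log lines in a hypothetical `key=value` format; the IP addresses, timestamps, thresholds and window sizes are all assumptions chosen for illustration, and real firewall and authentication logs would need their own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log in a hypothetical format: timestamp, source address, event type, extra fields.
# 203.0.113.7 scans ten ports within seconds and then guesses passwords for several accounts;
# 198.51.100.2 is ordinary traffic with a single mistyped password.
SAMPLE_LOG = """\
2004-03-01T10:00:01 src=203.0.113.7 event=conn dst_port=21
2004-03-01T10:00:01 src=203.0.113.7 event=conn dst_port=22
2004-03-01T10:00:01 src=203.0.113.7 event=conn dst_port=23
2004-03-01T10:00:02 src=203.0.113.7 event=conn dst_port=25
2004-03-01T10:00:02 src=203.0.113.7 event=conn dst_port=53
2004-03-01T10:00:02 src=203.0.113.7 event=conn dst_port=80
2004-03-01T10:00:03 src=203.0.113.7 event=conn dst_port=110
2004-03-01T10:00:03 src=203.0.113.7 event=conn dst_port=139
2004-03-01T10:00:03 src=203.0.113.7 event=conn dst_port=443
2004-03-01T10:00:04 src=203.0.113.7 event=conn dst_port=445
2004-03-01T10:00:05 src=198.51.100.2 event=conn dst_port=443
2004-03-01T10:00:06 src=198.51.100.2 event=auth_fail user=carol
2004-03-01T10:00:10 src=198.51.100.2 event=auth_ok user=carol
2004-03-01T10:05:00 src=203.0.113.7 event=auth_fail user=admin
2004-03-01T10:05:04 src=203.0.113.7 event=auth_fail user=root
2004-03-01T10:05:09 src=203.0.113.7 event=auth_fail user=administrator
2004-03-01T10:05:15 src=203.0.113.7 event=auth_fail user=guest
2004-03-01T10:05:22 src=203.0.113.7 event=auth_fail user=admin
2004-03-01T10:05:30 src=203.0.113.7 event=auth_fail user=root
2004-03-01T10:06:00 src=198.51.100.2 event=conn dst_port=80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\S+)(?: (?P<rest>.*))?$")


def parse_log(text):
    """Turn each well-formed line into a dict; malformed lines are skipped rather than crashing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        extra = dict(kv.split("=", 1) for kv in (m.group("rest") or "").split())
        events.append({"ts": datetime.fromisoformat(m.group("ts")),
                       "src": m.group("src"), "event": m.group("event"), **extra})
    return events


def _windows(events_for_src, window):
    """For each event (in time order) yield it together with the events up to `window` later."""
    evs = sorted(events_for_src, key=lambda e: e["ts"])
    for i, start in enumerate(evs):
        end = start["ts"] + window
        yield [e for e in evs[i:] if e["ts"] <= end]


def detect_port_scans(events, min_ports=8, window=timedelta(seconds=60)):
    """Step one: a source touching at least `min_ports` distinct ports within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "conn":
            by_src[e["src"]].append(e)
    flagged = set()
    for src, evs in by_src.items():
        if any(len({e["dst_port"] for e in w}) >= min_ports for w in _windows(evs, window)):
            flagged.add(src)
    return flagged


def detect_password_guessing(events, min_failures=5, window=timedelta(seconds=120)):
    """Step three: a source with at least `min_failures` failed logins within `window`, across any
    accounts (counting per source, not per account, also catches one-guess-per-user spraying).
    Returns {source: sorted list of targeted users}."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "auth_fail":
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        for w in _windows(evs, window):
            if len(w) >= min_failures:
                flagged[src] = sorted({e["user"] for e in w})
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scanners:", detect_port_scans(evs))              # {'203.0.113.7'}
    print("guessers:", detect_password_guessing(evs))       # {'203.0.113.7': ['admin', 'administrator', 'guest', 'root']}
```

Thresholds are the tuning knob: a window and count too small will flag a legitimate user who mistypes a password twice, while too large a window lets a slow scan spread its probes out under the threshold.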
The usual response to an intrusion is to contain the attack as much as possible. The system administrator reconfigures a firewall to block future messages originating from the attacker's Internet Protocol (IP) address, thus preventing future attacks from that address. The attacked machine is assumed to be compromised, and is therefore isolated, since a single compromised (hacked) machine can have disastrous consequences: the security breach of that single machine can bring down the entire server farm if not dealt with.
To isolate the compromised machine and avoid bringing down the entire server farm, the compromised machine is communicatively disconnected both from the other machines in the server farm and from outside networks by disabling the compromised machine's IP address. However, this approach alerts the hacker that the malicious intrusion has been detected, and any attempt to track the hacker by keeping him on line and learning more about him (such as his originating IP address) is thwarted by the hacker's likely disconnection of the session with the compromised machine. Further, the hacker usually has the IP addresses of other machines in the server farm at his disposal, and will simply hack into the server farm again using the IP address of one of those machines.
Another response known in the prior art for fighting intrusions involves the use of a “honeypot.” A honeypot is a server that contains data, typically false, designed to attract the attention of the person or program that initiated the intrusion. Such data may include an ersatz list of passwords, payroll information, security protocols, trade secrets and other information that would be attractive to a hacker. However, honeypots used in the prior art have two main disadvantages. First, honeypots used in the prior art are dedicated servers that are isolated from the server farm. That is, the honeypot never processes real work, since real work could be detected and compromised by the intrusion. Thus, the honeypot server is non-productive while waiting for an intrusion to occur, which might never happen. If an intrusion is never detected, then the resources spent buying and maintaining the honeypot are wasted. Second, most honeypots are designed not only to handle an intrusion directly, but also to receive an intrusion that was first received by a non-honeypot machine in the server farm. When such a hand-off to the honeypot occurs, the hacker is able to detect the re-routing of the intrusion, thus tipping him off that the new server is likely a honeypot.
Therefore, there is a need for a method and system for handling an intrusion to a server farm without requiring the use of a full-time dedicated server for receiving the intrusion, either directly or indirectly. Preferably, the method and system do not alert the hacker that the intrusion has been detected, or that the server being hacked contains anything but real and valuable data.