Computing networks can include multiple network devices such as routers, switches, hubs, servers, desktop PCs, laptops, and workstations, and peripheral devices, e.g., printers, facsimile devices, and scanners, networked together across a local area network (LAN) and/or wide area network (WAN) in a wired and/or wireless fashion.
A given network architecture may wish to treat a certain part of a network, e.g., edge devices, differently from core network devices. Additionally, a given network architecture may wish to treat certain users of the network differently from others in order to maintain integrity of the network.
One way to maintain integrity of a network includes use of an integral intrusion prevention and/or detection system (IPS/IDS) that serves to detect unwanted intrusions and activities on the computer network. Unwanted network intrusions and activities may take the form of attacks by computer viruses and/or hackers, among others, trying to access the network. An intrusion system (IS), e.g., an IPS and/or IDS, may identify different types of suspicious network traffic and network device usage that may not be detected by a conventional firewall. Thus an IS may identify network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, denial of service attacks, port scans, unauthorized logins and access to sensitive files, viruses, Trojan horses, worms, etc. As used herein, “IS” is used to indicate intrusion system(s), i.e., both the singular and plural.
Such integral hardware and software IPS/IDS tools are expensive. Thus, in previous approaches, to identify suspicious network traffic, an IPS/IDS would only be loaded onto a switch, router, hub, etc., in a core part of the network. Moreover, the integral IPS/IDS would only be implemented at the core in an effort to capture the greatest amount of network traffic, since data traffic needs to pass through the point of the network where the IPS/IDS is located in order for suspicious activity to be detected. If an IPS/IDS is not included as part of a switch, router, hub, etc., attacks passing through that network device cannot be detected. Hence, in previous integral approaches the ability to selectively detect such suspicious network traffic within particular parts of a network was either compromised by not having an IPS/IDS local to each device or would effectively require placement of an IPS/IDS at each device location. For large network systems, however, making an IPS/IDS integral to each network device is both expensive to implement and complex to maintain.
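The placement trade-off described above can be made concrete with a small coverage model. The following is an added example, not part of the original text: it builds a constructed topology (one core switch, two edge switches, four hosts), routes each host-to-host flow over its shortest path, and reports which flows an IS placed at a given set of devices would actually see. Node names, the topology and the shortest-path routing are assumptions made for the illustration.

```python
from collections import deque
from itertools import combinations

# Constructed sample topology (undirected links): hosts hang off edge
# switches, and the two edge switches meet only at the core switch.
TOPOLOGY = {
    "core": {"edge1", "edge2"},
    "edge1": {"core", "h1", "h2"},
    "edge2": {"core", "h3", "h4"},
    "h1": {"edge1"}, "h2": {"edge1"},
    "h3": {"edge2"}, "h4": {"edge2"},
}
HOSTS = sorted(n for n in TOPOLOGY if n.startswith("h"))
# Every unordered host pair is one flow to be inspected.
FLOWS = list(combinations(HOSTS, 2))


def shortest_path(graph, src, dst):
    """Breadth-first search; returns the node list from src to dst ([] if unreachable)."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(graph[node]):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return []
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def coverage(graph, flows, is_nodes):
    """Count the flows whose path crosses a device hosting an IS, and list the misses."""
    inspected = {f for f in flows if set(shortest_path(graph, *f)) & set(is_nodes)}
    return len(inspected), sorted(set(flows) - inspected)


if __name__ == "__main__":
    # A core-only IS never sees traffic between two hosts on the same edge switch.
    print("core only:", coverage(TOPOLOGY, FLOWS, {"core"}))
    # An IS at every edge switch sees all flows, at the cost of one IS per device.
    print("every edge:", coverage(TOPOLOGY, FLOWS, {"edge1", "edge2"}))
```

Running it shows the core-only placement missing the two intra-edge flows, which is exactly the blind spot the text attributes to core-only deployment.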
In addition to use of an IPS/IDS device, previous approaches have included the use of network appliances that are not truly part of the network. These network appliances are essentially plugged into the network to monitor network traffic at a particular location in the network. Since network appliances are not part of the network infrastructure, they may not be able to selectively monitor traffic in-line with a given network path.