The proliferation of computing platforms, and their connection to wide area networks such as the Internet, has led to increased susceptibility to malicious actions on the part of people both inside and outside an organization. Hackers and disgruntled employees have demonstrated the ability to penetrate computer resources and then use those resources in attacks on other networks.
For instance, hackers have taken over computer resources within organizations and used those resources to launch denial of service attacks on Internet content providers and on Internet merchants.
In the past, control of computer resources has been limited to firewalls or other such protection at critical network borders. For instance, a firewall might be placed at an enclave border (such as the network connection to the Internet). The firewall then watches all the traffic coming into the enclave.
A majority of computer security problems are, however, caused by people who are already inside the enclave. Perimeter firewalls are not effective at addressing such problems. In addition, the establishment of a virtual private network between a host computer within the enclave and a computer outside the enclave can be used to frustrate the efforts of the perimeter firewall to review content passing in and out of the enclave.
Furthermore, dedicated firewalls are too expensive for homes and small businesses. Software firewalls have been proposed for providing firewall functionality to home and small business computers. Such systems have the fundamental problem that the security mechanism is built on operating systems which are themselves vulnerable to compromise.
Recently, integrated circuit technology has allowed the distribution of aspects of firewall protection to devices such as network interface cards (NICs), modems, repeaters, switches and routers. U.S. Pat. No. 5,968,176, issued Oct. 19, 1999 to Nessett et al. describes a way of configuring such devices in order to map a security policy restricting access to computer resources within the enclave across a heterogeneous group of security devices within the enclave.
Approaches such as that described by Nessett et al. reduce the load on perimeter firewalls by distributing aspects of the firewall to internal devices. They do this by determining the enclave's topology and mapping rules within the security policy to devices within the enclave. The rules mapped to a device are converted into configuration parameters associated with the device; the configuration parameters are then written to the device in order to implement the rule.
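The following sketch illustrates the mapping step just described: a rule is assigned to the device that most closely fronts the protected resource and then converted into that device's configuration parameters. It is an added example, not code from this patent or from Nessett et al.; the topology, the rule format, and the per-device parameter formats are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # source address or network
    dst: str      # protected destination address or network
    port: int
    action: str   # "permit" or "deny"

# Constructed enclave topology: device -> subnets it directly fronts.
# A host NIC fronts only its own host, a switch its segment, the router the enclave.
TOPOLOGY = {
    "nic-host7": ["10.1.0.7/32"],
    "switch-a": ["10.1.0.0/24"],
    "router-edge": ["10.0.0.0/8"],
}

def map_rule(rule, topology=TOPOLOGY):
    """Choose the enforcement point closest to the protected destination:
    the device fronting the longest-prefix subnet that contains rule.dst."""
    dst = ipaddress.ip_network(rule.dst, strict=False)
    best = None
    for device, nets in topology.items():
        for n in nets:
            net = ipaddress.ip_network(n)
            if dst.subnet_of(net) and (best is None or net.prefixlen > best[1]):
                best = (device, net.prefixlen)
    return best[0] if best else None

def to_config(device, rule):
    """Convert a rule into device-specific configuration parameters.
    Both formats below are invented for this example, not vendor syntax."""
    if device.startswith("nic-"):
        return {"filter": rule.action, "remote": rule.src, "local_port": rule.port}
    return f"access-list {rule.action} {rule.src} {rule.dst} port {rule.port}"

def compile_policy(rules, topology=TOPOLOGY):
    """Map every rule to a device and collect the parameters to write to each."""
    configs = {}
    for rule in rules:
        device = map_rule(rule, topology)
        if device is None:
            raise ValueError(f"no device in the topology fronts {rule.dst}")
        configs.setdefault(device, []).append(to_config(device, rule))
    return configs
```

The result is a one-time snapshot: changing the topology or the policy requires recompiling and rewriting every affected device.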
Such approaches do, however, have a drawback. They tend to be static implementations of rules and may, therefore, have difficulty adjusting to changing conditions. What is needed is a system and method of enforcing a security policy by distributing aspects of the security policy across a number of devices while retaining the ability to react to attacks and to changes in the computing environment.