Remote network access has become critical to most businesses. Businesses simply cannot compete without providing email, internet access, and other remote-access services to employees. Furthermore, many businesses provide access to their respective private networks from external locations through virtual private network (VPN) or other secure connections. This remote use of networks has resulted in tremendous improvements in productivity and flexibility. However, these improvements do not come without risk.
Each of these services requires a network to have at least one interface to external communications connections or networks, most often the internet. Any network that provides an interface to the internet is at risk of attack. Attacks can take any number of forms: attempts to gain access to private information, attacks designed to degrade or hamper the performance of the network or devices (such as servers) therein, and attacks to deny external access, to name just a few. A variety of systems exist that operate to thwart these attacks. For example, many networks employ firewalls to prevent unwanted access. Firewalls operate by blocking internet traffic exhibiting certain predefined characteristics, such as traffic that originates from a particular internet address, traffic that attempts to access a particular network port, or traffic that attempts to access a particular destination within the network. Firewalls are advantageous as they characterize and block internet traffic quickly. Conventional firewalls, however, are limited in the scope of the data that can be analyzed and blocked. For example, firewalls are typically limited in that they can only analyze data at the network layer of the TCP/IP protocol stack, and even advanced firewalls allow only limited analysis at the application layer. Furthermore, firewalls rely on advance knowledge by the network administrator of the type of traffic that should be blocked.
To improve security, some networks add devices known as intrusion-detection or intrusion-prevention systems (referred to collectively herein as an IDS) to make up for some of the failings of a firewall. IDSs are conventionally installed just behind the firewall, and are used to provide further analysis of traffic that is not blocked by the firewall. IDSs typically provide more expansive analysis of incoming traffic (in comparison to a firewall), can often analyze traffic across connections, and can identify traffic from disparate addresses that may be part of a single attack, such as a distributed denial-of-service attack. Conventional IDSs are also capable of analyzing data on all layers of the network protocol stack. This enhanced functionality is not without cost, however.
To obtain their full benefit, IDSs are conventionally installed inline with the firewall so that they are able to block unwanted traffic. Because the additional analysis takes time, the use of an IDS can significantly slow network traffic. IDSs can also be complex, requiring an increased level of expertise from a company's information technology (IT) staff. Furthermore, IDSs can be expensive, not only in the cost of hiring IT staff, consultants, or other service providers with the appropriate expertise, but also in purchasing, implementing, and managing the equipment and software required to support the IDS. Additionally, because poor monitoring of an IDS yields little benefit to the protected network, a much higher level of monitoring activity must take place in a network that employs an IDS, further increasing the cost of the system. For these and other reasons, many companies that would otherwise benefit from an IDS may not install one, thus leaving their network insufficiently protected.
A second problem with existing IDS and firewall technology is that IDSs and firewalls are typically only aware of attacks on the network in which they are installed. Network attacks are rarely performed on a large number of networks at the same time. Accordingly, as one network experiences a new type of attack, other networks cannot protect themselves from the attack unless a network administrator recognizes the attack and publishes the characteristics of the attack—accurately and in sufficient detail—so that other network administrators can configure their firewalls and IDSs to recognize and defend against the new type of attack.
A third problem with conventional IDSs is that they are only capable of blocking known attacks. Specifically, conventional IDSs operate by matching aspects of network traffic with signatures that have been determined to be indicative of a particular attack. Accordingly, IDSs cannot block an attack until that attack has been both launched against at least one network and analyzed by security analysts who generate a signature for that attack. Thus, even the most diligent efforts of network security analysts cannot provide conventional IDSs with the capability to block new attacks.
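The following is an added illustration, not part of this patent text, of the firewall and signature-based IDS behaviour described in the preceding paragraphs: a firewall that sees only source address, destination port and destination host; behind it an IDS that matches application-layer signatures and correlates across connections (many distinct sources hitting one host); and, as the paragraph above notes, a request whose pattern has no signature yet passes both stages undetected. All addresses, signatures and traffic records are constructed sample data, and the `Packet`, `IDS` and `run_pipeline` names are hypothetical.

```python
"""
Toy model of a network-layer firewall in front of a signature-based IDS.
Everything below is constructed sample data for illustration; it is not a
real firewall or IDS rule set.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str       # source address (constructed, RFC 5737 test ranges)
    dst: str       # destination host inside the protected network
    dport: int     # destination port
    payload: str   # application-layer data, as text


# --- Firewall: only network/transport-layer attributes are visible -----------
FIREWALL_RULES = {
    "blocked_sources": {"203.0.113.9"},   # constructed "known bad" source
    "blocked_ports": {23},                # e.g. refuse telnet from outside
    "blocked_destinations": {"10.0.0.99"},  # host not meant to be reachable
}


def firewall_allows(pkt: Packet, rules=FIREWALL_RULES) -> bool:
    """Block on source address, destination port or destination host only.
    The payload is never examined here, which is the limitation the text
    describes for conventional firewalls."""
    if pkt.src in rules["blocked_sources"]:
        return False
    if pkt.dport in rules["blocked_ports"]:
        return False
    if pkt.dst in rules["blocked_destinations"]:
        return False
    return True


# --- IDS: application-layer signatures plus cross-connection correlation ----
# Hypothetical signatures: simple substrings standing in for a real rule language.
SIGNATURES = {
    "SIG-001 directory traversal": "../../",
    "SIG-002 script tag in request": "<script>",
}


@dataclass
class IDS:
    signatures: Dict[str, str] = field(default_factory=lambda: dict(SIGNATURES))
    flood_threshold: int = 3   # distinct sources per destination before alerting
    _sources_by_dst: Dict[str, Set[str]] = field(
        default_factory=lambda: defaultdict(set))

    def inspect(self, pkt: Packet) -> List[str]:
        """Return the alert names raised for this packet (empty = clean)."""
        alerts = [name for name, pattern in self.signatures.items()
                  if pattern in pkt.payload]
        # Cross-connection view: remember which sources have hit each host,
        # so that traffic from disparate addresses can be tied together.
        self._sources_by_dst[pkt.dst].add(pkt.src)
        if len(self._sources_by_dst[pkt.dst]) >= self.flood_threshold:
            alerts.append("CORR-001 many sources to one destination")
        return alerts


def run_pipeline(packets: List[Packet],
                 ids: Optional[IDS] = None) -> List[Tuple[Packet, str, List[str]]]:
    """Pass each packet through the firewall, then (if allowed) the IDS.
    Returns (packet, disposition, alerts) per packet."""
    ids = ids or IDS()
    results = []
    for pkt in packets:
        if not firewall_allows(pkt):
            results.append((pkt, "firewall-blocked", []))
            continue
        alerts = ids.inspect(pkt)
        results.append((pkt, "ids-alert" if alerts else "passed", alerts))
    return results


# Constructed traffic sample, in arrival order.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.9", "10.0.0.5", 80, "GET / HTTP/1.1"),             # firewall drops
    Packet("198.51.100.1", "10.0.0.5", 80, "GET /../../etc/passwd"),     # SIG-001
    Packet("198.51.100.2", "10.0.0.5", 80, "GET /?q=<script>x</script>"),  # SIG-002
    Packet("198.51.100.3", "10.0.0.5", 80, "GET /index.html"),           # 3rd source -> CORR-001
    Packet("198.51.100.4", "10.0.0.7", 80, "GET /?p=unknown-new-pattern"),  # no signature: passes
]

if __name__ == "__main__":
    for pkt, disposition, alerts in run_pipeline(SAMPLE_TRAFFIC):
        print(f"{pkt.src:>13} -> {pkt.dst}:{pkt.dport}  {disposition:16} {alerts}")
```

The last record is the point of the paragraph above: its payload matches nothing in the signature table and it comes from a single source, so a purely signature-driven IDS reports it as clean even though it may be a new attack. Only after an analyst has seen such traffic and added a signature would it be caught, which is the gap the later paragraphs describe.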
Accordingly, a need exists for a network protection system that is capable of providing the benefits of an IDS to a network that does not deploy such a system. A need also exists for a network protection system that is capable of receiving updated information identifying attacks that occur on other networks so that the network protection system can prepare for the attack before it occurs. Yet a further need exists for a network protection system that can provide protection against new attacks for which attack signatures have not yet been generated.