The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
In the past, network security sometimes has been implemented by deploying a plurality of static security perimeters around a protected computing system. These static security perimeters may be situated in a concentric manner, so that some of the perimeters completely surround others of the perimeters. One of the goals behind situating multiple perimeters concentrically in this manner is to maintain multiple lines of defense against security breaches. If an outer security perimeter is breached by a threat, then one or more inner security perimeters may yet protect the innermost computing system from the threat.
For example, a network-connected computer might execute virus protection software (referred to herein as “anti-virus software”). The anti-virus software continuously monitors the computer for the presence or arrival of viruses and seeks to eradicate any viruses detected. The anti-virus software may be viewed as a perimeter of defense surrounding the data and application programs stored on the computer. Additionally, the sole mechanism through which the computer receives data from the network might be a network router (simply referred to as a “router” herein) or firewall that examines data packets that are destined for the computer, and prevents data packets with certain specified characteristics from being forwarded on to the computer. The router may be viewed as another perimeter of defense surrounding the data stored on the computer. Still other defensive mechanisms may be situated beyond even the router.
Assuming that all of the defensive mechanisms work as planned, a virus must evade both the defensive mechanisms provided by the router and the defensive mechanisms provided by the anti-virus software before the virus can affect the data stored on the computer. Indeed, because the router might actually prevent a data packet that contains a virus from being forwarded on to the computer in the first place, some viruses might never even reach the anti-virus software. Because the router may eliminate some threats before those threats ever reach the anti-virus software, the router may be viewed as being part of an “outer” security perimeter, and the anti-virus software may be viewed as being part of an “inner” security perimeter that is completely surrounded by the “outer” security perimeter. If, for some reason, a virus evades the router, the virus still may be thwarted by the anti-virus software.
Concentrically situated security perimeters, such as those described in the example above, may be visualized as the series of walls and ramparts that concentrically surrounded a castle's keep in medieval times. Even if the castle's attackers breached the castle's outermost wall, the attackers would still need to breach one or more inner walls within the outermost wall before the attackers could gain access to the innermost keep. Maintaining multiple concentric security perimeters provides greater security than a single perimeter by itself could provide.
As is discussed above, there may be some benefit in having a router inspect data packets before forwarding those data packets on toward computers that are connected to the router. Unfortunately, where many computers are connected to a router, and where the router receives data packets at a high rate and needs to forward those data packets on at a high rate, the router may have little time to inspect each data packet. Data packet inspection can be a computationally expensive task. Designing a router so that the router can inspect a sufficient number of data packets at a sufficiently high rate can significantly increase the monetary expense of the router.
One approach to reducing the expense of a router might entail omitting data packet inspection and other security functions from the router. As a result, the burden of security would fall entirely upon the computers toward which the router was forwarding data packets. This approach would lessen the workload on the router. This approach would also tend to divide the workload among multiple computers, so that each computer would carry less of a workload than the router otherwise would have carried.
However, under such an approach, if the security mechanisms on a particular computer failed, then that computer would be rendered at least partially defenseless against incoming threats. Under such an approach, there might be little or no redundancy or backup plan in the case of failure. Additionally, the individual computers might not be in a position to detect certain kinds of security threats that the router might have been able to detect and prevent by virtue of the router's position within the network and by virtue of the diverse information that passes through the router.
Based on the foregoing, there is a clear need for techniques that reduce the workload on network elements and also provide multiple layers of security to compensate for potential failure at a single layer.