Conventional layered network security is often implemented using a combination of intrusion detection and prevention systems. Intrusion detection (ID) is the process of monitoring events occurring in a computer system or network and analyzing them for signs of possible violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Therefore, an intrusion detection system (IDS) is a network security device or application that monitors network and/or system activities for malicious activities or policy violations and produces reports. Intrusion prevention (IP), on the other hand, is the process of attempting to stop detected potential intrusion incidents. Therefore, an intrusion prevention system (IPS) is a network security device or application that can react, in real-time, to block or prevent malicious or unwanted network and/or system activities.
Conventional approaches to IPS/IDS have included building independent point solutions to provide security such as placing dedicated devices, each having discrete functionality, at various locations in the network in front of one or more protected devices. For example, conventional methods may surround core call processing devices such as session border controller (SBC), class 4 or class 5 network switches, media gateways, and other elements within the service provider network with security detection devices to provide maximum coverage. In the conventional approach, deep packet inspection and firewall functions are provided by devices external to an SBC. One such conventional multi-device solution is illustrated in FIG. 1.
FIG. 1 is a network diagram of a conventional solution including separate SBC and DPI/firewall devices. FIG. 1 represents a logical layout of various components and devices that may be used in a service provider network for providing service protection. Typically, security and vulnerability detection devices may be deployed in the service provider network in-line of the packet flow between service provider and public networks.
Referring to FIG. 1, network 100 may include a service provider core communications network connecting various access communications networks, such as signaling system number 7 (SS7)-based networks (e.g., public switched telephone network (PSTN)) and Internet protocol (IP)-based networks (e.g., Internet). Network 100 may include one or more devices for translating communications between network types while maintaining security for protected areas. For example, network 100 may include class 4 switch 102, class 5 switch 104, and PSTN gateway 106. PSTN gateway 106 may include a network node equipped for interfacing with another network that uses different protocols, such as PSTN 108. Network 100 may also include one or more devices for providing layered network security for protected network devices such as class 4 switch 102, class 5 switch 104, and PSTN gateway 106. For example, intrusion prevention system 110, intrusion detection system 112, SBC 114, encryption/decryption device 116, and deep packet inspection (DPI)/firewall 118 may be located between devices 102-106 and public IP networks 122.
SBC 114 may be a device used in a voice over Internet protocol (VoIP) network to exert control over the signaling and media streams associated with setting up, conducting, and tearing down telephone calls or other interactive media communications. SBC 114 may assist policy administrators in managing the flow of session data across these borders. Additionally, SBC 114 may provide measurement, access control, and data conversion facilities for the calls it controls. SBC 114 may be inserted into the signaling and/or media paths between calling and called parties in a VoIP call, such as those using session initiation protocol (SIP), H.323, or media gateway control protocol (MGCP) call signaling protocols.
DPI/firewall 118 may include any IP network equipment which is not an endpoint, such as a separate device communicatively coupled with SBC 114, that uses non-header packet information (e.g., payload) to search for protocol non-compliance, viruses, spam, intrusions, or other predefined criteria in order to decide what actions to take on the packet, including collecting statistical information. DPI/firewall 118 may also block unauthorized access while permitting authorized communications. For example, DPI/firewall 118 may be connected to public IP network 122, which may include an integrated access device (IAD) (not shown). The IAD may be a customer premises device that provides access to wide area networks and the Internet. Specifically, the IAD may aggregate multiple channels of information, including voice and data, across a single shared access link to a carrier or service provider point of presence (PoP). The access link may be a T1 line, a DSL connection, a cable television (CATV) network, a broadband wireless link, or a metro-Ethernet connection. Public IP network 122 may also include IP phones, 3G phones, dual-mode phones, and IP private branch exchanges (PBX). An IP PBX may include a telephone system designed to deliver voice or video over network 100 and interoperate with PSTN 108.
It may be appreciated that the approach shown in FIG. 1 does not provide for early detection of intrusion incidents or minimize exposure of key network elements. Therefore, with the conventional approach, it is possible for malicious users to proliferate attacks into key parts of the service provider network. For example, FIG. 1 illustrates a scenario in which malicious user 120 transmits packets exploiting vulnerabilities that are detectable only by IDS 112. According to the conventional approach shown in FIG. 1, detection does not occur until the packet has traversed firewall 118, encryption/decryption device 116, and SBC 114, because IDS 112 sits behind those devices in the packet processing path. As a result, malicious user 120 may potentially corrupt or disrupt key devices in the packet processing path (e.g., devices 114-118) before the attack is detected and/or a corrective action can be performed. Because the affected devices (e.g., devices 114-118) are key entry points in network 100, this may also disrupt service for other legitimate users in network 100.
One problem associated with conventional layer 3 DPI/firewall devices is that they do not support early detection, nor do they minimize exposure of key network elements. For example, with the conventional approach it is possible for malicious users to proliferate attacks into key parts of the service provider network.
Another problem with the conventional approach shown in FIG. 1 is that layer 3 DPI/firewall devices lack the ability to analyze traffic flow from a session layer perspective (e.g., layer 5). As a result, conventional layer 3 DPI/firewall devices are unable to identify behavioral vulnerabilities based on service usage, session layer protocol vulnerabilities (e.g., spam over Internet telephony (SPIT)/SPAM carried in SIP signaling), or service fraud and theft of service, since none of these is visible in IP addresses and port numbers alone. Consequently, conventional layer 3 DPI/firewall devices do not fully protect the service provider network against all known vulnerabilities.
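To make the layer 3 versus session layer distinction concrete, the following Python script is an added example and is not part of the original application or of any product it describes. It runs a port-based (layer 3/4) filter and a SIP-aware (session layer) check over the same constructed packet list: an INVITE burst from one caller to many distinct callees, one legitimate call, and one malformed request. The addresses (RFC 5737 documentation ranges), the burst threshold, the window size, and all function names are assumptions chosen for illustration.

```python
"""Layer-3 versus session-layer (SIP) inspection of the same packet stream."""
import re
from collections import defaultdict

# Constructed sample traffic (not from the original page). Each tuple is
# (timestamp_s, src_ip, dst_ip, dst_udp_port, payload). Every packet looks the
# same at layer 3/4: UDP to port 5060 from the public side.
SPIT_SOURCE = "203.0.113.10"
SBC_IP = "198.51.100.5"


def invite(call_id, from_uri, to_uri):
    """Build a minimal, well-formed SIP INVITE (assumed header set)."""
    return (
        f"INVITE sip:{to_uri} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {SPIT_SOURCE}:5060;branch=z9hG4bK{call_id}\r\n"
        f"From: <sip:{from_uri}>;tag=a{call_id}\r\n"
        f"To: <sip:{to_uri}>\r\n"
        f"Call-ID: {call_id}@{SPIT_SOURCE}\r\n"
        "CSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"
    )


# 12 INVITEs in 0.6 s from one From: URI to 12 distinct callees (SPIT-like).
SAMPLE_PACKETS = [
    (i * 0.05, SPIT_SOURCE, SBC_IP, 5060,
     invite(f"c{i}", "robocaller@203.0.113.10", f"+155501230{i:02d}@example.net"))
    for i in range(12)
]
# One legitimate call, and one malformed request (no Via/Call-ID/CSeq).
SAMPLE_PACKETS.append((5.0, "203.0.113.20", SBC_IP, 5060,
                       invite("legit1", "alice@example.com", "bob@example.net")))
SAMPLE_PACKETS.append((5.1, "203.0.113.30", SBC_IP, 5060,
                       "INVITE sip:bob@example.net SIP/2.0\r\nFrom: <sip:x@y>\r\n\r\n"))

ALLOWED_UDP_PORTS = {5060}


def layer3_verdict(pkt):
    """Stateless layer-3/4 filter: it sees addresses and ports, never SIP headers."""
    _ts, _src, _dst, port, _payload = pkt
    return "allow" if port in ALLOWED_UDP_PORTS else "drop"


REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")
URI_RE = re.compile(r"<?sip:([^>;]+)")


def parse_sip(payload):
    """Parse a SIP request; return None if it lacks the mandatory RFC 3261 headers."""
    head, _, _body = payload.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    if any(h not in headers for h in REQUIRED_HEADERS):
        return None
    return {"method": m.group(1), "uri": m.group(2), "headers": headers}


def _uri(header_value):
    m = URI_RE.search(header_value)
    return m.group(1) if m else header_value


def session_layer_verdicts(packets, window_s=1.0, max_callees=5):
    """Per-packet verdicts that need SIP state: malformed messages, and one caller
    sending INVITEs to more than max_callees distinct callees inside window_s."""
    verdicts = []
    recent = defaultdict(list)  # From: URI -> [(ts, To: URI)] within the window
    for ts, _src, _dst, _port, payload in packets:
        msg = parse_sip(payload)
        if msg is None:
            verdicts.append("drop:malformed-sip")
            continue
        if msg["method"] != "INVITE":
            verdicts.append("allow")
            continue
        caller, callee = _uri(msg["headers"]["from"]), _uri(msg["headers"]["to"])
        hist = [(t, c) for t, c in recent[caller] if ts - t <= window_s]
        hist.append((ts, callee))
        recent[caller] = hist
        verdicts.append("drop:spit-burst" if len({c for _, c in hist}) > max_callees
                        else "allow")
    return verdicts


def compare(packets=SAMPLE_PACKETS):
    """Count what each layer would block on the same stream."""
    l3 = [layer3_verdict(p) for p in packets]
    l5 = session_layer_verdicts(packets)
    return {
        "layer3_dropped": sum(v != "allow" for v in l3),
        "session_dropped": sum(v != "allow" for v in l5),
        "spit_dropped": l5.count("drop:spit-burst"),
        "malformed_dropped": l5.count("drop:malformed-sip"),
    }


if __name__ == "__main__":
    print(compare())
```

The port filter passes all fourteen packets because every one of them is legitimate at layer 3/4; only the SIP-aware pass, which parses the request line and headers and keeps per-caller state, drops the malformed request and the seven INVITEs that push the robocaller past the callee threshold. The first five INVITEs in the burst are still admitted, which is the usual cost of a behavioral threshold and the reason such logic is placed at the edge, before the SBC, rather than behind it.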
Another problem associated with conventional layer 3 DPI/firewall devices (i.e., multi-device solutions) is that coordination across multiple devices is necessary to protect against some vulnerabilities. For example, in order to rapidly close a vulnerability discovered by the IDS module, the blocking action must be applied by a separate firewall or IPS device. However, coordination across multiple devices is often not achievable in practice, thereby exposing the network to security vulnerabilities for possibly extended periods of time.
Another problem associated with conventional layer 3 DPI/firewall devices is that they do not scale well. In the conventional approach, the encryption/decryption task is typically performed on a dedicated device. Further, the packet inspection and vulnerability detection stages must be placed after the encryption/decryption module, as these stages cannot operate on encrypted packets. The issue with this ordering is that the encryption/decryption module must process all incoming traffic, including traffic that carries potential vulnerabilities, so decryption capacity is consumed by malicious packets before any of them can be identified and discarded.
Accordingly, in light of these difficulties, a need exists for improved methods, systems, and computer readable media for providing layered network security for detecting and blocking attempted network intrusions or other security policy violations as early as possible at the edge of the network.