The primary method for protecting a computer network from attacks is to employ an entity known as a screening device (e.g., a firewall or a similar multi-component screening system). The majority of modern screening devices protect a network by inspecting the layer 3 and/or layer 4 protocol headers of incoming packets and thereby limiting which communication channels, or "ports", are available to outside users wishing to connect with the protected network. In a standard (stand-alone) screening device, no investigation of the incoming communication is performed beyond confirming that the incoming packet is addressed to an allowed or authorized port, i.e., one that the network administrator has made available to known and unknown visitors alike. All other ports are considered closed, and no communication is allowed through them.
A common method of abusing this means of network protection is to cloak attack data within packets whose headers indicate an allowed protocol or port, so that the screening device passes the data through an authorized port to the protected network. Because the screening device examines only the headers and never the payload, the cloaked communication reaches an unhardened server and service within the protected network, and the attacker then exploits weaknesses in the design of that service to further abuse or damage the server or other nodes within the network.
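The two preceding paragraphs describe how a header-only screening device admits or drops a packet, and why an attacker can pass arbitrary data through an open port. The following Python model is an added illustration and is not part of the described system: it constructs IPv4/TCP packets inline (checksums zeroed, since only the headers are parsed), applies a hypothetical policy that opens only ports 80 and 443, and shows that a packet to port 80 carrying a non-HTTP payload is admitted by the header check, while a crude content check of the kind a stand-alone screening device does not perform would flag it. The port policy, the packet contents and the `looks_like_http` heuristic are all assumptions made for the example.

```python
"""Model of a header-only screening device (packet filter) and why it is blind to payload.

Added illustrative example; the packets below are constructed for the demonstration
and the ALLOWED_TCP_PORTS policy is a hypothetical administrator configuration.
"""
import struct

# Hypothetical policy: only the web ports are open to outside users.
ALLOWED_TCP_PORTS = {80, 443}
IPPROTO_TCP = 6


def ip_to_bytes(ip: str) -> bytes:
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(octet) for octet in ip.split("."))


def build_packet(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                 payload: bytes) -> bytes:
    """Construct a minimal IPv4 + TCP packet (no options, checksums zeroed).

    Sufficient for header parsing; not a valid on-the-wire packet.
    """
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    # data offset = 5 words, flags = PSH|ACK, window = 65535
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_headers(pkt: bytes):
    """Extract (protocol, dst_port, payload) from the L3/L4 headers.

    This is everything a stand-alone screening device looks at.
    """
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]
    if proto != IPPROTO_TCP:
        return proto, None, pkt[ihl:]
    _src_port, dst_port = struct.unpack_from("!HH", pkt, ihl)
    data_off = (pkt[ihl + 12] >> 4) * 4  # TCP header length in bytes
    return proto, dst_port, pkt[ihl + data_off:]


def screen(pkt: bytes) -> str:
    """Header-only decision: ALLOW if TCP to an open port, otherwise DROP.

    The payload is never examined, exactly as described for a basic screening device.
    """
    proto, dst_port, _payload = parse_headers(pkt)
    if proto == IPPROTO_TCP and dst_port in ALLOWED_TCP_PORTS:
        return "ALLOW"
    return "DROP"


def looks_like_http(payload: bytes) -> bool:
    """Crude content check (assumption for the example): does the payload start
    with an HTTP request method?  A header-only device does not perform this."""
    token = payload.split(b" ", 1)[0]
    return token in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def screen_with_content_check(pkt: bytes) -> str:
    """Same port policy, but also require that traffic to port 80 looks like HTTP."""
    proto, dst_port, payload = parse_headers(pkt)
    if proto != IPPROTO_TCP or dst_port not in ALLOWED_TCP_PORTS:
        return "DROP"
    if dst_port == 80 and not looks_like_http(payload):
        return "DROP"
    return "ALLOW"


# Constructed sample traffic for the demonstration.
LEGIT_HTTP = build_packet("203.0.113.5", "192.0.2.10", 40000, 80,
                          b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
SSH_ATTEMPT = build_packet("203.0.113.5", "192.0.2.10", 40001, 22,
                           b"SSH-2.0-client\r\n")
# Non-HTTP bytes "cloaked" behind an allowed port (arbitrary filler, not an exploit).
CLOAKED_ON_80 = build_packet("203.0.113.5", "192.0.2.10", 40002, 80,
                             b"\x00\x01\x02\x03not-http-at-all")

if __name__ == "__main__":
    for name, pkt in [("legit http", LEGIT_HTTP), ("ssh", SSH_ATTEMPT),
                      ("cloaked on 80", CLOAKED_ON_80)]:
        print(f"{name:14s} header-only={screen(pkt):5s} "
              f"with-content-check={screen_with_content_check(pkt)}")
```

The point of the model is the third packet: `screen` admits it because the destination port is authorized, and only a device that interrogates the payload (the more expensive class of firewall discussed below) can tell it apart from legitimate web traffic.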
Other, more powerful and expensive types of firewalls go further by interrogating the content of the incoming information. However, this is an expensive, time-consuming and highly customized application of screening device technology, and as a result it is not widely used on the Internet as a security method by small to medium sized organizations, or by some larger organizations. Accordingly, there is a need for a network security system that overcomes the above-described disadvantages of screening devices and known communication security techniques.