Electronic commerce (eCommerce) in today's global economy demands greater access to information and avenues of communication among customers, business partners, suppliers, employees, and friends. Any person or business that uses the Internet to achieve global communication must implement significant safeguards to protect digital information assets available in a secured computer network, or else risk leaving private stores of digital information in the secured computer network vulnerable to intrusion.
Currently, conventional safeguards for secured computer networks typically include stand-alone firewalls manufactured by a first party that can route information to one or more stand-alone intrusion detection systems (IDSs) and one or more anti-virus systems (AVSs). The stand-alone IDSs and AVSs are usually designed by second parties that are not affiliated with the firewall manufacturer. Such a conventional safeguard utilizing a combination of firewalls, IDSs, and AVSs for a secured computer network typically processes packets of information in either a parallel manner or a serial manner. That is, for serial processing, a packet of information sent to or originating from a secured network 270 can be first processed by a firewall, then processed by an IDS and/or an AVS before the packet is allowed to enter or leave the secured computer network.
Opposite to the serial configuration, another conventional safeguard can be set up such that the stand-alone firewall, the stand-alone IDS, and the stand-alone AVS each process the packet at the same time, that is, in a parallel manner. However, regardless of whether a packet is processed in a parallel manner or in a serial manner by a firewall, an IDS, and an AVS, the conventional art typically requires an independent decision from the firewall, the IDS, and the AVS before the packet is allowed to pass into or out of a secured computer network. Such a design, which waits for separate processing to be completed by a stand-alone firewall, a stand-alone IDS, and a stand-alone AVS, consumes invaluable time that is critical to any type of distributed computer network where speed is both a priority and a necessity.
The processing speed of the conventional safeguards can be hampered by the interfaces needed to link stand-alone firewalls and stand-alone IDSs. Since conventional safeguards comprise stand-alone firewalls and stand-alone IDSs that are manufactured by different vendors, rather complex interfaces are needed to pass packets entering a firewall that are destined for an IDS. Further, in such an environment, each stand-alone system, whether it be a firewall or an IDS, will typically have its own packet acquisition engine. Communication between the stand-alone firewalls and the stand-alone IDSs can be achieved through a combination of published application programming interfaces (APIs), industry standard protocols, and high-level scripting languages.
Beneath the APIs needed to connect the firewalls to IDSs are often intricate protocols and networking made by the stand-alone application developers. In addition to requiring rather complex interfaces and communications to be established between stand-alone firewalls, stand-alone IDSs, and stand-alone AVSs, conventional systems do not permit simple or rapid upgrades for simultaneous, harmonious configuration of a stand-alone firewall, a stand-alone IDS, and a stand-alone AVS. In other words, the conventional art does not promote simple and efficient upgrade configurations to optimize an interfaced security solution that can comprise a stand-alone firewall, a stand-alone IDS, and a stand-alone AVS. Often, separate configurations will be required for each stand-alone system because stand-alone systems will typically have different protocols, command languages, and hardware components.
Related to the problems of the rather complex communication interfaces needed between a stand-alone firewall, IDS, and AVS is that each stand-alone system is typically unaware of the calculations or decisions made by the opposing stand-alone system. In other words, a stand-alone IDS or AVS is typically not aware of the calculations or decisions made by its complementary stand-alone firewall. Frequently, a stand-alone IDS or AVS will not receive any information such as packets from a stand-alone firewall if the stand-alone firewall determines that the packet violates one or more of its rules. When packets are not evaluated by each stand-alone system, potentially important information about a particular packet may not be discovered by the security manager of a secured computer network because one stand-alone system may prevent information from reaching another, respective stand-alone system.
Stated differently, when a stand-alone firewall drops a packet, this packet is typically dropped completely and not forwarded to the stand-alone IDS or AVS. Because the packet is not processed by the stand-alone IDS or AVS, a security manager of a secured computer network may never know or learn that the dropped packet may have also matched an intrusion detection signature or virus. Such a potential match that could be discovered by an IDS or AVS could be an important element in the evaluation of packets for security threats. For example, it could be determined that a particular packet may be part of a larger security incident such as an integrity attack, a confidentiality attack, a denial of service attack, a multi-stage attack, or another similar attack on the secured computer network from users outside or inside of the secured computer network.
Accordingly, there is a need in the art for a method and system for managing security information for an entire secured computer network. That is, there is a need in the art for a computer security management system that can integrate a firewall with an IDS or AVS or combination thereof. There is also a need in the art for a firewall, an IDS and an AVS that can communicate with each other regarding the process or status information of packets. There is a further need in the art for a firewall, an IDS, and an AVS that can be centrally controlled and that can increase the speed at which packets are passed between a secured computer network and one or more external networks.
An additional need exists in the art for a method and system for managing security information with parallel processing, serial processing, or singular processing by a firewall, an IDS and an AVS that can be selected by a user. A further need exists in the art for a method and system for managing security information where the firewall, IDS and AVS can be configured and optimized efficiently with centralized control.
Similarly, another need exists in the art for a method and system for managing security information that enables a firewall to communicate firewall status information to an IDS and an AVS. A further need exists in the art for a method and system for managing security information such that the firewall can be configurable for situations when the IDS or AVS is unavailable. A further need exists in the art for a method and system for managing security information where the IDS can be configured to perform only passive intrusion detection. An additional need exists in the art for a method and system for managing security information such that the IDS in some instances is not permitted to block packets being communicated through a firewall. And lastly, a further need exists in the art for a method and system for managing security information that comprises a virus scanning device that can function similarly to an IDS and which can be managed centrally along with an IDS and a firewall.
The firewall, IDS, and AVS of the present disclosure can be designed to communicate process or status information and packets with one another. The present disclosure can facilitate centralized control of the firewall, the IDS, and the AVS which can increase the speed at which packets are passed between a secured computer network and an external network. Increased packet processing speed can be achieved in several ways. One way can be to eliminate processing of a packet by the IDS before the packet is sent if a “monitor mode” configuration is selected for the IDS. With such a configuration, the IDS can still process a copy of the packet and can generate an alert if a signature match exists.
Another way to increase speed at which a packet is processed can be to let the firewall interact with the IDS and based on that communication and availability of the IDS, make a decision whether to send a packet to the IDS or the secured network 270. Alternatively, if an “ignore” verdict is reached by the firewall for a given packet being evaluated, then the IDS can be completely ignored. That is, processing by the IDS can be skipped entirely by the firewall and a packet can be sent if it does not violate any firewall rules.
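The following Python model is an added illustration of the integrated pipeline described above and of the dropped-packet problem raised earlier; it is not code from the disclosure. It assumes a firewall that reaches one of three verdicts (allow, drop, ignore), passes its status information along with the packet to a toy IDS and AVS, and is configured with a "monitor" or "inline" detector mode, a flag for whether dropped packets are still shared with the detectors (the conventional stand-alone firewall does not share them), and a fail-open setting for when the detectors are unavailable. The class names, verdict names, rules, sample packets and signature strings are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"    # no rule violated; packet still offered to the IDS/AVS
    DROP = "drop"      # a firewall rule was violated
    IGNORE = "ignore"  # no rule violated and IDS/AVS processing is skipped entirely


class IdsMode(Enum):
    INLINE = "inline"    # a signature match may block the packet
    MONITOR = "monitor"  # the IDS/AVS inspect a copy and only raise alerts


@dataclass
class Packet:  # constructed minimal packet for the example
    src: str
    dport: int
    payload: bytes


@dataclass
class Status:  # firewall status information that travels with the packet to the IDS/AVS
    verdict: Verdict
    rule: Optional[str]


@dataclass
class Alert:
    source: str       # "ids" or "avs"
    signature: str
    packet: Packet
    firewall: Status  # the detector sees what the firewall decided and why


# Constructed toy signatures (hypothetical, not real detection content).
IDS_SIGNATURES = {"sig-probe": b"PROBE"}
AVS_SIGNATURES = {"virus-marker": b"XVIRUSX"}
Rule = Tuple[str, Verdict, Callable[[Packet], bool]]


@dataclass
class Firewall:
    rules: List[Rule]              # first matching rule wins; no match means ALLOW
    ids_mode: IdsMode = IdsMode.INLINE
    ids_available: bool = True
    forward_dropped: bool = True   # True: share dropped packets with the IDS/AVS;
                                   # False: the conventional stand-alone firewall behaviour
    fail_open: bool = True         # deliver uninspected when the IDS/AVS are unavailable
    alerts: List[Alert] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> Status:
        for name, verdict, pred in self.rules:
            if pred(pkt):
                return Status(verdict, name)
        return Status(Verdict.ALLOW, None)

    def _scan(self, pkt: Packet, status: Status) -> bool:
        """Run IDS then AVS signatures; record one alert per match, tagged with the firewall status."""
        hit = False
        for source, sigs in (("ids", IDS_SIGNATURES), ("avs", AVS_SIGNATURES)):
            for name, pattern in sigs.items():
                if pattern in pkt.payload:
                    self.alerts.append(Alert(source, name, pkt, status))
                    hit = True
        return hit

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is delivered to the secured network."""
        status = self.evaluate(pkt)
        if status.verdict is Verdict.DROP:
            if self.forward_dropped:   # the detectors still learn about the dropped packet
                self._scan(pkt, status)
            return False
        if status.verdict is Verdict.IGNORE:
            return True                # IDS/AVS skipped entirely
        if not self.ids_available:
            return self.fail_open      # configurable behaviour when the detectors are down
        hit = self._scan(pkt, status)
        if hit and self.ids_mode is IdsMode.INLINE:
            return False               # an inline detector is permitted to block
        return True                    # monitor mode: alert only, packet passes


def demo() -> dict:
    """Run constructed sample packets through four configurations and summarise the results."""
    rules: List[Rule] = [
        ("deny-telnet", Verdict.DROP, lambda p: p.dport == 23),
        ("trusted-dns", Verdict.IGNORE, lambda p: p.dport == 53 and p.src.startswith("10.")),
    ]
    packets = [
        Packet("203.0.113.5", 23, b"PROBE login"),   # dropped by rule, yet matches an IDS signature
        Packet("10.0.0.8", 53, b"PROBE query"),      # ignore verdict: never inspected
        Packet("203.0.113.9", 80, b"GET / XVIRUSX"),  # passes the rules, matches an AVS signature
    ]
    inline, monitor = Firewall(rules), Firewall(rules, ids_mode=IdsMode.MONITOR)
    conventional, ids_down = Firewall(rules, forward_dropped=False), Firewall(rules, ids_available=False)

    def summary(fw: Firewall) -> list:
        return [(a.source, a.signature, a.firewall.verdict.value) for a in fw.alerts]

    return {
        "inline": [inline.process(p) for p in packets],
        "inline_alerts": summary(inline),
        "monitor": [monitor.process(p) for p in packets],
        "monitor_alerts": summary(monitor),
        "conventional": (conventional.process(packets[0]), len(conventional.alerts)),
        "ids_down": (ids_down.process(packets[2]), len(ids_down.alerts)),
    }
```

Running `demo()` shows the trade-offs the text describes: the dropped telnet packet still produces an IDS alert tagged with the firewall's "drop" verdict when it is shared, and produces nothing in the conventional configuration; the "ignore" verdict delivers the packet without any detector work; monitor mode raises the same alerts as inline mode but never blocks; and with the detectors unavailable the fail-open setting decides whether the packet is delivered uninspected.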
The computer security management system can respond to and track computer security incidents that can be targeted at or that can occur in a networked computer system. Computer security incidents can include, but are not limited to, integrity attacks, confidentiality attacks, denial of service attacks, multi-stage attacks, or other similar attacks on computers or computer networks from users outside or inside of a secured computer network.