Many networks are under various sorts of threats including external attacks that put the security of the network, transported data, applications, or other networked-entities under risk. If a network becomes compromised, then applications running behind the network, or within the network, become exposed to risk. Applications can range from office productivity solutions to server-based applications, or any type of application. Examples include storage arrays, databases, printer or printing services, web services, copy or scanning machines, VOIP solutions, virtual PBX systems, cloud-based applications, search engines, or other types of applications. If any one of these applications becomes compromised, a substantial loss could be incurred.
Threats to a network can take on many different forms. One type of external threat comprises “spoofing”, a technique often used by hackers. Spoofing is an intrusion technique where an attacker mimics a remote entity by replicating the remote entity's identification information (e.g., network address) so the local application considers the attacker as a valid or authorized user. Once the attacker successfully spoofs a valid or authorized entity, the attacker can cause damage to the network.
Unfortunately, applications are only as robust as the security of their network interfaces. Better security measures would include protecting applications behind the networking fabric by forming a virtual network interface for the application through which remote entities can access the application. Supplying a virtual or distributed network interface allows for isolating an application from a hostile entity, possibly by creating application-specific network interfaces.
Known efforts directed to protecting networks or applications from threats include the following references.
U.S. Pat. No. 7,561,571 to Lovett et al. titled “Fabric Address and Sub-Address Resolution in Fabric-Backplane Enterprise Servers”, filed Feb. 12, 2005, describes a switch architecture capable handling IP address or a MAC address failover due to module failure.
U.S. Pat. No. 7,760,717 to Atkinson titled “Interface Switch for Use with Fibre Channel Fabrics in Storage Area Networks”, filed Oct. 25, 2005, describes a switching environment where traffic address mapping between virtual and physical addresses are mediated and translated at wire speed.
U.S. Pat. No. 7,761,923 to Khuti et al. titled “Process Control Methods and Apparatus for Intrusion Detection, Protection and Network Hardening”, filed Mar. 1, 2005, describes networking techniques based on stateful inspection to help protect against IP spoofing or port scanning.
U.S. patent application publication 2007/0091907 to Seshadri et al. titled “Secured Media Communication Across Enterprise Gateway”, filed Oct. 2, 2006, describes establishing a communication between a media server and a client device where the media service is protected through the use of network address translation (NAT).
Unless the context dictates the contrary, all ranges set forth herein should be interpreted as being inclusive of their endpoints and open-ended ranges should be interpreted to include commercially practical values. Similarly, all lists of values should be considered as inclusive of intermediate values unless the context indicates the contrary.
Interestingly, it has yet to be appreciated that one could provide an application protection system by distributing a network interface for an application across nodes of a network fabric. When the roles and responsibilities of the application's network interface are resident in the nodes, many opportunities become available. For example, the network interface can spoof or cloak the application in a manner where a remote entity is unaware of intermediary counter measures. Upon detection of the threat, the network interface can be configured to route traffic to a monitoring location while protecting the application from the threat.
Thus, there is still a need for methods of protecting applications within or on a networking fabric.