This invention relates in general to computer network security systems and in particular to systems and methods for detecting and preventing intrusion into a campus local area network by an unauthorized user.
As local area networks (LANs) continue to proliferate, and the number of personal computers (PCs) connected to LANs continues to grow at a rapid pace, network security becomes an ever increasing problem for network administrators. The continuing trend of deploying distributed LANs provides multiple access points to an enterprise's network. Each of these distributed access points, if not controlled, is a potential security risk to the network.
To further illustrate the demand for improved network security, an IDC report on network management, "LAN Management: The Pivotal Role of Intelligent Hubs", published in 1993, highlighted the importance of network security to LAN administrators. When asked the importance of improving management of specific LAN devices, 75% of the respondents stated network security is very important. When further asked about the growing importance of network security over the next three years, many respondents indicated that it would increase in importance.
More recently, a request for proposal from the U.S. Federal Reserve specified a requirement that a LAN hub must detect an unauthorized station at the port level and disable the port within a 10-second period. Although this requirement will stop an intruder, there is an inherent weakness in this solution in that it only isolates the security intrusion to the port of entry. The rest of the campus network is unaware of an attempted break-in. The detection of the unauthorized station and the disabling of the port is the first reaction to a security intrusion, but many significant enhancements can be made to provide a network-wide security mechanism. Where the above solution stops at the hub/port level, this invention provides significant enhancements to solving the problem of network security by presenting a system wide solution to detecting and preventing security intrusions in a campus LAN environment.
In today's environment, network administrators focus their attention on router management, hub management, server management, and switch management, with the goals of ensuring network up time and managing growth (capacity planning). Security is often an afterthought and at best administrators get security as a by-product of employing other device functions. For example, network administrators may set filters at router, switch, or bridge ports for performance improvements and implicitly realize some level of security as a side effect since the filters control the flow of frames to LAN segments.
The problem with using filters is that their primary focus is on performance improvements, by restricting the flow of certain types of network traffic to specified LAN segments. The filters do not indicate how many times the filter has actually been used and do not indicate a list of the media access control (MAC) addresses that have been filtered. Therefore, filters do not provide an adequate detection mechanism against break-in attempts.
Another security technique that is commonly employed in hubs is intrusion control. There are token ring and Ethernet managed hubs that allow a network administrator to define, by MAC address, one or more authorized users per hub port. If an unauthorized MAC address is detected at the hub port, then the port is automatically disabled. The problem with this solution is that prevention stops at the hub and no further action is taken once the security intrusion has been detected. This solution does not provide a network-centric, system-wide solution. It only provides a piecemeal solution for a particular type of network hardware, namely token ring and Ethernet managed hubs. The result is a fragmented solution, where security may exist for some work groups that have managed hubs installed, but not for the entire campus network. At best, the security detection/prevention is localized to the hub level, and no network-wide solution exists.
Other attempts to control LAN access have been made with software program products. For example, IBM Corporation's LAN Network Management (LNM) products, LNM for OS/2 and LNM for AIX, both provide functions called access control for token ring LANs. There are several problems with these solutions. One problem with both of these solutions is that it takes a long time to detect that an unauthorized station has inserted into the ring. An intruder could have ample time to compromise the integrity of a LAN segment before LNM could take an appropriate action. Another problem with the LNM products is that once an unauthorized MAC address has been detected, LNM issues a remove ring station MAC frame. Although this MAC frame removes the station from the ring, it does not prevent the station from reinserting into the ring and potentially causing more damage. Because these products do not provide foolproof solutions, and significant security exposure still exists, they do not provide a viable solution to the problem of network security for campus LAN environments.
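The three shortcomings described above (filters that keep no hit count and no list of filtered MAC addresses, hub intrusion control whose reaction stops at the port of entry, and a removal that does not stop the station from reappearing elsewhere) can be shown together in a small simulation. The following Python model is an added illustration and is not code from this specification or from any IBM product: it keeps a per-port authorized MAC list and disables the port on a violation as a managed hub does, but additionally records a violation counter and the blocked MAC addresses per port, and reports every event to a campus-wide manager that propagates the intruder's address so that other hubs refuse it even where it is locally authorized. The hub names, port numbers and MAC addresses (taken from the documentation range 00:00:5E:00:53:xx) are constructed sample values; the class and method names are the author's own choices.

```python
"""Port-level intrusion control with campus-wide propagation.

Added illustration, not part of the specification. Hub names, port ids and
MAC addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Port:
    hub: str
    port_id: int
    authorized: Set[str]                       # MACs allowed on this port
    enabled: bool = True                       # cleared when a violation is seen
    violations: int = 0                        # the hit count a plain filter lacks
    blocked_macs: List[str] = field(default_factory=list)  # the MAC list a filter lacks


@dataclass
class SecurityEvent:
    hub: str
    port_id: int
    mac: str


class CampusSecurityManager:
    """Collects intrusion events from every managed hub so the rest of the
    campus network learns of an attempted break-in, not just the port of entry."""

    def __init__(self) -> None:
        self.events: List[SecurityEvent] = []
        self.known_intruders: Set[str] = set()

    def report(self, event: SecurityEvent) -> None:
        self.events.append(event)
        # Remembering the address is what stops the station from simply
        # reinserting on another hub after being removed here.
        self.known_intruders.add(event.mac)


class ManagedHub:
    def __init__(self, name: str, manager: CampusSecurityManager) -> None:
        self.name = name
        self.manager = manager
        self.ports: Dict[int, Port] = {}

    def configure_port(self, port_id: int, authorized_macs: Set[str]) -> None:
        self.ports[port_id] = Port(self.name, port_id, {m.lower() for m in authorized_macs})

    def frame_seen(self, port_id: int, src_mac: str) -> bool:
        """Process one frame arriving on a port. Returns True if the frame is
        accepted, False if it is dropped (port already disabled or violation)."""
        port = self.ports[port_id]
        mac = src_mac.lower()
        if not port.enabled:
            port.violations += 1          # still counted, so the administrator sees persistence
            return False
        if mac in port.authorized and mac not in self.manager.known_intruders:
            return True
        # Unauthorized station (or one already flagged elsewhere on the campus):
        # disable the port, keep the evidence, and tell the whole network.
        port.enabled = False
        port.violations += 1
        port.blocked_macs.append(mac)
        self.manager.report(SecurityEvent(self.name, port_id, mac))
        return False


def run_demo():
    """Constructed scenario: an intruder appears on hub-A, then tries hub-B
    where its address happens to be locally authorized."""
    mgr = CampusSecurityManager()
    hub_a = ManagedHub("hub-A", mgr)
    hub_b = ManagedHub("hub-B", mgr)
    hub_a.configure_port(1, {"00:00:5e:00:53:01"})
    hub_b.configure_port(3, {"00:00:5e:00:53:02", "00:00:5e:00:53:99"})
    results = [
        hub_a.frame_seen(1, "00:00:5e:00:53:01"),  # authorized station: accepted
        hub_a.frame_seen(1, "00:00:5e:00:53:99"),  # intruder: port disabled, event reported
        hub_a.frame_seen(1, "00:00:5e:00:53:01"),  # port now disabled: dropped, counted
        hub_b.frame_seen(3, "00:00:5e:00:53:99"),  # locally authorized but flagged campus-wide: dropped
    ]
    return mgr, hub_a, hub_b, results


if __name__ == "__main__":
    mgr, hub_a, hub_b, results = run_demo()
    print("frame results:", results)
    for ev in mgr.events:
        print(f"event: {ev.hub} port {ev.port_id} blocked {ev.mac}")
```

The last frame in run_demo is the point of the exercise: a hub acting alone would have accepted it, because the address is in that port's authorized list, whereas the shared intruder set lets hub-B refuse it and disable the port before the station does further damage.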
Thus, there is a need for a mechanism in the managed devices of a computer network that enables a comprehensive solution and that not only provides for detection of security intrusions, but also provides the proactive actions needed to stop the proliferation of security intrusions over the domain of an entire campus network.