Computer networks are vulnerable to a number of types of attacks and compromises to security. Intruders attempt to break into networks in order to cause damage or to steal data. Network security can also be compromised by a virus or a worm, for example, deliberately placed in the network or as part of a file downloaded by a legitimate user. Any of these network invaders, intruders, viruses, or worms can degrade network performance by, for example, creating packet storms, can compromise network edge security by exposing critical internal IP addresses and can attempt to infect other hosts both inside and outside the private network.
A particularly difficult network security problem is the trojaned host. A trojaned host is a network node that is not secured properly because it is, for example, not running the latest anti-virus software update or perhaps is not running anti-virus software at all. Another way a node on the network can become a trojaned host is when the node has a defective firewall. The damage to a network, such as a private corporate network, that can be accomplished by a trojaned host can be extensive.
The basic goals of a network security system are to keep data and access secure while minimizing the consumption of network resources. A number of different types of network security systems have been developed in an attempt to accomplish this basic goal. Ideally, a network security system provides three aspects of security. That is, a network security system prevents, or at least hinders, intrusions to the network; the network security system also detects intrusions when prevention fails; and finally, the network security system responds to security failures.
Currently existing solutions to network security include a first network security system for a private network in which the routers are configured as a default-free routing zone. In other words, the routers do not know how to forward packets addressed to nodes outside the private network. In some arrangements of the first network security system, some nodes on the network, such as a web (HTTP) proxy or a SOCKS proxy, are configured to gateway traffic addressed to restricted-access data centers and also traffic destined for the public Internet. The gatewaying approach has the benefit of the ability to apply application-level security policies. This first network security system is referred to as the “no-default-routes and restrictive gateways” security design. This design has the advantages of (1) preventing unauthorized traffic to the Internet; (2) preventing unauthorized traffic from consuming internal network resources or border/firewall capacity; and (3) preventing penetrated internal nodes from easy wide-area network exploration within the private network.
In a second prior art network security system, some of the nodes on the private network are configured to gateway data traffic in a manner similar to the first network security system. The routers in the private network, however, contain default routes that lead to the network perimeter. At the perimeter, there are firewalls implementing extremely restrictive packet filters. This approach often involves multiple layers of firewalls around the gateway machines. This second network security system is referred to as the “normal restrictive gateways” security design. This system has the advantages of (1) preventing unauthorized traffic to the Internet (like the system described above) and (2) detecting unauthorized traffic attempts at the perimeter.
Some currently implemented network security systems are primarily detection systems rather then prevention systems. An example of a detection system for network security is a honeypot. A honeypot is a system configured specifically to be probed, attacked, or compromised, usually for the purpose of the detection of unauthorized activity in a network or in a network node. Examples of honeypots are systems that emulate other systems, systems that emulate known vulnerabilities, and systems that create jailed environments.
A honeynet is a network configured to be probed or compromised for the purpose of detection of unauthorized activity. Generally, a honeynet is used as a research tool. The honeynet typically sits behind a firewall where all inbound and outbound data is contained, captured and controlled. This captured information is then analyzed to learn the tools, tactics, and motives of network attackers.