A successful Internet presence requires that a company has a web site and the computer resources available to handle a large volume of hits from both customers and employees. E-business is now generally accepted as a valid way to conduct business and is increasingly accounting for a significant portion of commerce worldwide. At the same time, a successful Internet presence means that the company must provide adequate security of customer records, such as credit card numbers, as well as its own proprietary information. However, once the Internet presence is established, the computer resources are exposed to a group, generally referred to as hackers, whose sole intent is to gain unauthorized access to the company's computer resources. Hackers may attempt to obtain information of financial value or they may attempt to infiltrate a company's computer resources for the intellectual or political challenge. Other hackers are simply intent on trouble-making.
Regardless of the hackers' motivation, it is incumbent on the company to identify and prevent unauthorized access to sensitive corporate computer resources. In practice, however, this is not a simple task, because the company's employees and customers, not all of whom may be immediately recognized, must be provided access to the very same resources. Nonetheless, the task of identifying an intrusion is a fundamental part of maintaining an on-line presence.
To detect intrusion, businesses with data centers commonly deploy an intrusion detection system, or IDS. The IDS monitors the data center network by analyzing network packets and looking for inappropriate, incorrect, or anomalous activity that would indicate that a hacker is attempting to intrude.
The IDS may be implemented as a network-based IDS or as a host-based IDS. A network-based IDS monitors network traffic flowing through a switch or router. A host-based IDS monitors system-level events to detect malicious activity on that host. The IDS is the equivalent of a surveillance tool that reports suspicious activity to an IDS management system. To illustrate, one IDS, the Cisco IDS-4250 commercially marketed by Cisco Systems, utilizes sophisticated detection techniques that include stateful pattern recognition, protocol parsing, heuristic detection, and anomaly detection. These detection techniques provide comprehensive protection from a variety of both known and unknown threats.
In a network environment, IDSs are deployed throughout the network, but it is especially important to place IDSs on the network segments through which attacks are most likely to come. A network-based IDS protects all devices that are accessible on the segment to which it is connected and identifies malicious activities there. In a data center environment having multiple subnets, it is desirable that an IDS sensor monitor each subnet. Thus, if a data center has three subnets, traffic on a first subnet should be monitored by a first IDS, traffic on a second subnet by a second IDS, and traffic on a third subnet by a third IDS. Unfortunately, in some networks there is a practical limitation on the number of sessions an IDS sensor can monitor, due to the traffic-capturing technology, so there may be no ability to monitor the third subnet with a third IDS. In such instances, two or more subnets may be lumped together and monitored by a single IDS. In other instances it is desired to selectively monitor traffic on a subnet: for instance, HTTP client-to-server traffic should be monitored by one IDS sensor, SMTP client-to-server traffic by another sensor, and DNS traffic by yet another sensor, while all other traffic originating and terminating on the same subnet is filtered out.
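One way to express the selective monitoring policy just described, as an added example that is not part of the patent text: each captured flow is either steered to the sensor responsible for its protocol or filtered out because it both originates and terminates on one subnet. The subnet ranges, sensor names, and port-to-sensor mapping are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed topology (hypothetical, not from the original): three data-center
# subnets and one sensor per protocol of interest, as the text describes.
SUBNETS = [ipaddress.ip_network(n) for n in ("10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24")]

# Client-to-server traffic is recognised by its transport protocol and server port.
PROTOCOL_SENSORS: Dict[Tuple[str, int], str] = {
    ("tcp", 80): "ids-http",
    ("tcp", 25): "ids-smtp",
    ("tcp", 53): "ids-dns",
    ("udp", 53): "ids-dns",
}

# A flow is (src_ip, dst_ip, transport, dst_port); dst is the server side.
Flow = Tuple[str, str, str, int]

def subnet_of(ip: str) -> Optional[ipaddress.IPv4Network]:
    """Return the monitored subnet containing ip, or None for external hosts."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in SUBNETS if addr in net), None)

def assign_sensor(flow: Flow) -> Optional[str]:
    """Pick the sensor that should see this flow; None means it is filtered out."""
    src_ip, dst_ip, transport, dst_port = flow
    src_net, dst_net = subnet_of(src_ip), subnet_of(dst_ip)
    # Drop traffic that originates and terminates on the same subnet: it is
    # noise for a sensor whose job is to watch client-to-server sessions.
    if src_net is not None and src_net == dst_net:
        return None
    # Only flows bound for a monitored server port are steered to a sensor.
    return PROTOCOL_SENSORS.get((transport.lower(), dst_port))

def distribute(flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Group flows by the sensor that monitors them; 'filtered' collects the rest."""
    buckets: Dict[str, List[Flow]] = {}
    for flow in flows:
        buckets.setdefault(assign_sensor(flow) or "filtered", []).append(flow)
    return buckets

# Constructed sample flows (192.0.2.0/24 is a documentation range standing in for the Internet).
SAMPLE_FLOWS: List[Flow] = [
    ("192.0.2.10", "10.1.0.5", "tcp", 80),   # Internet client -> web server
    ("10.1.0.5", "10.1.0.9", "tcp", 80),     # same-subnet HTTP: filtered
    ("10.2.0.7", "10.1.0.25", "tcp", 25),    # mail relay across subnets
    ("10.3.0.4", "10.1.0.53", "udp", 53),    # DNS query across subnets
    ("192.0.2.11", "10.2.0.8", "tcp", 22),   # SSH: no sensor assigned
]

if __name__ == "__main__":
    for sensor, flows in sorted(distribute(SAMPLE_FLOWS).items()):
        print(f"{sensor}: {len(flows)} flow(s)")
```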
In accordance with the present invention, a system and method for monitoring multiple subnets and protocols with corresponding multiple IDSs is provided. Advantageously, the present invention reduces false positives of a network attack, eliminates traffic noise within a subnet, and provides greater granularity in monitoring network traffic on each subnet by selectively monitoring traffic to optimize performance.
The foregoing and additional features and advantages of this invention will become apparent from the detailed description and review of the associated drawing figures that follow.