Firewalls and intrusion detection systems are devices that may be used to protect a computer network from unauthorized or disruptive users. A firewall can be used to secure a local area network from users outside the local area network. A firewall checks, routes, and frequently labels all messages sent to or from users outside the local area network. An intrusion detection system (IDS) can be used to examine information being communicated within a network to recognize suspicious patterns of behavior. Information obtained by the IDS can be used to block unauthorized or disruptive users from accessing the network. An intrusion prevention system (IPS) is an in-line version of an IDS. An IPS can be used to examine information as it is being communicated within a network to recognize suspicious patterns of behavior.
A flow-based router (FBR) can allow network administrators to implement packet forwarding and routing according to network policies defined by a network administrator. FBRs can allow network administrators to implement policies that selectively cause packets to be routed through specific paths in the network. FBRs can also be used to ensure that certain types of packets receive differentiated, preferential service as they are routed. Conventional routers can forward packets to their destination address based on available routing information. Instead of routing solely based on the destination address, FBRs can enable a network administrator to implement routing policies to allow or deny packets based on several other criteria including the application, the protocol, the packet size and the identity of the end system.
A packet filter can operate on the data in the network layer to defend a trusted network from attack by an untrusted network. For example, packet filters inspect fields of the Transmission Control Protocol/Internet Protocol (TCP/IP) header including, the protocol type, the source and destination Internet Protocol (IP) address, and the source and destination port numbers. Disadvantages of packet filters include, slow speed and difficult management in large networks with complex security policies.
A proxy server can operate on values carried in the application layer to insulate a trusted network from an untrusted network. In an application proxy server, two Transmission Control Protocol (TCP) connections may be established: one between the packet source and the proxy server, another between the proxy server and the packet destination. The application proxy server can receive the arriving packets on behalf of the destination server. The application data can be assembled and examined by the proxy server, and a second TCP connection can be opened between the proxy server and the destination server to relay permitted packets to the destination server. Proxy servers can be slow because of the additional protocol stack overhead required to inspect packets at the application layer. Furthermore, because a unique proxy can be required for each application, proxy servers can be complex to implement and difficult to modify for supporting new applications. In addition, because proxy servers only examine application packets, proxy servers may not detect an attempted network security intrusion at the TCP or network layers.