Enterprise computing environments typically consist of host computer systems, individual workstations, and network resources interconnected over intranetworks internal to the organization. These intranetworks, also known as local area networks, make legacy databases and information resources widely available for access and data exchange. These systems can also be interconnected to wide area networks, including public information internetworks, such as the Internet, to enable internal users access to remote data exchange and computational resources and to allow outside users access to select internal resources for completing limited transactions or data transfer.
Unfortunately, enterprise computing environments are also susceptible to security compromises. A minority of surreptitious users, colloquially termed, “hackers,” abuse computer interconnectivity by attempting to defeat security measures and intrude into non-public computer resources without authorization. Hackers pose an on-going concern for system administrators charged with safeguarding data integrity and security.
Hackers often take advantage of flaws and limitations inherent to network architectures. For instance, most internetworks and intranetworks are based on a layered network model employing a stack of standardized protocol layers. The most widely adopted network model is the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, such as described in W. R. Stevens, “TCP/IP Illustrated,” Vol. 1, Ch. 1 et seq., Addison-Wesley (1994), the disclosure of which is incorporated herein by reference. Computers and network resources using the TCP/IP suite implement hierarchical protocol stacks which, at minimum, include link and network layers. End-to-end devices, such as workstations and servers, further include transport and application layers.
The layering and variability of implementation in TCP/IP suites expose numerous opportunities for network compromise and exploitation by hackers. Consequently, most networks employ some form of firewall or intrusion detection system as a first line of defense against hackers. Firewalls employ packet filtering, stateful packet inspection and application proxies while intrusion detection systems typically perform signature or statistical intrusion detection. Both of these forms of security require continuous access to network traffic.
Network packet filters present one prior art solution to providing network traffic to intrusion detection systems and some forms of firewall, such as described in W. R. Stevens, “TCP/IP Illustrated,” Vol. 1, App. A, Addison-Wesley (1994), the disclosure of which is incorporated herein by reference. Packet filters capture and filter data packets obtained from a network interface that has been placed into promiscuous mode, typically by retrieving a copy from the network interface driver. Packet filters, however, suffer from several drawbacks. First, current packet filters are inherently bandwidth limited and cannot scale beyond approximately 10-20 Mbps of traffic. Packet filters also consume computational resources, including memory and processing cycles. Finally, receiving intrusion detection systems and firewalls must demultiplex raw packet traffic retrieved by packet filters into individual data packets corresponding to the individual protocol layers. The demultiplexing consumes further computational resources, duplicates work performed by the protocol stack, and introduces the potential for errors.
Therefore, there is a need for a scaleable solution to providing packet traffic for network intrusion detection and analysis. Preferably, such a solution would avoid duplication of protocol stack functionality and computational resource waste.