With the ever-increasing popularity of the Internet, particularly its World Wide Web (“Web”) portion, more and more computers are connected to networks, including Local Area Networks (“LANs”) and Wide Area Networks (“WANs”). The explosive growth of the Internet has had a dramatic effect on how people communicate and pursue business opportunities. Increasingly, people require access to the Internet to conduct research and competitive analysis, communicate between branch offices, and send e-mail, to name just a few uses.
As a result, corporate information technology (“IT”) departments, for example, now face unprecedented challenges. Such departments, which have to date operated largely in a clearly defined and friendly environment (i.e., a private, secure computer network), are now confronted with a far more complicated and hostile situation. As more and more computers are connected to the Internet, either directly (e.g., over a dial-up connection to an Internet Service Provider or “ISP”) or through a gateway between a LAN and the Internet, a whole new set of challenges faces LAN administrators and individual users alike: these previously closed computing environments are now open to a worldwide network of computer systems. In particular, systems today are vulnerable to attack by practically any perpetrator or hacker with access to the Internet.
For a long time, firewalls alone acted as security gateways for data flowing through or into a network. Firewalls are applications that intercept data traffic, for example at the gateway to a WAN, and check the data packets (i.e., Internet Protocol packets or “IP packets”) being exchanged for suspicious or unwanted activity. A firewall may also intercept data traffic at an individual computer connected to a LAN. Initially, firewalls were used primarily to keep intruders out of the LAN by filtering packets. Gradually, firewalls have evolved to shoulder more security functions, such as scanning network traffic for protocol validity and for content. A modern firewall, acting as a network gateway, implements a wide variety of security technologies, such as anti-virus (“AV”), anti-spam, protocol anomaly detection, content filtering, and intrusion detection systems (“IDS”), in order to secure many different network applications. Examples of network applications include web browsers, electronic mail (“e-mail”), instant messaging (“IM”), and database access.
A modern network is likely to have multiple network devices and technologies deployed, including security devices (e.g., IDS scanners, AV scanners, and e-mail scanners), as well as host-based security software installed on server and desktop endpoints. Depending on the route a particular flow of network traffic takes, the traffic may be scanned by a particular security technology once or many times. In fact, desktop and laptop computers are taking on a large part of the burden of securing network data streams via host-based security software such as firewalls, AV programs, spam scanners, and IDS software. This redundant scanning of network traffic places unnecessary load on already burdened security devices and network hosts, and increases the likelihood of network bottlenecks or device failures.
With multiple security devices in a network securing a particular traffic stream, ensuring that the network secures that stream efficiently becomes an issue. Currently, each device scans all traffic to the best of its capability; therefore, traffic flowing through multiple gateways, devices, and desktops within a network may be scanned multiple times simply to ensure that it gets scanned at all. For example, a network administrator can configure an AV scanner to scan network traffic for viruses if the traffic is coming from a specific security gateway known not to scan for viruses. However, the AV scanner has no visibility behind that gateway, and it is possible that another device behind the gateway has already scanned the traffic for viruses. Furthermore, as networks become more complex and contain more security devices, the task of configuring individual devices to create a network that is both secure and efficient becomes impossibly difficult. Consequently, in all likelihood, each security device will be configured to scan all traffic to the best of its capability. While this setup ensures the security of the network traffic, it is an inefficient use of network resources.
Accordingly, there is a need for systems and methods that orchestrate data security scanning in a network comprising multiple security devices and technologies. It is desirable that such systems and methods ensure that all network traffic through and into the network is secured to the level configured by the network administrator, while sharing the burden of securing that traffic across the many devices capable of providing such security.
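The redundant-scanning problem of the preceding paragraphs and the orchestration goal stated above can be made concrete with a small model. This is an added illustration, not part of the patent text; the device names, their capabilities, the required-technology set, and the coordinated policy (each device performs only administrator-required scans that no upstream device has already applied) are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    """A network device and the scan technologies it can perform (constructed)."""
    name: str
    capabilities: frozenset

@dataclass
class Flow:
    """Traffic routed through path in order; scanned_by maps tech -> device names."""
    path: list
    scanned_by: dict = field(default_factory=dict)

def scan_independent(flow):
    """Status quo: every device scans the flow with everything it has."""
    for dev in flow.path:
        for tech in sorted(dev.capabilities):
            flow.scanned_by.setdefault(tech, []).append(dev.name)
    return flow.scanned_by

def scan_coordinated(flow, required):
    """Assumed orchestration: apply only required techs not yet applied upstream."""
    for dev in flow.path:
        for tech in sorted(dev.capabilities & required):
            if tech not in flow.scanned_by:
                flow.scanned_by[tech] = [dev.name]
    return flow.scanned_by

def redundant_scans(scanned_by):
    """Number of scans beyond the first for each technology."""
    return sum(len(devs) - 1 for devs in scanned_by.values())

def unmet(scanned_by, required):
    """Required technologies that no device on the path applied."""
    return set(required) - set(scanned_by)

# Constructed sample route: WAN gateway -> e-mail scanner -> desktop host.
GATEWAY = Device("wan-gateway", frozenset({"ids", "av", "content-filter"}))
MAIL_SCANNER = Device("mail-scanner", frozenset({"av", "anti-spam"}))
DESKTOP = Device("desktop-host", frozenset({"firewall", "av", "anti-spam", "ids"}))
PATH = [GATEWAY, MAIL_SCANNER, DESKTOP]
REQUIRED = frozenset({"av", "anti-spam", "ids"})  # administrator's configured level

if __name__ == "__main__":
    ind = scan_independent(Flow(list(PATH)))
    coord = scan_coordinated(Flow(list(PATH)), REQUIRED)
    print("independent:", ind, "redundant:", redundant_scans(ind))
    print("coordinated:", coord, "redundant:", redundant_scans(coord), "unmet:", unmet(coord, REQUIRED))
```

On the sample route the independent policy scans for viruses three times and produces four redundant scans in total, while the coordinated policy meets every required technology exactly once.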