1. Field of the Invention
This invention relates generally to the field of network communication systems and, more particularly to security systems for use with network communication systems.
2. Related Art
A set of inter-connected computer networks that spans a relatively large geographical area is called a wide area network (WAN). Typically, a WAN consists of two or more local-area networks (LANs). Computers connected to a WAN are often connected through public networks, such as the telephone system. They can also be connected through leased lines or satellites. The largest WAN in existence is the Internet.
The Internet is a public, world-wide WAN defined by the IP (Internet Protocol) suite of protocols, which has in recent years gone from being a tool used primarily in scientific and military fields to become an important part of the missions of a wide variety of organizations. Organizations often run one or more LANs and connect their LANs to the Internet to share information with the cyber world in general, and with other organization-run LANS that may be remotely located. However, along with providing new levels of connectivity and sources of information, connection to the Internet or to a private WAN has brought security risks in the form of adversaries seeking to disrupt or infiltrate the organization's mission by interfering with or monitoring the organizations' networks.
Several security devices that exist today are designed to keep external adversaries from obtaining access to a LAN. Firewalls, for example, protect the LAN against unauthorized access by allowing only communications data (commonly called datagrams or “packets”) from known machines to pass. This is accomplished by monitoring network IP addresses on these packets, which correspond uniquely to a particular machine, and TCP service ports, which usually map into a specific type of software application such as mail, ftp, http and the like. The firewall then determines whether to allow or disallow entry of the packet into the LAN as it deems appropriate.
Virtual Private Network (VPN) and other Internet Protocol Security (IPsec) devices protect against unauthorized interception of transmitted data by encrypting the entire packet. For example, a VPN (in tunnel mode) wraps outgoing datagrams with its own header and sends the encrypted packet to a destination VPN. A limitation of VPNs, however, is that adversaries can determine where the VPN devices are located in the network, since each VPN has a specific IP address. Accordingly, a VPN does not hide its location in the network, and is therefore vulnerable to an attack once its location is known. Similarly, other security technology, such as configured routers, Secure Socket Layer (SSL) and host-based Internet Protocol Security (IPsec) fail to obscure the location of nodes inside a network.
Although prior art techniques are generally good for their intended purposes, they do not address the problem of detecting intrusion attempts against the network. To alert against possible intrusion attempts, network administrators have turned to intrusion detection sensing (IDS) technology. IDS technology is used to ascertain the level of adversary activity on the LAN and to monitor the effectiveness of other security devices, such as those discussed above. IDS products work by looking for patterns of known attack, including network probes, specific sequences of packets representing attacks (called known intrusion patterns, or KIPs), and the like. An administrator uses IDS technology primarily to determine the occurrence of any adversarial activity, information useful in evaluating the effectiveness of current security technology and justifying additional commitment to network security.
In addition to protecting transmitted data, an organization may wish to prevent unauthorized parties from knowing the topology of their LANs. Existing security techniques do not completely secure a network from adversaries who employ traffic mapping analysis. Data packets exchanged across networks carry not only critical application data, but also contain information that can be used to identify machines involved in the transactions.
Today's sophisticated adversaries employ network-level “sniffers” to passively monitor freely transmitted network traffic and thereby gather critical network topology information, including the identities of machines sending and receiving data and the intermediate security devices that forward the data. The sophisticated adversary can use this identity information to map internal network topologies and identify critical elements such as: roles of the servers, clients and security devices on the network, classes of data associated with specific servers, and relative mission importance of specific machines based on network traffic load. The adversary can then use this network map information to plan a well-structured, network-based attack.
Recently, a network security technique has been developed that addresses this problem by concealing the identities of machines and topology in the LAN. The technology was developed by the assignee of the present application, and is described in U.S. patent application Ser. No. 09/594,100, entitled Method and Apparatus for Dynamic Mapping and hereby incorporated by reference. The Dynamic Mapping technique hides machine identities on IP data packets by translating source and destination addresses just prior to transmitting them over the Internet. When packets arrive at an authorized destination, a receiving device programmed with the Dynamic Mapping technique restores the source and destination addresses (according to a negotiated scheme) and forwards the packets to the appropriate host on its LAN.
While the Dynamic Mapping technique represents a significant advancement in the field of network security, a fundamental limitation of the technique is that it is a time-based, fixed-key system, i.e., all packets matching a given destination address are consistently translated, or mapped, to a fixed “other” destination address for a given interval of time. When that time interval expires, the mapping is changed to something else. Thus, the time-based nature of the technique requires strict synchronization between endpoints, and can make operations difficult.
Besides the operational difficulties with a time-based system, the length of each translation time interval is sufficient for an adversary to extrapolate information from observed communications, even though observed addresses are false. Furthermore, adversaries are able to enact active attacks by sending forged packets to the false addresses knowing that they will reach their true destination. A further limitation is that the Dynamic Mapping technique was designed as a fixed-association security system, requiring fixed keys to be established between the client and server. This effectively binds clients to a specific server, limiting the flexibility of the system and preventing autonomous negotiations with other servers.
There exists, therefore, a great need for a method of concealing the identities of LAN machines and topology that takes an entirely fresh approach, departs from the time-dependant systems of the past, and provides a security technique that is more robust and more difficult to defeat. The technique should ideally allow for construction of network access devices, such as routers, that offer the benefits of Dynamic Mapping to protect an enclave of computers. In addition, these devices should be flexible enough to be self-discovering, able to negotiate mapping parameters with one another on a need-based, authorized basis.