1. Field of the Invention
Embodiments of the invention relate generally to the switching of data in network traffic. More particularly, an embodiment of the invention dynamically updates policies used to determine how data received at a switch is to be selectively redirected for security threat inspection.
2. Background Art
The volume and variety of malware poses an ever-increasing threat to switched networking systems. Protection of switched networking systems is enhanced by intelligent network switches capable of collecting and evaluating data on incoming network traffic for modification of switching behavior. The benefits of intelligent switching are enhanced still further by leveraging intrusion prevention systems (“IPSs”) to provide security services to a network switch without being physically in-line with a network traffic flow. “IPS” is understood in the networking arts to refer to a mechanism which may exercise access control to protect devices from security threats.
A network flow, also referred to herein as simply a “flow,” is a sequence of network packets sharing certain characteristics. A common means of characterizing a flow is through use of an “n-tuple,” where n is some number. For example, a 5-tuple is a common way of distinguishing the packets in a given flow based on the common source and destination address, source and destination port, and protocol (5 values total, hence the “5-tuple” label). Other combinations of flow characteristics may also be used in defining a network flow.
A “tiered service” (also referred to herein as a “network service” or, simply, a “service”) is a term used to indicate a type of network traffic (e.g., mail traffic, web traffic, Structured Query Language (SQL) traffic, etc.). Typically, these different types of traffic, or services, communicate using standard port numbers. For example, the standard port number for Simple Mail Transfer Protocol (SMTP) traffic is port 25, using Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). As another example, the standard TCP/UDP port number for File Transfer Protocol (FTP) traffic is port 21. In addition to using a port number, services can be identified based on other characteristics such as source or destination address, protocol, or combinations of port numbers, source and destination addresses, and/or protocol.
Network switches and/or other network devices can filter, redirect, block, and/or forward network traffic based on the traffic's type of service. For example, a switch may be configured to redirect a particular type of traffic, such as mail traffic, to an external device such as an IPS for inspection. In the context of network switching, tiered services are often implemented statically using fixed user configurations. As used herein, “implementing a service” refers to adding or deleting a service in a table, list, etc. of services that is referenced to determine whether to take an action (e.g., blocking, forwarding, redirecting, etc.) on packets flowing through a switch or network device. Methods exist to modify such a table or list of services dynamically—i.e. without the need for a network administrator or other authority to perform these tasks manually. One example of such a method makes these dynamic modifications based on the volume of traffic in a switch (and/or the rate of change in said volume) which is being filtered, redirected, blocked, etc.
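The following is an added illustration, not part of the patent text or any vendor's implementation: it models the service table described above as a mapping from (protocol, destination port) to a switch action, classifies packets by 5-tuple and service, and applies the volume-based dynamic update in which a service exceeding an assumed packet-count threshold is added to the table with a redirect-to-IPS action. The packet dictionaries, initial actions and threshold are constructed for the example; the SMTP (25) and FTP (21) port numbers are those named in the text.

```python
# Added example (not from the patent): a minimal model of a switch service
# table that redirects selected services to an out-of-band IPS, plus a
# volume-based dynamic update of that table as described in the background.
from collections import Counter

# Service table: (protocol, destination port) -> action. Port numbers are the
# standard SMTP/FTP ports named in the text; the initial actions are constructed.
SERVICE_TABLE = {
    ("tcp", 25): "redirect",   # mail traffic is sent to the IPS for inspection
    ("tcp", 21): "forward",    # FTP is forwarded normally (until updated)
}

def five_tuple(pkt):
    """Return the 5-tuple that identifies a packet's flow."""
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])

def service_of(pkt):
    """A service is identified here by protocol and destination port only."""
    return (pkt["proto"], pkt["dport"])

def switch_action(pkt, table=SERVICE_TABLE):
    """Look up block/redirect/forward for a packet; unknown services are forwarded."""
    return table.get(service_of(pkt), "forward")

def dynamic_update(packets, table, threshold):
    """Volume-based update: any service whose packet count in this window
    exceeds `threshold` (an assumed tunable) is added to `table` with a
    redirect action so the IPS inspects it. Returns the services added."""
    counts = Counter(service_of(p) for p in packets)
    added = []
    for svc, n in counts.items():
        if n > threshold and table.get(svc) != "redirect":
            table[svc] = "redirect"
            added.append(svc)
    return added

# Constructed sample traffic window: 3 SMTP packets, 4 FTP packets, 1 HTTP packet.
SAMPLE = (
    [{"src": "10.0.0.5", "dst": "10.0.1.9", "sport": 40000 + i, "dport": 25, "proto": "tcp"} for i in range(3)]
    + [{"src": "10.0.0.7", "dst": "10.0.1.9", "sport": 41000 + i, "dport": 21, "proto": "tcp"} for i in range(4)]
    + [{"src": "10.0.0.8", "dst": "10.0.1.9", "sport": 42000, "dport": 80, "proto": "tcp"}]
)

if __name__ == "__main__":
    table = dict(SERVICE_TABLE)          # work on a copy of the static table
    print([switch_action(p, table) for p in SAMPLE])
    print("added:", dynamic_update(SAMPLE, table, threshold=3))
    print([switch_action(p, table) for p in SAMPLE])  # FTP now redirected
```

With the threshold of 3, only the FTP service (4 packets) crosses it, so the update adds a redirect for (tcp, 21) while SMTP keeps its existing redirect and HTTP stays forwarded.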
However, these modifications are often determined in reference to a set of policies which are themselves static and require manual configuration—e.g. by a network administrator. Static system security policies do not take into account changing network conditions. When network conditions change, an administrator may want to add, delete or modify a system security policy in response to the changed conditions. Manual addition/deletion of system security policy can be burdensome to an administrator and contributes to delays in reacting to the changing network conditions.