A computer network typically includes a collection of interconnected computing devices that exchange data and share resources. The devices may include, for example, web servers, database servers, file servers, routers, printers, end-user computers and other devices. The variety of devices may execute a myriad of different services and communication protocols. These services and communication protocols expose the network to security vulnerabilities.
Network administrators deploy security appliances that mitigate vulnerabilities by analyzing inbound and outbound network traffic for known network attack signatures. In addition, such appliances may implement a predetermined set of policies regarding port usage, permissible protocols, access control, and the like. While firewalls are the most common security appliances, the category includes IPSec/VPN devices, proxy servers, and other intrusion detection systems (IDS) and intrusion prevention systems (IPS).
These security appliances are generally implemented as embedded systems, i.e., devices having internal processes, firmware and other computing functions that control the operation of the device. The firmware controlling the operation of a security appliance or other embedded system may contain its own vulnerabilities, such as buffer overruns, dangling pointers, mishandled input validation that allows code injection, and others that open the security appliance to exploitation. These vulnerabilities, when discovered, must be quickly resolved in order to prevent unintended and unanticipated behavior by the security appliance as a result of an attack. Replacing the firmware with a new release that resolves the vulnerabilities, however, may require taking the security appliance offline to perform the installation. Because the network no longer has the intrusion detection and prevention protection provided by the security appliance during this time, inbound and outbound traffic will likely be halted by the network administrators, frustrating the goal of maximizing network availability.