The invention relates to integrated policy enforcement systems for computer networks. In particular the invention provides a method and system for evaluating data packets against configured rules and mapping the packets to the rules that have matched for an integrated policy enforcement system.
The emergence and advancement of networks and networking technologies has revolutionized information exchange between organizations. A network may be defined as a group of computers and associated devices that are connected via communication links. These communication links can be wireless communication links. All the devices connected over a network are capable of communicating (i.e. sending and receiving information) with other devices connected to the network.
A network can range from one that connects a few devices in a single office to one that spans continents and connects several thousand computers and associated devices. Networks are generally classified as Local Area Networks (LANs) and Wide Area Networks (WANs) based on the geographic area they cover. A LAN is a network connecting servers, computers and associated devices within a small geographic area. LANs are widely used to connect servers, computers and devices in organizations to exchange information. A WAN is a network that links at least two LANs, which are spread over a wide geographic area. A network of an organization connecting the devices and resources of the organization is called an intranet. The devices and resources in an intranet may be connected over a LAN or WAN. The globally interlinked collection of LANs, WANs and intranets is called the Internet. The Internet can thus be called a network of networks. The Internet allows exchange of information between the LANs, WANs and intranets that are connected to it.
Most organizations link their intranets with the Internet to allow information exchange with different organizations. Information exchange involves transfer of data packets. Organizations allow legitimate users on the Internet to access their intranets for information exchange. Legitimate users are people outside the organization who have authorization from the organization to access its intranet. Such information exchange poses a security risk as the organization's intranet becomes accessible to outsiders. Illegitimate users can change data, gain unauthorized access to data, destroy data, or make unauthorized use of computer resources. These security issues require organizations to implement safeguards that ensure security of their networks.
Various solutions are available to deal with such security issues. Most of these solutions implement a security policy on network traffic to address security concerns and are known as ‘policy enforcement systems’. Network traffic comprises data packets flowing through the network. The policy comprises a set of rules that check data packets flowing through the network for irregularities. The rules comprise conditions that are checked against properties of the data packets. Based on the outcome of this check, the security solution regulates network traffic.
One of the commonly used security solutions that implement a policy is a firewall. Firewalls are installed between an organization's intranet and the Internet. Firewalls, being policy-based security devices, selectively allow or disallow data packets from entering or leaving the organization's intranet.
Firewalls inspect each data packet entering or leaving the intranet against a set of rules. Hence, the performance of a firewall suffers with an increase in the number of rules, because each data packet has to be checked against an increased number of rules. This decreases the number of packets that the firewall can process per unit time. Moreover, an increase in the volume of network traffic increases the number of packets that have to be checked against the rules per unit time. Due to these limitations, conventional firewall systems are capable of implementing only a limited number of rules and can handle only a limited volume of network traffic.
An effort to overcome these problems has been made by US Patent Application No. US 2002/0032773 assigned to SERVGATE Technology, Inc. and titled “System, method and computer software product for network firewall fast policy lookup”. The patent application describes a system and method that improves the speed of rule lookup in firewalls. Firewalls store all the rules against which the data packets passing through the firewall have to be checked. For implementing security, firewalls perform a table lookup, which involves validating a data packet against the rules defined in the policy table. The patent application describes a method that allows for faster rule lookup than conventional firewall systems, which is achieved by simplifying the table lookup process.
Though most networks are protected by firewalls, firewalls do not provide a complete security solution. This is because firewalls can be circumvented through various techniques such as “tunneling” and “back doors”. Moreover, a firewall alone cannot provide information regarding any attack that is successfully repelled, although such information could be used to block similar attacks in future. Intrusion Detection Systems (IDS) are thus used as a protection against such attempts to exploit the devices connected over the network.
Intrusion Detection Systems adopt either a network-based or a host-based approach to recognize and stop attacks. In both cases, the IDS looks for attack signatures. Attack signatures are patterns that indicate harmful intent. If an IDS checks for such patterns in network traffic, it is said to be following a network-based approach, whereas if an IDS searches for attack signatures in log files, it is said to be following a host-based approach. Log files contain records of events and activities taking place at individual computers and associated devices. If an attack is detected, the IDS may take corrective measures such as administrator notification and connection termination.
Network-based IDS is essentially used for detecting attacks that emanate from outside the organization's intranet. Typically, network-based IDS use two approaches to analyze the network traffic, viz. pattern matching and anomaly detection. Pattern matching involves comparison of network traffic with signatures of known attacks. These signatures are generally stored in a database and serve as the basis of comparison with the network traffic. In anomaly detection, the IDS checks for any unusual activity in the network traffic. An unusual activity is defined as one that deviates to a large extent from the normal state of the network traffic. If the IDS finds any such activity, it generates an alert such as an administrator notification.
The above-mentioned security systems may be deployed by Internet Service Providers (ISPs) to ensure the safety of their customers' intranets. ISPs provide these security services to their customers in addition to various other services such as ‘Quality of Service’. ‘Quality of Service’ refers to the ability of an ISP to provide a customer with the best available services based on the terms and conditions of their agreement. ISPs need to implement policies in order to make such decisions.
Each of the above-mentioned policy enforcement systems has its own inherent advantages. For ISPs and large organizations it becomes necessary to integrate two or more of the above systems to provide enhanced security and services. For example, an organization may wish to deploy a network-based IDS behind a firewall. This configuration provides enhanced security, as it raises an alert for incoming network packets that may have circumvented the firewall. Thus, integrated systems have the potential of offering enhanced security.
An effort in this direction has been made by U.S. Pat. No. 5,996,077 assigned to Cylink Corporation, of Sunnyvale, Calif., USA, and titled “Access control system and method using hierarchical arrangement of security devices”. The patent describes a system and method for coupling two or more security devices to create an integrated security system that offers enhanced security. The integrated security system is installed between the intranet of an organization and the Internet and receives network traffic consisting of data packets. These data packets are passed through a plurality of security devices that have rules of descending strictness. The first security device receives the data packet and tries to process it using the security rules defined for the first device. If the first security device is not able to process the packet, the packet is passed to the second security device for possible processing using the security rules defined for the second device. The process of passing the data packet to the next security device is repeated until the data packet is processed or until the last security device passes the data packet as unprocessed. This system requires the plurality of security devices to have rules of descending strictness. Moreover, processing of data packets by every security device involves rechecking some of the conditions defined in the rules, because a condition that was already checked by one device may be evaluated again when the data packet passes through subsequent security devices. This reprocessing makes the above system inefficient if there are a large number of policies to be implemented or if the volume of network traffic increases.
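The following added example (not code from either cited patent) illustrates the inefficiency described above: a hierarchical chain where each device re-evaluates its own rule conditions from scratch, beside an integrated lookup that evaluates each distinct condition once and maps the packet to every rule that matched across all devices. The device names, rules, packet fields and sample packet are constructed for illustration; both functions return the matched rule names together with the number of condition evaluations performed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    """One property check on a packet; frozen so it is hashable and can be cached."""
    field: str
    value: object
    def holds(self, packet: dict) -> bool:
        return packet.get(self.field) == self.value

# Constructed sample policies for three chained devices (illustrative names only).
# A rule is (name, conditions); every condition must hold for the rule to match.
FIREWALL = [("fw-allow-web", (Condition("proto", "tcp"), Condition("dst_port", 80))),
            ("fw-allow-ssh", (Condition("proto", "tcp"), Condition("dst_port", 22)))]
IDS = [("ids-tls-probe", (Condition("proto", "tcp"), Condition("dst_port", 443),
                          Condition("flag", "probe")))]
QOS = [("qos-https", (Condition("proto", "tcp"), Condition("dst_port", 443)))]
DEVICES = [FIREWALL, IDS, QOS]
SAMPLE_PACKET = {"proto": "tcp", "dst_port": 443, "flag": "probe"}  # constructed

def chained_lookup(devices, packet):
    """Hierarchical chain: each device re-evaluates its own rules from scratch; the packet
    reaches the next device only if no rule of the current device matched.
    Returns (matched rule names, number of condition evaluations performed)."""
    evaluations = 0
    for rules in devices:
        matched = []
        for name, conditions in rules:
            for cond in conditions:
                evaluations += 1
                if not cond.holds(packet):
                    break
            else:
                matched.append(name)
        if matched:  # processed here; later devices never see this packet
            return matched, evaluations
    return [], evaluations

def integrated_lookup(devices, packet):
    """Integrated enforcement: each distinct condition is evaluated at most once and the
    packet is mapped to every rule, across all devices, whose conditions all held."""
    cache = {}
    def check(cond):
        if cond not in cache:
            cache[cond] = cond.holds(packet)
        return cache[cond]
    matched = [name for rules in devices for name, conditions in rules
               if all(check(c) for c in conditions)]
    return matched, len(cache)
```

For the sample packet the chain performs seven condition evaluations and stops at the IDS, whereas the integrated lookup performs five and also reports the matching QoS rule.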
In light of the foregoing, what is required is a network security system that offers the capability of integrating two or more security devices to offer enhanced security. The system should also be capable of implementing a large number of rules over a large volume of network traffic without adversely affecting its performance.