1. Technical Field
The present invention relates to an intrusion protection system (IPS) switch system and a processing method thereof. More specifically, it relates to an IPS switch system that forwards traffic entering the switch to its destination port while simultaneously copying that traffic to an internal port by the port mirroring function of the switch and storing it; inspects the stored packets for maleficence based on a protocol/pattern; applies a blocking control policy (e.g., an Access Control List (ACL)) to an output port of the switch, based on the Internet protocol (IP) or media access control (MAC) information of a terminal found to be maleficent, so that maleficent packets cannot spread; and passes traffic whose destination is outside to an IPS processor, which performs protocol/pattern-based detection and blocking so that only normal packets are transmitted to the outside; and to a processing method thereof.
2. Background Art
Conventional security equipment such as a firewall, IPS, anti-DDoS appliance or web application firewall is installed in the gateway section of a network and used to detect and block maleficent packets transmitted from an external network.
However, mobile terminals for business use (e.g., laptop computers, PDAs, smartphones) are increasing in number, and such terminals may access the internal network while already contaminated from the outside, or maleficence may keep spreading after a terminal of the internal network has been contaminated through an advanced targeted attack. Because these problems arise from communication within the internal network, security equipment installed in the gateway section cannot detect the maleficence.
Products such as security switches, which mount a security function on switch equipment, have been released to detect maleficence spreading between such internal terminals and equipment. However, because a security switch detects maleficence based on network statistics, its accuracy in detecting maleficent packets is low, and it cannot detect the various abnormal protocols and maleficent patterns contained in a payload, as dedicated security equipment can.
Security equipment developers have also attempted to build a switching function into security engines and apply the result to the internal network. However, performing security inspection on all traffic transmitted between internal terminals required too many system resources, and because packets were forwarded only after inspection was complete, the entire service was delayed.
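As an added illustration (not the patent's own implementation) of the processing method described in the technical field section, and of why it avoids the forward-after-inspection delay noted above: a small Python model in which internal traffic is forwarded at once while a mirrored copy is inspected out of band, an ACL is then applied per IP/MAC at the output port, and traffic bound for the outside passes through the inline IPS processor. The signatures, addresses and port map are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed signatures and topology for the example (not from the patent).
MALICIOUS_PATTERNS = [b"TEST-SIGNATURE-A", b"\xde\xad\xbe\xef"]
INTERNAL_PORTS = {"p1": "10.0.0.11", "p2": "10.0.0.12"}  # switch port -> terminal IP
UPLINK = "uplink"  # port toward the external network, reached only through the IPS processor
Packet = namedtuple("Packet", "src_mac src_ip dst_ip payload")

@dataclass
class IpsSwitch:
    acl: set = field(default_factory=set)              # blocked (ip, mac) pairs
    mirror_buffer: list = field(default_factory=list)  # copies stored from the mirror port
    delivered: dict = field(default_factory=dict)      # output port -> payloads that left

    def is_malicious(self, pkt):
        # Protocol/pattern inspection, reduced here to payload signature matching.
        return any(sig in pkt.payload for sig in MALICIOUS_PATTERNS)

    def handle(self, pkt):
        """Return the output port the packet left on, or None if it was dropped."""
        if (pkt.src_ip, pkt.src_mac) in self.acl:
            return None  # ACL applied at the output port blocks the flagged terminal
        out_port = next((p for p, ip in INTERNAL_PORTS.items() if ip == pkt.dst_ip), UPLINK)
        if out_port == UPLINK:
            if self.is_malicious(pkt):  # outbound traffic is inspected inline by the IPS processor
                self.acl.add((pkt.src_ip, pkt.src_mac))
                return None
        else:
            self.mirror_buffer.append(pkt)  # internal traffic: forward now, inspect the copy later
        self.delivered.setdefault(out_port, []).append(pkt.payload)
        return out_port

    def inspect_mirror(self):
        """Inspect stored copies out of band and install ACL entries for offending terminals."""
        flagged = {(p.src_ip, p.src_mac) for p in self.mirror_buffer if self.is_malicious(p)}
        self.mirror_buffer.clear()
        self.acl |= flagged
        return flagged

def run_scenario():
    """Constructed scenario: terminal .12 sends a known pattern internally, .11 stays clean."""
    sw, mac1, mac2 = IpsSwitch(), "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    bad = Packet(mac2, "10.0.0.12", "10.0.0.11", b"xx TEST-SIGNATURE-A xx")
    r = {"bad_first": sw.handle(bad)}   # forwarded without delay, copy mirrored
    r["flagged"] = sw.inspect_mirror()  # detection on the copy installs the ACL
    r["bad_again"] = sw.handle(bad)     # same terminal is now blocked at the output port
    r["clean_out"] = sw.handle(Packet(mac1, "10.0.0.11", "203.0.113.5", b"GET /index.html"))
    r["evil_out"] = sw.handle(Packet(mac1, "10.0.0.11", "203.0.113.5", b"\xde\xad\xbe\xef"))
    return {**r, "delivered": sw.delivered}
```

The first maleficent internal packet still reaches its destination port (mirroring does not hold it back), which is the trade-off this design makes in exchange for not delaying the service; the ACL stops the same terminal from the next packet on.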