Intrusion detection in a data center environment
Abstract
An intrusion detection system (IDS) is capable of identifying the source of traffic, filtering the traffic to classify it as either safe or suspect and then applying sophisticated detection techniques such as stateful pattern recognition, protocol parsing, heuristic detection or anomaly detection either singularly or in combination based on the traffic type. In a network environment, each traffic source is provided with at least one IDS sensor that is dedicated to monitoring a specific type of traffic such as RPC, HTTP, SMTP, DNS, or others. Traffic from each traffic source is filtered to remove known safe traffic to improve efficiency and increase accuracy by keeping each IDS sensor focused on a specific traffic type.
20 Claims
1. In a network environment having a plurality of traffic sources, a system for monitoring traffic on at least a portion of said plurality of traffic sources comprising:
means for copying traffic from each of said plurality of traffic sources;
a plurality of intrusion detection systems, at least one of which is associated with each of said plurality of traffic sources; and
means for redirecting the copied traffic from each of said plurality of traffic sources to said associated one of said plurality of intrusion detection systems. (Dependent claims 2 through 11 not shown.)
12. In a network having at least three subnets, a system for selectively monitoring traffic on each of said subnets comprising:
a plurality of intrusion detection systems;
a switch adapted to identify traffic to be copied;
a VLAN adapted to receive said copied traffic; and
a switch associated with said VLAN adapted for performing a hierarchical determination of the traffic source and the traffic type and for selectively sending said traffic to a selected one of said intrusion detection systems based on the traffic source and the traffic type. (Dependent claims 13 through 15 not shown.)
16. In a network having at least three subnets, a method for selectively monitoring traffic on each of said subnets comprising:
configuring a first switch for copying traffic from each of said subnets;
sending a copy of said copied traffic to a virtual local area network;
determining the source and destination of said traffic;
determining traffic type (layer 4 protocol and layer 4 port);
based on said determining steps, filtering said traffic to remove safe traffic; and
redirecting the filtered traffic to an intrusion detection system. (Dependent claims 17 through 20 not shown.)
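The steps of claim 16 (determine source and destination, determine the layer-4 protocol and port, filter known safe traffic, redirect the rest to a sensor chosen by traffic type, as claim 12 describes) modelled in Python. This is an added example, not code from the patent or its assignee: the sensor names, port-to-sensor mapping, subnets and safe-list rules are all constructed for illustration, and the copy and redirect that the claims place in the switch and VLAN are reduced here to grouping flows per sensor.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Dedicated sensors keyed by layer-4 (protocol, destination port). The sensor
# names and the port assignments are assumptions made for this example.
SENSOR_BY_TYPE = {
    ("tcp", 80): "http-sensor",
    ("tcp", 25): "smtp-sensor",
    ("tcp", 53): "dns-sensor",
    ("udp", 53): "dns-sensor",
    ("tcp", 111): "rpc-sensor",
    ("udp", 111): "rpc-sensor",
}
# Traffic of a type with no dedicated sensor is still inspected, not dropped.
DEFAULT_SENSOR = "generic-sensor"

# Constructed "known safe" rules as (src_net, dst_net, proto, dst_port);
# None in any position is a wildcard.
SAFE_RULES = [
    ("10.0.1.0/24", "10.0.2.0/24", "udp", 53),   # clients -> internal resolvers
    ("10.0.9.0/24", None, "tcp", 5000),          # backup agent to any destination
]


@dataclass(frozen=True)
class Flow:
    """Minimal view of a copied packet: source, destination and layer-4 type."""
    src: str
    dst: str
    proto: str
    dst_port: int


def traffic_type(flow: Flow):
    """Traffic type in the sense of claim 16: layer-4 protocol plus port."""
    return (flow.proto.lower(), flow.dst_port)


def is_safe(flow: Flow) -> bool:
    """Decide from source, destination and type whether a flow is known safe."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    proto, port = traffic_type(flow)
    for src_net, dst_net, r_proto, r_port in SAFE_RULES:
        if src_net is not None and src not in ipaddress.ip_network(src_net):
            continue
        if dst_net is not None and dst not in ipaddress.ip_network(dst_net):
            continue
        if r_proto is not None and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        return True
    return False


def select_sensor(flow: Flow) -> Optional[str]:
    """Name of the sensor the flow is redirected to, or None if filtered out as safe."""
    if is_safe(flow):
        return None
    return SENSOR_BY_TYPE.get(traffic_type(flow), DEFAULT_SENSOR)


def dispatch(flows):
    """Group a batch of copied flows by sensor; safe flows are counted, not forwarded."""
    queues = {}
    filtered = 0
    for flow in flows:
        sensor = select_sensor(flow)
        if sensor is None:
            filtered += 1
            continue
        queues.setdefault(sensor, []).append(flow)
    return queues, filtered


# Constructed sample of traffic copied from three subnets.
SAMPLE = [
    Flow("10.0.1.5", "10.0.2.10", "udp", 53),       # safe: internal DNS
    Flow("10.0.1.5", "192.0.2.7", "tcp", 80),       # web, goes to http-sensor
    Flow("10.0.3.8", "10.0.2.10", "udp", 53),       # DNS from a subnet with no safe rule
    Flow("10.0.3.8", "192.0.2.7", "tcp", 22),       # no dedicated sensor for this type
    Flow("10.0.9.2", "198.51.100.4", "tcp", 5000),  # safe: backup agent
]

if __name__ == "__main__":
    queues, filtered = dispatch(SAMPLE)
    print(f"filtered {filtered} safe flows")
    for sensor, flows in queues.items():
        print(sensor, [f"{f.src}->{f.dst}:{f.dst_port}/{f.proto}" for f in flows])
```

The safe list is evaluated before the type lookup on purpose: the abstract's efficiency argument is that each sensor only ever sees its own traffic type with known-good flows already removed, so a DNS flow from a subnet without a safe rule still reaches the DNS sensor while the same flow from the whitelisted client subnet is never copied onward.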