Automated containment of network intruder
Abstract
The invention in the preferred embodiment features a system (200) and method for automatically segregating harmful traffic from other traffic at a plurality of network nodes including switches and routers. In the preferred embodiment, the system (200) comprises an intrusion detection system (105) to determine the identity of an intruder and a server (130) adapted to automatically install an isolation rule on the one or more network nodes (114, 115, 116) to quarantine packets from the intruder. The isolation rule in the preferred embodiment is a virtual local area network (VLAN) rule or access control list (ACL) rule that causes the network node to route any packets from the intruder into a quarantine VLAN or otherwise isolate the traffic from other network traffic. In large networks, the isolation rule may be installed on a select plurality of network nodes under the gateway router (104) associated with the node at which the intruder first entered the network (100).
16 Claims
1. A system for containing traffic in a data communications network, the system comprising:
one or more switching devices;
an intrusion detection system to determine the identity of an intruder; and
a server, operatively coupled to the intrusion detection system, adapted to automatically:
generate an isolation rule associating the identified intruder with an isolation action; and
install the isolation rule on each of the one or more switching devices;
wherein each of the one or more switching devices executes the isolation action upon receipt of a protocol data unit (PDU) from the identified intruder.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A system for containing a client device in a network comprising one or more routers including a first router associated with a network segment including the client device, the system comprising:
one or more switches operatively connected to the network segment associated with the first router; and
a central management node adapted to:
receive an intrusion detection with a source address from an intrusion detection entity, the source address associated with the client device;
identify the first router from among the one or more routers;
generate a rule to map PDUs having the source address associated with the client device to a penalty virtual local area network (VLAN) separate from other network traffic; and
transmit the rule to each of said one or more switches;
wherein each of the one or more switches maps PDUs having the source address associated with the client device to the penalty VLAN.

11. A method for containing traffic in a data communications network having one or more switching devices, the method comprising the steps of:
identifying an intruder in a network;
automatically generating an isolation rule associating the identified intruder with an isolation action; and
installing the isolation rule on each of the one or more switching devices;
wherein each of the one or more switching devices executes the isolation action upon receipt of a PDU from the identified intruder.
Dependent claims: 12, 13, 14, 15, 16.
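The abstract and claims 1, 10 and 11 describe one control loop: an intrusion detection entity reports a source address, a central management node locates the gateway router whose segment contains that address, generates an isolation rule (a VLAN remap or an ACL), installs it only on the switches under that router, and each switch then acts on any PDU carrying the intruder's source address. The following simulation of that loop is an added example written for this page; it is not code from the patent or its assignee. The two-router topology, the addresses, the VLAN ids (999 as the penalty VLAN, 10 as the production VLAN) and the rule "kind" field (vlan remaps, acl drops) are all assumed for illustration. It also shows the two cases a practitioner checks first: a rule is scoped to the intruder's own segment and does not reach switches under another router, and an alert naming an address outside every managed segment installs nothing.

```python
"""Simulation of automated intruder containment: IDS alert -> central
management node -> isolation rule -> switches under the intruder's router.
Topology, addresses and VLAN ids are constructed for illustration."""
from dataclasses import dataclass, field
import ipaddress

PENALTY_VLAN = 999          # assumed quarantine (penalty) VLAN id
DEFAULT_VLAN = 10           # assumed production VLAN for untouched traffic


@dataclass(frozen=True)
class IsolationRule:
    src: str                 # intruder source address the rule matches on
    kind: str                # "vlan" remaps to the penalty VLAN, "acl" drops
    vlan: int = PENALTY_VLAN


@dataclass
class Switch:
    name: str
    rules: dict = field(default_factory=dict)   # src address -> IsolationRule

    def install(self, rule):
        self.rules[rule.src] = rule

    def forward(self, pdu):
        """Execute the isolation action on receipt of a PDU from the intruder.
        Returns the PDU annotated with the VLAN it leaves on, or None when an
        ACL rule drops it; PDUs from other sources stay on the default VLAN."""
        rule = self.rules.get(pdu["src"])
        if rule is None:
            return {**pdu, "vlan": DEFAULT_VLAN}
        if rule.kind == "acl":
            return None
        return {**pdu, "vlan": rule.vlan}


@dataclass
class Router:
    name: str
    segment: ipaddress.IPv4Network       # segment this gateway router fronts
    switches: list                       # switches under this router


class CentralManagementNode:
    def __init__(self, routers, kind="vlan"):
        self.routers = routers
        self.kind = kind
        self.installed = []              # audit log: (rule, switch names)

    def identify_router(self, src):
        """Find the first router whose segment contains the source address."""
        addr = ipaddress.ip_address(src)
        for router in self.routers:
            if addr in router.segment:
                return router
        return None

    def handle_alert(self, alert):
        """Receive an intrusion detection carrying a source address, build the
        rule and push it only to the switches under the intruder's router."""
        router = self.identify_router(alert["src"])
        if router is None:
            # Address is on no managed segment (external or spoofed): there is
            # no edge switch to quarantine it at, so install nothing.
            return None
        rule = IsolationRule(src=alert["src"], kind=self.kind)
        for switch in router.switches:
            switch.install(rule)
        names = [s.name for s in router.switches]
        self.installed.append((rule, names))
        return rule, names


def build_topology():
    """Constructed campus: two gateway routers, two switches under each."""
    r1 = Router("gw1", ipaddress.ip_network("10.1.0.0/24"),
                [Switch("sw1a"), Switch("sw1b")])
    r2 = Router("gw2", ipaddress.ip_network("10.2.0.0/24"),
                [Switch("sw2a"), Switch("sw2b")])
    return [r1, r2]


def demo():
    routers = build_topology()
    cmn = CentralManagementNode(routers)
    # constructed IDS alert naming a host on gw1's segment
    result = cmn.handle_alert({"src": "10.1.0.23", "signature": "port-scan"})
    sw1a = routers[0].switches[0]
    sw2a = routers[1].switches[0]
    quarantined = sw1a.forward({"src": "10.1.0.23", "dst": "10.1.0.1"})
    untouched = sw1a.forward({"src": "10.1.0.24", "dst": "10.1.0.1"})
    # a switch under the other router never received the rule
    other_seg = sw2a.forward({"src": "10.1.0.23", "dst": "10.2.0.1"})
    # alert for an address outside every managed segment installs no rule
    external = cmn.handle_alert({"src": "203.0.113.5", "signature": "port-scan"})
    return result, quarantined, untouched, other_seg, external


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the module prints the rule and switch list for the contained host, the quarantined and untouched PDUs, the unchanged PDU on the other segment, and None for the external alert. Constructing the node with kind="acl" instead makes every switch under the intruder's router drop its PDUs rather than remap them, which is the ACL alternative the abstract mentions.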
Specification