Inline intrusion detection using a single physical port

US 7,555,774 B2
Filed: 08/02/2004
Issued: 06/30/2009
Est. Priority Date: 08/02/2004
Status: Active Grant

First Claim

Patent Images

1. A method for inline intrusion detection, comprising:

receiving a packet at a physical interface of an intrusion detection system, wherein the packet is tagged with a first VLAN identifier associated with an external network;

buffering the packet at the physical interface;

communicating a copy of the packet to a processor;

analyzing the copy of the packet at the processor to determine whether the packet includes an attack signature;

communicating a reply message from the processor to the interface indicating whether the packet includes an attack signature; and

if the packet does not contain an attack signature;

re-tagging the buffered copy of the packet with a second VLAN identifier associated with a protected network; and

communicating the re-tagged packet to the protected network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with one embodiment of the present invention, a method for inline intrusion detection includes receiving a packet at a physical interface of an intrusion detection system. The packet is tagged with a first VLAN identifier associated with an external network. The network further includes buffering the packet at the physical interface, communicating a copy of the packet to a processor, and analyzing the copy of the packet at the processor to determine whether the packet includes an attack signature. The method also includes communicating a reply message from the processor to the interface indicating whether the packet includes an attack signature. If the packet does not contain an attack signature the buffered copy of the packet is re-tagged with a second VLAN identifier associated with a protected network and re-tagged packet is communicated to the protected network.

Citations

17 Claims

1. A method for inline intrusion detection, comprising:
- receiving a packet at a physical interface of an intrusion detection system, wherein the packet is tagged with a first VLAN identifier associated with an external network;
  
  buffering the packet at the physical interface;
  
  communicating a copy of the packet to a processor;
  
  analyzing the copy of the packet at the processor to determine whether the packet includes an attack signature;
  
  communicating a reply message from the processor to the interface indicating whether the packet includes an attack signature; and
  
  if the packet does not contain an attack signature;
  
  re-tagging the buffered copy of the packet with a second VLAN identifier associated with a protected network; and
  
  communicating the re-tagged packet to the protected network.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - receiving the packet from the external network at a network gateway;
      
      tagging the packet with the first VLAN identifier at the network gateway; and
      
      communicating the packet to the interface.
  - 3. The method of claim 2, wherein the step of communicating the re-tagged packet to the protected network comprises:
    - communicating the re-tagged packet to a first port of the network gateway; and
      
      communicating the re-tagged packet to the protected network using a second port of the network gateway.
  - 4. The method of claim 2, wherein communicating the packet to the interface comprises:
    - generating a copy of the packet for each of a plurality of ports of the network gateway, wherein one of the ports is coupled to the interface; and
      
      communicating one of the copies of the packet from each of the ports.
  - 5. The method of claim 1, wherein the size of the reply message is less than the size of the packet.

6. Logic embodied in a computer-readable medium operable to perform the steps of:
- receiving a packet at a physical interface of an intrusion detection system, wherein the packet is tagged with a first VLAN identifier associated with an external network;
  
  buffering the packet at the physical interface;
  
  communicating a copy of the packet to a processor;
  
  analyzing the copy of the packet at the processor to determine whether the packet includes an attack signature;
  
  communicating a reply message from the processor to the interface indicating whether the packet includes an attack signature; and
  
  if the packet does not contain an attack signature;
  
  re-tagging the buffered copy of the packet with a second VLAN identifier associated with a protected network; and
  
  communicating the re-tagged packet to the protected network.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The logic of claim 6, further operable to perform the steps of:
    - receiving the packet from the external network at a network gateway;
      
      tagging the packet with the first VLAN identifier at the network gateway; and
      
      communicating the packet to the interface.
  - 8. The logic of claim 7, wherein the step of communicating the re-tagged packet to the protected network comprises:
    - communicating the re-tagged packet to a first port of the network gateway; and
      
      communicating the re-tagged packet to the protected network using a second port of the network gateway.
  - 9. The logic of claim 7, wherein the step of communicating the packet to the interface comprises:
    - generating a copy of the packet for each of a plurality of ports of the network gateway, wherein one of the ports is coupled to the interface; and
      
      communicating one of the copies of the packet from each of the ports.
  - 10. The logic of claim 6, wherein the size of the reply message is less than the size of the packet.

11. A system, comprising:
- means for receiving a packet at a physical interface of an intrusion detection system, wherein the packet is tagged with a first VLAN identifier associated with an external network;
  
  means for buffering the packet at the physical interface;
  
  means for communicating a copy of the packet to a processor, wherein the processor is operable to analyze the copy of the packet at the processor to determine whether the packet includes an attack signature;
  
  means for communicating a reply message from the processor to the interface indicating whether the packet includes an attack signature; and
  
  means for re-tagging the buffered copy of the packet with a second VLAN identifier associated with a protected network if the packet does not contain an attack signature; and
  
  means for communicating the re-tagged packet to the protected network.
- View Dependent Claims (12)
- - 12. The system of claim 11, further comprising:
    - means for receiving the packet from the external network at a network gateway;
      
      means for tagging the packet with the first VLAN identifier at the network gateway; and
      
      means for communicating the packet to the interface.

13. An intrusion detection system, comprising:
- an interface operable to;
  
  receive a packet, wherein the packet is tagged with a first VLAN identifier associated with an external network;
  
  buffer the packet at the interface;
  
  communicate a copy of the packet to a processor;
  
  re-tag the packet with a second VLAN identifier associated with a protected network; and
  
  communicate the packet to the protected network; and
  
  the processor operable to;
  
  analyze the copy of the packet to determine if it includes an attack signature; and
  
  communicate a reply message to the interface indicating whether the packet includes an attack signature, wherein the interface re-tags and communicates the packet only if the reply message indicates that the packet does not include an attack signature.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system of claim 13, further comprising a network gateway operable to:
    - receive the packet from the external network;
      
      tag the packet with the first VLAN identifier at the network gateway; and
      
      communicate the packet to the interface.
  - 15. The system of claim 14, wherein:
    - the interface is further operable to communicate the re-tagged packet to a first port of the network gateway; and
      
      the network gateway is further operable to communicate the re-tagged packet to the protected network using a second port of the network gateway.
  - 16. The system of claim 14, wherein the network gateway is further operable to:
    - generate a copy of the packet for each of a plurality of ports of the network gateway, wherein one of the ports is coupled to the interface; and
      
      communicate one of the copies of the packet from each of the ports.
  - 17. The system of claim 13, wherein the size of the reply message is less than the size of the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sirrianni, Joseph M., Wiley, Kevin L., Hall, Michael Lee, Hossain, Munawar
Primary Examiner(s)
SMITHERS, MATTHEW

Application Number

US10/910,194
Publication Number

US 20060023709A1
Time in Patent Office

1,793 Days
Field of Search

726/22, 726/23
US Class Current

726/22
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1416 Event detection, e.g. attac...

Inline intrusion detection using a single physical port

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Inline intrusion detection using a single physical port

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links