Inline intrusion detection using a single physical port
First Claim
1. A method for inline intrusion detection, comprising:
receiving a packet at a physical interface of an intrusion detection system, wherein the packet is tagged with a first VLAN identifier associated with an external network;
buffering the packet at the physical interface;
communicating a copy of the packet to a processor;
analyzing the copy of the packet at the processor to determine whether the packet includes an attack signature;
communicating a reply message from the processor to the interface indicating whether the packet includes an attack signature; and
if the packet does not contain an attack signature:
re-tagging the buffered copy of the packet with a second VLAN identifier associated with a protected network; and
communicating the re-tagged packet to the protected network.
Abstract
In accordance with one embodiment of the present invention, a method for inline intrusion detection includes receiving a packet at a physical interface of an intrusion detection system. The packet is tagged with a first VLAN identifier associated with an external network. The method further includes buffering the packet at the physical interface, communicating a copy of the packet to a processor, and analyzing the copy of the packet at the processor to determine whether the packet includes an attack signature. The method also includes communicating a reply message from the processor to the interface indicating whether the packet includes an attack signature. If the packet does not contain an attack signature, the buffered copy of the packet is re-tagged with a second VLAN identifier associated with a protected network and the re-tagged packet is communicated to the protected network.
17 Claims
1. A method for inline intrusion detection, comprising:
receiving a packet at a physical interface of an intrusion detection system, wherein the packet is tagged with a first VLAN identifier associated with an external network;
buffering the packet at the physical interface;
communicating a copy of the packet to a processor;
analyzing the copy of the packet at the processor to determine whether the packet includes an attack signature;
communicating a reply message from the processor to the interface indicating whether the packet includes an attack signature; and
if the packet does not contain an attack signature:
re-tagging the buffered copy of the packet with a second VLAN identifier associated with a protected network; and
communicating the re-tagged packet to the protected network.
Dependent claims: 2, 3, 4, 5.

6. Logic embodied in a computer-readable medium operable to perform the steps of:
receiving a packet at a physical interface of an intrusion detection system, wherein the packet is tagged with a first VLAN identifier associated with an external network;
buffering the packet at the physical interface;
communicating a copy of the packet to a processor;
analyzing the copy of the packet at the processor to determine whether the packet includes an attack signature;
communicating a reply message from the processor to the interface indicating whether the packet includes an attack signature; and
if the packet does not contain an attack signature:
re-tagging the buffered copy of the packet with a second VLAN identifier associated with a protected network; and
communicating the re-tagged packet to the protected network.
Dependent claims: 7, 8, 9, 10.

11. A system, comprising:
means for receiving a packet at a physical interface of an intrusion detection system, wherein the packet is tagged with a first VLAN identifier associated with an external network;
means for buffering the packet at the physical interface;
means for communicating a copy of the packet to a processor, wherein the processor is operable to analyze the copy of the packet at the processor to determine whether the packet includes an attack signature;
means for communicating a reply message from the processor to the interface indicating whether the packet includes an attack signature;
means for re-tagging the buffered copy of the packet with a second VLAN identifier associated with a protected network if the packet does not contain an attack signature; and
means for communicating the re-tagged packet to the protected network.
Dependent claims: 12.

13. An intrusion detection system, comprising:
an interface operable to:
receive a packet, wherein the packet is tagged with a first VLAN identifier associated with an external network;
buffer the packet at the interface;
communicate a copy of the packet to a processor;
re-tag the packet with a second VLAN identifier associated with a protected network; and
communicate the packet to the protected network; and
the processor operable to:
analyze the copy of the packet to determine if it includes an attack signature; and
communicate a reply message to the interface indicating whether the packet includes an attack signature,
wherein the interface re-tags and communicates the packet only if the reply message indicates that the packet does not include an attack signature.
Dependent claims: 14, 15, 16, 17.
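The flow described in the abstract and in claims 1, 6, 11 and 13 (buffer at the interface, send a copy to the processor, act on its reply, re-tag from the external VLAN to the protected VLAN) can be modelled in a few lines. The following is an added illustration, not code from the patent; the VLAN ids, the attack signatures and the 802.1Q frame builder are constructed for the example.

```python
# Added example (not from the patent): a minimal model of the single-port inline IDS
# in the abstract and claims. VLAN ids and signatures below are constructed values.
import struct

ETHERTYPE_8021Q = 0x8100
EXTERNAL_VLAN = 100      # assumed: VLAN id of the external (untrusted) network
PROTECTED_VLAN = 200     # assumed: VLAN id of the protected network
# Constructed attack signatures: byte patterns the processor looks for in the payload.
SIGNATURES = [b"/etc/passwd", b"\x90" * 8]

def build_frame(vid, payload, dst=b"\xaa" * 6, src=b"\xbb" * 6, ethertype=0x0800):
    """Build an 802.1Q-tagged Ethernet frame (constructed test input)."""
    tci = vid & 0x0FFF          # PCP=0, DEI=0, 12-bit VID
    return (dst + src + struct.pack("!HH", ETHERTYPE_8021Q, tci)
            + struct.pack("!H", ethertype) + payload)

def vlan_id(frame):
    """Return the VLAN id of a tagged frame, or None if the frame is untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == ETHERTYPE_8021Q else None

def retag(frame, new_vid):
    """Rewrite only the 12-bit VID; PCP/DEI bits and the rest of the frame are kept."""
    tci = struct.unpack("!H", frame[14:16])[0]
    tci = (tci & 0xF000) | (new_vid & 0x0FFF)
    return frame[:14] + struct.pack("!H", tci) + frame[16:]

def processor_analyze(copy):
    """The 'processor' side: reply True if any attack signature is in the payload."""
    payload = copy[18:]         # 12 bytes MACs + 4 bytes 802.1Q tag + 2 bytes ethertype
    return any(sig in payload for sig in SIGNATURES)

def interface_handle(frame):
    """The 'interface' side: buffer the frame, hand a copy to the processor,
    then act on the reply. Returns the re-tagged frame to forward to the
    protected VLAN, or None if the frame is dropped (this model's choice for
    frames that are not from the external VLAN or that carry a signature)."""
    if vlan_id(frame) != EXTERNAL_VLAN:
        return None
    buffered = bytes(frame)                          # original stays at the interface
    reply_has_attack = processor_analyze(bytes(frame))  # only a copy goes to the processor
    if reply_has_attack:
        return None                                  # reply says attack: drop the buffer
    return retag(buffered, PROTECTED_VLAN)           # clean: re-tag and forward
```

Because only the 12-bit VID is rewritten, the forwarded frame is byte-identical to the buffered one apart from the tag, which is the property the claims rely on for the single physical port to serve both networks.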
Specification