Fast network security utilizing intrusion prevention systems
3 Assignments
0 Petitions
Abstract
Intrusion Prevention Systems (“IPSs”) are used to detect and/or prevent intrusion events from infiltrating a computer network. In large computer networks, however, the IPSs cannot analyze network data traffic in the network core quickly enough to keep up with the demand placed on them, which delays the transmission of traffic from source to destination. To avoid this delay, the IPSs can be configured to communicate intelligently with a high-capacity network switch. The IPSs conduct the initial inspection of each traffic flow to determine whether an intrusion event is present. After that initial inspection, the IPS informs the switch what action to take for subsequent traffic, including which future flows the IPSs must inspect and which the switch may block or forward to their destination on its own.
197 Citations
32 Claims
1. A computer-implemented method for providing intrusion protection for a unique packet flow of network data traffic, comprising the steps of:
receiving at a switch a first portion of the unique packet flow;
transmitting a congestion message to an intrusion prevention system in response to a table of packet flow information on the switch approaching its maximum capacity and transmitting a list of one or more packet flows to the intrusion prevention system that can be deleted from the table;
determining at the switch whether a second portion of the unique packet flow has previously been received at the switch;
in response to determining that the second portion of the unique packet flow has not been received at the switch, analyzing the first portion of the unique packet flow at the intrusion prevention system; and
in response to determining that the second portion of the unique packet flow has been received at the switch, checking a value of a single status field corresponding to the unique packet flow, and based on the value, performing one of:
blocking the first portion of the unique packet flow at the switch without communicating information relating to the unique packet flow to a security device; and
transmitting the first portion of the unique packet flow from the switch to its intended destination without communicating information relating to the unique packet flow to the security device.
Dependent claims: 2-14.
15. A system for providing intrusion protection for a unique packet flow of network data traffic, comprising:
a switch operative to:
receive a first portion of the unique packet flow and determine whether a second portion of the unique packet flow has previously been received;
transmit a congestion message to an intrusion prevention system in response to a table of packet flow information on the switch approaching its maximum capacity and transmit a list of one or more packet flows to the intrusion prevention system that can be deleted from the table; and
in response to determining that the second portion of the unique packet flow has been received at the switch, check a value of a single status field corresponding to the unique packet flow, and based on the value, perform one of:
block the first portion of the unique packet flow at the switch without communicating information relating to the unique packet flow to a security device; and
transmit the first portion of the unique packet flow from the switch to its intended destination without communicating information relating to the unique packet flow to the security device; and
one or more intrusion prevention systems operative to analyze the first portion of the unique packet flow in response to a determination that the second portion of the unique packet flow has not been previously received at the switch.
Dependent claims: 16-32.
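The switch/IPS division of labour described in the abstract and in claims 1 and 15 (the first portion of an unknown flow is analyzed by the IPS, the verdict is cached in a single per-flow status field, later packets of that flow are blocked or forwarded by the switch without contacting the IPS, and a congestion message carrying a list of deletable flows is sent when the flow table nears capacity), as an added Python simulation. This is not code from the patent or from any product; the 5-tuple flow key, the byte-signature matcher standing in for IPS analysis, the least-recently-seen choice of eviction candidates, the IPS accepting every candidate, the high watermark, the fallback eviction and all packets are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed flow identity: (src IP, dst IP, src port, dst port, protocol).
FlowKey = Tuple[str, str, int, int, str]

# The single per-flow status field the switch consults once a verdict is cached.
FORWARD = "forward"
BLOCK = "block"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes

    def flow(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


@dataclass
class FlowEntry:
    status: str     # FORWARD or BLOCK
    last_seen: int  # logical clock of the last packet; used to pick eviction candidates


class IPS:
    """Sees only the packets the switch hands over (hypothetical signature matcher)."""

    def __init__(self, signatures: List[bytes]):
        self.signatures = signatures
        self.inspected = 0
        self.congestion_messages: List[List[FlowKey]] = []

    def inspect(self, pkt: Packet) -> str:
        self.inspected += 1
        return BLOCK if any(sig in pkt.payload for sig in self.signatures) else FORWARD

    def on_congestion(self, candidates: List[FlowKey]) -> List[FlowKey]:
        # Assumed policy: record the message and accept every flow the switch proposed.
        self.congestion_messages.append(list(candidates))
        return list(candidates)


class Switch:
    def __init__(self, ips: IPS, capacity: int, high_watermark: int):
        assert 0 < high_watermark <= capacity
        self.ips = ips
        self.capacity = capacity
        self.high_watermark = high_watermark
        self.table: Dict[FlowKey, FlowEntry] = {}
        self.clock = 0
        self.delivered: List[Packet] = []
        self.dropped: List[Packet] = []

    def receive(self, pkt: Packet) -> str:
        self.clock += 1
        key = pkt.flow()
        entry = self.table.get(key)
        if entry is None:
            # No earlier portion of this flow was seen: the IPS analyzes it and the
            # switch caches the verdict in the flow's status field.
            if len(self.table) >= self.high_watermark:
                self._signal_congestion()
            entry = FlowEntry(status=self.ips.inspect(pkt), last_seen=self.clock)
            self.table[key] = entry
        else:
            # Flow already known: act on the cached status without contacting the IPS.
            entry.last_seen = self.clock
        (self.dropped if entry.status == BLOCK else self.delivered).append(pkt)
        return entry.status

    def _signal_congestion(self) -> None:
        # Propose the least recently seen flows, just enough to get below the watermark.
        excess = len(self.table) - self.high_watermark + 1
        by_age = sorted(self.table, key=lambda k: self.table[k].last_seen)
        for key in self.ips.on_congestion(by_age[:excess]):
            self.table.pop(key, None)
        if len(self.table) >= self.capacity:
            # Assumed fallback: the IPS declined too many candidates, so the switch
            # evicts its oldest remaining entry rather than overflow the table.
            del self.table[min(self.table, key=lambda k: self.table[k].last_seen)]


def demo() -> dict:
    """Constructed traffic: a benign flow, a flow matching a signature, and a third flow."""
    ips = IPS(signatures=[b"/etc/passwd"])
    sw = Switch(ips, capacity=3, high_watermark=2)
    benign = Packet("10.0.0.1", "10.0.0.9", 40000, 80, "tcp", b"GET /index.html")
    evil = Packet("10.0.0.2", "10.0.0.9", 40001, 80, "tcp", b"GET /../../etc/passwd")
    third = Packet("10.0.0.3", "10.0.0.9", 40002, 443, "tcp", b"\x16\x03\x01")
    # benign again after eviction: the switch has forgotten it and re-inspects.
    verdicts = [sw.receive(p) for p in (benign, evil, benign, evil, third, benign)]
    return {
        "verdicts": verdicts,
        "ips_inspections": ips.inspected,
        "congestion_messages": ips.congestion_messages,
        "delivered": len(sw.delivered),
        "dropped": len(sw.dropped),
    }


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when running it: the second packet of each known flow never reaches the IPS (only four of six packets are inspected), and once the table is evicted a returning flow is treated as new and re-analyzed, so the congestion path trades IPS load for table space. The cached verdict is per flow, not per packet, so a flow judged benign on its first portion carries later packets uninspected by design; anything that must be caught mid-flow needs a policy that keeps the flow out of the table.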
Specification