(12) United States Patent
Willebeek-LeMair et al.

(10) Patent No.: US 7,359,962 B2
(45) Date of Patent: Apr. 15, 2008

(54) NETWORK SECURITY SYSTEM INTEGRATION

(75) Inventors: Marc Willebeek-LeMair, Austin, TX (US); Craig Cantrell, Austin, TX (US); Dennis [surname illegible in scan], Austin, TX (US); John McHale, Austin, TX (US); Brian Smith, Fort Worth, TX (US)

(73) Assignee: 3Com Corporation, Marlborough, MA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 714 days.

(21) Appl. No.: 10/136,889
(22) Filed: Apr. 30, 2002

(65) Prior Publication Data
US 2003/0204632 A1, Oct. 30, 2003

(51) Int. Cl.
G06F 5/73 (2006.01)
(52) U.S. Cl.: 709/223; 709/224; 709/229; 726/23; 726/24; 726/25
(58) Field of Classification Search: 709/203, 223-224, 226-229, 249, 227, 228; 713/201-202; 726/22, 23, 24, 25
See application file for complete search history.
Primary Examiner: LaShonda Jacobs
(74) Attorney, Agent, or Firm: Gardere Wynne Sewell LLP

(57) ABSTRACT

A network discovery functionality, intrusion detector functionality and firewalling functionality are integrated together to form a network security system presenting a self-deploying and self-hardening security defense for a network.

40 Claims, 4 Drawing Sheets

[Representative front-page figure: block diagram element labelled "Signature Creation".]

Ex.1005
CISCO SYSTEMS, INC. / Page 1 of 18

U.S. Patent, Apr. 15, 2008, Sheet 1 of 4
[FIG. 1: block diagram of the unified network defense system; visible block labels are Signature Creation, Enterprise Resources and Network Defense, with reference numerals 20 and 40. FIG. 5: flow diagram with the steps Monitor Traffic, Recognize New Machine, Trigger Network Scan and Instantiate Detection, reference numerals 400 through 406.]

Sheet 2 of 4
[FIG. 2: block diagram of the integrated architecture of system 10; blocks are Network Discovery Functionality (NDF), Intrusion Detector Functionality (IDF), Firewalling Functionality, Security Management Agent (126), Threat Aggregation, Network Admin (142) and Protected Network, with reference numeral 122.]

Sheet 3 of 4
[FIG. 3: flow diagram with the steps Scan Network, Discover Vulnerability, Notify Agent, Retrieve Detection Signature, Instantiate on IDF and/or Firewalling and Respond, reference numerals 200 through 212.]

Sheet 4 of 4
[FIG. 6: block diagram of the threat prevention appliance; visible labels are Untrusted, HTTP Server (522), 520, protected network 14 and system 10.]

NETWORK SECURITY SYSTEM INTEGRATION

BACKGROUND OF THE INVENTION

1. Technical Field of the Invention
The present invention relates to network security and, in particular, to an integration of a firewalling functionality, intrusion detector functionality and network discovery functionality to provide for a unified network defense structure.
2. Description of Related Art
Over the past few years, Internet usage has grown rapidly as an increasing number of computer users connect to the information super-highway. With Internet usage becoming more prevalent, enterprises are increasingly using the Internet to conduct their business. Enterprises are also exploiting the world-wide networking advantages of the Internet by connecting their internal networks to the Internet, thereby expanding their operations, facilitating communications within the enterprise, enabling e-commerce and transaction processing, and communicating with customers, suppliers and business partners. Connection to the Internet may be made at any one of a variety of access points, including major corporate offices, branch offices, remote user locations, Internet data centers and e-business Web sites.
While Internet usage is increasing, the access speed at which individuals and enterprises connect to the Internet is also increasing. Consumers and smaller enterprises are shifting from dial-up modem connections to broadband connections, using cable or digital subscriber line, or DSL, modems. These broadband connections enable users to access the Internet at speeds up to 20 times faster than a dial-up modem. Similarly, larger enterprises are moving from T1 connections and T3 connections to higher speed OC-3 connections and gigabit Ethernet connections. Web site connection speeds are also increasing as many Web sites, which were originally operated from an enterprise's own facilities, have been outsourced to Internet data centers, which deliver higher bandwidth connections.
As enterprises increasingly use the Internet to conduct business, the amount of confidential and sensitive information that is delivered over, and is accessible through, the Internet is also increasing. Unlike the private, dedicated communications networks that enterprises have used for business for the last several decades, which were relatively secure from outside intruders, the Internet and networks connected to an enterprise are susceptible to security threats and malicious eavesdropping due to their openness and ease of access. Recently, there has been an increase in the frequency of attempted breaches of network security, or hacker attacks, intended to access this confidential information or to otherwise interfere with network communications.
Network attacks are becoming not only more prevalent but also more sophisticated and severe, resulting in part from the availability of tools and information on how to conduct these attacks, an increase in hacker sophistication, an increase in the number of network access points that are vulnerable to attack and an increase in the overall amount of confidential information accessible through or delivered over the Internet. These attacks include distributed denial of service attacks, in which an attacker floods a Web site with large numbers of packets or connection requests that overwhelm the Web site and prevent legitimate users from accessing it. Other types of attacks are designed not just to prevent access to a Web site, but also to penetrate its security and allow a hacker to take control of a server and deface the Web site or steal sensitive information. Still other attacks include malicious eavesdropping, which allows a hacker to misappropriate confidential communication transmitted over the Internet. If confidential communications get into the wrong hands, damage to the business of the enterprise or, at the very least, damage to its reputation may arise. There is also a significant cost and negative publicity resulting from denial of service attacks. In an attempt to combat all of these types of attacks, enterprises have been increasing their security budgets to address heightened network vulnerability concerns.
To prevent network security breaches, enterprises have deployed firewalls at the access points where their networks connect to the Internet or other networks. Firewalls are hardware or software devices that filter the content that flows into and out of an enterprise's network. The firewall is designed to block unauthorized access to the network, allowing only connections that are approved by the network administrator. However, because of the increased sophistication of hackers, and the existence of automated attack tools, firewalls alone have proven to be inadequate measures to fully protect many networks. Consequently, many enterprises have been compelled to add additional network security systems, including intrusion detection systems (IDSs) and vulnerability assessment scanners (VASs). Both the IDS and VAS assess the vulnerability of a network to attack. Intrusion detection systems are designed to expose intruders, break off the intrusion, examine the intruder's point of entry and prevent future intruders from using the same entry point. Vulnerability assessment scanners, on the other hand, are designed to discover vulnerabilities of a network system, allowing network managers to find and patch network security holes before they are discovered by hackers.
The first generation of firewalls, intrusion detection systems and vulnerability assessment scanners generally were designed to secure low bandwidth connections to the Internet. As network connection speeds have increased, these early types of security products have created significant performance bottlenecks in networks, slowing down connection speeds.
As the security needs of enterprises continued to evolve, the single-function low speed firewall, IDS and VAS products are no longer capable of cost-effectively meeting the performance and manageability needs of organizations. To deploy a complete firewall, intrusion detection system and vulnerability assessment scanner solution, an enterprise often must purchase a series of separate, expensive devices and license expensive security software, often from multiple vendors, which do not communicate with each other and cannot be interfaced with one management console system. This can result in a network security architecture that is more expensive and complex to install and manage and, as a result of this increased complexity, potentially less secure than a network that is based on a single vendor's products or an integrated solution. More specifically, enterprises have found it difficult, if not impossible, to integrate the firewall, IDS and VAS solutions together. Most security appliances require an enterprise to reconfigure network addressing to insert the appliances into its network and also require the enterprise to compromise network design in ways that reduce redundancy and, therefore, network reliability. Many times these issues have led to a significant decrease in the enterprise's network connection speed as more devices are added to the network.
An enterprise requires a broad array of high-performance, cost-effective products to secure their networks. To reduce cost and network complexity, the enterprise must increasingly look for high-performance network security solutions
that can integrate firewall, IDS and vulnerability assessment capabilities into one system or appliance. It is also clear that entities desire a comprehensive network security solution from a single vendor that can scale from low-bandwidth connections to high bandwidth connections while delivering very high-speed network performance and availability. In response to this preference, existing security vendors have started to include additional capabilities in their single function products. However, these products were not originally designed to deliver multiple functions and, as a result, the addition of these functions tends to decrease both product and network performance and increase product complexity as well as significantly increase cost.
The present invention addresses the foregoing and other concerns with a single vendor solution that integrates the functionalities performed by a firewall, IDS and VAS for network security into one system or appliance supported on a single platform.

SUMMARY OF THE INVENTION

Generally speaking, the present invention integrates a network discovery functionality, an intrusion detector functionality and a firewalling functionality together such that a self-deploying and self-hardening security defense is provided for a network. Self-deployed security defense is achieved by having the included defense functionalities work together to automate threat detection and threat response operations. Self-hardening security defense is achieved by having the included functionalities implement threat detection and threat response operations in an optimized manner that mitigates instances of false detection.
In accordance with one aspect of the present invention, network protection is provided by having an intrusion detector functionality analyze network traffic to identify entering content that is potentially harmful to the network. An alert is then generated in response to the detection of such traffic. A firewalling functionality then responds to the alert by blocking entrance of the detected traffic that is potentially harmful.
In accordance with another aspect of the present invention, network protection is provided by having an inspection agent extract features (for example, packet features) from entering traffic. These features are evaluated by the inspection agent using threat detection signatures to detect the existence of potentially harmful content in the traffic. If harmful content is detected, an entrance sentry responds to the agent detection by denying the traffic admission to the network.
In an embodiment of the invention, a network discovery functionality scans the network being protected to identify computer system and network device vulnerabilities. These vulnerabilities are used to tune the detection signature to detect those vulnerabilities in the context of the network being protected. The tuned threat detection signature is then utilized by the inspection agent to evaluate traffic features. This evaluation may be performed either at the packet level or session level.
In accordance with yet another aspect of the present invention, network protection is provided by scanning a network to identify computer system and network device vulnerabilities. A detection signature is then tailored to address the identified vulnerability in the context of a configuration of the network being protected. The signature is then instantiated on an intrusion detector functionality and/or a firewalling functionality. With respect to the intrusion detector functionality, network traffic is analyzed in view of the instantiated detection signature to identify entering content that is potentially harmful to the network. With respect to the firewalling functionality, network traffic is analyzed in view of the instantiated detection signature to block entering traffic that is potentially harmful to the network.
In accordance with yet another aspect of the present invention, network protection is provided by having an intrusion detector functionality recognize, from monitored traffic to and from the network being protected, that a new network machine is present. Responsive thereto, network discovery scanning of the network is triggered to determine whether the addition of the new network machine raises a vulnerability concern. If so, a detection signature for that vulnerability concern is instantiated on the intrusion detector to protect the new network machine against the vulnerability concern.
In accordance with still another aspect of the present invention, a trusted network is scanned to obtain vulnerability information concerning the network elements therein. As a result of this scan, first and second vulnerability information is generated concerning the network elements connected to a first and second physical interface, respectively. Responsive to the vulnerability information, first and second detection signatures are instantiated to monitor traffic over the first and second physical interfaces, respectively, for any threats to the trusted network.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of the method and apparatus of the present invention may be acquired by reference to the following Detailed Description when taken in conjunction with the accompanying Drawings wherein:
FIG. 1 is a block diagram for a unified network defense system in accordance with the present invention;
FIG. 2 is a block diagram for an exemplary integrated architecture of a unified network defense system in accordance with the present invention;
FIG. 3 is a flow diagram illustrating an exemplary operation of the system of FIGS. 1 and 2;
FIG. 4 is a flow diagram illustrating an exemplary operation of the system of FIGS. 1 and 2;
FIG. 5 is a flow diagram illustrating an exemplary operation of the system of FIGS. 1 and 2; and
FIG. 6 is a block diagram of a threat prevention appliance that utilizes the unified network defense system of FIGS. 1 and 2.

DETAILED DESCRIPTION OF THE DRAWINGS

Network security systems, generally speaking, are a compendium of three devices: a vulnerability assessment scanner (VAS); an intrusion detection system (IDS); and a firewall. In the prior art, these devices are disparate, often supplied by different vendors, and are rarely designed or installed in a way that facilitates collaborative defense efforts. This legacy defense system architecture leaves much to be desired in terms of dynamic response, dynamic configuration, integration, cooperation and collaboration. The present invention addresses the foregoing and other concerns.
Reference is now made to FIG. 1 wherein there is shown a block diagram of a unified network defense system 10 in accordance with the present invention. The system 10 is configured to integrate a network discovery functionality, an intrusion detection functionality and a firewalling functionality together to act as a single, highly intelligent, highly adaptive, network-based information security system. The system 10 is advantageously self-deploying (i.e., the various components of the system work together to automate the threat detection and response operation) and self-hardening (i.e., the operation of the threat detection and response functionality is optimized to mitigate instances of false detection).
The system 10 includes an enterprise resource database 12 containing enterprise (i.e., a protected network 14) specific data 16 identifying machines (hosts) in the network, services provided by the hosts, and potential computer system and network device vulnerabilities associated with those machines and services in the context of the network configuration. This data 16 may be collected in any one of a number of well known ways, including, for example, the use of a separate, prior art, vulnerability assessment scanner 18 device (configured internally or externally) that operates to assess the protected network 14 in a conventional manner.
The system 10 further includes a signature database 20 that stores detection signatures 22 (comprising, for example, security rules, policies and algorithms) that are designed to mitigate or avert network damage from detected vulnerabilities. These signatures 22 may be obtained from any one of a number of well known sources, including, for example, machine (host) manufacturers, service suppliers, the Internet, and the like. Additionally, the signatures 22 may be created by an administrator 24 of the protected network 14. Still further, the signatures 22 may be supplied by an entity 26 in the business of signature creation, where that entity operates to collect threat information (for example, worm, virus, trojan, DoS, access, failure, reconnaissance, other suspicious traffic, and the like) from around the world, analyze that information and design detection signatures 22 that can be used by others to mitigate or avert network damage from the collected threats.
The system 10 still further includes an inspection agent 28 that operates to inspect traffic 30 that is entering the protected network 14. The traffic 30 generally comprises packet 32 traffic, with each packet including a header portion 34 and a payload portion 36. The inspection operation performed by the inspection agent 28 involves first extracting 38 from the traffic 30 certain packet features of interest for inspection. More specifically, the extraction of packet features may comprise features 38(1) from the header portion 34 (such as, for example, destination and source IP address, destination and source ports, and the like) and/or features 38(2) from the payload portion 36 (such as, for example, character strings, regular expressions, and the like).
The inspection operation performed by the inspection agent 28 next involves comparing 40 the extracted packet features against the detection signatures 22 obtained from the signature database 20. These detection signatures 22, generally speaking, include an object defining criteria (for example, TCP, HTTP and URI related criteria) that must be met by one or more of the extracted packet features in order to detect a potential threat to the network 14 posed by the inspected traffic 30.
In the event that the comparison 40 operation performed by the inspection agent 28 is satisfied (i.e., there is a criteria match), any one (or more than one) of a number of possible actions (specified by an object within the detection signature 22 itself) may be taken by the system 10. For example, the inspection agent 28 may issue an alarm report 50 to the administrator 24. The identification of the threatened machine (host) or service is provided using information contained in the report 50. The inspection agent 28 may also move immediately to block the threatening traffic 30 (as will be described in more detail herein) or terminate a session associated with the threatening traffic 30 (perhaps using a TCP reset).
The detection signatures 22 may be applied by the inspection agent 28 as they are obtained from the database 20 (i.e., without alteration or change). Alternatively, the detection signatures 22 retrieved from the database 20 may be tailored by the inspection agent 28 and optimized to the needs and configuration of the particular network 14 being protected. To that end, the agent 28 considers the enterprise (i.e., network 14) specific data 16 stored in the enterprise resources database 12, and modifies the detection signature 22 to ensure that the detection criteria and response actions are tailored to the network 14. More specifically, the enterprise specific data 16 is considered by the agent 28 when instantiating a detection signature 22 so that the signature (either through its criteria or its response instructions) is instantiated in a way that minimizes the likelihood that false positive alarms will be generated.
As discussed above, the inspection agent 28 may act, following the detection of threatening traffic, to immediately block the threatening traffic 30 from entering the network 14. To accomplish this goal, the system 10 further includes a gatekeeping functionality performed by an entrance sentry 42. The entrance sentry 42 is an in-line component of the system 10. By "in-line" it is meant that all traffic 30 must pass through the entrance sentry 42 before entering the protected network 14. Responsive to the detection of threatening traffic 30, the inspection agent 28 issues a blocking command 54 to the entrance sentry 42. This command 54 includes sufficient information to allow the entrance sentry 42 to identify the threatening traffic 30 and deny it entry to the protected network 14. The sentry 42 then compares 44 the command 54 information against the traffic 30 (more specifically, against each packet 32). In the event there is a match, the matching traffic 30/packet 32 is denied entry to the network 14 and is discarded. Otherwise, entrance to the network 14 is permitted.
To assist the sentry 42 in being able to stop entry of the specific piece of traffic determined by the inspection agent 28 to be threatening, the system 10 further includes a buffer 46 to temporarily store the packets 32 and slow their passage through the system 10 for a length of time sufficient to allow the extraction 38, comparison 40 and issuance of the command 54 to occur before the packets reach the sentry. It will, of course, be recognized that other techniques known to those skilled in the art for delaying the passage of the packets through the system 10 may be employed as needed. Additionally, in some applications of the system 10, no buffer may be required. Still further, it will be recognized that the buffer 46 may be included within the entrance sentry 42.
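The packet-level path described above (extraction 38, comparison 40 against signatures 22 tailored with enterprise data 16, alarm report 50, blocking command 54, buffer 46 and the sentry's comparison 44), as an added illustrative model written for this page; it is not code from the patent or its assignee. The class and function names, the enterprise data, the signatures and the packets are all constructed assumptions.

```python
"""Packet-level model of inspection agent 28, buffer 46 and entrance sentry 42."""
import re
from collections import deque
from dataclasses import dataclass

@dataclass
class Packet:  # packet 32: selected header-portion 34 fields plus payload portion 36
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes

@dataclass
class Signature:  # detection signature 22: criteria object plus response action
    sig_id: str
    service: str  # service the signature defends; consulted when tailoring
    dst_ports: frozenset  # header criteria
    payload_regex: bytes  # payload criteria (character string or regular expression)
    action: str = "alert"  # "alert": report 50 only; "block": report 50 plus command 54

def extract_features(pkt):
    """Extraction 38: header features 38(1) and payload features 38(2)."""
    return {"src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip,
            "dst_port": pkt.dst_port, "payload": pkt.payload}

def tailor_signatures(signatures, enterprise_data):
    """Tailor signatures 22 using enterprise data 16 (host -> services the VAS 18 found).
    A signature for a service no protected host runs is not instantiated, so its
    criteria cannot raise a false-positive alarm on this particular network 14."""
    present = set().union(*enterprise_data.values())
    return [s for s in signatures if s.service in present]

def inspect(pkt, signatures):
    """Comparison 40. Returns (alarm report 50, blocking command 54); either may be None."""
    f = extract_features(pkt)
    for sig in signatures:
        if f["dst_port"] in sig.dst_ports and re.search(sig.payload_regex, f["payload"]):
            report = {"signature": sig.sig_id, "threatened_host": f["dst_ip"],
                      "source": f["src_ip"]}
            command = None
            if sig.action == "block":  # what the sentry needs to identify the traffic
                command = (f["src_ip"], f["dst_ip"], f["dst_port"])
            return report, command
    return None, None

class EntranceSentry:
    """Sentry 42: in-line gate; comparison 44 of each packet against received commands."""
    def __init__(self):
        self.commands = set()

    def admit(self, pkt):
        """False means the packet matched a command 54 and is discarded."""
        return (pkt.src_ip, pkt.dst_ip, pkt.dst_port) not in self.commands

def run_pipeline(packets, signatures, enterprise_data, buffer_depth=2):
    """Agent 28 -> buffer 46 -> sentry 42 over a packet stream. Returns (reports, admitted).
    The buffer delays each packet by buffer_depth positions so that extraction,
    comparison and issuance of command 54 complete before the packet reaches the sentry."""
    active = tailor_signatures(signatures, enterprise_data)
    sentry, buffer, reports, admitted = EntranceSentry(), deque(), [], []

    def release(p):  # packet leaves the buffer and meets the sentry
        if sentry.admit(p):
            admitted.append(p)

    for pkt in packets:
        report, command = inspect(pkt, active)
        if report:
            reports.append(report)
        if command:
            sentry.commands.add(command)
        buffer.append(pkt)
        if len(buffer) > buffer_depth:
            release(buffer.popleft())
    while buffer:  # drain the buffer at end of stream
        release(buffer.popleft())
    return reports, admitted

# Constructed sample data (not from the patent). No protected host runs SMTP.
ENTERPRISE_DATA = {"10.0.0.5": {"http"}, "10.0.0.9": {"ssh"}}
SIGNATURES = [
    Signature("HTTP-TRAVERSAL", "http", frozenset({80}), rb"/\.\./", "block"),
    Signature("SSH-BANNER-PROBE", "ssh", frozenset({22}), rb"^SSH-", "alert"),
    Signature("SMTP-VRFY", "smtp", frozenset({25}), rb"^VRFY ", "block"),
]
PACKETS = [
    Packet("198.51.100.8", "10.0.0.9", 22, b"SSH-2.0-probe\r\n"),
    Packet("203.0.113.4", "10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("198.51.100.7", "10.0.0.5", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("198.51.100.9", "10.0.0.5", 25, b"VRFY root\r\n"),  # SMTP signature tailored out
]

def demo():
    """Returns ([reported signature ids], [(src_ip, dst_port) of admitted packets])."""
    reports, admitted = run_pipeline(PACKETS, SIGNATURES, ENTERPRISE_DATA)
    return [r["signature"] for r in reports], [(p.src_ip, p.dst_port) for p in admitted]
```

The command here identifies traffic by (source, destination, port), so any later packet of the same flow is also dropped; a finer key would need the sentry to keep more state.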
The entrance sentry 42 further functions in another protection mode. In this mode, detection (blocking) signatures 22' are downloaded either directly from the database 20 to the entrance sentry 42 (see, reference 56) or indirectly through the inspection agent 28 (see, reference 58). The sentry 42 operates to compare 44 the packets 32 passing in-line therethrough against the downloaded detection (blocking) signatures 22'. As discussed above, the detection (blocking) signatures 22', generally speaking, include an object defining criteria that must be matched by the packets 32 in order to detect a packet 32 in the traffic 30 that should be blocked. More specifically, and in a manner similar to that performed by the comparison operation 40 of the inspection agent 28, the sentry 42 examines features in the header portion of the packets 32 in comparison to the (blocking) signature defined detection criteria to make the threat detection determination and block passage of that packet.
In the event that the comparison 44 operation performed by the sentry 42 with respect to the detection (blocking) signature 22' is satisfied (i.e., there is a criteria match), any one (or more than one) of a number of possible actions (specified by an object within the detection (blocking) signature 22' itself) may be taken by the system 10. For example, the sentry 42 may issue an alarm report 50 to the administrator 24. The identification of the threatened machine (host) or service is typically available from the information contained in the report 50. The sentry 42 may also move immediately to terminate a session associated with the threatening traffic 30 (perhaps using a TCP reset).
Where the detection (blocking) signatures 22' are directly downloaded 56, they are applied by the sentry 42 as they are obtained from the database 20 (i.e., without alteration or change). Alternatively, when indirectly downloaded 58 from the database 20, the detection (blocking) signatures 22' may be tailored by the inspection agent 28 and optimized to the needs and configuration of the particular network 14 being protected. To that end, the agent 28 considers the enterprise (i.e., network 14) specific data 16 stored in the enterprise resources database 12, and modifies the detection (blocking) signature 22' to ensure that the detection criteria and response actions are tailored to the network 14. More specifically, the enterprise specific data 16 is considered by the agent 28 when instantiating a detection (blocking) signature 22' on the entrance sentry 42 so that the signature (either through its criteria or its response instructions) is instantiated in a way that minimizes the likelihood that false positive alarms will be generated.
The comparison operation 40 performed by the inspection agent 28 on the extracted 38 packets 32 may be implemented on either or both the packet level or the session level. On a packet level, the inspection agent 28 considers each packet 32 individually when applying the detection signatures 22. On a session level, the inspection agent 28 considers a plurality of related packets 32 together when applying the detection signatures 22. To assist in session level comparison 40, the system 10 further includes a state information memory 60 that stores historical packet related data. Examples of the types of historical packet related data that may be retained by the memory 60 include:
reassembly of fragmented packets;
reassembly of TCP session flows;
maintenance of negotiated ephemeral ports (for example, FTP establishes a dynamic port over which to exchange data);
connection establishment state (proper handshake between communicating hosts such as, for example, the well-defined exchange for TCP in establishing a connection); and
protocol and application level state information (ensuring that applications or protocols are transitioning to well defined states that do not violate the specifications of those applications or protocols or exploit known vulnerabilities in those applications or protocols).
For a session level comparison, the agent 28 not only considers the extracted 38 packet features (header and payload) for the current packet 32 under examination, but also historical packet related data retrieved from the memory 60. In the event of a match between the signature 22 criteria and the combined extracted packet features and historical packet related data, the agent 28 detects a potential threat to the network 14 posed by the traffic 30.
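Two of the memory 60 items above, connection establishment state and reassembly of TCP session flows, as an added illustrative model written for this page; it is not code from the patent or its assignee. The segment layout, the state names, the flow key, the signature and the sample traffic are constructed assumptions, and the ephemeral-port and fragment items are not modelled.

```python
"""Session-level model of state information memory 60 used by inspection agent 28."""
import re
from dataclasses import dataclass, field

SYN, ACK, FIN = 0x02, 0x10, 0x01  # TCP flag bits

@dataclass
class Segment:  # one TCP segment of traffic 30 (header fields plus payload)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""

@dataclass
class Connection:  # historical packet related data retained per flow
    state: str = "NEW"  # NEW -> SYN_SENT -> SYN_RECV -> ESTABLISHED -> CLOSED
    client: tuple = None  # (ip, port) of the side that sent the SYN
    stream: bytearray = field(default_factory=bytearray)  # reassembled client->server bytes
    fired: set = field(default_factory=set)  # signatures already reported on this flow

def flow_key(seg):
    """Both directions of a connection map to one memory 60 entry."""
    a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
    return (a, b) if a < b else (b, a)

def advance_state(conn, seg):
    """Connection establishment state: the well-defined TCP three-way handshake."""
    syn, ack = bool(seg.flags & SYN), bool(seg.flags & ACK)
    if conn.state == "NEW" and syn and not ack:
        conn.state, conn.client = "SYN_SENT", (seg.src, seg.sport)
    elif conn.state == "SYN_SENT" and syn and ack:
        conn.state = "SYN_RECV"
    elif conn.state == "SYN_RECV" and ack and not syn:
        conn.state = "ESTABLISHED"
    elif seg.flags & FIN:
        conn.state = "CLOSED"

def session_inspect(memory, seg, signatures):
    """Session-level comparison 40: current features plus memory 60. Returns event ids."""
    conn = memory.setdefault(flow_key(seg), Connection())
    advance_state(conn, seg)
    if not seg.payload:
        return []
    if conn.state != "ESTABLISHED":  # data on a flow that never completed its handshake
        return [f"STATE-VIOLATION:data-in-{conn.state}"]
    if (seg.src, seg.sport) != conn.client:
        return []  # only client->server bytes are reassembled in this model
    conn.stream += seg.payload  # reassembly of the TCP session flow
    events = []
    for sig_id, regex in signatures:
        if sig_id not in conn.fired and re.search(regex, conn.stream):
            conn.fired.add(sig_id)
            events.append(sig_id)
    return events

def run_session_level(segments, signatures):
    """Feed a segment stream through one memory 60; one event list per segment."""
    memory = {}
    return [session_inspect(memory, s, signatures) for s in segments]

def run_packet_level(segments, signatures):
    """The same criteria applied to each payload alone, for comparison."""
    return [[sid for sid, rx in signatures if re.search(rx, s.payload)] for s in segments]

# Constructed sample traffic (not from the patent): a handshake, a request whose
# traversal string straddles two segments, then a stray data segment with no handshake.
C, S = ("203.0.113.4", 40001), ("10.0.0.5", 80)
SEGMENTS = [
    Segment(*C, *S, SYN),
    Segment(*S, *C, SYN | ACK),
    Segment(*C, *S, ACK),
    Segment(*C, *S, ACK, b"GET /a/."),
    Segment(*C, *S, ACK, b"./../etc/passwd HTTP/1.0\r\n"),
    Segment("198.51.100.7", 40002, *S, ACK, b"GET / HTTP/1.0\r\n"),
]
SIGNATURES = [("HTTP-TRAVERSAL", rb"/\.\./\.\./")]
```

Packet-level comparison sees neither half of the split string as a match; the session-level path matches once the stream is reassembled and also flags the segment that carries data without a handshake.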
The system 10 may operate in a scenario (see, also, FIGS. 3 and 4) where the VAS 18 completes a scan of the network 14, updates the database 12 and further informs the inspection agent 28 of a discovered network vulnerability. Responsive thereto, the inspection agent 28 retrieves an appropri