Computer network security system
Friday, 03 November 2006
Once a private network is connected to an open network or otherwise provides open access to the network, security of the private network becomes a paramount concern. As computer systems and other network devices (e.g., printers, modems, and scanners) have become increasingly interconnected, it is increasingly important to protect sensitive information stored on one network device from unauthorized retrieval by other network devices. The Internet is a global network of connected computer networks. A large number of computers on the Internet provide information in various forms. Anyone with a computer connected to the Internet can potentially tap into this vast pool of information. As the Internet and its underlying technologies have become increasingly familiar, attention has become focused on Internet security and computer network security in general. With unprecedented access to information has also come an unprecedented opportunity to gain unauthorized access to data, change data, destroy data, make unauthorized use of computer resources, interfere with the intended use of computer resources, etc. Unauthorized exposure of such information, and/or unintended or unauthorized use of information may significantly damage organizations and individuals. Thus, appropriate security measures are required in order to protect information from such damaging actions, while still maintaining the availability of such information to authorized individuals and/or organizations. In a networked computer environment, various security services for communications between network nodes may be implemented. For example, security services such as authentication, encryption, and checksumming may be provided for communications across a computer network. Numerous tools have been developed to aid in network management involving capacity planning, fault management, network monitoring, and performance measurement. One example of such tools is the network analyzer. 
A network analyzer is a program that monitors and analyzes network traffic, detecting bottlenecks and problems. Using this information, a network manager can keep traffic flowing efficiently. A network analyzer may also be used to capture data being transmitted on a network. There are various ways in which to secure a communication network, all of which deal with mechanisms that prevent unauthorized access to packets of data; such access is often referred to as packet sniffing or packet spoofing. To safeguard against attack, intrusion, and other security threats, network systems in a typical Internet infrastructure may include intrusion detection systems, firewalls, virtual private networks, web servers, anti-virus servers, email servers, authentication (AAA) servers, proxy servers, and network vulnerability assessment devices, among other servers and devices. Because these systems themselves interact with sources outside the network, they also provide access points for an attack or intrusion upon a network. Network security products such as intrusion detection systems (ID systems) and firewalls can use a passive filtering technique to detect policy violations and patterns of misuse upon the networks to which the security products are coupled. The passive filtering technique usually comprises monitoring traffic upon the network for packets of data. Common security mechanisms include firewalls implemented in hardware and software (e.g., proxy servers, bastion hosts, filtering routers) and/or authentication systems implemented solely in software (e.g., passwords and encryption code). Authentication is a security service which verifies that a network user is who he claims to be. Methods of providing authentication include those in which the receiver may query the socket, those using some authentication service, and those using a cryptographic token which is explicitly passed across the connection.
Other methods of providing authentication include physical-device-assisted authentication and biometric authentication. Encryption is a type of security service by which communications over a network are encoded to help ensure privacy of sensitive data. The desired result is to scramble the information in such a way that a person cannot read the message without an "encryption key." The encryption key should only be known to the sender and receiver. Computer network security systems, such as those employing public key cryptography techniques to encrypt and decrypt data, typically use a certification authority, such as a network server, to generate certificates that are used by network nodes to verify, among other things, that communications sent by other users are valid. The secure socket layer (SSL) is a well-known security protocol developed for transmitting private documents securely over the Internet. The SSL protocol works by using a private key to encrypt data that is transferred over an SSL connection. Many web sites use the SSL protocol to obtain confidential user information, such as a credit card number. The simpler systems provide security, generally by use of a numeric or alphanumeric personal identification number or code (PIN), to an individual machine or other resource on the system. An alphanumeric PIN (AN PIN) is sometimes also referred to as a password. A firewall is a software program or hardware device which attempts to provide security to an entire network, or to a portion thereof, by filtering all communication which passes through an entry point to the entire network or the portion of the network. Firewalls are intermediate systems that are coupled between a protected network server and the Internet. A firewall is basically a router having filters that pass certain forms of messages and block others. The firewall protects the private intranet by filtering traffic to and from the Internet based on network policies.
Typically, the firewall provides a single check point where network traffic can be audited. Most firewalls can be classified as either a packet filtering firewall or a proxy based application gateway firewall. Firewalls are intended to shield data and resources from the potential ravages of computer network intruders. Firewalls have typically relied on some combination of two techniques affording network protection: packet filtering and proxy services. In a packet-switched network, each packet of a particular message may be sent across different routes of the network at the same time and then reassembled at the proper termination device. Packet filtering is the action a firewall takes to selectively control the flow of data to and from a network. Packet filters allow or block packets, usually while routing them from one network to another. Packet filtering firewalls are typically implemented in routers. The routers use tables to indicate communications protocols allowed into and out of a particular network. Packet filters do not maintain context or understand the applications they are dealing with. They make decisions purely by looking at Internet Protocol (IP) headers and interpreting the rules they are programmed to follow. A network-level firewall filters the traffic at the packet level based on the source and destination IP addresses and IP ports of the packets. Another type of firewall masks the internal addresses of the private network, making these addresses appear as firewall addresses. Other firewalls implement elaborate logon and user authentication schemes. A proxy based application gateway firewall runs programs (called proxies or proxy software) that secure information flowing through a gateway. All Internet traffic is funneled through a gateway, controlled by the proxy software. The proxy software transfers the incoming information to an internal network based on the access rights of individual users.
Network intrusion detection is a process that can identify and respond to misuse or policy violations on a network. Because of the increasing reliance on Internet, intranet, and extranet network computer access, intrusion into computer systems by unauthorized users is a growing problem. Intrusion detection technologies are therefore becoming extremely important for improving the overall security of computer systems. Intrusion detection is the process of identifying that an intrusion has been attempted, is occurring, or has occurred. By placing sensing-enabled devices at determined points on the network, network traffic can be monitored and compared against patterns or "signatures" that represent suspicious activity, misuse, or actual attacks. Host-based intrusion detection monitors activity on a single system, while network-based intrusion detection monitors all activity over a given network connection or segment. Host-based intrusion detection systems can be used to protect critical network servers or other individual systems containing sensitive information. Network-based intrusion detection systems can be used to monitor activity on a specific network segment. Whereas a host-based intrusion detection system resides on a workstation and shares a CPU (central processing unit) with other user applications, a network-based solution is typically a dedicated platform. In most intrusion detection systems, data may be automatically collected and reduced, but the analysis of that data usually remains manual. Profiling and pattern recognition techniques have also been used to analyze the data collected and presented to an intrusion detection system. The off-line analysis involves determining normal behavior for a user, application, or system. The normal behavior is then used to develop sets of rules. Network intrusion monitors are attached to a packet-filtering router or packet sniffer to detect suspicious behavior on a network as it occurs.
An intrusion detection system (IDS) can augment an end-to-end security solution as a dynamic security component by detecting, responding to, and reporting unauthorized activity from data derived directly from the network. These devices can send alerts to the security management system and, under appropriate circumstances, send commands directly to network equipment such as routers and firewalls, reconfiguring them to deny access to the attacker. The system can automatically and quickly respond in a user-defined manner to send an alert or take immediate action.
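The following is an added illustration, not code from the original page, of two of the mechanisms described above: the packet filtering firewall, which decides from header fields alone and never sees application context, and the network IDS, which matches traffic against signatures, raises an alert, and reconfigures the firewall to deny the offending source. The rule table, the single signature, and the packet addresses (taken from the documentation ranges) are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    payload: bytes = b""

@dataclass
class Rule:
    action: str       # "allow" or "deny"
    src: str = None   # None in a match field means "any"
    dport: int = None
    def matches(self, pkt):
        return all(w is None or w == h for w, h in ((self.src, pkt.src), (self.dport, pkt.dport)))

class PacketFilter:  # stateless first-match filter: decides from header fields only, never the payload
    def __init__(self, rules, default="deny"):
        self.rules, self.default = list(rules), default
    def decide(self, pkt):
        return next((r.action for r in self.rules if r.matches(pkt)), self.default)
    def block_source(self, src):
        self.rules.insert(0, Rule("deny", src=src))  # first position so it wins first-match

class NetworkIDS:  # signature sensor: matches payload patterns, records an alert, reconfigures the firewall
    def __init__(self, signatures, firewall):
        self.signatures, self.firewall, self.alerts = signatures, firewall, []
    def inspect(self, pkt):
        for name, pattern in self.signatures.items():
            if pattern in pkt.payload:
                self.alerts.append((name, pkt.src))      # alert for the security management system
                self.firewall.block_source(pkt.src)      # user-defined response: deny that source
                return name
        return None

def demo():
    fw = PacketFilter([Rule("allow", dport=80)])
    ids = NetworkIDS({"directory traversal": b"../../"}, fw)  # constructed signature
    packets = [  # constructed sample traffic (documentation address ranges)
        Packet("198.51.100.7", 80, b"GET /index.html"),
        Packet("198.51.100.7", 23, b"login"),             # port not in rule table: default deny
        Packet("203.0.113.9", 80, b"GET /../../secret"),  # headers look fine, payload does not
        Packet("203.0.113.9", 80, b"GET /index.html"),    # same source, now denied by pushed rule
    ]
    results = []
    for p in packets:  # filter on headers first, then hand allowed packets to the sensor
        decision = fw.decide(p)
        results.append((decision, ids.inspect(p) if decision == "allow" else None))
    return results
```

The third packet passes the filter because its headers match the allow rule; only the sensor, which reads the payload, catches it, and the rule it pushes back is what denies the fourth packet.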

