WO2009019701A2 - A network element and an infrastructure for a network risk management system - Google Patents


Info

Publication number
WO2009019701A2
Authority
WO
WIPO (PCT)
Prior art keywords
network
network element
firewall
virtual
clearance
Application number
PCT/IL2008/001091
Other languages
French (fr)
Other versions
WO2009019701A3 (en)
Inventor
Asaf Shelly
Original Assignee
Feldman, Moshe
Priority claimed from US11/834,697 (published as US20090044270A1)
Application filed by Feldman, Moshe
Publication of WO2009019701A2
Publication of WO2009019701A3


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Definitions

  • the present invention relates generally to network risk management, and more particularly, the invention relates to a network element and an infrastructure for a network risk management system.
  • the common network Open System Interconnection (OSI) model has the following 7 layers:
  • a Switch operates at the Data Link layer (layer 2) of the OSI model and may also have layer 3 functions; a Router operates at the Network layer (layer 3) of the OSI model.
  • Prior art network defines network security elements such as:
  • Firewall: traffic control and basic network management, mainly separation of network segments (e.g. internal, external, Demilitarized Zone (DMZ), etc.);
  • IPS: Intrusion Prevention System;
  • Client Control Servers: used for login, to install network policies on client computers, and to verify that client computers are updated and secured;
  • Client security elements:
    o Personal Firewall: a Firewall located on the client computer to protect it from any unverified external communication;
    o Anti Virus: expected to secure the system by detecting known types of harmful software and removing them; and
    o Anti Spyware: expected to find applications that may damage the user experience or send information stolen from the computer to external network clients or elements.
  • Fig. 1 is a prior art based schematic block diagram of a prior art network.
  • Information from the Internet 110 passes into the organization via a Firewall 130. From Firewall 130 information enters the IPS 120 and through the DMZ switch 140, information enters the server 150. After passing one or more switches 160, the information enters the organization personal computers 170.
  • Firewall 130 has to be physically connected between Internet 110 and DMZ switch 140, and before the internal network's switches 160; the protection depends on this physical placement.
  • Fig. 2 is a prior art schematic block diagram of a partial solution.
  • the present invention relates to a system for providing a communication infrastructure in a network, which comprises at least one connected system and at least one network risk management network element.
  • the network acts as a virtual network that comprises at least one virtual network element, which takes over the roles of existing network elements.
  • the virtual network works with physical elements to form the network's infrastructure.
  • the communication infrastructure may be based on an active network element that monitors traffic, on at least one network element that can isolate each connected system from every other connected system, or on at least one network element that enforces security rules to prevent attacks between connected systems. At least one network element records traffic logs into the communication infrastructure.
  • the network may be protected by a Firewall that controls and manages the network element system in the protected network.
  • the Firewall and the network element system may comprise a single management system for rule enforcement and log handling.
  • the system may comprise at least an intrusion protection system and an intrusion detection system.
  • the network element may offload tasks at least from the Firewall and the IPS.
  • the Firewall may offload tasks to the network element system and the network element system may offload tasks to the Firewall; either direction or both may be used.
  • the network infrastructure provides Pattern Matching services to applications.
  • the network preferably uses ACL at its core.
  • the network infrastructure provides ACL services to applications.
  • the security network functions (firewall, anti-virus, etc.) may deploy security patterns to the ACL instead of, or in parallel to, doing the filtering themselves.
  • the infrastructure can send an event to a security network function according to a pattern.
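As an added illustration of this offload model (example code written for this page, not code from the patent or its inventor), the following Python shows an ACL at the core of the infrastructure offering pattern matching as a service: the firewall, anti-virus and IDS deploy their patterns as rules, the ACL matches each frame, enforces the rule's action and raises an event to the owning security function. The `PatternACL` and `Rule` names, the rule contents, addresses and payloads are all assumptions constructed for the example.

```python
"""Added example (not the patent's code): an ACL-centred pattern matching
service.  Security functions deploy rules into it instead of, or in parallel
to, filtering traffic themselves; on a match the ACL enforces the rule's
action and reports an event to the function that owns the rule."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Frame:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    owner: str                                        # security function that deployed it
    action: str                                       # "drop", "forward" or "event" (notify only)
    src_net: Optional[ipaddress.IPv4Network] = None   # None matches any source
    dport: Optional[int] = None                       # None matches any port
    pattern: Optional[re.Pattern[bytes]] = None       # None matches any payload


class PatternACL:
    """First matching terminal rule wins; "event" rules notify and fall through."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.subscribers: Dict[str, Callable[[Rule, Frame], None]] = {}
        self.events: List[Tuple[str, str, str]] = []   # (owner, action, frame.src)

    def deploy(self, rule: Rule) -> None:
        self.rules.append(rule)

    def subscribe(self, owner: str, callback: Callable[[Rule, Frame], None]) -> None:
        self.subscribers[owner] = callback

    @staticmethod
    def matches(rule: Rule, frame: Frame) -> bool:
        if rule.src_net is not None and ipaddress.ip_address(frame.src) not in rule.src_net:
            return False
        if rule.dport is not None and frame.dport != rule.dport:
            return False
        if rule.pattern is not None and rule.pattern.search(frame.payload) is None:
            return False
        return True

    def filter(self, frame: Frame) -> str:
        for rule in self.rules:
            if not self.matches(rule, frame):
                continue
            # Every match is reported to the owning security function.
            self.events.append((rule.owner, rule.action, frame.src))
            if rule.owner in self.subscribers:
                self.subscribers[rule.owner](rule, frame)
            if rule.action != "event":
                return rule.action
        return "forward"          # default for traffic no terminal rule claimed


def build_demo_acl() -> PatternACL:
    """Three security functions offload their patterns into one ACL (assumed rules)."""
    acl = PatternACL()
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    # Firewall: block telnet from any source (segment-separation rule).
    acl.deploy(Rule("firewall", "drop", src_net=anywhere, dport=23))
    # Anti-virus: drop payloads carrying the EICAR test-file prefix.
    acl.deploy(Rule("antivirus", "drop", pattern=re.compile(rb"X5O!P%@AP")))
    # IDS: only wants to be told about SQL-injection-looking payloads; it does
    # not filter, so a matching frame continues down the rule list.
    acl.deploy(Rule("ids", "event", pattern=re.compile(rb"(?i)union\s+select")))
    return acl


def classify(acl: PatternACL, frames: List[Frame]) -> List[str]:
    return [acl.filter(f) for f in frames]


# Constructed sample traffic (addresses and payloads are made up).
SAMPLE_FRAMES = [
    Frame("198.51.100.7", "10.0.0.20", 23, b"login: admin"),
    Frame("198.51.100.7", "10.0.0.20", 80, b"GET /?id=1 UNION SELECT 1,2 HTTP/1.1"),
    Frame("198.51.100.7", "10.0.0.20", 80, b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR"),
    Frame("10.0.0.5", "10.0.0.20", 80, b"GET / HTTP/1.1"),
]

if __name__ == "__main__":
    acl = build_demo_acl()
    for frame, verdict in zip(SAMPLE_FRAMES, classify(acl, SAMPLE_FRAMES)):
        print(f"{frame.src} -> {frame.dst}:{frame.dport} {verdict}")
    print(acl.events)
```

The IDS rule is the "in parallel" case from the text: it receives an event for every hit but leaves the forwarding decision to the ACL, whereas the firewall and anti-virus rules are the "instead of" case, where the ACL drops on their behalf.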
  • the network infrastructure and the operating system may be based on the same models.
  • the network element may be a core in a virtual multicore CPU.
  • At least one network element may take the role of the Firewall in order to protect the system.
  • the system may comprise the Firewall and the network element system having a single management and information system.
  • the network element system may offload tasks at least to the Firewall and the IPS.
  • the network element may also report to a management interface about suspicious behavior of the at least one connected system and may be also an anti-virus scanner.
  • At least one management interface may be in communication with a network administrator that allows a configurable network topology.
  • the Firewall may deploy feature updates and security updates to at least one network element in the internal network, wherein at least one management interface is a dedicated appliance comprising at least one of a computer, a PDA or a cellular phone.
  • the management interface may be a mobile device comprising a cellular or a PDA device, which is notified using one of a SMS and MMS message.
  • the management interface manages the network and network topology using the mobile device, and the SMS/MMS message contains information that will automatically direct the management interface to an appropriate management display.
  • At least one network element may be configured with at least one designated I/O pin to act as an input or an output or a filtered input or a DMZ.
  • the network element can apply Firewall capabilities to each of connected systems.
  • the Firewall capabilities may comprise at least: quarantine, honey pot, and data modification. All of network elements may be managed by the Firewall and the Firewall has the single management and information system.
  • the network element may make routing decisions based on information collected about the at least one connected system. Any network function and any network resource may have a clearance level defined.
  • the network element denies routing for some of the available networks after detection of suspicious behavior, such as port scanning.
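A worked example of this detection-then-denial step (added here; not the patent's code): a sliding-window port-scan detector run over constructed connection log lines, followed by the routing table the element would hand the flagged source. The log format, the threshold of 8 distinct targets within 30 seconds, and the network names are assumptions made for the example.

```python
"""Added example, not the patent's code: detect port scanning in connection
logs and then withhold routes for the scanning source.  Log format, window,
threshold and network names are assumptions."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed log lines: one SYN per line, as a network element might record them.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=10.0.0.5 dst=10.0.0.20 dport=21 flags=S
2024-05-01T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=22 flags=S
2024-05-01T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=23 flags=S
2024-05-01T10:00:03 src=10.0.0.5 dst=10.0.0.20 dport=25 flags=S
2024-05-01T10:00:04 src=10.0.0.5 dst=10.0.0.20 dport=80 flags=S
2024-05-01T10:00:05 src=10.0.0.5 dst=10.0.0.20 dport=110 flags=S
2024-05-01T10:00:06 src=10.0.0.5 dst=10.0.0.20 dport=135 flags=S
2024-05-01T10:00:07 src=10.0.0.5 dst=10.0.0.20 dport=139 flags=S
2024-05-01T10:00:08 src=10.0.0.5 dst=10.0.0.20 dport=443 flags=S
2024-05-01T10:00:09 src=10.0.0.5 dst=10.0.0.20 dport=445 flags=S
2024-05-01T10:01:00 src=10.0.0.7 dst=10.0.0.20 dport=443 flags=S
2024-05-01T10:01:05 src=10.0.0.7 dst=10.0.0.20 dport=80 flags=S
2024-05-01T10:02:00 src=10.0.0.7 dst=10.0.0.20 dport=443 flags=S
"""

LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)$"
)

Event = Tuple[datetime, str, str, int]   # (timestamp, src, dst, dport)


def parse_log(text: str) -> List[Event]:
    """Keep only connection attempts (SYN set); sort by time."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or "S" not in m["flags"]:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    events.sort()
    return events


def detect_port_scans(events: List[Event], threshold: int = 8,
                      window: timedelta = timedelta(seconds=30)) -> Dict[str, int]:
    """Sliding window per source: flag a source once the number of distinct
    (dst, dport) targets it touched within `window` reaches `threshold`.
    Returns src -> peak distinct-target count for every flagged source."""
    recent: Dict[str, Deque[Tuple[datetime, Tuple[str, int]]]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for ts, src, dst, dport in events:
        q = recent[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > window:      # expire events outside the window
            q.popleft()
        distinct = len({target for _, target in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


# Assumed networks the element can route to (names are illustrative).
ROUTES: Dict[str, str] = {
    "internal": "10.0.0.0/24",
    "dmz": "10.0.1.0/24",
    "internet": "0.0.0.0/0",
    "quarantine": "10.255.0.0/24",
}


def routes_after_detection(sources: List[str], flagged: Dict[str, int]) -> Dict[str, Set[str]]:
    """A flagged source keeps only the quarantine route; everyone else keeps all.
    (Assumption: quarantine is the one network still offered to a scanner.)"""
    return {src: ({"quarantine"} if src in flagged else set(ROUTES)) for src in sources}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = detect_port_scans(events)
    print("port scanners:", flagged)
    print(routes_after_detection(["10.0.0.5", "10.0.0.7"], flagged))
```

The window keeps the detector from firing on a busy but legitimate host that touches many ports over a long period; tune `threshold` and `window` to the traffic profile of the segment rather than using the example values as given.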
  • the system may further comprise internal network tunneling, so that the traffic of every connected system is encrypted on the first network element and decrypted on the last network element, thereby preventing sniffing of the network for this data and modification of network data.
  • the tunneling may be between each pair of connected systems in the network, so that a large set of connected systems shares the same network address space and is virtually connected directly, system to system.
  • the system may comprise clearance rings, wherein clearance follows a model of concentric zones; several clearance ring models may coexist.
  • the system may further comprise Security Rings using virtual networks on the network system and Interest frames which work with the clearance rings.
  • An Interest Frame may have a Head that has special management permissions.
  • Each I/O port of a network element may have a defined clearance level; an unverified or unknown source is at clearance level 0. If the target clearance is higher than the current clearance level, the network element system looks up the procedure for raising the current clearance level to the target level and applies it incrementally, one level at a time.
  • the current clearance level can be incremented, decremented, and voted.
  • At least one network element may be a work unit.
  • the system may provide cooperative network management between at least one network elements.
  • the network may be a virtual network over the physical network or at least one virtual LAN.
  • a management interface may instruct the network administrator how to react to a situation, the instruction comprising at least a checklist that the network administrator preferably is to follow based on predefined rules.
  • All of the network elements in the network may be cores of a single multicore processor, wherein each core adds its own I/O to the multicore processor and the I/O is in the format of the network.
  • the processor can have co-processors acting as at least one of the Firewall, the IPS and the IDS.
  • the system may comprise an Operating System that uses at least one network element as processor. At least one network element may be grouped in clusters and wherein the network further comprises at least one of RAM and cache for sharing data between cluster items.
  • a single multicore processor may be divided dynamically into smaller processors and all internal busses and external busses of single multicore processor are in one network.
  • a single multicore processor may further comprise hierarchies of multicore processors and may have cores attached and removed dynamically or a Plug and Play core.
  • At least two network elements may be connected via an intermediate network regarded as a virtual cable.
  • the processor and the Operating System may run applications, wherein at least one application works as a Firewall, an IPS or an anti-virus and at least one application is a virtual Firewall, a virtual IPS or a virtual anti-virus.
  • the network element applications and Operating System can be distributed between cores.
  • the system may further comprise a network mapping service.
  • a network element may ping at least one connected system to check that the at least one connected system is connected, using lower level communication to perform Keep Alive, thereby bypassing software Firewalls installed on the target machines.
  • the network element system may use the Physical Link indicator as part of the network mapping service and may make periodic attempts to connect to specific ports on the at least one connected system with a specific protocol, in order to verify that: the at least one connected system is in fact connected; the at least one connected system is correctly placed and connected to the designated I/O; and the specific application on the at least one connected system is up and running.
  • the system may comprise at least one system scanning model usually used by hackers for locating security faults, wherein at least one system scanning model is visible as part of the single management and information system and is used for security decision making, thereby: helping to verify that the at least one connected system is the correct one; helping with Plug and Play connection of network devices so that a new machine connected to the network is questioned in order to identify its nature and hosted applications and services; and becoming a part of the network mapping service.
  • the system may monitor network traffic: as part of the Keep Alive mechanism; as part of the Plug and Play system; for detecting network vulnerabilities and infected systems; and as part of the Network Mapping service.
  • the system may enforce a Network Policy that makes the at least one connected system install at least one of the following items: updates, patches and security helping tools; the system forces the at least one connected system to conform to the Network Mapping service before taking security actions.
  • the system may comprise a Clearance Ring management system, wherein installed items are used by Clearance Ring management system that automatically reduces clearance of a given system.
  • Clearance Levels of the Clearance Ring management system may be: zero: meaning at least one of unknown and unverified; positive: higher means more secure and in a more internal ring; and negative: lower means more dangerous/isolated and in a more external ring.
  • the mapping service maps users of the network.
  • the following services may be provided by the system:
    o a Network Mapping service: a management tool helping to define each connected system and every application on connected systems, by manual definition or automatic detection;
    o a Keep Alive service: a background service that monitors the presence of at least one connected system, which is used by the network management and information systems, the Network Mapping service, and the below-referenced Plug and Play service;
    o a Plug and Play service: implementation of Plug and Play methodologies on a Network Function, wherein the Plug and Play service has a management interface and is used as a notification system;
    o a Clearance Rings Mapper: provides means of defining Clearance Levels of a Network Function in manual or automatic mode;
    o a Policy and Procedures manager: defines the methods of operation, the rules, the procedures and the behavior of the system for given conditions, including the need to clear a data frame from one Clearance Level to another, and rules and procedures for handling unordinary situations;
    o a Profiling System: keeps a profile of at least: each of at least one connected system on the network; every available application on at
  • Security may be improved at least by compressing the data before encryption, thereby reducing repetitive data and thereby increasing the strength of the encryption. Note, however, that compressing before encrypting makes the ciphertext length depend on the plaintext content, which is a known side channel (the basis of the CRIME and BREACH attacks on compressed TLS and HTTP), so this step should not be applied to traffic that mixes attacker-influenced input with secrets.
  • the network risk management device network element and system for a communication infrastructure may be acting in place of at least one server.
  • the network's OSI 7-layer model is implemented by the network's communication infrastructure, so that at least two network elements implement the OSI model layers internally between them, independently of the communication between connected systems on the network.
  • the mapping service may further comprise actively investigating network users by interacting with the users.
  • Investigating network users comprises simulating attacks and exploits, such that the user's responses help determine the type of the user.
  • the investigating may comprise at least one of sending a fake email asking for the user's password and asking to install a malicious attachment, thereby helping to determine the user's vulnerability to attacks that require action by the user.
  • the system may further comprise:
    o an operational mode: for active risk management;
    o a simulation mode: where the network actively reacts to artificially injected events in order to verify security and behavior;
    o an investigation mode: for initial mapping of the network and defining expected behaviors and checklists; and
    o an interrogation mode: for detection of faults found in the operational mode and the simulation mode, comprising at least going over logs and running simulations based on recorded data,
    wherein reference is made to the above-referenced co-pending provisional application: Software for a real-time Infrastructure.
  • All network connected systems may be completely isolated from each other and connected only to external networks outside the network. Connected systems may be connected to each other through a security element or communicate with each other through a server. The network infrastructure can run a virtual computer system that can host other operating systems and their applications. All the above and other characteristics and advantages of the invention will be further understood through the following illustrative and non-limitative description of preferred embodiments thereof, with reference to the appended drawings, wherein like components are designated by the same reference numerals.
  • Fig. 1 is a prior art schematic block diagram of a physical network that the client sees;
  • Fig. 2 is a prior art schematic block diagram;
  • Fig. 3 is a schematic block diagram of an exemplary logical embodiment of a virtual network, or the topology that the client sees, even though it is not physically so;
  • Fig. 4 is a schematic block diagram of an exemplary physical network that supports these virtual topologies;
  • Fig. 5 is a schematic block diagram of an alternative exemplary logical embodiment of a virtual network;
  • Fig. 6 is a schematic block diagram of another alternative exemplary logical embodiment of a more complex virtual network;
  • Fig. 7a is a schematic block diagram of a hypothetical network architecture that is neither reasonable nor secure to use in a prior art network;
  • Fig. 7b is a schematic block diagram of a preferred embodiment of the system network architecture, which allows physical connection of any topology while still maintaining logical separation between network elements;
  • Fig. 8 is a schematic block diagram of an exemplary logical network topology of the system network architecture, which is allowed by the exemplary physical connections of Fig. 7b;
  • Fig. 9 is a schematic block diagram of an exemplary physical network topology of the system network architecture, constructed in accordance with the principles of the present invention, wherein all internal traffic of the virtual system is virtually tunneled;
  • Fig. 10 is a schematic block diagram illustrating application of the logical network configuration so that connected systems 'see' isolated tunnels connecting two systems using a virtual direct cable;
  • Fig. 11 is a schematic block diagram illustrating application of the physical network configuration allowing physical connection of connected systems with different trust levels;
  • Fig. 12a is a schematic illustration of the Clearance Levels for the system of the present invention using a model called the Clearance Ring model;
  • Fig. 12b is a schematic illustration of an organization hierarchy;
  • Fig. 12c is another schematic illustration of an organization hierarchy;
  • Fig. 13 is a schematic block diagram illustrating movement between Clearance Levels;
  • Fig. 14a is a schematic block diagram of an exemplary physical network that supports the virtual topologies of the present invention;
  • Fig. 14b is a schematic block diagram illustrating the virtual processing system seen during operation of the physical network of Fig. 14a;
  • Fig. 15 is a schematic block diagram of a prior art implementation of the system for an exemplary single computer machine having all CPU cores inside a single chip, such as a personal computer with a Pentium processor; and
  • Fig. 16 is a schematic block diagram illustrating the virtual processing system of Fig. 14b in terms of central processing units, co-processing units and peripherals.
  • a network element is an element of the present invention that replaces a network switch or a network router and has at least one input/output (I/O) port.
  • a connected system is any system that an network element can connect to or communicate with, such as a server, a computer, another network element, a Firewall, an IPS, an IDS or any network component or system.
  • an application is a software application or service installed on a network element.
  • a network function is an application or a connected system or a connected system having an application installed, providing services to network clients, whether an appliance or virtual, such as Firewall, Web server, mail server, anti-virus scanner, etc.
  • the present invention relates to a Network Risk Management (NRM) system.
  • NRM Network Risk Management
  • Said NRM system allows better network management, better security and a network topology that is less bound to the physical limitations.
  • the virtual network is comprised of physical elements that work together to form the network's infrastructure.
  • the network topology can be configured using an external management element.
  • a network risk management network element replaces a network switch or a network router and has at least one I/O port.
  • the system includes at least one targeted machine among the at least one connected system, which is any system that a network element can connect to or communicate with, such as a server, computer, network element, Firewall, IPS, IDS or any network element or network system.
  • the invention is disclosed for a communication infrastructure in a network including at least one connected system and at least one network risk management network element, wherein the network acts as a virtual network comprising at least one virtual network element, and wherein the at least one virtual network element takes over the roles of existing network elements comprising at least one of a switch, a router, a Firewall and an intrusion prevention system, and wherein the virtual network is comprised of physical elements that work together to form the network's infrastructure.
  • the present invention provides a network topology based on a virtual network element that takes over the roles of existing network elements such as switch, router, and possibly Firewall, intrusion prevention system, etc.
  • the virtual network is comprised of physical elements that work together to form the network's infrastructure.
  • the network topology can be configured using an external management element.
  • the invention describes a Network Risk Management solution.
  • Such a system steers the capabilities of Network Management toward Network Security. Network security improves when there is an improvement in the ability to manage the network, monitor the network, define situations and states, and enforce conditions and rules.
  • Fig. 3 is a schematic block diagram of an exemplary logical view of a virtual network, according to an embodiment of present invention.
  • Fig. 3 appears identical to prior art Fig. 1, because it is the topology that the clients see, even though it is not physically in this form.
  • Any network element or functional unit, including servers 150, Firewalls 130, IPS 120, and clients 170 can be configured using a proxy, and can also be virtual as a software element on the system of the present invention.
  • information from the Internet 110 passes into the organization via a Firewall 130.
  • From Firewall 130 information enters the IPS 120, and through the logical virtual DMZ switch 310 information enters the server 150. After passing one or more logical virtual switches 320, the information enters the organization personal computers 170.
  • Fig. 4 is a schematic block diagram of an exemplary physical network that supports various virtual topologies, such as that of Fig. 3.
  • Information from the Internet 110 appears to pass into all elements of the organization via a network element 410, and from there to other network elements 410, as well as to a Firewall 130, an IPS 120, a server 150 and organization computers 170.
  • Information from Internet 110 does not really get to all network elements because of the Clearance Ring Model, as described below with reference to Fig. 12a and Interest Frames Model, as described below with reference to Fig. 12b.
  • Information from Internet 110 is not going to secure elements directly.
  • Information from Internet 110 goes to Firewall 130, then to other elements etc.
  • FIG. 5 is a schematic block diagram of another embodiment according to the present invention of a logical virtual network.
  • Information from the Internet 110 passes into the organization via a Firewall 130. From Firewall 130 information enters the IPS 120 and through the DMZ switch 140, information enters the server 150. After passing a logical virtual switch 510, the information enters the organization personal computers 170.
  • Fig. 6 is a schematic block diagram of another alternative exemplary logical embodiment of a more complex virtual network, constructed in accordance with the principles of the present invention.
  • Information from the Internet 110 passes into the organization via a Firewall 130.
  • From Firewall 130 information enters the IPS 120, and through the DMZ switch 140 information enters the server 150. After passing one or more logical virtual switches 160, the information enters the computers 170.
  • Any network element or functional unit, including servers, Firewalls, IPS 120, and clients can be configured using a proxy, and can also be virtual as a software element on the system.
  • Firewall 130 is configured to function as logical virtual Firewalls 610, 620, 630, 640, 650, 660, 670, and 680.
  • a central Firewall manages the entire network by connecting to any one network element, which deploys the configuration to all other units;
  • any Firewall 130 between the Internet 110 and any internal network, server 150 or DMZ 140 is physically separated from the rest of the network, and subnetworks are physically detached.
  • Fig. 7a is a schematic block diagram of an example of a prior art network architecture that is neither reasonable nor secure to use. There is no clear separation between systems connected to the same network switch and any connected system can communicate with another connected system connected to the same switch.
  • Information from the Internet 110 passes into the organization via a switch 160. From the Firewall 130 information enters the IPS 120, and through the DMZ switch 140 information enters the server 150. Yet this is irrelevant here, because it is an undesirable configuration in which Internet 110 is connected directly to the protected network without any security. After passing physical switch 160, the information enters the organization personal computers 170.
  • Fig. 7b is a schematic block diagram of the system network architecture, according to still another embodiment of the present invention.
  • Said system network architecture allows physical connection of any topology while still maintaining logical separation between network elements.
  • Information from the Internet 110 passes into the organization via a Firewall 130. From Firewall 130 information enters the IPS 120 and through the DMZ switch 140, information enters the server 150. After passing a network element 710, the information enters the organization personal computers 170.
  • Fig. 8 is a schematic block diagram of a logical network topology of the system network architecture which is allowed by the exemplary physical connections of Fig. 7b.
  • Information from the Internet 110 passes into the organization via a Firewall 130. From Firewall 130 information enters the IPS 120 and through the DMZ switch 140, information enters the server 150. After passing a logical virtual system 810, the information enters the organization personal computers 170. Separation between elements does not have to be physical, thereby providing more flexibility in physical network design.
  • every system physically connected via a network element can be encrypted on entry and decrypted just before arrival at a destination, so that all internal traffic of the virtual system is encrypted, or virtually tunneled.
  • Fig. 10 is a schematic block diagram illustrating application of the logical network configuration so that connected systems see isolated tunnels connecting two systems using a virtual direct cable.
  • virtual tunneling connections are shown by thick arrows via a virtual direct cable. These are shown from the Internet 110 to the Firewall 130, from Firewall 130 to the IPS 120, from IPS 120 to the DMZ Server 720 and from DMZ Server 720 to a PC 170.
  • Said isolation increases security, control over the traffic and improves network management.
  • These direct connections can be predefined by the network administrator or created automatically whenever data is moved between the two systems or on connection initiation.
  • the system also can employ known network security practices, which are commonly used to secure the internal network from attackers that come from an external network, i.e., the Internet, for example, quarantine, honey-pot, data inspection and modification, etc.
  • an external network i.e., the Internet
  • the entire system can employ network security practices on internal clients and trusted connected systems. This can be achieved without the need for installation on the client or servers in the network.
  • the system can perform basic Network Management functionalities such as monitoring traffic and notifying the administrator on predefined or extreme conditions and statuses.
  • the system can also perform advanced Network Risk Management functionalities such as detection of suspicious connected system, suspicious communication, suspicious user, etc.
  • the system can also take means to secure the system accordingly. This may include reconfiguration or adjustment of routing rules and system topology.
  • the system of the present invention can listen to network traffic or interfere with the network traffic, for example for cancellation, modification or delay of communication.
  • the system can also actively produce traffic for several different reasons, such as client identification, detection of harmful software installed on a client, detection of disconnection, etc. This can also include practices such as penetration testing and port scanning, which can be performed by the system as part of the Network Risk Management methodology.
  • Fig. 11 is a schematic block diagram illustrating the physical connection of connected systems with different trust levels. Every network connection, i.e., input/output port 1110, has an identity that also defines its Clearance Level. This does not apply to connections between network elements, since these may operate in any protocol, from common ones such as Internet Protocol (IP) or Internet Control Message Protocol (ICMP) to proprietary protocols that are internal to the network. Generally speaking, the network elements 710 should act together to form a single entity. For example, the Internet 110 and a DMZ server 720 can be physically connected to different network element units but logically connected directly, and traffic between them is completely isolated from other connected systems anywhere on the network. Connected system which can by i.e.
  • Fig. 12a is a schematic illustration of exemplary Clearance Levels for the entire system using a model called the Clearance Ring model, according to some embodiments of the present invention.
  • The highest numbers define the most trusted connected systems, such as Virus Free (12) 1260, Spam Scanned (5) 1250 and After Firewall (1) 1240.
  • Zero defines an unverified or unknown system, such as the Internet (0) 1230.
  • The lowest numbers (negative in Fig. 12) define the most dangerous connected systems, such as Quarantined (-3) 1210 and Suspicious (-1) 1220.
  • The system of the present invention may degrade a connected client from any Clearance Level to a lower one for many reasons, such as a Firewall or IPS recommendation, a detected threat, an administrator's request, predefined rules, etc.
  • Any data on the network has a destination.
  • The system compares the target Clearance Level to the source Clearance Level, and if they match then the communication may continue. If the Clearance Level of the source is higher than the target's, for example a trusted computer connecting to the Internet, then the communication can continue on the regular route. On the other hand, if the Clearance Level of the source is lower than the target's, for example a source from the Internet trying to communicate with a trusted machine, then the Clearance Level of the data frame has to be upgraded to at least match the Clearance Level of the target.
  • An Interest Frame is a hierarchical model organizing Network Functions and Users according to their functional role and expected behavior, such as position in the organization, relation to projects, and services provided to and by them.
  • Figs. 12b and 12c show examples of such hierarchies.
  • An Interest Frame can be defined per Resource, Network Function, User, etc.
  • Fig. 12b is an example of an organization hierarchy 1280.
  • CEO 1281 works with the CTO 1282 and the V.P. Marketing 1283.
  • CTO 1282 and the V.P. Marketing 1283 are working together.
  • An Interest Frame is defined that includes CEO 1281, CTO 1282 and V.P. Marketing 1283. They can share data and resources securely without the risk of disseminating information to other members of the organization.
  • CTO 1282 works with the team leaders 1284 and 1285.
  • An Interest Frame is defined that includes CTO 1282 and the team leaders 1284 and 1285. They can share data and resources securely without interfering with other members of the organization.
  • Fig. 12c shows a modified hierarchy of an organization that allows it to work in a temporary situation.
  • All generated Interest Frames are temporary and are removed when they are no longer needed.
  • CEO 1281 works with Marketing Managers 1286 and 1287; an Interest Frame including these three organization members is generated.
  • Another Interest Frame including Marketing Manager 1 1286, Dev1 1288, Dev2 1289 and QA 1291 is also generated.
  • Yet another Interest Frame is created that includes Marketing Manager 2 1287, Team Leader 1 1284, Dev3 1290 and QA 1291.
  • Fig. 13 is a schematic block diagram illustrating movement between Clearance Levels.
  • The system defines a Procedure Set that helps determine how to move between Clearance Levels.
  • The system will check the appropriate procedure level, which may, for example, involve passing via the Firewall and two IPS systems, a delay of 25 minutes, and the Network Administrator's permission.
  • The computer 170 of CEO 1380 will send data to Web server 1330. Since the Clearance Level of the Web site is zero 1350, the data may go to Web server 1330. Server 1330 replies with a data frame that has the Clearance Level of zero 1350, so the source Clearance Level is (0) 1350 and the target Clearance Level is (8) 1370.
  • The system will go over the conversion procedure from (0) to (8) and find that the procedure defines that going from (0) to (8) requires going from (0) to (1), from (1) to (5) and from (5) to (8). Going from (1) to (5) is defined as going from (1) to (2) and from (2) to (5).
  • The system will then check the procedure for going from (0) to (1) and will find that it requires going through the Firewall 130. After the data is returned from Firewall 1330 it is upgraded to Clearance Level (1).
  • The procedure may vary according to the system implementation and the procedures and rules defined by the network administrator, particularly for Interest Frames management.
  • A Clearance Level Modifier upgrades or downgrades the Clearance Level of a data frame, machine, application, service on the connected system, etc., according to the mandate given by the entire system. It is also possible for a Clearance Level Modifier to block, quarantine or even deny a Clearance Level or levels granted by any other Clearance Level Modifier.
  • For example, the Anti Spam may upgrade the Clearance Level from (1) to (2) but deny the Anti Virus from upgrading the Clearance Level from (2) to (5), or re-enqueue the frame for later inspection within a given period.
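The clearance comparison rule, the Procedure Set walk from (0) to (8) and the Clearance Level Modifier veto described above, as an added example that is not part of the patent; the procedure table, the inspector stand-ins and the payload markers are constructed for illustration, and only the transitions listed in the table are resolvable.

```python
"""Clearance Ring resolution: added illustration of the comparison rule, the
Procedure Set and Clearance Level Modifiers. Not the patent's own code."""
from dataclasses import dataclass, field

# Procedure Set (constructed, following the (0)->(8) walk in the text):
# a composite step lists the hops it is made of ...
PROCEDURE_SET = {
    (0, 8): [(0, 1), (1, 5), (5, 8)],
    (1, 5): [(1, 2), (2, 5)],
}
# ... and a leaf step names the work unit the frame must pass through.
LEAF_STEPS = {
    (0, 1): "Firewall",
    (1, 2): "Anti Spam",
    (2, 5): "Anti Virus",
    (5, 8): "IPS",
}
QUARANTINED = -3  # the Quarantined ring of Fig. 12a


def expand(src, dst):
    """Recursively expand a (src, dst) transition into its ordered leaf steps."""
    if (src, dst) in LEAF_STEPS:
        return [(src, dst)]
    if (src, dst) not in PROCEDURE_SET:
        raise KeyError(f"no procedure from ({src}) to ({dst})")
    steps = []
    for hop in PROCEDURE_SET[(src, dst)]:
        steps.extend(expand(*hop))
    return steps


@dataclass
class Frame:
    payload: bytes
    level: int                                   # current Clearance Level
    denied: set = field(default_factory=set)     # steps vetoed by an earlier modifier
    trail: list = field(default_factory=list)    # inspection log for the administrator


# Clearance Level Modifiers (constructed stand-ins; the markers are constructed
# strings for this example, not real indicators).
def firewall(frame):
    return "deny" if b"BLOCKED-PORT" in frame.payload else "upgrade"


def anti_spam(frame):
    # The text's case: Anti Spam upgrades (1)->(2) but may deny Anti Virus the (2)->(5) step.
    if b"BULK-MAIL" in frame.payload:
        frame.denied.add((2, 5))
    return "upgrade"


def anti_virus(frame):
    return "quarantine" if b"MALWARE-SAMPLE" in frame.payload else "upgrade"


def ips(frame):
    return "upgrade"


MODIFIERS = {"Firewall": firewall, "Anti Spam": anti_spam,
             "Anti Virus": anti_virus, "IPS": ips}


def route(frame, target_level):
    """Apply the text's rule: an equal or higher source clearance continues on
    the regular route; a lower source is upgraded one leaf step at a time.
    Returns True when the frame reaches the target Clearance Level."""
    if frame.level >= target_level:
        frame.trail.append("regular route")
        return True
    for step in expand(frame.level, target_level):
        if step in frame.denied:
            frame.trail.append(f"{step}: denied by an earlier modifier")
            return False
        name = LEAF_STEPS[step]
        verdict = MODIFIERS[name](frame)
        frame.trail.append(f"{name} {step}: {verdict}")
        if verdict == "upgrade":
            frame.level = step[1]
        elif verdict == "quarantine":
            frame.level = QUARANTINED
            return False
        else:  # "deny": the frame stays at its current level
            return False
    return True
```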
  • Fig. 14a is a schematic block diagram of an example of a physical network that supports the virtual topologies, according to another embodiment of the present invention.
  • Information from the Internet 111 passes into all elements of the organization via a network element 160, and from there to other network elements 1460, as well as to the Firewall 1430, the IPS 120, the DMZ server 150 and the organization personal computers 170.
  • Fig. 14b is a schematic block diagram illustrating the virtual processing of the system of the present invention seen during operation of the physical network of Fig. 14a, according to an embodiment of the present invention.
  • The network elements 710 of the entire system 810 work cooperatively, and system 810 is divided into Work Units. Each Work Unit can process a task. The tasks in system 810 are produced by other tasks.
  • A Work Unit can be external, such as an external Firewall 130 and an IPS 120 connected to system 810, or internal, like a network element 710.
  • Network elements 710 have a Task Queue managed by a Network / Streaming Operating System / Software for a real-time infrastructure.
  • The network connection between network elements 710 is considered the internal CPU bus 1410, and the network connection from network elements 1465 to other connected systems is considered the external CPU bus / I/O port or ports.
  • Said system can have an operating system that runs on all the network elements, using them as Work Units. These Work Units behave as cores in a multicore CPU on one layer. On another layer, each Work Unit has I/O ports that are part of the large virtual CPU.
  • This virtual CPU runs an operating system on which it is possible to run applications.
  • The virtual CPU can be a multi-core CPU.
  • Fig. 15 is a schematic block diagram of a prior art implementation of the system of the present invention. As an example, a single computer has all CPU cores 1505 inside a single chip 1605, such as a computer 170 with a Pentium processor 1503. Chip 1503 is able to manage peripherals 1513, 1515, 1517, 1519, 1521 and 1523 using a bus 1525.
  • Fig. 16 is a schematic block diagram illustrating the virtual processing system of Fig. 14b in terms of central processing units, co-processing units and peripherals.
  • The Operating System regards external Work Units as co-processors 1630 and network elements as CPU Cores 1620.
  • An Operating System element called an OS Core takes part in the system; each OS Core exchanges data with the other OS Cores and with application programs, and each OS Core is more efficient at dealing with a particular kind of data.
  • The Access Control Layer (ACL) identifies the interaction between the elements, and every such resource may be accessed only under restrictions.
  • The ACL is responsible for all access permissions and security filtering. According to this embodiment, the interaction between an OS Core and the ACL provides secured transactions between network elements.
  • Network elements are connected to one another using a network connection and all other machines and connected systems are connected to the network elements using a network connection.
  • CPU external stratum: the network communication between the network elements and the other units connected to them provides an external I/O bus for the virtual entire system processor.
  • Every network component is a port extender that has several (network) I/Os, so on this level, regardless of the ability of a network component to process information or handle tasks, a network element can also extend the external CPU bus and I/O ports. It is possible that some network elements will only do processing or only be port extenders.
  • The external Firewall, IPS, IDS and other security elements perform as co-processors to the virtual entire system CPU.
  • Virtual Processor Flow Manager: handles task scheduling and dispatching between Work Units (network elements, external processors, etc.), task generation and enqueuing, the hardware exception handler, cache management, Work Unit enumeration and profiling, and other kernel Operating System services such as synchronization. It shares the responsibility of breaking tasks down into smaller tasks, and of exception handling, with the Operating System.
  • Operating System Kernel: responsible for management of the Virtual Processor and for enumeration and profiling of systems connected externally to the Virtual Processor. It shares the responsibility of breaking tasks down into smaller tasks, and of exception handling, with the Virtual Processor.
  • This stratum provides Hardware Abstraction Stratum (HAS) for the Operating System. It is possible to implement the task scheduling, distribution and management on this stratum in cooperation with, in parallel to, or instead of the Virtual Processor Flow Manager.
  • Operating System Services: responsible for providing a Hardware Abstraction Stratum (HAS) for running applications, synchronization support, exception handling, and other Operating System services and features that running applications may use.
  • Application stratum: this stratum comprises applications running on the virtual entire system processor and system. These can be management applications that manage the network and the entire system, or any other general purpose application. It is also possible to run a Virtual Firewall element as an application that takes the role of the external physical Firewall connected as an external co-processor.
  • The system can offload units such as the Firewall and IPS, or handle and process tasks generated by such external units. The reverse is also possible: connected units can offload tasks generated by the system.
  • The virtual entire system network processor supports dynamic attachment and detachment of processing cores and co-processors.
  • The entire system can implement Plug and Play paradigms. These may include the following:
  • Communication Timeouts: the system can listen to connected systems and monitor communication so that it is aware of the time of the last communication with a connected system. This way the system can know that the connected system is in fact still connected.
  • ARP and MAC based lower stratum communications on layer 3 of the OSI model can be used to verify a connected system's connectivity.
  • Signaling: the system can be physically connected to the connected units, so layer 2 of the OSI model can be used to verify a connected system's connectivity.
  • The system may also use an indication of physical connection, such as a physical electronic sensor that can sense cable attachment and detachment, or electrical sensors that can sense electrical conductivity, activity and/or wire capacitance.
  • Applicative level: it is possible for the system to monitor and communicate with a connected unit using a higher-level protocol such as HTTP, FTP, SOAP, RPC, etc., or a mid-level protocol, such as opening a TCP socket specifically for the response.
  • The system can use higher layers of the OSI model to communicate with a connected system. This can help the system detect connected systems and the services installed on them.
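The Communication Timeouts and Applicative Level checks above (and the Keep Alive and mapping verification in the Summary), as an added example that is not part of the patent; the localhost stub service, the banners and the I/O port names are constructed.

```python
"""Keep Alive and mapping probes: added illustration of the Communication
Timeouts and Applicative Level checks. Not the patent's own code."""
import socket
import threading
import time


def start_stub_service(banner: bytes):
    """Constructed stand-in for a connected system: a TCP service on localhost
    that answers one request with its banner. Returns (port, stop_callable)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                conn.recv(64)
                conn.sendall(banner + b"\n")
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop_service():
        stop.set()
        worker.join()   # after this the listening port is closed

    return srv.getsockname()[1], stop_service


def probe_mapping(entry, timeout=1.0):
    """Applicative-level check: open a TCP socket to the (host, port) mapped to
    a designated I/O port and compare the answer with the mapped application.
    Returns 'up', 'misplaced' (something answers, but not the mapped
    application) or 'disconnected'."""
    try:
        with socket.create_connection((entry["host"], entry["port"]), timeout=timeout) as s:
            s.sendall(b"PING\n")
            data = s.recv(256).strip()
    except OSError:
        return "disconnected"
    return "up" if data == entry["expect_banner"] else "misplaced"


class KeepAlive:
    """Communication Timeouts: remember the time of the last traffic seen on
    each I/O port and report the ports silent for longer than `timeout`."""

    def __init__(self, timeout, clock=time.monotonic):
        self.timeout = timeout
        self.clock = clock          # injectable so checks are deterministic
        self.last_seen = {}

    def saw_traffic(self, io_port):
        self.last_seen[io_port] = self.clock()

    def silent_ports(self):
        now = self.clock()
        return sorted(p for p, t in self.last_seen.items() if now - t > self.timeout)
```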
  • Optional mapping strata include:
  • Physical Device: maps devices connected to ports on the network elements.
  • Connected Systems: maps sub-systems connected to the main system of the present invention.
  • Functional Systems: maps functional units such as the Firewall, IPS, servers, etc. These can be hardware devices, but can also be software applications on the system.
  • For mapping purposes the system can use any of the following methodologies:
  • Non-penetration scans can initiate communication on different levels of protocol, such as running over ports, running over web site files, attempting communication with an assumed host (assuming the host is there; this can also detect back doors and worms), etc.
  • Penetration scans may actively attack a connected system, host, user, service, application, etc.
  • The goal of such an attack is to detect the behavior of the target in order to identify the target, as well as to make sure that the target is in fact as secure as its current mapping indicates.
  • Mapping the network and remapping the network can happen for many reasons, such as:
  • Mapping methodologies can help detect the network mapping as well as mapping faults, such as a misplaced unit, a wrong unit, an error in manual mapping, etc.
  • The system network of the present invention can be a Plug and Play network, detecting connection and disconnection of units and detecting a connected system's profile and characteristics.
  • The network itself can force a connected system to update its software / firmware to accommodate network security restrictions. This is performed by the network, and no action is required by an application server connected to the network.
  • The network's infrastructure of the present invention does what is done in the prior art using a server.
  • In the prior art, the computer logs in to the server and the server enforces special rules if the computer wants to log in.
  • The present invention does not need a server for this, because the network itself verifies computer security and compatibility. This function can also be performed by the domain server to which all clients log in.
  • The system may use encryption between end points, or internally between network elements in the network complex.
  • The system may compress data before encryption and decompress after decryption. This increases data security and reduces exposure of the encryption keys because compression (such as ZIP) reduces repeating elements and produces a unique identifier for the compressed data, so the encryption operates on three unique elements instead of two prime numbers (which are unique) and a non-prime number as the data (which is a multiple of many weak prime numbers).

Abstract

System for providing a communication infrastructure in a network, which comprises at least one connected system and at least one network risk management network element. The network acts as a virtual network that comprises at least one virtual network element, which takes over the roles of existing network elements. The virtual network works with physical elements to form the network's infrastructure.

Description

A NETWORK ELEMENT AND AN INFRASTRUCTURE FOR A
NETWORK RISK MANAGEMENT SYSTEM
Field of the Invention
The present invention relates generally to network risk management, and more particularly, the invention relates to a network element and an infrastructure for a network risk management system.
Background of the Invention
The common network Open System Interconnection (OSI) model has the following 7 layers:
1. Physical layer
2. Data Link layer
3. Network layer
4. Transport layer
5. Session layer
6. Presentation layer
7. Application layer
Prior art networks commonly have the following elements, allowing connection between network elements (clients and network segments):
• A Hub operates on the Physical layer of the OSI model;
• A Switch operates on the Data Link layer of the OSI model (and may have layer 3 functions); and
• A Router operates on the Network layer of the OSI model.
Prior art networks define network security elements such as:
• Firewall: Traffic control and basic network management. Mainly separation of network segments (e.g. internal, external, Demilitarized Zone (DMZ), etc.);
• Application Firewall: Inspection of traffic on the application level. Such a Firewall knows the application and its behavior;
• Intrusion Prevention System (IPS): Filters the network for detection of malicious communications. Among its different forms are a filter device between network elements, a device that connects to network elements (switch, router, etc.), and a device that connects to other network security elements. Connecting to network elements means asking these elements to send the traffic passing through them, or parts of it;
• Intrusion Detection System (IDS): a system designed to detect unwanted attempts at accessing, manipulating and/or disabling computer systems;
• Client Control Servers: used for login, to install network policies on client computers, and to verify that client computers are updated and secured;
• Client security elements:
 o Personal Firewall: a Firewall located on the client computer to protect it from any unverified external communication;
 o Anti Virus: expected to secure the system by detecting known types of harmful software and removing them; and
 o Anti Spyware: expected to find applications that may damage the user experience or send information stolen from the computer to external network clients or elements.
Fig. 1 is a prior art based schematic block diagram of a prior art network. Information from the Internet 110 passes into the organization via a Firewall 130. From Firewall 130 information enters the IPS 120 and through the DMZ switch 140, information enters the server 150. After passing one or more switches 160, the information enters the organization personal computers 170.
The prior art network topology is bound to the physical elements and every switch connected to other network elements must have physical ports allowing physical wires to connect to it. In such a configuration Firewall 130 has to be physically connected to Internet 110 before DMZ switch 140 and before the internal network's switches 160.
Management of such networks is extremely difficult and lacking. It is very hard for the network administrator to supervise internal traffic, since the main control point is Firewall 130.
Any communication directly between two clients 170 does not go via Firewall 130, thus making such communication completely unsafe. It is possible that a single internal network 150 has a few thousand clients 170 connected without a Firewall 130 between them. This poses a bigger threat than the immediate threat from Internet 110 itself.
Thus it would be desirable to provide communication between two or more clients 170 directly via a Firewall 130, thus making such communication completely safe and to provide a network topology that is less bound to physical limitations.
Fig. 2 is a prior art schematic block diagram of a partial solution. Once information from the Internet 210 passes the Firewall 230 into the IPS servers 220 and into the internal network 250 and DMZ servers 240, one relies on the connected computers to handle themselves. For example, if the security policy does not allow an application file or ZIP file to be let in via email, a client may use an FTP server to download the same file, or send it using Instant Communication, such as Messenger, ICQ, etc. Once the file is inside the network, it is hoped that the client has an Anti Virus application that can scan the file to verify that it is absolutely secure.
It is an object of the present invention to provide a system allowing communication between two or more clients directly via a Firewall, thus making such communication completely safe. It is another principal object of the present invention to provide better network management and better security.
It is yet another principal object of the present invention to provide a network topology that is less bound to physical limitations.
Further purposes and advantages of this invention will appear as the description proceeds.
Summary of the Invention
The present invention relates to a system for providing a communication infrastructure in a network, which comprises at least one connected system and at least one network risk management network element. The network acts as a virtual network that comprises at least one virtual network element, which takes over the roles of existing network elements. The virtual network works with physical elements to form the network's infrastructure.
The communication infrastructure may be based on an active network element that monitors traffic, or may be at least one network element that can isolate each connected system from any other connected system, or at least one network element that enforces security rules to prevent attacks between different connected systems. At least one network element records traffic logs into the communication infrastructure. The network may be protected by a Firewall that controls and manages the network element system in the protected network. The Firewall and the network element system may comprise a single management system for rule enforcement and log handling.
The system may comprise at least an intrusion protection system and an intrusion detection system. The network element may offload tasks at least from the Firewall and the IPS. The Firewall may offload to the system and the system may offload to the Firewall; either or both are possible. The network infrastructure provides Pattern Matching services to applications.
The network preferably uses ACL at its core. The network infrastructure provides ACL services to applications. The Security network functions (firewall, antivirus, etc.) may deploy security patterns to the ACL instead or in parallel to the network function doing the filtering. The infrastructure can send an event to a security network function according to a pattern. The network infrastructure and the operating system may be based on the same models. The network element may be a core in a virtual multicore CPU.
At least one network element may take the role of the Firewall in order to protect the system. The system may comprise the Firewall and the network element system having a single management and information system. The network element system may offload tasks at least to the Firewall and the IPS. The network element may also report to a management interface about suspicious behavior of the at least one connected system and may be also an anti-virus scanner. At least one management interface may be in communication with a network administrator that allows a configurable network topology.
The Firewall may deploy feature updates and security updates to at least one network element in the internal network, wherein at least one management interface is a dedicated appliance comprising at least one of a computer, a PDA or a cellular phone. The management interface may be a mobile device comprising a cellular or a PDA device, which is notified using one of an SMS and an MMS message. The management interface manages the network and network topology using the mobile device, and the SMS/MMS message contains information that will automatically direct the management interface to an appropriate management display.
At least one network element may be configured with at least one designated I/O pin to act as an input or an output or a filtered input or a DMZ. The network element can apply Firewall capabilities to each of connected systems. The Firewall capabilities may comprise at least: quarantine, honey pot, and data modification. All of network elements may be managed by the Firewall and the Firewall has the single management and information system. The network element may make routing decisions based on information collected about the at least one connected system. Any network function and any network resource may have a clearance level defined. The network element denies routing for some of the available networks after detection of suspicious behavior, such as port scanning.
The system may further comprise internal network tunneling, so that the traffic of every connected system is encrypted on the first network element and decrypted on the last network element, thereby preventing sniffing of the network for this data and modification of network data. The tunneling may be between each connected system in the network, so that a large set of connected systems shares the same network address space and is virtually connected directly to each other.
The system may comprise clearance rings, wherein clearance is according to a model of concentric zones that can be multiple clearance ring models. The system may further comprise Security Rings using virtual networks on the network system, and Interest Frames which work with the clearance rings. There can be multiple Interest Frames, and an Interest Frame can have a clearance level as a group. An Interest Frame may have a Head that has special management permissions. Each I/O port of a network element may have a defined clearance level, such that an unverified source or an unknown source is at clearance level 0. If the target clearance is higher than the current clearance level, then the network element system checks for the procedure to increase the current clearance level to the target level incrementally. The current clearance level can be incremented, decremented, and voted. At least one network element may be a work unit.
The system may provide cooperative network management between at least one network elements. The network may be a virtual network over the physical network or at least one virtual LAN. A management interface may instruct the network administrator how to react to a situation, the instruction comprising at least a checklist that the network administrator preferably is to follow based on predefined rules. All of the network elements in the network may be cores of a single multicore processor, wherein each core adds its own I/O to the multicore processor and the I/O is in the format of the network. The processor can have co-processors acting as at least one of the Firewall, the IPS and the IDS.
The system may comprise an Operating System that uses at least one network element as processor. At least one network element may be grouped in clusters and wherein the network further comprises at least one of RAM and cache for sharing data between cluster items. A single multicore processor may be divided dynamically into smaller processors and all internal busses and external busses of single multicore processor are in one network. A single multicore processor may further comprise hierarchies of multicore processors and may have cores attached and removed dynamically or a Plug and Play core.
At least two network elements may be connected via an intermediate network regarded as a virtual cable. The processor and the Operating System may run applications, wherein at least one application works as a Firewall, an IPS or an anti-virus, and at least one application is a virtual Firewall, a virtual IPS or a virtual anti-virus.
The network element applications and Operating System can be distributed between cores. The system may further comprise a network mapping service. A network element may ping at least one connected system to check that it is connected, using lower-level communication to perform Keep Alive, thereby bypassing software Firewalls installed on the target machines. The network element system may use the Physical Link indicator as part of the network mapping service, and may make periodic attempts to connect to specific ports on the connected system with a specific protocol, in order to verify that: the connected system is in fact connected; the connected system is correctly placed and connected to the designated I/O; and the specific application on the connected system is up and running.
The system may comprise at least one system scanning model usually used by hackers for locating security faults, wherein at least one system scanning model is visible as part of the single management and information system and is used for security decision making, thereby: helping to verify that the at least one connected system is the correct one; helping with Plug and Play connection of network devices so that a new machine connected to the network is questioned in order to identify its nature and hosted applications and services; and becoming a part of the network mapping service.
The system may monitor network traffic: as part of the Keep Alive mechanism; as part of the Plug and Play system; for detecting network vulnerabilities and infected systems; and as part of the Network Mapping service.
The system may enforce Network Policy that makes the at least one connected system install at least one of the following items: updates, patches, and security helping tools, that the system forces at least one connected system to conform to Network Mapping service before taking security actions. The system may comprise a Clearance Ring management system, wherein installed items are used by Clearance Ring management system that automatically reduces clearance of a given system.
Clearance Levels of the Clearance Ring management system may be: zero: meaning at least one of unknown and unverified; positive: higher means more secure and in a more internal ring; and negative: lower means more dangerous/isolated and in a more external ring.
The mapping service maps users of the network.
The following services may be provided by the system:
• A Network Mapping service: a management tool that helps define each connected system and every application on connected systems, by manual definition or automatic detection;
• A Keep Alive service: a background service that monitors the presence of at least one connected system, and is used by the network management and information systems, the Network Mapping service and the Plug and Play service referenced below;
• A Plug and Play service: implementation of Plug and Play methodologies on a Network Function, wherein the Plug and Play service has a management interface and is used as a notification system;
• A Clearance Rings Mapper: provides means of defining the Clearance Levels of a Network Function in manual or automatic mode;
• A Policy and Procedures manager: defines the methods of operation, the rules, the procedures and the behavior of the system for given conditions, comprising the need to clear a data frame from one Clearance Level to another, and rules and procedures for handling unordinary situations;
• A Profiling System: keeps a profile of at least each connected system on the network, every available application on a connected system, the internal parts of the network system itself, the users, and external systems and applications;
• A Protocol Mapper: negotiates between two connected systems to find the most appropriate mutual protocol, the negotiation comprising at least an attempt to load a Protocol Converter, when required, that works in the background;
• A Bouncer service: in charge of handling attackers, attacking systems, infected systems and other security vulnerabilities on the personal machine level, comprising at least demanding updates as part of the security policy, quarantine, penetration tests, system scanning and system/application repairs; and
• A Sentinel service: in charge of securing the network from systems in the responsibility of the Bouncer service, comprising at least rerouting a Cleared Network Function through at least one of the Firewall and a security inspector before passing on the data to the Cleared network, even though both the Network Function and the network have the same Clearance Level. The Sentinel service is responsible for sending a suspicious Network Function to the Bouncer service for quarantine; it also decrements security via the Clearance Level and 'detaches' a Network Function, or a specific application on the Network Function, from the network; and it tunnels a Network Function directly to the external network, creating a Virtual Network that is private for the given Network Function.
Security may be improved at least by compressing the data before encryption, thereby reducing repetitive data and thereby increasing the strength of the encryption. The network risk management network element and the system for a communication infrastructure may act in place of at least one server. The OSI seven-layer model is implemented by the network's communication infrastructure, so that at least two network elements implement OSI model layers internally between them, regardless of the communication between connected systems on the network.
The mapping service may further comprise actively investigating network users by interacting with the users. Investigating network users comprises simulating attacks and exploits, such that the user's responses help determine the type of the user. The investigating may comprise at least one of sending a fake email asking for the user's password and asking to install a malicious attachment, thereby helping to determine the user's vulnerability to attacks that require action by the user.
The system may further comprise: an operational mode: for active risk management; a simulation mode: where the network actively reacts to artificially injected events in order to verify security and behavior; an investigation mode: for initial mapping of the network and defining expected behaviors and checklists; and an interrogation mode: for detection of faults found in the operational mode and the simulation mode, comprising at least going over logs and running simulations based on recorded data, wherein reference is made to the above-referenced co-pending provisional application: Software for a real-time Infrastructure.
All network connected systems may be completely isolated from each other and connected only to external networks, outside the network. Connected systems may be connected to each other through a security element or communicate with each other through a server. The network infrastructure can run a virtual computer system that can host other operating systems and their applications. All the above and other characteristics and advantages of the invention will be further understood through the following illustrative and non-limitative description of preferred embodiments thereof, with reference to the appended drawings, wherein like components are designated by the same reference numerals.
Brief Description of the Drawings
In order to understand the invention and to see how it may be carried out in practice, a preferred embodiment will now be described, by way of a non-limiting example only, with reference to the accompanying drawings, in which:
- Fig. 1 is a prior art schematic block diagram of a physical network that the client sees;
- Fig. 2 is a prior art schematic block diagram;
- Fig. 3 is a schematic block diagram of an exemplary logical embodiment of a virtual network, or the topology that the client sees, even though it is not physically so;
- Fig. 4 is a schematic block diagram of an exemplary physical network that supports these virtual topologies;
- Fig. 5 is a schematic block diagram of an alternative exemplary logical embodiment of a virtual network;
- Fig. 6 is a schematic block diagram of another alternative exemplary logical embodiment of a more complex virtual network;
- Fig. 7a is a schematic block diagram of a hypothetical network architecture that is neither reasonable nor secure to use in a prior art network;
- Fig. 7b is a schematic block diagram of a preferred embodiment of the system network architecture, which allows physical connection of any topology, while still maintaining logical separation between network elements;
- Fig. 8 is a schematic block diagram of an exemplary logical network topology of the system network architecture, which is allowed by the exemplary physical connections of Fig. 7b;
- Fig. 9 is a schematic block diagram of an exemplary physical network topology of the system network architecture, constructed in accordance with the principles of the present invention, wherein all internal traffic of the virtual system is virtually tunneled;
- Fig. 10 is a schematic block diagram illustrating application of the logical network configuration so that connected systems 'see' isolated tunnels connecting two systems using a virtual direct cable;
- Fig. 11 is a schematic block diagram illustrating application of the physical network configuration allowing physical connection of connected systems with different trust levels;
- Fig. 12a is a schematic illustration of the Clearance Levels for the system of the present invention using a model called the Clearance Ring model;
- Fig. 12b is a schematic illustration of an organization hierarchy;
- Fig. 12c is another schematic illustration of an organization hierarchy;
- Fig. 13 is a schematic block diagram illustrating movement between Clearance Levels;
- Fig. 14a is a schematic block diagram of an exemplary physical network that supports the virtual topologies of the present invention;
- Fig. 14b is a schematic block diagram illustrating the virtual processing system seen during operation of the physical network of Fig. 14a;
- Fig. 15 is a schematic block diagram of a prior art implementation of the system for an exemplary single computer machine having all CPU cores inside a single chip, such as a personal computer with a Pentium processor; and
- Fig. 16 is a schematic block diagram illustrating the virtual processing system of Fig. 14b in terms of central processing units, co-processing units and peripherals.
Detailed Description of Preferred Embodiments
Herein below:
• a network element is an element of the present invention that replaces a network switch or a network router and has at least one input/output (I/O) port.
• a connected system is any system that a network element can connect to or communicate with, such as a server, a computer, another network element, a Firewall, an IPS, an IDS or any network component or system.
• an application is any system, software application or service installed on a network element.
• a network function is an application, a connected system, or a connected system having an application installed, providing services to network clients, whether an appliance or virtual, such as a Firewall, Web server, mail server, anti-virus scanner, etc.
The present invention relates to a Network Risk Management (NRM) system. Said NRM system allows better network management, better security and a network topology that is less bound to the physical limitations.
The network topology of the present invention is based on a virtual network element that takes over the roles of existing network elements such as Switch, Router and possibly Firewall, IPS, etc.
The virtual network is comprised of physical elements that work together to form the network's infrastructure. The network topology can be configured using an external management element.
According to an embodiment of the present invention, a network risk management network element replaces a network switch or a network router and has at least one I/O port. The system includes at least one targeted machine in at least one connected system, which is any system that a network element can connect to or communicate with, such as a server, computer, network element, Firewall, IPS, IDS or any network element or network system.
According to yet another embodiment of the present invention, said invention is disclosed for a communication infrastructure in a network including at least one connected system and at least one network risk management network element, wherein the network acts as a virtual network comprising at least one virtual network element, and wherein the at least one virtual network element takes over the roles of existing network elements comprising at least one of a switch, a router, a Firewall and an intrusion prevention system, and wherein the virtual network is comprised of physical elements that work together to form the network's infrastructure.
According to still another embodiment of the present invention, it provides a network topology based on a virtual network element that takes over the roles of existing network elements such as switch, router, and possibly Firewall, intrusion prevention system, etc. The virtual network is comprised of physical elements that work together to form the network's infrastructure. The network topology can be configured using an external management element. The invention describes a Network Risk Management solution. Such a system can turn the capabilities of Network Management toward Network Security. Network security is improved when there is an improvement in the ability to manage the network, monitor the network, define situations and states, and enforce conditions and rules.
According to an embodiment of the present invention, the infrastructure of the entire network monitors traffic, logs activity, identifies attacks between internal network clients and applies any network security methodology and technology that can be used between internal networks and one or more external networks. All this is provided without the need to enforce the security on the servers or clients.
Fig. 3 is a schematic block diagram of an exemplary logical view of a virtual network, according to an embodiment of the present invention. Fig. 3 appears identical to prior art Fig. 1, because it is the topology that the clients see, even though it is not physically in this form. Any network element or functional unit, including servers 150, Firewalls 130, IPS 120, and clients 170 can be configured using a proxy, and can also be virtual as a software element on the system of the present invention.
According to a further embodiment of the present invention, information from the Internet 110 passes into the organization via a Firewall 130. From Firewall 130 information enters the IPS 120 and through the logical virtual DMZ switch 310, information enters the server 150. After passing one or more logical virtual switches 320, the information enters the organization personal computers 170.
The prior art network topology is bound to the physical elements, and every switch connected to other network components must have physical ports to allow physical wires to connect to it. In such a configuration the Firewall has to be physically connected to the Internet before the DMZ switch and before the internal physical network's switches.
According to some embodiments of the present invention, Fig. 4 is a schematic block diagram of an exemplary physical network that supports various virtual topologies, such as that of Fig. 3. Information from the Internet 110 appears to pass into all elements of the organization via a network element 410, and from there to other network elements 410, as well as to a Firewall 130, an IPS 120, a server 150 and organization computers 170. Information from Internet 110 does not really get to all network elements, because of the Clearance Ring Model, as described below with reference to Fig. 12a, and the Interest Frames Model, as described below with reference to Fig. 12b. Thus, information from Internet 110 does not go to secure elements directly; it goes to Firewall 130, then to other elements, etc.
Fig. 5 is a schematic block diagram of another embodiment according to the present invention of a logical virtual network. Information from the Internet 110 passes into the organization via a Firewall 130. From Firewall 130 information enters the IPS 120 and through the DMZ switch 140, information enters the server 150. After passing a logical virtual switch 510, the information enters the organization personal computers 170.
Fig. 6 is a schematic block diagram of another alternative exemplary logical embodiment of a more complex virtual network, constructed in accordance with the principles of the present invention. Information from the Internet 110 passes into the organization via a Firewall 130. From Firewall 130 information enters the IPS 120 and through the DMZ switch 140, information enters the server 150. After passing one or more logical virtual switches 160, the information enters the computers 170. Any network element or functional unit, including servers, Firewalls, IPS 120, and clients can be configured using a proxy, and can also be virtual as a software element on the system. In the context of Fig. 6, Firewall 130 is configured to function as logical virtual Firewalls 610, 620, 630, 640, 650, 660, 670, and 680.
According to previous embodiments and figures, the network risk management system of the present invention can be applied by several means. As an example, a central Firewall manages the entire network by:
• connecting to any network element that will deploy to all other units;
• connecting to any network element separately; and
• connecting to an application running on the virtual CPU, etc.
The system of the present invention can simply apply routing rules, but can also produce routing rules by itself, according to different network states and statuses or in response to network threats.
By contrast, classic networks isolate connected systems with different trust levels by physical separation. For example, there is a Firewall 130 between the Internet 110 and any internal network and server 150, the DMZ 140 is physically separated from the rest of the network, and subnetworks are physically detached.
Fig. 7a is a schematic block diagram of an example of a prior art network architecture that is neither reasonable nor secure to use. There is no clear separation between systems connected to the same network switch and any connected system can communicate with another connected system connected to the same switch. Information from the Internet 110 passes into the organization via a switch 160. From the Firewall 130 information enters the IPS 120 and through the DMZ switch 140, information enters the server 150. Yet, this is irrelevant here, because this is an undesirable configuration, where Internet 110 is directly connected to the protected network without any security. After passing physical switch 160, the information enters the organization personal computers 170.
Fig. 7b is a schematic block diagram of the system network architecture, according to still another embodiment of the present invention. Said system network architecture allows physical connection of any topology while still maintaining logical separation between network elements. Information from the Internet 110 passes into the organization via a Firewall 130. From Firewall 130 information enters the IPS 120 and through the DMZ switch 140, information enters the server 150. After passing a network element 710, the information enters the organization personal computers 170.
According to another embodiment of the present invention, Fig. 8 is a schematic block diagram of a logical network topology of the system network architecture which is allowed by the exemplary physical connections of Fig. 7b. Information from the Internet 110 passes into the organization via a Firewall 130. From Firewall 130 information enters the IPS 120 and through the DMZ switch 140, information enters the server 150. After passing a logical virtual system 810, the information enters the organization personal computers 170. Separation between elements does not have to be physical, thereby providing more flexibility in physical network design.
Fig. 9 is a schematic block diagram of an example of an embodiment of a physical network topology of the system network architecture of the present invention. In said topology, all internal traffic of the entire virtual system is virtually tunneled. In addition to the physical connections illustrated by the thin arrows, virtual tunneling connections are shown by thick arrows via network elements 710. These are shown from the Internet 110 to the Firewall 130, from Firewall 130 to IPS 120, from IPS 120 to the DMZ Server 720, and from DMZ Server 720 to a computer 170.
Thus, every system physically connected via a network element can be encrypted on entry and decrypted just before arrival at a destination, so that all internal traffic of the virtual system is encrypted, or virtually tunneled.
As another exemplary embodiment of the present invention, Fig. 10 is a schematic block diagram illustrating application of the logical network configuration so that connected systems see isolated tunnels connecting two systems using a virtual direct cable. In addition to the physical connections illustrated by the thin arrows, virtual tunneling connections are shown by thick arrows via a virtual direct cable. These are shown from the Internet 110 to the Firewall 130, from Firewall 130 to the IPS 120, from IPS 120 to the DMZ Server 720 and from DMZ Server 720 to a PC 170.
Said isolation increases security and control over the traffic, and improves network management. These direct connections can be predefined by the network administrator, or created automatically whenever data is moved between the two systems or on connection initiation.
The system of the present invention can enforce an internal routing rule for Network Risk Management, such as rerouting all internal traffic through a Firewall or an Anti-Virus. Rules can be selectively applied to specific systems according to Risk Management requirements and decision making. Enforcing Network Risk Management methodologies increases network tolerance to attacks from external systems, but also increases network tolerance to attacks coming from internal network elements and trusted connected systems.
The system of the present invention can also employ known network security practices which are commonly used to secure the internal network from attackers that come from an external network, i.e., the Internet, for example quarantine, honey-pot, data inspection and modification, etc. On the system network there is no physical difference or limitation between external and internal connected systems, so the entire system can employ network security practices on internal clients and trusted connected systems. This can be achieved without the need for installation on the clients or servers in the network.
The system can perform basic Network Management functionalities such as monitoring traffic and notifying the administrator of predefined or extreme conditions and statuses. The system can also perform advanced Network Risk Management functionalities such as detection of suspicious connected systems, suspicious communication, suspicious users, etc. The system can also take measures to secure the system accordingly. This may include reconfiguration or adjustment of routing rules and system topology.
It is possible for the system of the present invention to listen to network traffic or interfere with the network traffic, for example for cancellation, modification or delay of communication. The system can also actively produce traffic for several different reasons, such as client identification, detection of harmful software installed on a client, detection of disconnection, etc. This can also include practices such as penetration testing and port scanning, which can be performed by the system as part of the Network Risk Management methodology.
Fig. 11, according to still another embodiment of the present invention, is a schematic block diagram illustrating the physical connection of connected systems with different trust levels. Every network connection, i.e., input/output port 1110, has an identity that also defines its Clearance Level. This does not apply to connections between network elements, since these may operate in any protocol, from common protocols such as Internet Protocol (IP) or Internet Control Message Protocol (ICMP) to proprietary protocols that are internal to the network. Generally speaking, the network elements 710 should act together to form a single entity. For example, the Internet 110 and a DMZ server 720 can be physically connected to different network element units, but logically connected directly, and traffic between them is completely isolated from other connected systems anywhere on the network. A connected system, which can be e.g. a PC, a server or a Firewall, can also mean any Network Function such as a connected system, or an application or a service running on a connected system. This is achieved by the definition of trust levels, called Clearance Levels, for each connected system. Thus, any input to the entire virtual network has a definition of its Clearance Level. Another model, the Interest Frames, is used in the same way; Interest Frames allow the generation of groups of users allowed to access specific resources of the organization.
Fig. 12a is a schematic illustration of exemplary Clearance Levels for the entire system using a model called the Clearance Ring model, according to some embodiments of the present invention. There could be several parallel Clearance Ring schemas used in a single network; moreover, a Clearance Rings diagram can be defined per Resource, Network Function, User, etc. The highest numbers define the most trusted connected systems, such as Virus Free (12) 1260, Spam Scanned (5) 1250 and After Firewall (1) 1240. Zero defines an unverified or unknown system, such as the Internet (0) 1230. The lowest numbers (negative in Fig. 12a) define the most dangerous connected systems, such as Quarantined (-3) 1210 and Suspicious (-1) 1220. There are no rules for Clearance Level enumeration and no limit on high and low values. The system of the present invention may degrade a connected client from any Clearance Level to a lower one for many reasons, such as a Firewall or IPS recommendation, a detected threat, an administrator's request, predefined rules, etc.
Any data on the network has a destination. The system compares the target Clearance Level to the source Clearance Level, and if they match then the communication may continue. If the Clearance Level of the source is higher than the target's, for example a trusted computer connecting to the Internet, then the communication can continue on the regular route. On the other hand, if the Clearance Level of the source is lower than the target's, for example a source from the Internet trying to communicate with a trusted machine, then the Clearance Level of the data frame has to be upgraded to at least match the Clearance Level of the target.
This paradigm is more secure than the one used on classic prior art networks, because prior art networks have filtering elements between parts of the network infrastructure, whereas on the entire system network the infrastructure itself decides whether to pass the data frame or not. In other words, the network does not rely on a filtering element to stop the unverified data before it is passed to the destination. Instead, the network will pass the data only to targets within the permitted Clearance Level. According to an embodiment of the present invention, the Clearance Ring can be used in an Interest Frames context. An Interest Frame is a hierarchical model organizing Network Functions and Users according to their functional role and expected behavior, such as position in the organization, relation to projects, and services provided to and by them. Figs. 12b and 12c show examples of such hierarchies.
In most cases, members of an organization work in teams according to a hierarchical organization layout. The present invention provides the possibility to create Interest Frames for any team, any project, and any stage of a project, in order to allow resource sharing. An Interest Frame can be defined per Resource, Network Function, User, etc.
Fig. 12b is an example of an organization hierarchy 1280. CEO 1281 works with the CTO 1282 and the V.P. Marketing 1283. CTO 1282 and the V.P. Marketing 1283 work together. An Interest Frame is defined that includes CEO 1281, CTO 1282 and V.P. Marketing 1283. They can share data and resources securely without risk of disseminating information to other members of the organization. CTO 1282 works with the team leaders 1284 and 1285. An Interest Frame is defined that includes CTO 1282 and the team leaders 1284 and 1285. They can share data and resources securely without interfering with other members of the organization. Team leader 1284 manages Dev1 1288 and Dev2 1289; Dev1 1288 and Dev2 1289 work together; an Interest Frame including Team leader 1284, Dev1 1288 and Dev2 1289 is defined to allow them to share particular data and resources. The same mechanisms are used to create Interest Frames including, respectively, Team leader 1285, Dev3 1290 and QA 1291, and V.P. Marketing 1283, Marketing Manager 1286 and Marketing Manager 1287. According to a member's position in the organization hierarchy and his membership in particular Interest Frames, said member can use specific resources defined using Clearance Ring levels.
As another example of Interest Frames definition, Fig. 12c shows a modified hierarchy of an organization, in order to be able to work in a temporary situation. In this context, all generated Interest Frames are temporary ones and are removed when they are no longer needed. CEO 1281 works with Marketing Managers 1286 and 1287; an Interest Frame including these three organization members is generated. Another Interest Frame including Marketing Manager 1 1286, Dev1 1288, Dev2 1289, and QA 1291 is also generated. Yet another Interest Frame is created including Marketing Manager 2 1287, Team Leader 1 1284, Dev3 1290, and QA 1291.
According to yet a further embodiment of the present invention, Fig. 13 is a schematic block diagram illustrating movement between Clearance Levels. The system defines a Procedure Set that helps determine how to move between Clearance Levels. When a data frame needs to upgrade its Clearance Level, for example from 1 to 12, the system will check the appropriate procedure level, which may, for example, involve passing via the Firewall and two IPS systems, a delay of 25 minutes, and the Network Administrator's permission.
As another example, when the CEO 1380 is browsing to a Web server ("WWW Server") 1330 on the Internet 110, the computer 170 of CEO 1380 will send data to Web server 1330. Since the Clearance Level of the Web site is zero 1350, the data may go to Web server 1330. Server 1330 replies with a data frame that has the Clearance Level of zero 1350, so the source Clearance Level is (0) 1350 and the target Clearance Level is (8) 1370. The system will go over the conversion procedure from (0) to (8) and find that the procedure defines that going from (0) to (8) requires going from (0) to (1), from (1) to (5) and from (5) to (8). Going from (1) to (5) is defined as going from (1) to (2) and from (2) to (5). The system will then check the procedure for going from (0) to (1) and will find that it requires going through the Firewall 130. After the data is returned from Firewall 130 it is upgraded to Clearance Level (1). This is an example; the procedure may vary according to the system implementation and the procedures and rules defined by the network administrator, particularly for Interest Frames management.
Optionally, a Clearance Level Modifier upgrades or downgrades the Clearance Level of a data frame, machine, application or service on the connected system, etc., according to the mandate given by the entire system. It is also possible for a Clearance Level Modifier to block, quarantine or even deny a Clearance Level or levels to any other Clearance Level Modifier. For example, the Anti Spam may upgrade the Clearance Level from (1) to (2) but deny the Anti Virus from upgrading the Clearance Level from (2) to (5), or re-enqueue the frame for later inspection within a given period.
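As an added illustration (not code from the patent), the following Python model implements the Clearance Ring comparison rule of the preceding paragraphs together with the Fig. 13 Procedure Set, including a Clearance Level Modifier that denies another modifier's step as in the Anti Spam example above. The inspector functions and the byte markers they look for are constructed stand-ins for the real Firewall, Anti Spam, Anti Virus and IPS.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Clearance Levels follow Fig. 12a: a higher number is a more trusted ring,
# zero is the unverified Internet and negative numbers are dangerous systems.
QUARANTINED = -3
INTERNET = 0
Step = Tuple[int, int]  # a transition (from_level, to_level)


@dataclass
class DataFrame:
    """A data frame carrying the Clearance Level of its source."""
    source: str
    target: str
    level: int
    payload: bytes
    trail: List[str] = field(default_factory=list)  # inspectors passed so far

# A Clearance Level Modifier inspects a frame and returns the frame's new
# level, or None to refuse it (the frame is then quarantined).
Modifier = Callable[[DataFrame, "ProcedureSet"], Optional[int]]


class ProcedureSet:
    """Procedure Set of Fig. 13: a transition is either composite (a list of
    sub-transitions) or atomic (performed by one Clearance Level Modifier)."""

    def __init__(self) -> None:
        self.composite: Dict[Step, List[Step]] = {}
        self.atomic: Dict[Step, Tuple[str, Modifier]] = {}
        self.denied: Set[Step] = set()  # steps vetoed by another modifier

    def composite_rule(self, step: Step, parts: List[Step]) -> None:
        self.composite[step] = parts

    def atomic_rule(self, step: Step, name: str, modifier: Modifier) -> None:
        self.atomic[step] = (name, modifier)

    def resolve(self, frm: int, to: int) -> List[Step]:
        """Expand a transition recursively into its atomic steps, in order."""
        step = (frm, to)
        if step in self.atomic:
            return [step]
        if step in self.composite:
            expanded: List[Step] = []
            for part in self.composite[step]:
                expanded.extend(self.resolve(*part))
            return expanded
        raise KeyError(f"no procedure defined from {frm} to {to}")


def deliver(frame: DataFrame, target_level: int, procedures: ProcedureSet) -> str:
    """Clearance Ring rule: a source at or above the target's level passes on
    the regular route; a lower source is upgraded step by step."""
    if frame.level >= target_level:
        return "pass"
    for step in procedures.resolve(frame.level, target_level):
        if step in procedures.denied:
            return "held"  # re-enqueued for later inspection
        name, modifier = procedures.atomic[step]
        new_level = modifier(frame, procedures)
        if new_level is None:
            frame.level = QUARANTINED
            return "quarantined"
        frame.level = new_level
        frame.trail.append(name)
    return "upgraded"

# Constructed stand-ins for the Firewall, Anti Spam, Anti Virus and IPS
# inspectors; the byte markers they look for are invented for this example.
def firewall(frame: DataFrame, procedures: ProcedureSet) -> Optional[int]:
    return None if frame.payload.startswith(b"BLOCKED:") else 1

def anti_spam(frame: DataFrame, procedures: ProcedureSet) -> Optional[int]:
    if b"spam-marker" in frame.payload:
        procedures.denied.add((2, 5))  # deny the Anti Virus upgrade (2)->(5)
    return 2

def anti_virus(frame: DataFrame, procedures: ProcedureSet) -> Optional[int]:
    return None if b"virus-marker" in frame.payload else 5

def ips(frame: DataFrame, procedures: ProcedureSet) -> Optional[int]:
    return 8


def build_procedures() -> ProcedureSet:
    """The Fig. 13 walk-through: (0)->(8) decomposes into (0)->(1), (1)->(5),
    (5)->(8), and (1)->(5) into (1)->(2), (2)->(5)."""
    p = ProcedureSet()
    p.composite_rule((0, 8), [(0, 1), (1, 5), (5, 8)])
    p.composite_rule((1, 5), [(1, 2), (2, 5)])
    p.atomic_rule((0, 1), "Firewall", firewall)
    p.atomic_rule((1, 2), "Anti Spam", anti_spam)
    p.atomic_rule((2, 5), "Anti Virus", anti_virus)
    p.atomic_rule((5, 8), "IPS", ips)
    return p


def web_reply(payload: bytes) -> DataFrame:
    """A reply from the Web server (level 0) addressed to the CEO's computer."""
    return DataFrame("WWW Server", "CEO PC", INTERNET, payload)
```

Calling `deliver(web_reply(b"<html>page</html>"), 8, build_procedures())` returns `"upgraded"` and leaves the frame at level 8 with the trail Firewall, Anti Spam, Anti Virus, IPS; a payload carrying the constructed spam marker is left at level 2 and reported as `"held"` because the Anti Spam step denied the Anti Virus upgrade.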
Fig. 14a is a schematic block diagram of an example of a physical network that supports the virtual topologies, according to another embodiment of the present invention. Information from the Internet 111 passes into all elements of the organization via a network element 160, and from there to other network elements 1460, as well as to the Firewall 1430, the IPS 120, the DMZ server 150 and the organization personal computers 170.
Fig. 14b is a schematic block diagram illustrating the virtual processing of the system of the present invention seen during operation of the physical network of Fig. 14a, according to an embodiment of the present invention. The network elements 710 of the entire system 810 work cooperatively, and system 810 is divided into Work Units. Each work unit can process a task. The tasks in system 810 are produced by other tasks. A Work Unit can be external, such as an external Firewall 130 and an IPS 120 connected to system 810, or internal like a network element 710. Network elements 710 have a Task Queue managed by a Network / Streaming Operating System / Software for a real-time Infrastructure. The network connection between network elements 710 is considered the internal CPU bus 1410, and the network connection from network elements 1465 to other connected systems is considered the external CPU bus / I/O port or ports.
According to an embodiment of the present invention, said system can have an operating system that runs on all the network elements, using them as work units. These work units behave as Cores in a multicore CPU on one layer. On another layer, each work unit has I/O ports that are part of the large virtual CPU. This virtual CPU runs an operating system on which it is possible to run applications. The virtual CPU can be a multi-core CPU. Fig. 15 is a schematic block diagram of a prior art implementation of the system of the present invention. As an example, a single computer has all CPU cores 1505 inside a single chip 1605, such as a computer 170 with a Pentium processor 1503. Chip 1503 is able to manage peripherals 1513, 1515, 1517, 1519, 1521 and 1523 using a bus 1525.
According to yet another embodiment of the present invention, Fig. 16 is a schematic block diagram illustrating the virtual processing system of Fig. 14b in terms of central processing units, co-processing units and peripherals. This is the equivalent of a common implementation of a Central Processing Unit (CPU) 1610 based machine that runs an operating system. The Operating System regards external Work Units as co-processors 1630 and network elements as CPU Cores 1620. According to a further embodiment of the present invention, an Operating System's element, called the OS Core, and an Access Control Layer (ACL) are responsible for the interaction and communication between network elements. Several OS cores take place in a system, and each said OS core is able to exchange data with other operating system cores and application programs. Each OS core is more efficient at dealing with a particular kind of data. The ACL identifies the interaction between the elements, and every such resource may be accessed under restrictions. The ACL is responsible for all access permissions and security filtering. According to this embodiment, the interaction between an OS Core and an ACL allows secured transactions to be provided between network elements.
According to some embodiments of the present invention, there are several abstraction strata for the system:
• Physical stratum: network elements are connected to one another using a network connection and all other machines and connected systems are connected to the network elements using a network connection.
• Internal CPU stratum: network elements use the communication lines between them to perform as a single entity. This configuration makes each network element a core in the multiprocessor CPU that is the system network.
• CPU external stratum: The network communication between the network elements and the other units connected to them provides an external I/O bus for the virtual entire system processor. On this stratum every network component is a port extender that has several (network) I/O's, so on this level regardless of the ability of a network component to process information or handle tasks, a network element can also extend the external CPU bus and I/O ports. It is possible that some network elements will only do processing or only be port extenders. On this stratum the external Firewall, IPS, IDS and other security elements perform as co-processors to the virtual entire system CPU.
• Virtual Processor Flow Manager: Handles Task scheduling and dispatching between Work units (network elements, external processors, etc.), Task generation and enqueuing, Hardware exception handler, Cache management, Work unit enumeration and profiling and other Kernel Operating System services such as synchronization. Shares responsibility of breaking down tasks into smaller tasks and of exception handling with the Operating System.
• Operating System Kernel: Responsible for management of the Virtual Processor, enumeration and profiling of systems connected externally to the Virtual Processor. Shares responsibility of breaking down tasks into smaller tasks and of exception handling with the Virtual Processor. This stratum provides Hardware Abstraction Stratum (HAS) for the Operating System. It is possible to implement the task scheduling, distribution and management on this stratum in cooperation with, in parallel to, or instead of the Virtual Processor Flow Manager.
• Operating System Services: Responsible for providing Hardware Abstraction Stratum (HAS) for running applications, synchronization support, Exception handling, and other Operating System services and features that running applications may use.
• Application stratum: This stratum comprises applications running on the virtual entire system processor and system. These can be management applications that manage the network and the entire system or any other general purpose application. It is also possible to run a Virtual Firewall element as an application that will take the role of the external physical Firewall that is connected as an external co-processor.
Optionally, the system offloads units such as the Firewall and IPS, or handles or processes tasks generated by such external units. The reverse is also possible: connected units can offload system-generated tasks.
The virtual entire system network processor supports dynamic attachment and detachment of processing cores and co-processors.
The entire system can implement Plug and Play paradigms. These may include the following:
• Communication Timeouts: The system can listen to connected systems and monitor communication so that it is aware of the time of last communication with a connected system. This way the system can know that the connected system is in fact still connected.
• Keep Alive: periodically the system can initiate communication with a connected system to verify its connectivity. Thus, even if the connected system has had no communication with the system, the system can initiate communication with the connected system to verify that it is still connected. If such a connected system does not reply, the system may indicate that the connected system is no longer connected and take appropriate actions, such as indicating this on the management console, notifying the administrator, responding on behalf of the missing system and caching data sent to it, immediately replying to other systems that the connected system is down (thus reducing timeouts), treating future communication from the given physical connection as an unknown source, etc.
• Keep Alive can be performed using any of several methods, including:
• Ping: ICMP echo. The connected system will reply if it is connected.
• ARP and MAC based: lower stratum communications on layer 3 of the OSI model can be used to verify a connected system's connectivity.
• Signaling: The system can be physically connected to the connected units, so layer 2 of the OSI model can be used to verify a connected system's connectivity.
• Physical: The system may also use indication of physical connection such as a physical electronic sensor that can sense cable attachment and detachment, or by using electrical sensors that can sense electrical conductivity, activity, and / or wire capacitance.
• Applicative Level: It is possible for the system to monitor and communicate with a connected unit using a higher level protocol such as HTTP, FTP, SOAP, RPC, etc., or a mid level protocol such as opening a TCP socket specifically for the response. The system can use higher layers of the OSI model to communicate with a connected system. This can help the system detect connected systems and installed services on connected systems.
Optional mapping strata include:
• Physical Link: map all wires connected to ports of the network elements.
• Physical Device: map devices connected to ports on the network elements.
• Connected Systems: connected sub-systems to the main system of the present invention.
• Functional Systems: map functional units such as Firewall, IPS, servers, etc. These can be hardware devices, but can also be software applications on the system.
• Services: map installed services on a connected system.
• Users: map users connected to/through the system network of the present invention.
• Forces: map attackers and friendly systems both inside the network and external to the network system of the present invention.
• Vulnerability: map insecure systems by possible activities, infections, outdated software, data sensitivity, etc.
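The following is an added example, not code from the patent, combining the Communication Timeouts and Keep Alive mechanisms described above into one monitor. Passive evidence (any traffic seen from a connected system) refreshes its last-seen time; only a system that has been silent longer than a timeout is actively probed, cheapest method first (the probe methods are pluggable, so ICMP, ARP or an application-level check can be tried in order); a system that answers nothing is marked down and the follow-up actions listed above are recorded as events. The clock, the probe answers and the addresses are constructed for the scenario.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Probe = Callable[[str], bool]   # probe(address) -> True if the system answered


@dataclass
class ConnectedSystem:
    name: str
    address: str
    last_seen: float
    state: str = "up"


class KeepAliveMonitor:
    """Communication-timeout watch plus active keep-alive in a single monitor."""

    def __init__(self, probes: Dict[str, Probe], idle_timeout: float,
                 clock: Callable[[], float]) -> None:
        self.probes = probes              # insertion order is probe order, e.g. icmp, then tcp
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.systems: Dict[str, ConnectedSystem] = {}
        self.events: List[str] = []

    def attach(self, name: str, address: str) -> None:
        """A new physical connection: register it and schedule mapping of the unit."""
        self.systems[address] = ConnectedSystem(name, address, self.clock())
        self.events.append(f"{name} attached: schedule mapping")

    def observe_traffic(self, address: str) -> None:
        """Called for every frame the network element sees from `address`."""
        system = self.systems.get(address)
        if system is None:
            self.events.append(f"{address}: traffic from unknown source")
            return
        system.last_seen = self.clock()
        self._mark_up(system)

    def _mark_up(self, system: ConnectedSystem) -> None:
        if system.state == "down":
            system.state = "up"
            self.events.append(f"{system.name} reconnected: schedule remapping")

    def check(self) -> List[str]:
        """Run one monitoring round; return the names of systems currently down."""
        now = self.clock()
        for system in self.systems.values():
            if now - system.last_seen <= self.idle_timeout:
                continue                                  # recent traffic is proof enough
            for method, probe in self.probes.items():     # silent: probe, cheapest first
                if probe(system.address):
                    system.last_seen = now
                    self.events.append(f"{system.name} answered {method} keep-alive")
                    self._mark_up(system)
                    break
            else:                                         # no probe answered
                if system.state == "up":
                    system.state = "down"
                    self.events.append(
                        f"{system.name} down: notify administrator, cache data sent to it, "
                        f"answer peers immediately, treat the port as an unknown source")
        return sorted(s.name for s in self.systems.values() if s.state == "down")


def demo() -> Dict[str, List[str]]:
    """Constructed scenario with a simulated clock and simulated probe answers."""
    clock = [0.0]
    answers = {"10.0.0.11": {"icmp": True},                   # answers ping
               "10.0.0.12": {"icmp": False, "tcp": True},     # host firewall drops ping
               "10.0.0.13": {"icmp": False, "tcp": False}}    # gone
    probes = {m: (lambda addr, m=m: answers.get(addr, {}).get(m, False)) for m in ("icmp", "tcp")}
    mon = KeepAliveMonitor(probes, idle_timeout=30.0, clock=lambda: clock[0])
    mon.attach("fileserver", "10.0.0.11")
    mon.attach("printer", "10.0.0.12")
    mon.attach("kiosk", "10.0.0.13")
    clock[0] = 20.0
    mon.observe_traffic("10.0.0.13")      # kiosk is seen talking, so it needs no probe yet
    clock[0] = 40.0
    round1 = mon.check()                  # fileserver and printer idle 40 s: probed, both answer
    clock[0] = 100.0
    round2 = mon.check()                  # kiosk idle 80 s and answers nothing: down
    clock[0] = 110.0
    mon.observe_traffic("10.0.0.13")      # kiosk talks again: reconnected, remap
    round3 = mon.check()
    return {"round1": round1, "round2": round2, "round3": round3, "events": mon.events}
```

Ordering the probe dictionary from cheapest to most expensive matters: the printer above never answers ICMP because of a host firewall, so the TCP check is what keeps it from being declared down, which is the situation claim 67 addresses with lower-level keep-alive.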
For mapping purposes the system can use any of the following methodologies :
• Monitor and listen to network traffic in/out of a connected system.
• Actively initiate communication to a connected system.
• Interfere with traffic in a way that can invoke behavior or non-behavior.
• Non-penetration scans can initiate communication on different levels of protocol, such as run over ports, run over web site files, attempt communication with an assumed host (assuming the host is there, this can also detect back doors and worms), etc.
• Penetration scans may actively attack a connected system, host, user, service, application, etc. The goal of such an attack is to detect the behavior of the target in order to identify the target, as well as make sure that the target is in fact secure as its current mapping indicates.
• Any known hacker / cracker / system exploit / system detection mechanism used to attack internal systems from the outside can be used by the network itself in the process of mapping the network.
Mapping the network and remapping the network can happen for many reasons such as:
• Indication of connected system connect / disconnect.
• Periodic scheduled mapping.
• Dead connected system / service / application detected.
• Connected System / service / application misbehavior.
• Connected System / service / application break expected protocol or communication.
• Administrator's request.
• System initialization.
• System setup.
• Connected System inactivity for a timeout.
Mapping methodologies can help detect the network mapping as well as mapping faults, such as a misplaced unit, wrong unit, error in manual mapping, etc.
Using these methodologies and others the system network of the present invention can be a Plug and Play network, detecting connection and disconnection of units and detecting a connected system's profile and characteristics.
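As an added example (not code from the patent) of the passive mapping methodology and of the mapping-fault detection described above: a network element builds a Physical Device and Services map from the traffic it sees on its ports (a device is whatever MAC address transmits on a port; a service is a port from which that device sends SYN-ACK replies) and compares the result with the administrator's manual map. The comparison reports a misplaced unit, a wrong unit, an expected unit that is absent, an unlisted service, and an unmapped unit that should trigger a mapping run. The traffic lines, MAC addresses and manual map are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample of frames observed by one network element, one per line:
# ne_port src_mac src_ip dst_ip service_port flags
SAMPLE_TRAFFIC = """\
3 aa:aa:aa:00:00:01 10.0.0.11 10.0.0.50 443 SYN
4 aa:aa:aa:00:00:02 10.0.0.50 10.0.0.11 443 SYN-ACK
4 aa:aa:aa:00:00:02 10.0.0.50 10.0.0.11 22 SYN-ACK
5 aa:aa:aa:00:00:03 10.0.0.77 10.0.0.50 443 SYN
"""

# Administrator's manual map: network element port -> (unit name, MAC, services offered).
MANUAL_MAP: Dict[int, Tuple[str, str, Set[int]]] = {
    3: ("workstation-a", "aa:aa:aa:00:00:01", set()),
    4: ("web-server", "aa:aa:aa:00:00:02", {443}),
    6: ("workstation-b", "aa:aa:aa:00:00:03", set()),
}


def observe(traffic: str) -> Dict[int, Dict[str, Set[int]]]:
    """Passive Physical Device + Services mapping: port -> {mac -> service ports offered}."""
    observed: Dict[int, Dict[str, Set[int]]] = defaultdict(lambda: defaultdict(set))
    for line in traffic.splitlines():
        if not line.strip():
            continue
        port, mac, _src_ip, _dst_ip, service_port, flags = line.split()
        services = observed[int(port)][mac]          # transmitting on a port = device present
        if flags == "SYN-ACK":                       # reply from a listener = service offered
            services.add(int(service_port))
    return observed


def mapping_faults(manual: Dict[int, Tuple[str, str, Set[int]]],
                   observed: Dict[int, Dict[str, Set[int]]]) -> List[str]:
    """Compare the manual map with what was observed; return one line per fault."""
    faults: List[str] = []
    seen_on = {mac: port for port, devices in observed.items() for mac in devices}
    known_macs = {mac for _, mac, _ in manual.values()}
    for port, (name, mac, services) in sorted(manual.items()):
        devices = observed.get(port, {})
        if mac not in devices:
            where = seen_on.get(mac)
            if where is None:
                faults.append(f"port {port}: expected {name} ({mac}) not seen")
            else:
                faults.append(f"port {port}: {name} ({mac}) misplaced, seen on port {where}")
        for other in sorted(m for m in devices if m != mac):
            faults.append(f"port {port}: wrong unit {other} instead of {name}")
        unlisted = devices.get(mac, set()) - services
        if unlisted:
            faults.append(f"port {port}: {name} offers unlisted services {sorted(unlisted)}")
    for port, devices in sorted(observed.items()):
        if port not in manual:
            for mac in sorted(m for m in devices if m not in known_macs):
                faults.append(f"port {port}: unmapped unit {mac}, trigger mapping")
    return faults
```

Each fault line corresponds to one of the remapping triggers listed above (a connect on an unexpected port, an unknown unit, a dead unit); running the comparison after every such trigger, rather than only on a schedule, is what keeps the manual map honest.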
• The network itself can force a connected system to update its software / firmware to accommodate network security restrictions. This is performed by the network, and no action is required by an application server connected to the network. Thus, the network infrastructure of the present invention does what is done in the prior art using a server. In the prior art the computer logs in to the server and the server enforces special rules when the computer wants to log in. The present invention does not need a server for this, because the network itself verifies computer security and compatibility. This function can also be performed by the domain server to which all clients log in.
• The system may use encryption between end points, or internally between network elements in the network complex.
• To increase encryption strength the system may compress data before encryption and decompress after decryption. This increases data security and reduces exposure of encryption keys because compression (such as ZIP) reduces repeating elements and produces a unique identifier for the compressed data, so the encryption operates on three unique elements instead of two prime numbers (which are unique) and a non-prime number as the data (which is a multiple of many weak prime numbers).
Having described the present invention with regard to certain specific embodiments thereof, it is to be understood that the description is not meant as a limitation, since further modifications will now suggest themselves to those skilled in the art, and it is intended to cover such modifications as fall within the scope of the appended claims.
Although embodiments of the invention have been described by way of illustration, it will be understood that the invention may be carried out with many variations, modifications, and adaptations, without exceeding the scope of the claims.

Claims
1. A system for a communication infrastructure in a network comprising at least one connected system, at least one network risk management network element, and wherein said network acts as a virtual network comprising at least one virtual network element, at least one virtual network element takes over the roles of existing network elements, and wherein said virtual network works with physical elements to form the network's infrastructure.
2. A system according to claim 1, wherein the communication infrastructure is based on an active network element that monitors traffic.
3. A system according to claim 1, wherein at least one network element records traffic logs into the communication infrastructure.
4. A system according to claim 1, wherein the communication infrastructure is at least one network element that can isolate each connected system from any other connected system.
5. A system according to claim 1, wherein the communication infrastructure is at least one network element that enforces security rules to prevent attacks between different at least one connected systems.
6. A system according to claim 1, wherein said network is protected by a Firewall that controls and manages the network element system in said protected network.
7. A system according to claim 6, wherein said Firewall and a network element system comprise a single management system for rule enforcement and log handling.
8. A system according to claim 6, comprising at least an intrusion protection system and an intrusion detection system.
9. A system according to claim 6, wherein the network element offloads tasks at least from said Firewall and said IPS.
10. A system according to claim 6, wherein said Firewall offloads to the system, the system offloads to said Firewall, or both.
11. A system according to claim 1, wherein the network infrastructure provides Pattern Matching services to applications.
12. A system according to claim 1, wherein the network uses ACL at its core.
13. A system according to claim 12, wherein the network infrastructure provides ACL services to applications.
14. A system according to claim 13, wherein the Security network functions (firewall, antivirus, etc.) deploy security patterns to the ACL instead or in parallel to the network function doing the filtering.
15. A system according to claim 14, wherein the infrastructure can send an event to a security network function according to a pattern.
16. A system according to claim 1, wherein the network infrastructure and the operating system are based on the same models.
17. A system according to claim 1, wherein the network element is a core in a virtual multicore CPU.
18. A system according to claim 6, wherein at least one network element takes the role of said Firewall in order to protect said system.
19. A system according to claim 6, comprising said Firewall and the network element system having a single management and information system.
20. A system according to claim 8, wherein the network element system offloads tasks at least to said Firewall and said IPS.
21. A system according to claim 20, wherein the network element reports to a management interface about suspicious behavior of said at least one connected system.
22. The system according to claim 1, wherein the network element is also an anti-virus scanner.
23. A system according to claim 1, providing at least one management interface in communication with a network administrator that allows a configurable network topology.
24. A system according to claim 23, wherein said Firewall deploys feature updates and security updates to at least one network element in the internal network, wherein at least one management interface is a dedicated appliance comprising at least one of a computer, a PDA or a cellular phone.
25. A system according to claim 24, wherein said management interface is a mobile device comprising a cellular or a PDA device, and wherein said mobile device is notified using one of a SMS and MMS message, and wherein said management interface manages the network and network topology using said mobile device, and wherein said SMS/MMS message contains information that will automatically direct said management interface to an appropriate management display.
26. A system according to claim 1, wherein at least one network element is configured with at least one designated I/O pin to act as: an input or an output or a filtered input or a DMZ.
27. A system according to claim 1, wherein the network element can apply Firewall capabilities to each of connected systems.
28. A system according to claim 27, wherein said Firewall capabilities comprise at least: quarantine, honey pot, and data modification.
29. A system according to claim 27, wherein all of said at least one network elements are managed by said Firewall and said Firewall has said single management and information system.
30. A system according to claim 1, wherein the network element makes routing decisions based on information collected about said at least one connected system.
31. A system according to claim 30, wherein any network function and any network resource has a clearance level defined.
32. A system according to claim 30, wherein the network element denies routing for some of the available networks after detection of suspicious behavior.
33. A system according to claim 32, wherein said suspicious behavior is port scanning.
34. A system according to claim 1, further comprising Internal network tunneling so that every at least one connected system is encrypted on the first at least one network element and decrypted on the last at least one network element, thereby preventing sniffing of the network for this data and modification of network data.
35. A system according to claim 34, wherein said tunneling is between each of at least one connected system in the network so that a large set of at least one connected systems share the same network address space and are virtually connected directly to each other.
36. A system according to claim 1, comprising clearance rings, wherein clearance is according to a model of concentric zones; that can be multiple clearance rings models.
37. A system according to claim 1, further comprising Security Rings using virtual networks on the network system.
38. A system according to claim 1, comprising Interest frames which work with the clearance rings.
39. A system according to claims 37 and 38, wherein there can be multiple Interest Frames and that an Interest Frame can have a clearance level as a group.
40. A system according to claim 39, wherein an Interest Frame has a Head that has special management permissions.
41. A system according to claim 36, wherein each of at least one I/O port of at least one network element has a defined clearance level.
42. A system according to claim 36, wherein one of an unverified source and an unknown source is clearance level 0.
43. A system according to claim 36, wherein if the target clearance is higher than the current clearance level, then the network element system checks for the procedure to increase said current clearance level to said target level incrementally.
44. A system according to claim 43, wherein said current clearance level can be incremented, decremented, and voted.
45. A system according to claim 1, wherein at least one network element is a work unit.
46. A system according to claims 1 and 45, providing cooperative network management between at least one network elements.
47. A system according to claim 1, wherein said network is a virtual network over the physical network.
48. A system according to claim 47, wherein said network is at least one virtual LAN.
49. A system according to claims 19 and 47, wherein a management interface instructs said network administrator how to react to a situation, said instruction comprising at least a checklist that said network administrator preferably is to follow based on predefined rules.
50. A system according to claim 46, wherein all of said network elements in the network are cores of a single multicore processor.
51. A system according to claim 50, wherein each core adds its own I/O to said multicore processor, and wherein said I/O is in the format of said network.
52. A system according to claim 50, wherein said processor can have coprocessors acting as at least one of said Firewall, said IPS and said IDS.
53. A system according to claim 50, comprising an Operating System that uses at least one network element as processor.
54. A system according to claim 50, wherein at least one network element is grouped in clusters and wherein said network further comprises at least one of RAM and cache for sharing data between cluster items.
55. A system according to claim 50, wherein a single multicore processor is divided dynamically into smaller processors.
56. A system according to claim 50, wherein all internal busses and external busses of single multicore processor are in one network.
57. A system according to claim 50, wherein a single multicore processor further comprises hierarchies of multicore processors.
58. A system according to claim 50, wherein a single multicore processor has cores attached and removed dynamically.
59. A system according to claim 50, wherein a single multicore processor has a Plug and Play core.
60. A system according to claim 50, wherein at least two network elements are connected via an intermediate network regarded as a virtual cable.
61. A system according to claim 53, wherein said processor and said Operating System run applications.
62. A system according to claim 61, wherein at least one application works as a Firewall, an IPS or an anti-virus.
63. A system according to claim 61, wherein at least one application is a virtual Firewall, a virtual IPS or a virtual anti-virus.
64. A system according to claim 61, wherein network element applications and the Operating System can be distributed between cores.
65. A system according to claim 1, further comprising a network mapping service.
66. A system according to claim 65, wherein a network element pings at least one connected system to check that said at least one connected system is connected.
67. A system according to claim 65, wherein a network element uses lower level communication to perform Keep Alive, thereby bypassing software Firewalls installed on the target machines.
68. A system according to claim 65, wherein the network element system uses the Physical Link indicator as part of said network mapping service.
69. A system according to claim 65, wherein the network element makes periodic attempts to connect to specific ports on said at least one connected system and a specific protocol, in order to verify that:
• said at least one connected system is in fact connected;
• said at least one connected system is correctly placed and connected to said designated I/O; and
• said specific application on said at least one connected system is up and running.
70. A system according to claim 65, comprising at least one system scanning model usually used by hackers for locating security faults, wherein at least one system scanning model is visible as part of said single management and information system and is used for security decision making, thereby:
• helping to verify that said at least one connected system is the correct one;
• helping with Plug and Play connection of network devices so that a new machine connected to the network is questioned in order to identify its nature and hosted applications and services; and
• becoming a part of said network mapping service.
71. A system according to claim 65, wherein the system monitors network traffic:
• as part of said Keep Alive mechanism;
• as part of said Plug and Play system;
• for detecting network vulnerabilities and infected systems; and
• as part of said Network Mapping service.
72. A system according to claim 65, wherein the system enforces Network Policy that makes said at least one connected system install at least one of the following items: updates, patches, and security helping tools, that the system forces at least one connected system to conform to Network Mapping service before taking security actions.
73. A system according to claim 65, comprising a Clearance Ring management system, wherein installed items are used by Clearance Ring management system that automatically reduce clearance of a given system.
74. A system according to claim 65, wherein Clearance Levels of said Clearance Ring management system are:
• zero: meaning at least one of unknown and unverified;
• positive: higher means more secure and in a more internal ring; and
• negative: lower means more dangerous/isolated and in a more external ring.
75. The system according to claim 65, wherein said mapping service maps users of the network.
76. A system according to claim 1, wherein the following services are provided by the system:
• a Network Mapping service: a management tool helping to define each connected system and every application on connected systems, by one of manual definition and automatic detection;
• a Keep Alive service: a background service that monitors the presence of at least one connected system, which is used by said network management and information systems, said Network Mapping service, and said below-referenced Plug and Play service;
• a Plug and Play service: implementation of Plug and Play methodologies on a Network Function, wherein said Plug and Play service has a management interface and is used as a notification system;
• a Clearance Rings Mapper: provides means of defining Clearance Levels of a Network Function in one of manual and automatic mode;
• a Policy and Procedures manager: defines the methods of operation, the rules, the procedures and the behavior of the system for given conditions, wherein these comprise the need to clear a data frame from one Clearance level to another, and rules and procedures for handling unordinary situations;
• a Profiling System: keeps a profile of at least: each of at least one connected system on the network; every available application on at least one connected system, the internal parts of the network system itself, the users and external systems, and applications;
• a Protocol Mapper: negotiates between two connected systems to find the most appropriate mutual protocol, said negotiation comprising at least an attempt to load a Protocol Converter, when required, that work in background;
• a Bouncer service: in charge of handling attackers, attacking systems, infected systems, and other security vulnerabilities on the personal machine level, said bouncer service comprising at least demanding updates as part of the security policy, quarantine, penetration tests, system scanning and system/application repairs; and
• a Sentinel service: in charge of securing the network from systems in the responsibility of said Bouncer service, a Sentinel service comprising at least rerouting a Cleared at least one Network Function through at least one of said Firewall and a security inspector before passing on the data to said Cleared network, even though both said at least one Network Function and the network have the same Clearance Level, wherein said Sentinel service is responsible for sending a suspicious one of at least one Network Function to said Bouncer service, for quarantine, and wherein said Sentinel service also decrements security via Clearance Level and detaches at least one of at least one Network Function from the network and a specific one of said applications on said at least one Network Function from the network, and wherein said at least one said Sentinel Service tunnels at least one Network Function directly to the external network and creates a Virtual Network that is private for the given one of at least one Network Function.
77. A system according to claim 1, wherein security is improved at least by compressing the data before encryption, thereby reducing repetitive data and thereby increasing the strength of the encryption.
78. A system according to claim 1, wherein said network risk management device network element and system for a communication infrastructure is acting in place of at least one server.
79. A system according to claim 1, wherein the network OSI 7 layer model is implemented by the network's communication infrastructure so that at least two of at least one network elements implement OSI model layers internally between them regardless of communication between at least two of at least one connected system on the network.
80. A system according to claim 79, wherein said mapping service further comprises actively investigating network users by interacting with said users.
81. A system according to claim 80, wherein investigating network users comprises simulating attacks and exploits, such that said user's responses help determine the type of said user.
82. A system according to claim 81, wherein said investigating comprises at least one of sending a fake email asking for said user's password and asking to install a malicious attachment, thereby helping to determine said user's vulnerability to attacks that require action by said user.
83. A system, according to claim 1, further comprising:
• an operational mode: for active risk management;
• a simulation mode: where the network actively reacts to artificially injected events in order to verify security and behavior;
• an investigation mode: for initial mapping of the network and defining expected behaviors and checklists; and
• an interrogation mode: for detection of faults found in said operational mode and said simulation mode, comprising at least going over logs and running simulations based on recorded data, wherein reference is made to the above-referenced co-pending provisional application: Software for a real-time Infrastructure.
84. A system according to claim 1, wherein all network connected systems are completely isolated from each other and are connected only to external networks / outside the network.
85. A system according to claim 84, wherein connected systems are connected to each other through a security element.
86. A system according to claim 84, wherein connected systems communicate with each other through a server.
87. A system according to claim 1, wherein the network infrastructure can run a virtual computer system that can host other operating systems and their applications.
PCT/IL2008/001091 2007-08-07 2008-08-07 A network element and an infrastructure for a network risk management system WO2009019701A2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US11/834,697 US20090044270A1 (en) 2007-08-07 2007-08-07 Network element and an infrastructure for a network risk management system
US11/834,697 2007-08-07
US2237508P 2008-01-21 2008-01-21
US61/022,375 2008-01-21

Publications (2)

Publication Number Publication Date
WO2009019701A2 true WO2009019701A2 (en) 2009-02-12
WO2009019701A3 WO2009019701A3 (en) 2010-01-07

Family

ID=40341862

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2008/001091 WO2009019701A2 (en) 2007-08-07 2008-08-07 A network element and an infrastructure for a network risk management system

Country Status (1)

Country Link
WO (1) WO2009019701A2 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6047320A (en) * 1996-11-15 2000-04-04 Hitachi, Ltd. Network managing method and system
US20070143851A1 (en) * 2005-12-21 2007-06-21 Fiberlink Method and systems for controlling access to computing resources based on known security vulnerabilities

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009093237A2 (en) * 2008-01-21 2009-07-30 Feldman, Moshe Network interactions management using interest frames and clearance rings
WO2009093237A3 (en) * 2008-01-21 2010-03-11 Feldman, Moshe Network interactions management using interest frames and clearance rings

Also Published As

Publication number Publication date
WO2009019701A3 (en) 2010-01-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08789767

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08789767

Country of ref document: EP

Kind code of ref document: A2