WO2005094174A2 - Managing traffic within an internal communication network - Google Patents


Info

Publication number
WO2005094174A2
Authority
WO
WIPO (PCT)
Prior art keywords
communication
accordance
traffic control
network
entities
Prior art date
Application number
PCT/IL2005/000362
Other languages
French (fr)
Other versions
WO2005094174A3 (en
Inventor
David Ronen
Benny Ballin
Yaron Mashav
Original Assignee
David Ronen
Benny Ballin
Yaron Mashav
Priority date
Filing date
Publication date
Application filed by David Ronen, Benny Ballin, Yaron Mashav
Publication of WO2005094174A2
Publication of WO2005094174A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • The present invention generally relates to the field of network management; more specifically, it relates to a system, method and device for managing traffic within an internal communication network.
  • The firewall philosophy has been found lacking. According to a CSI/FBI 2003 Report, 80% of enterprises reported insider abuse, none of which is addressed by the perimeter defense of firewalls. Other reports corroborate the need to shift attention and resources from "firewall" perimeter protection to internal network security (for example: Securing Internal Networks, META Group, 2004).
  • Malware is allowed to freely spread within the organization, from one computer to another, with practically no network obstacles that can stop its propagation.
  • Computer Economics has estimated the financial damages from a few specific attacks in recent years at over $2B.
  • Limiting worm propagation is becoming an even more critical need, as recent worms were less innocent than their predecessors: they collected financial information about the users and established a covert communications channel ("back-door") in order to send this information to their senders.
  • each of the endpoints (hosts, servers, etc.) protected by the firewall is cryptographically assured. More specifically, each packet generated by an authorized endpoint is associated with a certain certificate, and when a packet arrives at a certain endpoint within the firewall, the access granted to that packet is determined by the rights granted for the certificate associated with that packet, or the lack thereof.
  • the application-specific policy described by Bellovin is very limited and is suitable only for enforcing a uniform policy across the protected network with regard to a certain application or a subset of an application.
  • the solution provided by Bellovin does not differentiate communications between entities within the network and is incapable of granting (or denying) access permissions for communications between any two (or more) network entities based on the specific application or the specific subset of a certain application associated with that communication.
  • a security specialist or a system administrator must implement a substantially large number of access control rules and measures in order to limit access to certain software, data structures and the like, or to certain functions, regions or the like of such software or data structures, by unauthorized network entities or personnel from within the internal network.
  • These access control definitions must be frequently updated and adapted to keep abreast with dynamic developments within the organization.
  • the task of implementing, managing and maintaining access control measures within the internal network of an organization has become one of the most complicated branches of system administration, and a considerable amount of resources and time must be dedicated by the organization's technical team to the handling of such access control measures.
  • the security level provided by such access control measures is marginal when the intruder is a knowledgeable hacker.
  • Some embodiments of the present invention may relate to a system for managing traffic within an internal communication network.
  • the system may include a communication application adapted to generate communications in the network, two or more end nodes and a traffic control driver.
  • each of the two or more end nodes may be associated with one or more entities.
  • at least two of the entities may be adapted to utilize the communication application.
  • the at least two entities may be adapted to utilize the communication application in accordance with a permission rule.
  • the permission rule may be configured to indicate which one or more entities are allowed to utilize the communication application to communicate with which one or more entities.
  • the traffic control driver may be adapted to authenticate the communication using a secret shared among the at least two entities.
  • the system in accordance with further embodiments of the present invention may include one or more applications adapted to utilize the communication network, two or more end nodes and a traffic control driver.
  • each of the two or more end nodes may be associated with one or more entities.
  • One or more of the entities may be adapted to utilize one or more of the applications.
  • the applications may generate communications within the internal network.
  • each permission rule may be configured to indicate which entities are allowed to utilize one or more of the applications to connect to one or more of the other entities.
  • each of the entities may be adapted to utilize one or more of the applications to connect to one or more of the other entities only in compliance with permission rules.
  • Each permission rule may apply to a specific one application or to more than one application, for example, any or all applications.
  • a permission rule (one or more) may be configured to allow a certain entity (one or more) to access any of the one or more applications, or to deny a certain entity (one or more) from accessing any of the one or more applications to connect to one or more of the other entities.
  • at least one of the permission rules may relate to a specific (one or more but not all) application.
  • At least one permission rule may be configured to indicate which one or more entities are allowed to utilize one or more specific applications (but not all of the applications) to connect to one or more of the other entities.
  • each of the end nodes may include a traffic control driver.
  • the traffic control driver may be adapted to authenticate communications within the internal network in accordance with one or more shared secrets.
  • Each of the shared secrets may be associated with a specific group of permission rules.
  • Further embodiments of the present invention may relate to a method of managing an internal network.
  • the method in accordance with some embodiments of the present invention may include generating one or more shared secrets and authenticating communications within the network in accordance with the one or more shared secrets.
  • the generating of the one or more shared secrets may further include generating one or more shared secrets wherein each of the shared secrets may be associated with a specific group of permission rules relating to communications between two or more entities.
  • at least one of the permission rules may further relate to one or more specific applications adapted to utilize the communication network.
  • the entities may be allowed to communicate only in compliance with the permission rules.
  • Yet further embodiments of the present invention may relate to a traffic control driver for enforcing traffic control policy.
  • the traffic control driver in accordance with some embodiments of the present invention may include a traffic control database including one or more shared secret entries, and a traffic control module adapted to authenticate communications within the network in accordance with one or more shared secrets associated with a specific group of permission rules.
  • each shared secret entry may include data relating to a specific group of permission rules.
  • Each permission rule may relate to one or more entities and to one or more applications adapted to utilize the communication network.
  • each of the entities may be allowed to utilize one or more of the applications only in compliance with the permission rules to generate communications.
  • Each permission rule may apply to a specific one application or to more than one application, for example, any or all applications.
  • a permission rule (one or more) may be configured to allow a certain entity (one or more) to access any of the one or more applications, or to deny a certain entity (one or more) from accessing any of the one or more applications.
  • at least one of the permission rules may relate to a specific (one or more but not all) application.
  • FIG. 1 is a block diagram illustration of a system for managing traffic within an internal communication network, in accordance with some embodiments of the present invention.
  • FIG. 2 is a graphical illustration of an internal communication network partitioned into a plurality of trusted virtual networks and one untrusted virtual network, in accordance with some embodiments of the present invention.
  • FIG. 3 is a block diagram illustration of a traffic control driver in accordance with some embodiments of the present invention.
  • FIG. 4 is an illustration of some database entries which may be included in a certain traffic control database, in accordance with some embodiments of the present invention.
  • FIG. 5 is a block diagram illustration of various exemplary implementations of the traffic control driver in accordance with some embodiments of the present invention.
  • Embodiments of the present invention may include apparatuses for performing the operations herein.
  • This apparatus may be specially constructed for the desired purposes, or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer.
  • a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, magneto-optical disks, read-only memories (ROMs), random access memories (RAMs), electrically programmable read-only memories (EPROMs), electrically erasable and programmable read-only memories (EEPROMs), magnetic or optical cards, or any other type of media suitable for storing electronic instructions and capable of being coupled to a computer system bus.
  • internal communication network, unless stated otherwise, shall be used to mean any group of network entities within a single administrative domain, including but not limited to a stand-alone organization's network; an organization's network including one or more Virtual Private Networks; a combination of two or more Virtual Private Networks under a single administrative domain, etc.
  • one or more communication applications shall be used to mean one, more than one and/or any or all communication applications, whereas the term "specific communication application" or "one or more specific communication applications" shall be used to mean one and/or more than one but not all or any communication application(s).
  • group of permission rules shall be used to mean one or more permission rules.
  • the system in accordance with further embodiments of the present invention may include one or more communication applications adapted to generate communications in the network, two or more end nodes and a traffic control driver.
  • each of the two or more end nodes may be associated with one or more entities.
  • One or more of the entities may be adapted to utilize one or more of the communication applications.
  • the communication applications may generate communications within the internal network.
  • each permission rule may be configured to indicate which entities are allowed to utilize one or more of the communication applications to communicate with one or more of the other entities.
  • each of the entities may be adapted to utilize one or more of the communication applications to communicate with one or more of the other entities only in compliance with permission rules.
  • Each permission rule may apply to a specific one communication application or to more than one communication application, for example, any or all the communication applications.
  • a permission rule may be configured to allow a certain entity (one or more) to access any of the one or more communication applications, or to deny a certain entity (one or more) from accessing any of the one or more communication applications to connect to one or more of the other entities.
  • at least one of the permission rules may relate to a specific (one or more but not all) communication application.
  • at least one permission rule may be configured to indicate which one or more entities are allowed to utilize one or more specific communication applications (but not all of the applications) to connect to one or more of the other entities.
  • each of the end nodes may include a traffic control driver.
  • the traffic control driver may be adapted to authenticate communications within the internal network in accordance with one or more shared secrets.
  • Each of the shared secrets may be associated with a specific group of permission rules.
  • Further embodiments of the present invention may relate to a method of managing an internal network.
  • the method in accordance with some embodiments of the present invention may include generating one or more shared secrets and authenticating communications within the network in accordance with the one or more shared secrets.
  • the generating of the one or more shared secrets may further include generating one or more shared secrets wherein each of the shared secrets may be associated with a specific group of permission rules relating to communications between two or more entities.
  • at least one of the permission rules may further relate to one or more specific communication applications adapted to utilize the communication network.
  • the entities may be allowed to communicate only in compliance with the permission rules.
  • Yet further embodiments of the present invention may relate to a traffic control driver for enforcing traffic control policy.
  • the traffic control driver in accordance with some embodiments of the present invention may include a traffic control database including one or more shared secret entries and a traffic control module adapted to authenticate communications within the network in accordance with one or more shared secrets associated with a specific group of permission rules.
  • each shared secret entry may include data relating to a specific group of permission rules.
  • Each permission rule may relate to one or more entities and to one or more applications adapted to utilize the communication network.
  • each of the entities may be allowed to utilize one or more of the communication applications only in compliance with the permission rules to generate communications.
  • Each permission rule may apply to a specific one communication application or to more than one communication application, for example, any or all communication applications.
  • a permission rule (one or more) may be configured to allow a certain entity (one or more) to access any of the one or more communication applications, or to deny a certain entity (one or more) from accessing any of the one or more communication applications.
  • at least one of the permission rules may relate to a specific (one or more but not all) communication application.
  • a system for managing traffic within an internal network may include communication applications 62 and 32 adapted to generate communication in the network 10, two or more end nodes 20, 30 and 40 and a traffic control driver 100A-100C.
  • each of the two or more end nodes 20, 30 and 40 may be associated with one or more entities 22, 24 and 26; 32, 34 and 36; and 22, respectively.
  • at least two of the entities 22, 24 and 26; 32, 34 and 36; and 22 may be adapted to utilize the communication application.
  • the at least two entities 22, 24 and 26; 32, 34 and 36; and 22 may be adapted to utilize the communication application in accordance with a permission rule.
  • the permission rule may be configured to indicate which one or more entities 22, 24 and 26; 32, 34 and 36; and 22 are allowed to utilize the communication application to communicate with which one or more entities 22, 24 and 26; 32, 34 and 36; and 22.
  • the traffic control driver 100A-100C may be adapted to authenticate the communication using a secret shared among the at least two entities 22, 24 and 26; 32, 34 and 36; and 22 communicating therebetween, or a secret shared between the end nodes 20, 30 and 40 which include the entities 22, 24 and 26; 32, 34 and 36; and 22 which are communicating.
  • a system for managing traffic within an internal communication network 10 may include one or more communication applications 62 and 32 which are adapted to utilize the communication network 10 and one or more end nodes 20, 30 and 40.
  • Each of the end nodes 20, 30 and 40 may be associated with one or more entities 22-26, 32-36 and 24, respectively.
  • One or more of the entities 22-26, 32-36 and 24 may be adapted to utilize one or more applications 62 and 32.
  • the communication applications 62 and 32 may generate communication within the internal network 10.
  • each of the end nodes 20, 30 and 40 may include a traffic control driver 100A-100C, respectively.
  • each of the traffic control drivers 100A-100C may be adapted to authenticate communications within the internal network in accordance with one or more shared secrets.
  • each of the shared secrets may be correlated with a specific group of permission rules.
  • each of the entities 22-26, 32-36 and 24 may be one of the following: a specific end node; a specific user of the internal network; or a specific software.
  • end node 20 may be associated with a first entity 22 correlated with user A, with a second entity 24 correlated with user B, and with a third entity 26 correlated with software B;
  • end node 30 may be associated with a fifth entity 32 correlated with software C, with a sixth entity 34 correlated with user C, and with a seventh entity 36 correlated with device B; and end node 40 may also be associated with the second entity 24 correlated with user B.
  • each of the communication applications 62 and 32 may be configured to generate communications in response to being utilized to that effect by one or more entities which are adapted to cause that specific communication application to generate traffic.
  • a communication application which is adapted to generate communications within the internal network may also be regarded as an internal network entity (software); for example, in the embodiment shown in FIG. 1 the element marked 32 serves as both a software entity and a communication application. However, not all communication applications are necessarily also network entities, and not all pieces of software which are regarded as network entities are necessarily configured to generate communications within the internal network, or to generate communications within the internal network in response to being utilized by one or more of the entities.
  • the communication applications 62 and 32 may be any communication application, or subset of a communication application, currently known or yet to be devised in the future, which is configured to generate communications in response to being utilized by one or more entities.
  • the permission rules may be configured to indicate which of the entities 22-26, 32-36 and 24 are allowed to utilize one or more of the communication applications 62 and 32 or are allowed to utilize a certain subset of the applications 62 and 32 to connect to one or more of the other entities.
  • one or more of the permission rules may be configured to indicate that one or more of the entities 22-26, 32-36 and 24 are allowed to utilize any or all of the communication applications to communicate with one or more of the other entities. Such permission rules may, in some cases (for example, if no additional limitations apply), effectively allow any communication between the first group of entities and the second group of entities, regardless of which communication application is used to generate the communication.
  • At least one permission rule may relate to a specific communication application 62 and 34 (one or more but not all).
  • at least one permission rule may be configured to indicate which one or more entities are allowed to utilize one or more specific communication applications (but not all of the communication applications) to connect to one or more of the other entities.
  • a certain exemplary permission rule may be configured to indicate that user A 22 is allowed to utilize communication application A 62 to connect to software C 32 (here software C 32 serves as one of the entities and not as one of the communication applications adapted to utilize the network).
  • the permission rule may indicate that user A is allowed to utilize the web browser (application A) in order to connect to the CRM application.
  • It should be noted that the above embodiment is exemplary in nature and that the present invention is not limited to any one particular permission rule.
  • one or more of the permission rules may be configured to indicate that communications between two or more entities 22-26, 32-36 and 24 are allowed only if the communications are associated with a specific one or more communication applications (or subsets of communication applications), and may disregard a distinction relating to which entity is the source and which is the destination.
  • one or more of the permission rules may be configured to indicate that communications between two or more entities 22-26, 32-36 and 24, are allowed only if the source entity is one of a specific group of entities which utilized a specific (one or more) communication application to generate communications which are intended to be received by a specific (one or more) destination-entity.
  • the permission rules are not limited to being defined by the above mentioned entities and/or applications and may be defined, in addition or in the alternative, by a variety of additional characteristics or parameters of the communication, including but not limited to any characteristics or parameters which may be included in or derived from the headers of the communications, such as an IP address or a range of IP addresses, a list of MAC addresses, protocol, URL, port, XML/SOAP tags, etc.
  • one or more permission rules may relate to a specific communication defined by specific characteristics and/or parameters, while other permission rules (one or more) may relate to a certain type of communications and may be defined by some common characteristic or parameter, such as a certain range of network addresses.
  • at least some of the permission rules may be predefined. Examples of permission rules shall be provided below.
  • a certain exemplary permission rule may be configured to indicate that user A 22 is allowed to utilize application A 62 to connect to device B 36 using a specific communication protocol, for example, a communication protocol which is suitable for communicating with application C 32.
  • device B is a CRM server on which application C is running, where application C is, for example, a CRM application, and application A is, for example, a web browser that is capable of connecting to device B in response to being utilized by user A, and the protocol which is allowed for communication with device B is HTTP.
  • the permission rule may indicate that user A is allowed to utilize the web browser (application A) in order to connect to device B using the HTTP protocol.
  • It should be noted that the above embodiment is exemplary in nature and that the present invention is not limited to any one particular permission rule.
  • one or more groups of permission rules may be defined in the internal network 10.
  • one or more shared secrets may be generated in the internal network 10.
  • Each of the shared secrets may be correlated with a different group of permission rules.
  • the definition of the one or more groups of permission rules, and the generation of the shared secrets and their connection to the group of permission rules, shall be described in greater detail hereinbelow.
  • a shared secret may be a unique encryption key and/or any similar shared secret(s) known in the present or yet to be devised in the future.
  • each end node 20, 30 and 40 within the internal network 10 may include a traffic control driver 100A, 100B and 100C, respectively.
  • the traffic control drivers 100A-100C may be adapted to authenticate the data that is about to be transmitted, the received data, and the interactions between the entity(s) and the communication applications 62 and 32 which are intended to generate the communication.
  • the authentication of the communications shall be described below.
  • Each traffic control driver 100A-100C may be associated with one or more shared secrets.
  • each traffic control driver 100A-100C may include data relating to one or more shared secrets, or may include an actual copy of the one or more shared secrets with which it is associated.
  • each traffic control driver 100A-100C may be associated with one or more shared secrets which are correlated with a group (one or more) of permission rules which relate to the end node with which the traffic control driver is associated.
  • each traffic control driver 100A-100C may be associated with one or more shared secrets which are correlated with a group (one or more) of permission rules which relate to one or more entities with which that end node is associated; and/or to one or more applications with which that end node is associated; and/or to any other parameter or characteristic which may be used to define one or more of the permission rules with which that end node is associated.
  • each traffic control driver 100A-100C may be adapted to authenticate communications within the network 10 in accordance with the shared secrets with which it is associated.
  • the traffic control driver 100A-100C associated with that end node 20, 30 and 40 may authenticate the communication using the shared secret which is correlated with the permission rule which applies to that communication.
  • the traffic control drivers 100A-100C may be adapted to authenticate each packet of the communication.
  • the traffic control drivers 100A-100C may be adapted to authenticate each packet independently from any of the other packets of the communication.
  • the term communication as used herein includes the utilization of the communication application to generate the communication, the transmission of the communication and the receipt of the communication.
  • the traffic control driver 100A installed on end node 20 with which user A 22 is associated may check which permission rule applies to this scenario. Once the traffic control driver 100A determines which permission rule applies to this scenario, the traffic control driver 100A may determine which shared secret is correlated with this permission rule and may use that shared secret to authenticate the communication. As part of authenticating the communication, the traffic control driver 100A may authenticate the outgoing communication generated by application A 22 and intended for device B 32.
  • the traffic control driver 100B of end node 30 may check which permission rule applies to this scenario (a communication initiated by user A 24 and generated by communication application A 22 which is intended for device 36). It should be noted that the permission rule in end node 20 is not necessarily the one in end node 30, since the permission rule may not be symmetric. Once the traffic control driver 100B determines which permission rule applies to this scenario, the traffic control driver may determine which shared secret is correlated with this permission rule and may use that shared secret to authenticate the communication.
  • the relevant traffic control driver may be adapted to authenticate the communication only if the communication complies with the additional characteristics or parameters.
  • the traffic control driver 100A installed on end node 20 with which user A 22 is associated may check which permission rule applies to this scenario. Let us assume that the traffic control driver 100A determines that a permission rule exists for communications between user A and device B wherein user A utilized communication application A 62 to generate the communication, but that the permission rule additionally indicates that the communications must be associated with a specific communication protocol.
  • the traffic control driver 100A-100C may check one or more of the following: whether user A 22 intends to utilize communication application A 62 in order to generate a communication which is associated with the specific protocol; and whether the communication generated by communication application A 62 is associated with the specific protocol.
  • the traffic control driver 100A may be adapted to allow the transmission only if it is satisfied that the outgoing transmission is associated with the specific communication protocol. It should be noted that in accordance with some embodiments of the present invention, the traffic control driver 100A may also be adapted to deny user A 22 from utilizing application A 62 to generate the communication if it determines that user A does not intend to utilize the communication application A 62 in order to generate a communication which is associated with the specific protocol.
  • the traffic control driver 100B may check which permission rule this transmission should be in compliance with.
  • the traffic control module 100B may be adapted to allow the transmission to be received at device B 36, only if the transmission is associated with that specific protocol.
  • each of the traffic control drivers 100A-100C may be adapted to deny any communication which is not authenticated.
  • the traffic control driver 100A-100C may be adapted to deny any transmission of a communication which is not authenticated, any receipt of a communication which is not authenticated and/or any other activity associated with a communication, including but not limited to, the utilization of a communication application to generate a communication, which is not authenticated.
  • one or more permission rules may be defined and implemented in the internal communication network 10 with which none of the shared secrets is correlated.
  • a group of permission rules may be defined and implemented in the internal network with which none of the shared secrets is associated.
  • each of the default permission rules in the group of default permission rules may be configured to indicate that any communication within the internal network which is in accordance with that permission rule, and which is not in accordance with any of the permission rules with which one of the shared secrets is correlated, is allowed, but none of the shared secrets may be correlated with these communications.
  • no more than one default permission rule may be defined and implemented in the internal communication network 10 with which none of the shared secrets is correlated.
  • the default permission rule with which none of the shared secrets is correlated may be configured to indicate that any communication within the internal network which is not associated with any of the other permission rules is allowed but none of the shared secrets may be correlated with such default permission rule.
  • a default permission rule may be a negative rule in nature; the default permission rule may not be limited in definition and/or in application to any one or more specific entities and/or to any one or more specific communication applications and/or to any other specific parameter and/or characteristic, although such limitations may apply in some cases.
  • one or more of the traffic control drivers 100A-100C may be adapted to allow only authenticated communications, unless an unauthenticated communication is in compliance with one of the permission rules with which none of the shared secrets is correlated, for example, a default permission rule.
  • one or more of the traffic control drivers 100A-100C may be adapted to allow authenticated communications, and may deny any unauthenticated communication, unless the unauthenticated communication is associated with one or more specific permission rules with which none of the shared secrets is correlated.
  • the one or more of the traffic control drivers may allow some unauthenticated communications which are associated with certain permission rules, with which none of the shared secrets is associated, while denying unauthenticated communications which are not associated with any permission rule.
  • unauthenticated communications may be substantially less secure and safe than authenticated communications.
  • an internal communication network may be virtually partitioned into a plurality of trusted virtual networks or trusted virtual zones, wherein each trusted virtual network is associated with a specific shared secret, such that within each trusted virtual network all the communications are authenticated using the shared secret with which that trusted virtual network is associated.
  • since each shared secret is associated with a group of permission rules and each permission rule is configured to indicate which communications are allowed in accordance with that permission rule, it may be evident that by allowing only authenticated communications within the trusted virtual network, it may be possible to substantially ensure that only communications which are in compliance with one of the permission rules associated with the shared secret with which a certain trusted virtual network is associated are allowed within that trusted virtual network.
  • an untrusted virtual network or zone may also be included in the internal communication network in addition to the trusted virtual networks, wherein the untrusted virtual network may be associated with one or more permission rules defined and implemented in the internal network with which none of the shared secrets is correlated; for example, the untrusted virtual network may be associated with one or more default permission rule(s).
  • a certain communication may either be associated with one of the trusted virtual networks, in case the communication is associated with one of the permission rules with which one of the shared secrets is associated, or that communication may be associated with the untrusted virtual network, in case the communication is not associated with any of those permission rules and is associated with one of the default permission rules.
  • communications within the trusted virtual networks may be substantially more secure and safe than communications within the untrusted virtual network.
  • FIG. 2 is a graphical illustration of an internal communication network partitioned into a plurality of trusted virtual networks and one untrusted virtual network, in accordance with some embodiments of the present invention.
  • the internal network 10 is partitioned into trusted virtual networks 110, 120 and 130 and an untrusted virtual network 140.
  • each of the trusted virtual networks 110, 120 and 130 may be associated with a certain shared secret, and communications within each of the trusted virtual networks 110, 120 and 130 may be authenticated using the shared secret with which that trusted virtual network may be associated.
  • the untrusted virtual network 140 may be associated with a default permission rule, as discussed above, and may not be associated with any shared secret. Communication within the untrusted virtual network may be unauthenticated.
  • a single end node can be (and typically is) associated with more than one network zone; for example, different entities on the end node may be associated with different virtual networks or zones. Furthermore, in accordance with further embodiments of the present invention, a single entity may also be associated with more than one virtual network zone. For example, a first permission rule associated with a certain entity, relating to communications between that entity and a first group of entities, may be correlated with a first shared secret, while a second permission rule associated with the same entity, relating to communications between that entity and a second group of entities, may be correlated with a second shared secret.
  • each of the trusted virtual networks 110, 120 and 130 may be associated with a shared secret and each of the shared secrets may be correlated with a certain group of permission rules, wherein each permission rule may be configured to indicate at least which one or more entities may be allowed to utilize one or more of the communication applications to connect to one or more other entities.
  • a communication which is in compliance with one of the permission rules with which one of the shared secrets is correlated may be within the trusted virtual network which is associated with that shared secret.
  • the first trusted virtual network 110 may be associated with a certain shared secret which is correlated with a group of permission rules which are typical of extranet communications.
  • one of the permission rules may be configured to indicate that one or more specific entities 114, for example, one or more network devices having an IP address which is included in a predefined list, are allowed to use a specific communication application, for example, a web browser, to generate communications in accordance with the HTTP protocol only, in order to connect to a specific entity 112, for example, a dedicated extranet server.
  • the second trusted virtual network 120 may be associated with a certain shared secret which is correlated with a group of permission rules which are typical of email communications.
  • one of the permission rules may be configured to indicate that one or more specific entities 122 and 124, for example, one or more network devices having an IP address which is included in a predefined list associated with that permission rule and a mail server, are allowed to utilize one or more specific communication applications, for example a mail server application or a mail client application, in order to connect to one or more of the other specific entities 124 and 122.
  • this rule is symmetric and may apply both to communications from the mail server 122 (utilizing the mail server application) to any one of the specific network devices 124, and to communications from any one of the specific network devices 124 (utilizing the mail client application) to the mail server 122.
  • the untrusted virtual network 140 may be associated with a default permission rule, with which none of the shared secrets is associated.
  • the default permission rule may be a negative rule in nature and may not relate to any one or more specific entities or to any one or more specific communication applications, although, as also mentioned above, in accordance with other embodiments of the present invention, other default rules may relate to one or more specific entities and/or to one or more specific communication applications.
  • FIG. 3 is a block diagram illustration of a traffic control driver in accordance with some embodiments of the present invention.
  • the traffic control driver 100 may include a traffic control database 1020 and a traffic control module 1010.
  • the traffic control driver shown in FIG. 3 and described herein is associated with end node 20, however each of the end nodes (one or more and possibly all) within the internal network 10 may be associated with a traffic control driver.
  • the traffic control database 1020 may include one or more shared secret entries.
  • Each of the shared secret entries may include data relating to a specific group of permission rules.
  • Each group of permission rules may be comprised of one or more specific permission rules.
  • each of the permission rules may be adapted to indicate which one or more entities are allowed to utilize one or more of the communication applications to connect to one or more other entities.
  • FIG. 4 is an illustration of some database entries which may be included in a certain traffic control database, in accordance with some embodiments of the present invention.
  • each traffic control database 1020 may include a plurality of shared secret entries Kl-Kn.
  • the traffic control database 1020 may further include, for each of the shared secret entries, one or more permission rule records.
  • each permission record may include data relating to the entities, the communication applications and any other characteristic or parameter to which the permission rule relates.
  • permission rules which are configured to indicate which entities are allowed to utilize one or more communication applications to communicate with one or more entities, as well as other parameters or characteristics which should be associated with permitted communications, are well known in the art. Any such suitable permission rules may be used as part of some embodiments of the present invention.
  • each permission rule record in the traffic control database may further include data relating to whether that rule applies to traffic which is in one direction (input or output) or whether that permission rule is symmetric and applies to traffic in both directions.
  • each traffic control database 1020 may include data relating to one or more shared secrets, wherein each of the shared secrets included in a certain traffic control database may be correlated with a permission rule (one or more) which relates to one or more entities which are associated with the end node 20 with which the traffic control database 1020 is associated.
  • the traffic control module 1010 may be adapted to authenticate communications within the internal network 10. In accordance with further embodiments of the present invention, the traffic control module 1010 may be adapted to control the outgoing traffic generated by any of the communication applications associated with end node 20 on which the traffic control driver 10 is installed. In accordance with further embodiments of the present invention, the traffic control module 1010 may be adapted to control the incoming traffic arriving at the end node 20 on which the traffic control driver 100 is installed.
  • the traffic control driver 100 may be operatively connected to the end node's communication subsystem, commonly a network interface card (not shown), which handles all the incoming and outgoing communications arriving at or being transmitted out of the end node with which the communication subsystem and the traffic control driver 1010 are associated.
  • the traffic control driver 100 may be operatively connected to the operating system, for example, using a kernel hook. It should be noted that the above description relates to only two exemplary implementations in accordance with some embodiments of the present invention.
  • other embodiments of the present invention may otherwise enable the traffic control driver, and specifically the traffic control module, to intercept incoming and/or outgoing communications arriving at or being transmitted out of the end node on which the traffic control driver is installed.
  • although the communication subsystem and the host with which the communication subsystem is associated may be described, or it may be implied by a description in the specification or in the claims, as being separate from one another, the present invention is not limited in this respect; in fact, the communication subsystem may often be an integral part of the host or end node with which it is associated, and the driver in such cases may be adapted to intercept the communication within the host or end node.
  • the traffic control module 1010 may be adapted to control each incoming and each outgoing communication which is about to be received in the end node 20 or which is about to be transmitted out of the end node 20. In accordance with further embodiments of the present invention, the traffic control module 1010 may be adapted to allow or deny each incoming communication from being received by the end node 20 with which it is associated and to allow or deny any outgoing communication from being transmitted out of the end node 20 with which it is associated. In accordance with further embodiments of the present invention, the traffic control module 1010 may be adapted to intercept any communication exchanged between the end node 20 and its communication subsystem.
  • the traffic control module 1010 may be adapted to intercept the communication when it is en route from the communication application to the communication subsystem, and in accordance with further embodiments of the present invention, whenever a communication is received at the communication subsystem of the end node 20, the traffic control module 1010 may be adapted to intercept the communication before the communication is delivered from the communication subsystem to the host or end node 20 itself.
  • the traffic control module 1010 may be adapted to extract out of the intercepted communication data relating to the application which was used to generate the communication; data relating to the source entity or to the entity which utilized the application in order to generate the intercepted communication; data relating to the destination entity or to the entity which is intended to receive the intercepted communication; and additional data relating to additional characteristics or parameters with which the intercepted communication is associated, for example, the communication protocol with which the intercepted communication is associated.
  • the data may be extracted out of a header portion included in or associated with the communication.
  • some embodiments of the present invention are not limited in this respect and the data may be otherwise obtained from any available source and in accordance with any process known in the present or yet to be devised in the future.
  • an example of a process of extracting data from a header portion of an intercepted communication shall be provided below.
  • the traffic control module 1010 may check the traffic control database 1020 to determine if there is a permission rule associated with the intercepted communication.
  • the traffic control module 1010 may be adapted to check which permission rule relates to a communication which was generated by the same communication application which was used to generate the intercepted communication, in response to being utilized by the same entity which utilized the communication application as part of the generation of the intercepted communication, and which is intended to be received by the same entity which is the destination of the intercepted communication.
  • the traffic control module 1010 may in addition check that the intercepted communication is in compliance with these (one or more) characteristics or parameters. It should also be noted that if, in some case, more than one permission rule is applicable to a certain intercepted communication, then the more specific permission rule may be selected, for example.
  • the traffic control module 1010 may check the traffic control database 1020 to determine with which shared secret that permission rule is correlated.
  • the traffic control module may be adapted to authenticate the communication using the shared secret with which the permission rule is correlated. The authentication of the communication shall be discussed in greater detail hereinbelow.
  • the traffic control module 1010 may deny the communication from being transmitted out of or from being received in the end node 20 or the host with which it is associated.
  • the traffic control module 1010 may be adapted to prevent the intercepted communication from proceeding to the communication subsystem, and may thus prevent the communication from arriving at the communication subsystem and from being transmitted out of the host or end node 20; in case the intercepted communication is an incoming communication, the traffic control module 1010 may be adapted to prevent the intercepted communication from proceeding into the host or end node 20, for example to the entity that is the intended recipient of the communication.
  • the entity which is the intended recipient of the communication may be a device, a user or software associated with the end node 20 on which the traffic control driver 100 is installed.
  • the traffic control module 1010 may allow the communication to proceed to its destination, but may treat the communication as an "untrusted communication", and may, for example, not authenticate the communication or otherwise discriminate against the communication in comparison to a communication which is in compliance with a permission rule which is correlated with one of the shared secrets.
  • the traffic control module 1010 may be adapted to deny the communication from being transmitted out of or from being received in the end node 20 or the host with which it is associated.
  • the traffic control driver 100 and specifically the traffic control module 1010 may be adapted to intercept each packet of each communication which is intended to be exchanged between the host or end node 20 and the host's communication subsystem, before it reaches its destination (the communication subsystem when the packet is part of an outgoing communication and the host or end node when the packet is part of an incoming communication).
  • the present invention is not limited to collecting the data necessary for performing one or more of the processes, procedures or functions, which may be part of some embodiments of the present invention, solely from the packets or from the communication.
  • the traffic control driver 100 and specifically the traffic control module 1010 may be adapted to collect the data from other sources other than the communication or the packet itself, including but not limited to from the entity which is the intended recipient of the communication or the packet (for example, the software or the user or the device which are the intended recipients) .
  • the traffic control module 1010 may be adapted to monitor the processing of each packet as well as the operation of users and software (or entities in general), for example the entities which are the intended recipients of the communication or packet.
  • a suitable hook may be implemented to enable the traffic control module 1010 to obtain the information, for example information relating to one or more entities, and in accordance with a more specific example, information relating to one or more entities which are the intended recipients of the communication or the packet.
  • the traffic control driver 100 and the traffic control module 1010 may be adapted to collect some of the data necessary for performing the above processes from the packets themselves, and thus these operations or processes may take place at the packet level. Described below is one example of a process of authenticating a packet, in accordance with some embodiments of the present invention.
  • the traffic control module 1010 may be adapted to digitally sign each intercepted outgoing packet which is in compliance with a permission rule which is correlated with a shared secret, in accordance with the shared secret with which the permission rule associated with the packet is correlated, and in accordance with some embodiments of the present invention, the traffic control module 1010 may be adapted to verify the digital signature with which an incoming packet is signed in accordance with the shared secret which is correlated with the permission rule with which the incoming packet complies.
  • each shared secret may be uniquely associated with one or more digital signatures or with a range of digital signatures.
  • any suitable method or technique of digitally signing a packet using a certain shared secret and of verifying the digital signature with which a certain packet may be signed in accordance with the shared secret in accordance with which the packet may be signed may be used as part of some embodiments of the present invention.
  • the permission rules, the shared secrets and the digital signatures may be manually configured, for example by a system administrator.
  • the permission rules, the shared secrets and the digital signatures may be manually input to each traffic control database 1020, such that each traffic control database includes all the permission rules which are relevant to the end node 20 on which the traffic control driver 100 which includes the traffic control database is installed, the shared secret associated with each of the permission rules, and the digital signature to be used to authenticate each communication which is associated with one of the shared secrets.
  • the permission rules, the shared secrets and the digital signatures may be automatically configured.
  • each internal network 10 may include, for example, a central traffic management module 72.
  • each of the traffic control drivers 100 may include a traffic management agent 1060 (for example, a traffic management agent application).
  • the traffic management module 72 may be operatively connected to each of the traffic management agents 1060.
  • the traffic management module 72 may be adapted to automatically generate permission rules.
  • the traffic management module may be adapted to generate the permission rules in accordance with one or more of the following: predefined logic; existing permission rules; dynamic analysis of the operation of the system (for example, as part of an initialization process); manually configured permission rules; and any other suitable means.
  • the traffic management module 72 may include all the rules which are applicable to any end node (and entity) within the internal network. The rules may be defined and generated only during a predetermined initialization process, or may be continuously and dynamically generated during the operation of the internal network, in response to various events and actions or in response to manual intervention.
  • the traffic management module 72 may be adapted to distribute the permission rules to the traffic management agent 1060.
  • the traffic management module 72 may be adapted to provide each traffic management agent 1060 with the permission rules which relate to one or more of the entities associated with the end node on which the traffic control driver 100 which includes that traffic management agent 1060 is installed.
  • in case the permission rules are continuously and dynamically generated at the traffic management module 72, whenever a new permission rule is generated or an existing rule is modified or deleted, the traffic management module 72 may be adapted to update as necessary each relevant traffic management agent 1060 which is associated with the newly generated, modified or deleted permission rule.
  • each traffic management agent 1060 may be operatively connected to the traffic control database 1020.
  • the traffic management agent 1060 may be adapted to provision the traffic control database 1020 with the permission rules which are associated with the end node 20 with which the traffic control driver 100 is associated, and may cause the traffic control database 1020 to add, modify or delete the appropriate entries relating to the various permission rules and/or the relevant records associated with each entry.
  • the internal communication network may further include a key management module 74.
  • the key management module 74 may be adapted to automatically generate shared secrets and to determine which permission rules are to be correlated with each shared secret.
  • the key management module 74 may also be adapted to generate one or more keys which are suitable for generating digital signatures, or alternatively may be adapted to generate one or more keying rules in accordance with which one or more keys may be generated, such that each key or group of keys generated (either directly or in accordance with one of the key generation rules) is uniquely associated with a particular shared secret.
  • one or more of the traffic control drivers 100 may include a key management agent 1050.
  • the key management module 74 may be operatively connected to each of the key management agents 1050.
  • the key management module 74 may be adapted to distribute the shared secrets and the keys to the appropriate key management agents 1050.
  • the key management module 74 may be adapted to distribute to each key management agent 1050, the shared secrets and the keys which are associated with one of the entities on the end node 20 with which the traffic control driver 100 which includes that key management agent 1050 is associated.
  • the key management module 74 may be adapted to update as necessary each relevant key management agent 1060 which is associated with the newly generated, modified or deleted key and/or shared secret and/or permission rule.
  • each key management agent 1060 may be operatively connected to the traffic control database 1020.
  • the key management agent 1060 may be adapted to provision the traffic control database 1020 with the shared secrets which are associated with each of the permission rules in the traffic control database 1020.
  • the key management agent 1050 may also provision the traffic control database with the keys to be used for authenticating a communication associated with a certain shared secret, however, in accordance with other embodiments of the present invention, the key may not be provisioned to the database 1020, and rather the traffic control module 1010 may be adapted to retrieve the data relating to the authentication keys from the key management agent whenever it is necessary to authenticate a certain communication. The traffic control module 1010 may retrieve the key in accordance with the shared secret with which the communication has been determined to be associated.
  • the traffic control driver 100 may be adapted to associate or to include in each communication which is associated with a certain shared secret a shared secret indicator or index.
  • the communication may be checked to determine whether that communication includes or is associated with a certain shared secret indicator or index.
  • the shared secret indicator is akin to what is sometimes known as a "security association", and may enable faster access to the digitally signed communication, provided that the shared secret to which the shared secret indicator points is the correct shared secret and that the communication is authenticated successfully.
  • each traffic control database may include in addition to the entries and records discussed above, at least one shared secret indicator record for each shared secret entry in the database.
  • the traffic control module may be adapted to associate with the outgoing communication, or include in the outgoing communication, a shared secret indicator which is correlated with the shared secret that is determined to be correlated with the permission rule which the outgoing communication is in compliance with; and whenever the traffic control module is authenticating an incoming communication, the traffic control module may be adapted to determine with which shared secret indicator the incoming communication is associated or which indicator it includes, and may attempt to authenticate the incoming communication using the shared secret with which the shared secret indicator associated with or included in the communication is correlated.
  • the shared secret indicator may be encapsulated in each packet (for example in the header portion of the packet) as part of the authentication of the packet as described above, and may accordingly be extracted from each authenticated packet.
  • the traffic control driver 320 may be a hardware interface installed in-between the host 310 and the communication subsystem 330 (e.g., NIC) .
  • the traffic control driver 340 may be implemented in the host, for example, as software running on the host 340 and adapted to intercept incoming and outgoing communications.
  • the traffic control module 380 may be included in the communication subsystem 390. It should be noted that in accordance with other embodiments of the present invention, the traffic control driver may be otherwise implemented, may be implemented in software and/or hardware, and may be divided between the host and the communication subsystem.
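The per-packet procedure described above (extract the application, source entity, destination entity and protocol; find the most specific applicable permission rule; look up the shared secret correlated with it; sign outgoing packets and verify incoming ones under the key of that secret, using the shared secret indicator carried in the header; and fall back to a default rule for unauthenticated, untrusted traffic), as an added Python example that is not part of the patent. The entity names, the HMAC-SHA256 signature, the "*" wildcard, the rule-specificity ordering and the sample database are assumptions constructed for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Optional

ANY = "*"  # assumed wildcard for a default (negative) rule not limited to entities/applications

@dataclass(frozen=True)
class Rule:
    source: str                     # entity utilizing the communication application
    destination: str                # entity intended to receive the communication
    application: str                # communication application, e.g. "browser"
    protocol: Optional[str] = None  # additional parameter; None means unconstrained
    symmetric: bool = False         # rule applies to traffic in both directions

    def matches(self, src, dst, app, proto):
        forward = self.source in (ANY, src) and self.destination in (ANY, dst)
        reverse = self.symmetric and self.source in (ANY, dst) and self.destination in (ANY, src)
        if not (forward or reverse) or self.application not in (ANY, app):
            return False
        return self.protocol is None or self.protocol == proto

    def specificity(self):  # used to pick the more specific rule when several apply
        return sum(v != ANY for v in (self.source, self.destination, self.application)) + (self.protocol is not None)

@dataclass
class SecretEntry:
    indicator: int                  # shared secret indicator/index carried in the packet header
    key: bytes                      # signing key uniquely associated with this shared secret
    rules: list = field(default_factory=list)  # permission rule records correlated with the secret

@dataclass
class TrafficControlDatabase:
    secrets: dict                   # shared secret entries K1..Kn
    default_rules: list             # rules with which no shared secret is correlated

    def find_rule(self, src, dst, app, proto):
        """Return (secret name or None, rule) for the most specific applicable rule."""
        found = [(r.specificity(), name, r) for name, e in self.secrets.items()
                 for r in e.rules if r.matches(src, dst, app, proto)]
        found += [(r.specificity(), None, r) for r in self.default_rules if r.matches(src, dst, app, proto)]
        if not found:
            return None, None
        _, name, rule = max(found, key=lambda c: c[0])
        return name, rule

    def secret_by_indicator(self, indicator):
        for name, entry in self.secrets.items():
            if entry.indicator == indicator:
                return name, entry
        return None, None

def make_packet(src, dst, app, proto, payload):
    """A constructed packet: the header fields the driver extracts, plus the payload."""
    return {"header": {"src": src, "dst": dst, "app": app, "proto": proto}, "payload": payload}

def _signed_bytes(packet):
    h = packet["header"]  # the signature covers the extracted fields, the indicator and the payload
    return f'{h["src"]}|{h["dst"]}|{h["app"]}|{h["proto"]}|{h.get("ssi")}|'.encode() + packet["payload"]

def control_outgoing(db, packet):
    """Outgoing path: ("trusted", signed packet), ("untrusted", packet) or ("deny", packet)."""
    h = packet["header"]
    name, rule = db.find_rule(h["src"], h["dst"], h["app"], h["proto"])
    if rule is None:
        return "deny", packet             # no permission rule applies
    if name is None:
        return "untrusted", packet        # default rule: allowed, never authenticated
    entry = db.secrets[name]
    h["ssi"] = entry.indicator            # shared secret indicator goes into the header
    packet["sig"] = hmac.new(entry.key, _signed_bytes(packet), hashlib.sha256).hexdigest()
    return "trusted", packet

def control_incoming(db, packet):
    """Incoming path: verify under the secret the indicator points to; it must match the rule."""
    h = packet["header"]
    name, rule = db.find_rule(h["src"], h["dst"], h["app"], h["proto"])
    if rule is None:
        return "deny"
    if name is None:
        return "untrusted"
    if "sig" not in packet or "ssi" not in h:
        return "deny"                     # rule is correlated with a secret: unsigned traffic is denied
    ind_name, entry = db.secret_by_indicator(h["ssi"])
    if entry is None or ind_name != name:
        return "deny"                     # indicator points at the wrong shared secret
    expected = hmac.new(entry.key, _signed_bytes(packet), hashlib.sha256).hexdigest()
    return "trusted" if hmac.compare_digest(expected, packet["sig"]) else "deny"

def sample_database():
    """Constructed entries loosely following FIG. 2's zones (assumed names, not the patent's)."""
    extranet = Rule("device_114", "extranet_server_112", "browser", protocol="HTTP")
    mail = Rule("mail_server_122", "device_124", "mail", symmetric=True)
    return TrafficControlDatabase(
        secrets={"K1": SecretEntry(1, b"constructed-extranet-key", [extranet]),
                 "K2": SecretEntry(2, b"constructed-mail-key", [mail])},
        default_rules=[Rule(ANY, ANY, ANY)])  # untrusted zone 140: allowed but unauthenticated
```

Running the same database on both the sending and receiving side shows the three outcomes: an HTTP browser packet to the extranet server is signed under K1 and verifies, a packet whose payload or indicator was altered after signing is denied, and an FTP packet from the same device matches only the default rule and travels unsigned as untrusted traffic.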

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

An internal network (10) is partitioned into trusted virtual networks (110), (120), (130) and an untrusted virtual network (140). In accordance with some embodiments of the present invention, each of the trusted virtual networks (110), (120) and (130) may be associated with a certain shared secret, and communications within each of the trusted virtual networks (110), (120) and (130) may be authenticated using the shared secret with which that trusted virtual network is associated.

Description

A SYSTEM, METHOD AND DEVICE FOR MANAGING TRAFFIC WITHIN AN INTERNAL COMMUNICATION NETWORK
CROSS-REFERENCE TO RELATED APPLICATIONS [001]
FIELD OF THE INVENTION
[002] The present invention generally relates to the field of network management, more specifically the present invention relates to a system, method and device for managing traffic within an internal communication network.
BACKGROUND OF THE INVENTION
[003] Traditionally, the predominant philosophy for protecting enterprises' networks was to selectively "isolate" the internal (trusted) networks from the outside (untrusted) world using firewalls. Users that are physically connected to the enterprise networks are assumed to pose no risk to the organization. Hackers and other adversaries are assumed to always be on the outside (connected to the Internet).
[004] However, the firewall philosophy has been found lacking. According to a CSI/FBI 2003 Report 80% of enterprises reported insider abuse - none addressed by the perimeter defense of firewalls. Other reports corroborate the need to shift attention and resources from "firewall" perimeter protection to internal networks security (for example: Securing Internal Networks, META Group, 2004) .
[005] In addition, the border between internal and external networks is expanding and becoming unclear. Gartner has listed the increasing use of laptops, palms and smartphones (all outside of the firewall), Wireless LANs, encryption and SSL (which blind existing solutions) as key contributors to the changing enterprise perimeter.
[006] The wide open nature of internal enterprise networks poses no obstacles to hackers and intruders, and even facilitates them. A typical attack is performed in stages. In the first stage, an attacker gains control of a less-secured device within the internal network; the large number of desktops, employees (not all of whom can be equally trusted), mobile users, remote offices and even outsiders having certain access privileges into the network (such as suppliers and clients, for example) make it an almost impossible task to equally protect every single device within the network. Unfortunately, the state of matters is such that once a single device within the internal network has been compromised, the attacker enjoys an open field for attacking various computer systems, since the enterprise network typically enables connectivity to every possible resource or system in the organization. Using this connectivity, the attacker is able to scan and map the network ("collect intelligence"). With full knowledge of the network, including the specifications of the various systems, the attacker can plan and choose the specific form of attack on the target system.
[007] Another troubling weakness of current internal network security and management approaches is the susceptibility of such networks to infectious computer viruses, worms, Trojans and other malicious code ("malware"). Malware is allowed to spread freely within the organization, from one computer to another, with practically no network obstacles that can stop its propagation. Computer Economics has estimated the financial damages from a few specific attacks during recent years at over $2B. Limiting worm propagation is becoming an even more critical need as recent worms were less innocent than their predecessors: they collected financial information about the users and established a covert communications channel ("back-door") in order to send this information to their senders.
[008] In addition to the above, the rising popularity of wireless devices and Wireless LANs enables hackers and dishonest users to act as if from the inside, bypassing any perimeter security completely. Emerging wireless standards attempt to mitigate this risk through encryption, access control and other mechanisms. However, the IT department can easily lose control: a single $50 router deployed by an employee will usually be unknown to the IT department and will open an easy passage to anyone that is looking for network access.
[009] One proposed solution to the shortcomings of present firewall security is the one suggested in an article by Steven M. Bellovin, Distributed Firewalls, ;login:, Nov. 1999, pp. 37-39. In accordance with the proposed distributed firewalls, the security policy is still centrally defined, but enforcement takes place on each endpoint. The identity of each of the endpoints (hosts, servers, etc.) protected by the firewall is cryptographically assured.
More specifically, each packet generated by an authorized endpoint is associated with a certain certificate, and when a packet arrives at a certain endpoint within the firewall, the access granted to that packet is determined by the rights granted for the certificate associated with that packet, or the lack thereof.
[010] Furthermore, while Bellovin remarks that application-level protection can be achieved by distributing application-specific policy files which are intended to limit the use of a certain application within the protected network, the application-specific policy described by Bellovin is very limited and is suitable only for enforcing a uniform policy across the protected network with regard to a certain application or a subset of an application. The solution provided by Bellovin does not differentiate communications between entities within the network and is incapable of granting (or denying) access permissions for communications between any two (or more) network entities based on the specific application, or the specific subset of a certain application, associated with that communication.
[011] In the current art, it is known to limit access to certain network entities or applications within the internal network by means of network and/or application login. Whenever a certain application, or a certain entity through an application, seeks to gain access to a certain entity or to a certain application to which access is limited, a username string and a matching password must be provided in order to be granted access. Such access control solutions have become a relatively minor setback for knowledgeable hackers, who are able to discover the appropriate strings or who are sometimes able to bypass the access control measures en route to the targeted resources.
[012] Furthermore, modern enterprise software bundles or suites are designed to answer a wide range of the enterprise's needs. As a result, a security specialist or a system administrator must implement a substantially large number of access control rules and measures in order to limit access to certain software, data structures and the like, or to certain functions, regions or the like of such software or data structures, by unauthorized network entities or personnel from within the internal network. These access control definitions must be frequently updated and adapted to keep abreast of dynamic developments within the organization. The task of implementing, managing and maintaining access control measures within the internal network of an organization has become one of the most complicated branches of system administration, and a considerable amount of resources and time must be dedicated by the organization's technical team to the handling of such access control measures. Furthermore, as mentioned above, even if such access control measures are implemented and maintained impeccably, the security level they provide is marginal when the intruder is a knowledgeable hacker.
[013] There is thus a need for a system, method and circuit for controlling traffic within an internal network which overcomes the limitations of, and provides enhancements over, the teachings of the prior art. There is a further need to provide such a system, method and circuit capable of enabling (or disabling) communications between two or more entities within an internal network based on the identities of the communicating entities, as well as on data relating to the specific application, or specific subset of an application, with which the communications are associated.
SUMMARY OF THE INVENTION
[002] Some embodiments of the present invention may relate to a system for managing traffic within an internal communication network. In accordance with some embodiments of the present invention, the system may include a communication application adapted to generate communications in the network, two or more end nodes and a traffic control driver.
[003] In accordance with some embodiments of the present invention, each of the two or more end nodes may be associated with one or more entities. In accordance with further embodiments of the present invention, at least two of the entities may be adapted to utilize the communication application. In accordance with further embodiments of the present invention, the at least two entities may be adapted to utilize the communication application in accordance with a permission rule.
[004] In accordance with some embodiments of the present invention, the permission rule may be configured to indicate which one or more entities are allowed to utilize the communication application to communicate with which one or more entities. In accordance with some embodiments of the present invention, the traffic control driver may be adapted to authenticate the communication using a secret shared among the at least two entities.
[005] The system in accordance with further embodiments of the present invention may include one or more applications adapted to utilize the communication network, two or more end nodes and a traffic control driver.
[006] In accordance with some embodiments of the present invention, each of the two or more end nodes may be associated with one or more entities. One or more of the entities may be adapted to utilize one or more of the applications. As part of the utilization of the applications by the entities, the applications may generate communications within the internal network.
[007] In accordance with some embodiments of the present invention, each permission rule may be configured to indicate which entities are allowed to utilize one or more of the applications to connect to one or more of the other entities. In accordance with some embodiments of the present invention, each of the entities may be adapted to utilize one or more of the applications to connect to one or more of the other entities only in compliance with permission rules. Each permission rule may apply to a specific one application or to more than one application, for example, any or all applications. Thus, in accordance with some embodiments of the present invention, a permission rule (one or more) may be configured to allow a certain entity (one or more) to access any of the one or more applications, or to deny a certain entity (one or more) from accessing any of the one or more applications, to connect to one or more of the other entities. In accordance with further embodiments of the present invention, at least one of the permission rules may relate to a specific (one or more but not all) application. For example, at least one permission rule may be configured to indicate which one or more entities are allowed to utilize one or more specific applications (but not all of the applications) to connect to one or more of the other entities.
[008] In accordance with some embodiments of the present invention each of the end nodes may include a traffic control driver. The traffic control driver may be adapted to authenticate communications within the internal network in accordance with one or more shared secrets. Each of the shared secrets may be associated with a specific group of permission rules.
[014] Further embodiments of the present invention may relate to a method of managing an internal network. The method in accordance with some embodiments of the present invention may include generating one or more shared secrets and authenticating communications within the network in accordance with the one or more shared secrets.
[009] In accordance with some embodiments of the present invention, the generating of the one or more shared secrets may further include generating one or more shared secrets wherein each of the shared secrets may be associated with a specific group of permission rules relating to communications between two or more entities. As part of the generating of the one or more shared secrets, at least one of the permission rules may further relate to one or more specific applications adapted to utilize the communication network. As a further part of the generating of the one or more shared secrets, the entities may be allowed to communicate only in compliance with the permission rules.
[010] Yet further embodiments of the present invention may relate to a traffic control driver for enforcing traffic control policy. The traffic control driver in accordance with some embodiments of the present invention may include a traffic control database including one or more shared secret entries and a traffic control module adapted to authenticate communications within the network in accordance with one or more shared secrets associated with a specific group of permission rules.
[011] In accordance with some embodiments of the present invention, each shared secret entry may include data relating to a specific group of permission rules. Each permission rule may relate to one or more entities and to one or more applications adapted to utilize the communication network.
[012] In accordance with some embodiments of the present invention, each of the entities may be allowed to utilize one or more of the applications to generate communications only in compliance with the permission rules. Each permission rule may apply to a specific one application or to more than one application, for example, any or all applications. Thus, in accordance with some embodiments of the present invention, a permission rule (one or more) may be configured to allow a certain entity (one or more) to access any of the one or more applications, or to deny a certain entity (one or more) from accessing any of the one or more applications. In accordance with further embodiments of the present invention, at least one of the permission rules may relate to a specific (one or more but not all) application.
BRIEF DESCRIPTION OF THE DRAWINGS
[013] In order to understand the invention and to see how it may be carried out in practice, a preferred embodiment will now be described, by way of non-limiting example only, with reference to the accompanying drawings, in which:
[014] FIG. 1 is a block diagram illustration of a system for managing traffic within an internal communication network, in accordance with some embodiments of the present invention;
[015] FIG. 2 is a graphical illustration of an internal communication network partitioned into a plurality of trusted virtual networks and one untrusted virtual network, in accordance with some embodiments of the present invention;
[016] FIG. 3 is a block diagram illustration of a traffic control driver in accordance with some embodiments of the present invention;
[017] FIG. 4 is an illustration of some database entries which may be included in a certain traffic control database, in accordance with some embodiments of the present invention; and
[018] FIG. 5 is a block diagram illustration of various exemplary implementations of the traffic control driver in accordance with some embodiments of the present invention.
[019] It will be appreciated that for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity. Further, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements.
DETAILED DESCRIPTION OF THE INVENTION
[020] In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the present invention.
[021] Unless specifically stated otherwise, as apparent from the following discussions, it is appreciated that throughout the specification discussions utilizing terms such as "processing", "computing", "calculating", "determining", "generating", "assigning" or the like refer to the action and/or processes of a computer or computing system, or similar electronic computing device, that manipulate and/or transform data represented as physical, such as electronic, quantities within the computing system's registers and/or memories into other data similarly represented as physical quantities within the computing system's memories, registers or other such information storage, transmission or display devices.
[022] Embodiments of the present invention may include apparatuses for performing the operations herein. This apparatus may be specially constructed for the desired purposes, or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, magneto-optical disks, read-only memories (ROMs), random access memories (RAMs), electrically programmable read-only memories (EPROMs), electrically erasable and programmable read only memories (EEPROMs), magnetic or optical cards, or any other type of media suitable for storing electronic instructions, and capable of being coupled to a computer system bus.
[023] The processes and displays presented herein are not inherently related to any particular computer or other apparatus. Various general purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform the desired method. The desired structure for a variety of these systems will appear from the description below. In addition, embodiments of the present invention are not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the invention as described herein.
[024] Throughout the specification and the claims, the term "internal communication network", unless stated otherwise, shall be used to mean any group of network entities within a single administrative domain, including but not limited to a stand-alone organization's network; an organization's network including one or more Virtual Private Networks; a combination of two or more Virtual Private Networks under a single administrative domain, etc.
[025] Throughout the specification and the claims, unless specifically stated otherwise, the term "one or more communication applications" shall be used to mean one, more than one and/or any or all communication applications, whereas the term "specific communication application" or "one or more specific communication applications" shall be used to mean one and/or more than one, but not all or any, communication application(s).
[026] Throughout the specification and the claims, unless specifically stated otherwise, the term "group of permission rules" shall be used to mean one or more permission rules.
[027] Some embodiments of the present invention may relate to a system for managing traffic within an internal communication network. In accordance with some embodiments of the present invention, the system may include a communication application adapted to generate communications in the network, two or more end nodes and a traffic control driver.
[028] In accordance with some embodiments of the present invention, each of the two or more end nodes may be associated with one or more entities. In accordance with further embodiments of the present invention, at least two of the entities may be adapted to utilize the communication application. In accordance with further embodiments of the present invention, the at least two entities may be adapted to utilize the communication application in accordance with a permission rule.
[029] In accordance with some embodiments of the present invention, the permission rule may be configured to indicate which one or more entities are allowed to utilize the communication application to communicate with which one or more entities. In accordance with some embodiments of the present invention, the traffic control driver may be adapted to authenticate the communication using a secret shared among the at least two entities.
[030] The system in accordance with further embodiments of the present invention may include one or more communication applications adapted to generate communications in the network, two or more end nodes and a traffic control driver.
[031] In accordance with some embodiments of the present invention, each of the two or more end nodes may be associated with one or more entities. One or more of the entities may be adapted to utilize one or more of the communication applications. As part of the utilization of the communication applications by the entities, the communication applications may generate communications within the internal network.
[032] In accordance with some embodiments of the present invention, each permission rule may be configured to indicate which entities are allowed to utilize one or more of the communication applications to communicate with one or more of the other entities. In accordance with some embodiments of the present invention, each of the entities may be adapted to utilize one or more of the communication applications to communicate with one or more of the other entities only in compliance with permission rules. Each permission rule may apply to a specific one communication application or to more than one communication application, for example, any or all the communication applications. Thus, in accordance with some embodiments of the present invention, a permission rule (one or more) may be configured to allow a certain entity (one or more) to access any of the one or more communication applications, or to deny a certain entity (one or more) from accessing any of the one or more communication applications, to connect to one or more of the other entities. In accordance with further embodiments of the present invention, at least one of the permission rules may relate to a specific (one or more but not all) communication application. For example, at least one permission rule may be configured to indicate which one or more entities are allowed to utilize one or more specific communication applications (but not all of the applications) to connect to one or more of the other entities.
[033] In accordance with some embodiments of the present invention each of the end nodes may include a traffic control driver. The traffic control driver may be adapted to authenticate communications within the internal network in accordance with one or more shared secrets. Each of the shared secrets may be associated with a specific group of permission rules.
[015] Further embodiments of the present invention may relate to a method of managing an internal network. The method in accordance with some embodiments of the present invention may include generating one or more shared secrets and authenticating communications within the network in accordance with the one or more shared secrets.
[034] In accordance with some embodiments of the present invention, the generating of the one or more shared secrets may further include generating one or more shared secrets wherein each of the shared secrets may be associated with a specific group of permission rules relating to communications between two or more entities. As part of the generating of the one or more shared secrets, at least one of the permission rules may further relate to one or more specific communication applications adapted to utilize the communication network. As a further part of the generating of the one or more shared secrets, the entities may be allowed to communicate only in compliance with the permission rules.
[035] Yet further embodiments of the present invention may relate to a traffic control driver for enforcing traffic control policy. The traffic control driver in accordance with some embodiments of the present invention may include a traffic control database including one or more shared secret entries and a traffic control module adapted to authenticate communications within the network in accordance with one or more shared secrets associated with a specific group of permission rules.
[036] In accordance with some embodiments of the present invention, each shared secret entry may include data relating to a specific group of permission rules. Each permission rule may relate to one or more entities and to one or more applications adapted to utilize the communication network.
[037] In accordance with some embodiments of the present invention, each of the entities may be allowed to utilize one or more of the communication applications to generate communications only in compliance with the permission rules. Each permission rule may apply to a specific one communication application or to more than one communication application, for example, any or all communication applications. Thus, in accordance with some embodiments of the present invention, a permission rule (one or more) may be configured to allow a certain entity (one or more) to access any of the one or more communication applications, or to deny a certain entity (one or more) from accessing any of the one or more communication applications. In accordance with further embodiments of the present invention, at least one of the permission rules may relate to a specific (one or more but not all) communication application.
[038] Reference is now made to FIG. 1, which is a block diagram illustration of a system for managing traffic within an internal communication network, in accordance with some embodiments of the present invention. In accordance with some embodiments of the present invention, a system for managing traffic within an internal network may include communication applications 62 and 32 adapted to generate communications in the network 10, two or more end nodes 20, 30 and 40, and traffic control drivers 100A-100C.
[039] In accordance with some embodiments of the present invention, each of the two or more end nodes 20, 30 and 40 may be associated with one or more entities 22, 24 and 26; 32, 34 and 36; and 24, respectively. In accordance with further embodiments of the present invention, at least two of the entities 22, 24 and 26; 32, 34 and 36; and 24 may be adapted to utilize the communication application. In accordance with further embodiments of the present invention, the at least two entities may be adapted to utilize the communication application in accordance with a permission rule.
[040] In accordance with some embodiments of the present invention, the permission rule may be configured to indicate which one or more of the entities 22, 24 and 26; 32, 34 and 36; and 24 are allowed to utilize the communication application to communicate with which one or more of the other entities.
[041] In accordance with some embodiments of the present invention, the traffic control driver 100A-100C may be adapted to authenticate the communication using a secret shared among the at least two entities communicating therebetween, or a secret shared between the end nodes 20, 30 and 40 which include the entities that are communicating.
[042] In accordance with further embodiments of the present invention a system for managing traffic within an internal communication network 10 may include one or more communication applications 62 and 32 which are adapted to utilize the communication network 10 and one or more end nodes 20, 30 and 40. Each of the end nodes 20, 30 and 40 may be associated with one or more entities 22-26, 32-36 and 24, respectively. One or more of the entities 22-26, 32-36 and 24 may be adapted to utilize one or more applications 62 and 32. As part of the utilization by the entities 22-26, 32-36 and 24, the communication applications 62 and 32 may generate communication within the internal network 10.
[043] In accordance with some embodiments of the present invention, each of the end nodes 20, 30 and 40 may include a traffic control driver 100A-100C, respectively. In accordance with further embodiments of the present invention, each of the traffic control drivers 100A-100C may be adapted to authenticate communications within the internal network in accordance with one or more shared secrets. In accordance with yet further embodiments of the present invention, each of the shared secrets may be correlated with a specific group of permission rules. Various aspects of the present invention relating to the shared secrets shall be discussed in greater detail hereinbelow.
[044] In accordance with some embodiments of the present invention, each of the entities 22-26, 32-36 and 24 may be one of the following: a specific end node; a specific user of the internal network; or a specific piece of software. For example, in the embodiment shown in FIG. 1, end node 20 may be associated with a first entity 22 correlated with user A, with a second entity 24 correlated with user B, and with a third entity 26 correlated with software B; end node 30 may be associated with a fifth entity 32 correlated with software C, with a sixth entity 34 correlated with user C, and with a seventh entity 36 correlated with device B; and end node 40 may also be associated with the second entity 24 correlated with user B.
[045] In accordance with some embodiments of the present invention, each of the communication applications 62 and 32 may be configured to generate communications in response to being utilized to that effect by one or more entities which are adapted to cause that specific communication application to generate traffic. It should be noted that, although in some cases a communication application which is adapted to generate communications within the internal network may also be regarded as an internal network entity (software) (for example, in the embodiment shown in FIG. 1 the element marked 32 serves as both a software entity and a communication application), not all communication applications are necessarily also network entities, and not all the pieces of software which are referred to as network entities are necessarily configured to generate communications within the internal network, or to generate communications within the internal network in response to being utilized by one or more of the entities. In accordance with some embodiments of the present invention, the communication applications 62 and 32 may be any currently known or yet to be devised communication application, or a subset of a communication application, which is configured to generate communications in response to being utilized by one or more entities.
[046] In accordance with some embodiments of the present invention, the permission rules may be configured to indicate which of the entities 22-26, 32-36 and 24 are allowed to utilize one or more of the communication applications 62 and 32, or are allowed to utilize a certain subset of the applications 62 and 32, to connect to one or more of the other entities. In accordance with further embodiments of the present invention, one or more of the permission rules may be configured to indicate that one or more of the entities 22-26, 32-36 and 24 are allowed to utilize any or all of the communication applications to communicate with one or more of the other entities. Such permission rules may, in some cases (for example, if no additional limitations apply), effectively allow any communication between the first group of entities and the second group of entities, regardless of which communication application is used to generate the communication.
[047] In accordance with further embodiments, at least one permission rule may relate to a specific communication application 62 and 34 (one or more but not all). For example, at least one permission rule may be configured to indicate which one or more entities are allowed to utilize one or more specific communication applications (but not all of the communication applications) to connect to one or more of the other entities.
[048] In accordance with one embodiment of the present invention, a certain exemplary permission rule may be configured to indicate that user A 22 is allowed to utilize communication application A 62 to connect to software C 32 (here software C 32 serves as one of the entities and not as one of the communication applications adapted to utilize the network). Thus, if for example software C is a CRM application, and application A is a web browser that is capable of connecting to the CRM application, then the permission rule may indicate that user A is allowed to utilize the web browser (application A) in order to connect to the CRM application. However, it should be noted that the above embodiment is exemplary in nature and that the present invention is not limited to any one particular permission rule.
[049] In accordance with yet further embodiments of the present invention, one or more of the permission rules may be configured to indicate that communications between two or more entities 22-26, 32-36 and 24 are allowed only if the communications are associated with a specific one or more communication applications (or subsets of communication applications), and may disregard any distinction relating to which entity is the source and which is the destination. However, in accordance with yet further embodiments of the present invention, one or more of the permission rules may be configured to indicate that communications between two or more entities 22-26, 32-36 and 24 are allowed only if the source entity is one of a specific group of entities which utilized a specific (one or more) communication application to generate communications which are intended to be received by a specific (one or more) destination entity. It should be noted that some of the entities to which such permission rules relate may in some cases be allowed to be both on the source end and on the destination end, so long as there is no full overlap. The situation where there is no significance to the identity of the source and the destination entity is also described above with reference to some embodiments of the present invention.
[050] The permission rules are not limited to being defined by the above mentioned entities and/or applications and may be defined, in addition or in the alternative, by a variety of additional characteristics or parameters of the communication, including but not limited to any characteristics or parameters which may be included in or derived from the headers of the communications, such as an IP address or a range of IP addresses, a list of MAC addresses, protocol, URL, port, XML/SOAP tags, etc.
In accordance with some embodiments of the present invention, one or more permission rules may relate to a specific communication defined by specific characteristics and/or parameters, while other permission rules (one or more) may relate to a certain type of communications and may be defined by some common characteristic or parameter, such as a certain range of network addresses. In accordance with some embodiments of the present invention, at least some of the permission rules may be predefined. Examples of permission rules shall be provided below.
[051] In accordance with one embodiment of the present invention, a certain exemplary permission rule may be configured to indicate that user A 22 is allowed to utilize application A 62 to connect to device B 36 using a specific communication protocol, for example, a communication protocol which is suitable for communicating with application C 32. Thus, if for example device B is a CRM server on which application C is running, where application C is, for example, a CRM application, and application A is, for example, a web browser that is capable of connecting to device B in response to being utilized by user A, and the protocol which is allowed for communication with device B is HTTP, then the permission rule may indicate that user A is allowed to utilize the web browser (application A) in order to connect to device B using the HTTP protocol. However, it should be noted that the above embodiment is exemplary in nature and that the present invention is not limited to any one particular permission rule.
[052] In accordance with some embodiments of the present invention, one or more groups of permission rules may be defined in the internal network 10. In accordance with further embodiments of the present invention, one or more shared secrets may be generated in the internal network 10. Each of the shared secrets may be correlated with a different group of permission rules.
The definition of the one or more groups of permission rules, and the generation of the shared secrets and their connection to the groups of permission rules, shall be described in greater detail hereinbelow.
[053] In accordance with some embodiments of the present invention, a shared secret may be a unique encryption key and/or any similar shared secret(s) known in the present or yet to be devised in the future.
[054] In accordance with some embodiments of the present invention, each end node 20, 30 and 40 within the internal network 10 may include a traffic control driver 100A, 100B and 100C, respectively. Each of the traffic control drivers 100A-100C may be adapted to authenticate communications within the internal network 10. In accordance with some embodiments of the present invention, as part of authenticating a certain communication, the traffic control drivers 100A-100C may be adapted to authenticate the data that is about to be transmitted, the received data, and the interactions between the entity(s) and the communication applications 62 and 32 which are intended to generate the communication. The authentication of the communications shall be described below.
[055] Each traffic control driver 100A-100C may be associated with one or more shared secrets. For example, each traffic control driver 100A-100C may include data relating to one or more shared secrets, or may include an actual copy of the one or more shared secrets with which it is associated. In accordance with some embodiments of the present invention, each traffic control driver 100A-100C may be associated with one or more shared secrets which are correlated with a group (one or more) of permission rules which relate to the end node with which the traffic control driver is associated. For example, each traffic control driver 100A-100C may be associated with one or more shared secrets which are correlated with a group (one or more) of permission rules which relate to one or more entities with which that end node is associated; and/or to one or more applications with which that end node is associated; and/or to any other parameter or characteristic which may be used to define one or more of the permission rules with which that end node is associated.
[056] In accordance with some embodiments of the present invention, each traffic control driver 100A-100C may be adapted to authenticate communications within the network 10 in accordance with the shared secrets with which it is associated. In accordance with some embodiments of the present invention, whenever a certain end node 20, 30 and 40 is involved in a communication, the traffic control driver 100A-100C associated with that end node 20, 30 and 40 may authenticate the communication using the shared secret which is correlated with the permission rule which applies to that communication. In accordance with further embodiments of the present invention, as part of authenticating a communication within the network in accordance with the shared secret with which the communication is associated, the traffic control drivers 100A-100C may be adapted to authenticate each packet of the communication.
The traffic control drivers 100A-100C may be adapted to authenticate each packet independently from any of the other packets of the communication. The term communication as used herein includes the utilization of the communication application to generate the communication, the transmission of the communication and the receipt of the communication.
[057] In accordance with one exemplary embodiment of the present invention, in case that user A 22 instructs communication application A 62 to generate a communication and to transmit the communication to device B 36, the traffic control driver 100A installed on end node 20, with which user A 22 is associated, may check which permission rule applies to this scenario. Once the traffic control driver 100A determines which permission rule applies to this scenario, the traffic control driver 100A may determine which shared secret is correlated with this permission rule and may use that shared secret to authenticate the communication. As part of authenticating the communication, the traffic control driver 100A may authenticate the outgoing communication generated by application A 22 and intended for device B 32. When the authenticated communication is received at end node 30, the traffic control driver 100B of end node 30 may check which permission rule applies to this scenario (a communication initiated by user A 24 and generated by communication application A 22 which is intended for device 36). It should be noted that the permission rule in end node 20 is not necessarily the one in end node 30, since the permission rule may not be symmetric. Once the traffic control driver 100B determines which permission rule applies to this scenario, the traffic control driver may determine which shared secret is correlated with this permission rule and may use that shared secret to authenticate the communication.
[058] In case that the permission rule which applies to a certain communication is defined by additional parameters or characteristics beyond the entities involved in the communication and the application utilized to generate the communication, the relevant traffic control driver may be adapted to authenticate the communication only if the communication complies with the additional characteristics or parameters.
[059] For example, in case that user A 22 instructs communication application A 62 to generate a communication and to transmit the communication to device B 36, the traffic control driver 100A installed on end node 20, with which user A 22 is associated, may check which permission rule applies to this scenario. Let us assume that the traffic control driver 100A determines that a permission rule for communications between user A and device B, wherein user A utilized communication application A 62 to generate the communication, exists, but that the permission rule additionally indicates that the communications must be associated with a specific communication protocol. In this case, the traffic control driver 100A-100C may check one or more of the following: whether user A 22 intends to utilize communication application A 62 in order to generate a communication which is associated with the specific protocol; and whether the communication generated by communication application A 62 is associated with the specific protocol. In accordance with some embodiments of the present invention, the traffic control driver 100A may be adapted to allow the transmission only if it is satisfied that the outgoing transmission is associated with the specific communication protocol. It should be noted that in accordance with some embodiments of the present invention, the traffic control driver 100A may also be adapted to deny user A 22 from utilizing application A 62 to generate the communication if it determines that user A does not intend to utilize the communication application A 62 in order to generate a communication which is associated with the specific protocol.
[060] Furthermore, when the communication arrives at the traffic control driver 100B of end node 30 en route to the entity associated with device B 36, the traffic control driver 100B may check which permission rule this transmission should be in compliance with. In case that the permission rule determined to be the one with which the communication should be in compliance indicates that the incoming transmission must be associated with a certain communication protocol, then, providing that all the other conditions are met, the traffic control module 100B may be adapted to allow the transmission to be received at device B 36 only if the transmission is associated with that specific protocol.
[061] In accordance with some embodiments of the present invention, each of the traffic control drivers 100A-100C may be adapted to deny any communication which is not authenticated. In accordance with further embodiments of the present invention, the traffic control driver 100A-100C may be adapted to deny any transmission of a communication which is not authenticated, any receipt of a communication which is not authenticated and/or any other activity associated with a communication, including but not limited to, the utilization of a communication application to generate a communication, which is not authenticated.
[062] However, in accordance with some embodiments of the present invention, one or more permission rules may be defined and implemented in the internal communication network 10 with which none of the shared secrets is correlated. In accordance with further embodiments of the present invention, a group of default permission rules may be defined and implemented in the internal network with which none of the shared secrets is associated. Each of the default permission rules in the group of default permission rules may be configured to indicate that any communication within the internal network which is in accordance with that permission rule, and which is not in accordance with any of the permission rules with which one of the shared secrets is correlated, is allowed, but none of the shared secrets may be correlated with these communications. In accordance with yet further embodiments of the present invention, no more than one default permission rule may be defined and implemented in the internal communication network 10 with which none of the shared secrets is correlated. The default permission rule with which none of the shared secrets is correlated may be configured to indicate that any communication within the internal network which is not associated with any of the other permission rules is allowed, but none of the shared secrets may be correlated with such a default permission rule. It should be noted that, since a default permission rule may be a negative rule in nature, the default permission rule may not be limited in definition and/or in application to any one or more specific entities and/or to any one or more specific communication applications and/or to any other specific parameter and/or characteristic, although such limitations may apply in some cases.
[063] In accordance with some embodiments of the present invention, one or more of the traffic control drivers 100A-100C may be adapted to allow only authenticated communications, unless an unauthenticated communication is in compliance with one of the permission rules with which none of the shared secrets is correlated, for example, a default permission rule. In accordance with yet further embodiments of the present invention, one or more of the traffic control drivers 100A-100C may be adapted to allow authenticated communications, and may deny any unauthenticated communication, unless the unauthenticated communication is associated with one or more specific permission rules with which none of the shared secrets is correlated. It should be noted that one or more of the traffic control drivers may allow some unauthenticated communications which are associated with certain permission rules with which none of the shared secrets is associated, while denying unauthenticated communications which are not associated with any permission rule.
[064] Those of ordinary skill in the art may appreciate that unauthenticated communications may be substantially less secure and safe than authenticated communications.
[065] Those of ordinary skill in the art may appreciate that by implementing some embodiments of the present invention, an internal communication network may be virtually partitioned into a plurality of trusted virtual networks or trusted virtual zones, wherein each trusted virtual network is associated with a specific shared secret, such that within each trusted virtual network all the communications are authenticated using the shared secret with which that trusted virtual network is associated. If we consider that each shared secret is associated with a group of permission rules and that each permission rule is configured to indicate which communications are allowed in accordance with that permission rule, it may be evident that by allowing only authenticated communications within the trusted virtual network, it may be possible to substantially ensure that only communications which are in compliance with one of the permission rules which are associated with the shared secret with which a certain trusted virtual network is associated are allowed within that trusted virtual network.
[066] It would be further appreciated by those of ordinary skill in the art that, in accordance with some embodiments of the present invention, an untrusted virtual network or zone may also be included in the internal communication network in addition to the trusted virtual networks, wherein the untrusted virtual network may be associated with one or more permission rules defined and implemented in the internal network with which none of the shared secrets is correlated; for example, the untrusted virtual network may be associated with one or more default permission rule(s).
Thus, while within the virtual trusted network only authenticated communications are allowed, within the untrusted virtual network unauthenticated communications may also be allowed, so long as the communications are in compliance with one or more permission rules defined and implemented in the internal network, with which none of the shared secrets is correlated.
[067] It should be noted by those of ordinary skill in the art that by defining and implementing a default permission rule with which none of the shared secrets is correlated, and which is configured to indicate that any communication within the internal network which is not associated with any of the other permission rules is allowed but none of the shared secrets may be correlated with such default permission rule, it may be possible to place each communication within the internal network in one of the virtual networks (trusted or untrusted). For example, in accordance with some embodiments of the present invention, a certain communication may either be associated with one of the trusted virtual networks, in case that the communication is associated with one of the permission rules with which one of the shared secrets is associated, or that communication may be associated with the untrusted virtual network, in case that the communication is not associated with any of the permission rules and is associated with one of the default permission rules. As mentioned above, there may be more than one default permission rule, or there may be only one global default permission rule which may relate to any communication which is not associated with any of the other permission rules.
[068] Those of ordinary skill in the art may appreciate that communications within the trusted virtual networks may be substantially more secured and safe than communications within the untrusted communications network.
[069] Reference is now made to FIG. 2, which is a graphical illustration of an internal communication network partitioned into a plurality of trusted virtual networks and one untrusted virtual network, in accordance with some embodiments of the present invention. In the embodiment shown in FIG. 2, the internal network 10 is partitioned into trusted virtual networks 110, 120 and 130 and an untrusted virtual network 140. In accordance with some embodiments of the present invention, each of the trusted virtual networks 110, 120 and 130 may be associated with a certain shared secret, and communications within each of the trusted virtual networks 110, 120 and 130 may be authenticated using the shared secret with which that trusted virtual network may be associated. In accordance with further embodiments of the present invention, the untrusted virtual network 140 may be associated with a default permission rule, as discussed above, and may not be associated with any shared secret. Communication within the untrusted virtual network may be unauthenticated.
[070] It should be noted that in accordance with some embodiments of the present invention, a single end node can be (and typically is) associated with more than one network zone; for example, different entities on the end node may be associated with different virtual networks or zones. Furthermore, in accordance with further embodiments of the present invention, a single entity may also be associated with more than one virtual network zone. This may be the case, for example, when a first permission rule which is associated with a certain entity and relates to communications between that entity and a first group of entities is correlated with a first shared secret, and a second permission rule which is associated with the same entity and relates to communications between that entity and a second group of entities is correlated with a second shared secret.
[071] As discussed above, each of the trusted virtual networks 110, 120 and 130 may be associated with a shared secret and each of the shared secrets may be correlated with a certain group of permission rules, wherein each permission rule may be configured to indicate at least which one or more entities may be allowed to utilize one or more of the communication applications to connect to one or more other entities. In accordance with some embodiments of the present invention, a communication which is in compliance with one of the permission rules with which one of the shared secrets is correlated may be within the trusted virtual network which is associated with that shared secret.
[072] For example, the first trusted virtual network 110 may be associated with a certain shared secret which is correlated with a group of permission rules which are typical of extranet communications. For example, one of the permission rules may be configured to indicate that one or more specific entities 114, for example, one or more network devices having an IP address which is included in a predefined list, are allowed to use a specific communication application, for example, a web browser, to generate communications in accordance with the HTTP protocol only, in order to connect to a specific entity 112, for example, a dedicated extranet server. Another exemplary permission rule, which may be associated with the shared secret with which the first virtual network is associated, may be configured to indicate that a certain entity 112, for example the dedicated extranet server, may be allowed to utilize one or more applications, for example, any application, in order to generate communications to connect to one or more specific entities 114, for example, to one or more network devices having an IP address which is included in a predefined list.
[073] In accordance with another exemplary embodiment of the present invention, the second trusted virtual network 120 may be associated with a certain shared secret which is correlated with a group of permission rules which are typical of email communications. For example, one of the permission rules may be configured to indicate that one or more specific entities 122 and 124, for example, one or more network devices having an IP address which is included in a predefined list associated with that permission rule and a mail server, are allowed to utilize one or more specific communication applications, for example a mail server application or a mail client application, in order to connect to one or more of the other specific entities 124 and 122. Those of ordinary skill in the art may appreciate that this rule is symmetric and may apply both to communications from the mail server 122 (utilizing the mail server application) to any one of the specific network devices 124, and to communications from any one of the specific network devices 124 (utilizing the mail client application) to the mail server 122.
[074] It should be noted that in accordance with some embodiments of the present invention, in case that two or more communications are associated with two or more different permission rules which are associated with the same shared secret, these two or more communications may be authenticated using the same shared secret and may be within the same trusted virtual network. Additionally, it should be noted by those of ordinary skill in the art that a certain end node, and more specifically, certain entities, may be associated with communications which may be within more than one virtual network and within more than one trusted virtual network.
[075] As discussed above, the untrusted virtual network 140 may be associated with a default permission rule with which none of the shared secrets is associated. The default permission rule may be a negative rule in nature and may not relate to any one or more specific entities or to any one or more specific communication applications, although, as also mentioned above, in accordance with other embodiments of the present invention, other default rules may relate to one or more specific entities and/or to one or more specific communication applications.
[076] Reference is now made to FIG. 3, which is a block diagram illustration of a traffic control driver in accordance with some embodiments of the present invention. In accordance with some embodiments of the present invention, the traffic control driver 100 may include a traffic control database 1020 and a traffic control module 1010. For illustration purposes, we assume that the traffic control driver shown in FIG. 3 and described herein is associated with end node 20; however, each of the end nodes (one or more and possibly all) within the internal network 10 may be associated with a traffic control driver.
[077] In accordance with some embodiments of the present invention, the traffic control database 1020 may include one or more shared secret entries. Each of the shared secret entries may include data relating to a specific group of permission rules. Each group of permission rules may be comprised of one or more specific permission rules. In accordance with some embodiments of the present invention, each of the permission rules may be adapted to indicate which one or more entities are allowed to utilize one or more of the communication applications to connect to one or more other entities.
[078] Reference is now additionally made to FIG. 4, which is an illustration of some database entries which may be included in a certain traffic control database, in accordance with some embodiments of the present invention. As can be seen in the embodiment shown in FIG. 4, each traffic control database 1020 may include a plurality of shared secret entries K1-Kn. The traffic control database 1020 may further include, for each of the shared secret entries, one or more permission rule records.
[079] In accordance with some embodiments of the present invention, each permission record may include data relating to the entities, the communication applications and any other characteristic or parameter to which the permission rule relates. Various types of permission rules which are configured to indicate which entities are allowed to utilize one or more communication applications to communicate with one or more entities, as well as other parameters or characteristics which should be associated with permitted communications, are well known in the art. Any such suitable permission rules may be used as part of some embodiments of the present invention. Furthermore, the present invention is not limited to the use of any particular identifier for specifying which entities, which communication application or which additional parameters or characteristics are associated with a certain permission rule; rather, each of the entities or the communication applications or the parameters or characteristics may be specified using any identifier known in the present or yet to be devised in the future. In accordance with further embodiments of the present invention, each permission rule record in the traffic control database may further include data relating to whether that rule applies to traffic in one direction only (input or output) or whether that permission rule is symmetric and applies to traffic in both directions.
[080] In accordance with some embodiments of the present invention, each traffic control database 1020 may include data relating to one or more shared secrets, wherein each of the shared secrets included in a certain traffic control database may be correlated with a permission rule (one or more) which relates to one or more entities which are associated with the end node 20 with which the traffic control database 1020 is associated. For example, if we refer back to FIG. 4, each of the shared secrets entries may be correlated with a permission rule (one or more) which relates to one or more entities which are associated with the end node 20 with which the traffic control database 1020 is associated.
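The following is an added example, not code from the patent, modelling in Python the procedure of paragraphs [057]-[063] and the FIG. 4 database layout: a per-node traffic control database of shared secret entries K1-Kn with permission rule records (including the direction flag of [079]), a driver that tags each outgoing packet with an HMAC under the shared secret of the matching rule and verifies it on receipt, and an untagged "untrusted zone" path for the default rule. The class and field names, the use of HMAC-SHA256 as the authentication primitive, and all sample entities, secrets and payloads are assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """Permission rule record; None means "any" for that field, so the default
    rule of the untrusted zone is simply Rule() with every field unset."""
    src: Optional[str] = None        # source entity (user, device or software)
    dst: Optional[str] = None        # destination entity
    app: Optional[str] = None        # communication application used
    protocol: Optional[str] = None   # extra header-derived parameter
    symmetric: bool = False          # True: applies in both directions

    def matches(self, src, dst, app, protocol):
        forward = self.src in (None, src) and self.dst in (None, dst)
        reverse = self.symmetric and self.src in (None, dst) and self.dst in (None, src)
        return ((forward or reverse) and self.app in (None, app)
                and self.protocol in (None, protocol))

@dataclass
class TrafficControlDatabase:
    """Shared secret entries K1..Kn, each with its group of permission rule
    records, plus an optional default rule correlated with no shared secret."""
    secrets: dict                        # key id -> shared secret bytes
    groups: dict                         # key id -> list of Rule
    default_rule: Optional[Rule] = None

    def find_rule(self, src, dst, app, protocol):
        """Return (key_id, rule) for the first shared-secret rule that applies."""
        for key_id, rules in self.groups.items():
            for rule in rules:
                if rule.matches(src, dst, app, protocol):
                    return key_id, rule
        return None

@dataclass
class Communication:
    src: str
    dst: str
    app: str
    protocol: str
    payload: bytes
    tag: Optional[bytes] = None          # per-packet authentication tag

@dataclass
class TrafficControlDriver:
    """Sits between the communication application and the network interface."""
    db: TrafficControlDatabase

    @staticmethod
    def _tag(secret, c):
        # Each packet is authenticated on its own: the HMAC covers the
        # identities, application, protocol and payload of that packet only.
        header = "|".join([c.src, c.dst, c.app, c.protocol]).encode()
        return hmac.new(secret, header + b"|" + c.payload, hashlib.sha256).digest()

    def _default_allows(self, c):
        d = self.db.default_rule
        return d is not None and d.matches(c.src, c.dst, c.app, c.protocol)

    def outgoing(self, c):
        """Return the communication to transmit (tagged when it falls in a
        trusted virtual network), or None when the driver denies it."""
        hit = self.db.find_rule(c.src, c.dst, c.app, c.protocol)
        if hit is None:                  # untrusted zone, or denied outright
            return c if self._default_allows(c) else None
        c.tag = self._tag(self.db.secrets[hit[0]], c)
        return c

    def incoming(self, c):
        """Deliver only if the tag verifies under the shared secret of the rule
        that applies at this end node, or the default rule covers it."""
        hit = self.db.find_rule(c.src, c.dst, c.app, c.protocol)
        if hit is None:
            return self._default_allows(c)
        if c.tag is None:
            return False
        return hmac.compare_digest(self._tag(self.db.secrets[hit[0]], c), c.tag)

def scenario():
    """Constructed sample: user A on end node 20 uses a web browser to reach
    device B (a CRM server) on end node 30, HTTP only, under shared secret K1."""
    k1 = b"constructed-shared-secret-K1"
    http_rule = Rule("user A", "device B", "web browser", "HTTP")
    node20 = TrafficControlDriver(TrafficControlDatabase({"K1": k1}, {"K1": [http_rule]}, Rule()))
    node30 = TrafficControlDriver(TrafficControlDatabase({"K1": k1}, {"K1": [http_rule]}))
    http = node20.outgoing(Communication("user A", "device B", "web browser", "HTTP", b"GET /crm"))
    ftp = node20.outgoing(Communication("user A", "device B", "web browser", "FTP", b"LIST"))
    tampered = Communication(**{**http.__dict__, "payload": b"GET /admin"})
    return {
        "http_tagged": http.tag is not None,          # trusted zone, authenticated
        "http_accepted_at_30": node30.incoming(http),
        "ftp_sent_untagged": ftp is not None and ftp.tag is None,  # untrusted zone at 20
        "ftp_accepted_at_30": node30.incoming(ftp),   # no default rule at 30: denied
        "tampered_accepted_at_30": node30.incoming(tampered),
    }
```

Because end node 30 carries no default rule, the FTP communication that end node 20 let out unauthenticated is dropped on arrival, which is the asymmetry between the two nodes' rule sets that paragraph [057] points out.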
[081] In accordance with some embodiments of the present invention, the traffic control module 1010 may be adapted to authenticate communications within the internal network 10. In accordance with further embodiments of the present invention, the traffic control module 1010 may be adapted to control the outgoing traffic generated by any of the communication applications associated with end node 20 on which the traffic control driver 10 is installed. In accordance with further embodiments of the present invention, the traffic control module 1010 may be adapted to control the incoming traffic arriving at the end node 20 on which the traffic control driver 100 is installed.
[082] For example, in accordance with some embodiments of the present invention, the traffic control driver 100 may be operatively connected to the end node's communication subsystem, commonly a network interface card (not shown), which handles all the incoming and outgoing communications arriving to or being transmitted out of the end node with which the communication subsystem and the traffic control driver 1010 are associated. In another example, in accordance with some embodiments of the present invention, the traffic control driver 100 may be operatively connected to the operating system, for example, using a kernel hook. It should be noted that the above description relates to only two exemplary implementations in accordance with some embodiments of the present invention. Other embodiments of the present invention may otherwise enable the traffic control driver, and specifically the traffic control module, to intercept incoming and/or outgoing communications arriving to or being transmitted out of the end node on which the traffic control driver is installed.
[083] It should be noted that though, for purposes of clarity of the description, the communication subsystem and the host with which the communication subsystem is associated, may be described or it may be implied by a description in the specification or in the claims that the communication subsystem and the host or end node are separate form one another, the present invention is not limited in this respect, and in fact, often, the communication subsystem may be an integral part of the host or end node with which it is associated, and the driver in such cases may be adapted to intercept the communication within the host or end node.
[084] A description of various exemplary implementations of the traffic control driver in relation to the communication subsystem, in accordance with some embodiments of the present invention, shall be provided hereinbelow with reference to FIG. 5.
[085] In accordance with further embodiments of the present invention, the traffic control module 1010 may be adapted to control each incoming and each outgoing communication which is about to be received in the end node 20 or which is about to be transmitted out of the end node 20. In accordance with further embodiments of the present invention, the traffic control module 1010 may be adapted to allow or deny each incoming communication from being received by the end node 20 with which it is associated, and to allow or deny any outgoing communication from being transmitted out of the end node 20 with which it is associated. [086] In accordance with further embodiments of the present invention, the traffic control module 1010 may be adapted to intercept any communication exchanged between the end node 20 and its communication subsystem. For example, in accordance with some embodiments of the present invention, whenever a communication is generated by a communication application running on an end node 20 on which the traffic control driver 100 and the traffic control module 1010 are installed, the traffic control module 1010 may be adapted to intercept the communication while it is en route from the communication application to the communication subsystem, and in accordance with further embodiments of the present invention, whenever a communication is received at the communication subsystem of the end node 20, the traffic control module 1010 may be adapted to intercept the communication before it is delivered from the communication subsystem to the host or end node 20 itself.
[087] In accordance with further embodiments of the present invention, whenever the traffic control module 1010 intercepts a communication that is intended to be transmitted out of the end node 20 and is en route from the host or end node 20 to the communication subsystem, or whenever the traffic control module 1010 intercepts a communication that has been received by the communication subsystem and is en route to the end node 20 or host, the traffic control module 1010 may be adapted to extract out of the intercepted communication: data relating to the application which was used to generate the communication; data relating to the source entity, i.e. the entity which utilized the application in order to generate the intercepted communication; data relating to the destination entity, i.e. the entity which is intended to receive the intercepted communication; and additional data relating to further characteristics or parameters with which the intercepted communication is associated, for example the communication protocol with which the intercepted communication is associated.
[088] In accordance with some embodiments of the present invention, the data may be extracted out of a header portion included in or associated with the communication. However, some embodiments of the present invention are not limited in this respect and the data may be otherwise obtained from any available source and in accordance with any process known in the present or yet to be devised in the future. An example of an exemplary process of extracting data from a header portion of an intercepted communication shall be provided below.
[089] In accordance with some embodiments of the present invention, once the data is extracted from the communication, the traffic control module 1010 may check the traffic control database 1020 to determine whether there is a permission rule associated with the intercepted communication. In accordance with further embodiments of the present invention, as part of this check, the traffic control module 1010 may be adapted to look for a permission rule which relates to a communication generated by the same communication application which was used to generate the intercepted communication, utilized by the same entity which utilized that application as part of the generation of the intercepted communication, and intended to be received by the same entity which is the destination of the intercepted communication. It should be noted that in case the appropriate permission rule relates to additional parameters or characteristics, the traffic control module 1010 may in addition check that the intercepted communication is in compliance with these (one or more) characteristics or parameters. It should also be noted that if, in some case, more than one permission rule is applicable to a certain intercepted communication, then the more specific permission rule may be selected, for example.
[090] In accordance with some embodiments of the present invention, if the traffic control module 1010 determines that the intercepted communication is in compliance with one of the permission rules in the traffic control database 1020, the traffic control module 1010 may check the traffic control database 1020 to determine with which shared secret that permission rule is correlated. In accordance with some embodiments of the present invention, once the traffic control module 1010 has determined with which permission rule the intercepted communication is in compliance, and with which shared secret that permission rule is correlated, the traffic control module may be adapted to authenticate the communication using the shared secret with which the permission rule is correlated. The authentication of the communication shall be discussed in greater detail hereinbelow.
[091] In accordance with further embodiments of the present invention, if however the traffic control module 1010 determines that the intercepted communication is not in compliance with any of the permission rules in the traffic control database 1020, the traffic control module 1010 may deny the communication from being transmitted out of, or from being received in, the end node 20 or the host with which it is associated. For example, in case the intercepted communication is an outgoing communication, the traffic control module 1010 may be adapted to prevent the intercepted communication from proceeding to the communication subsystem, and may thus prevent the communication from arriving at the communication subsystem and from being transmitted out of the host or end node 20; in case the intercepted communication is an incoming communication, the traffic control module 1010 may be adapted to prevent the intercepted communication from proceeding into the host or end node 20, for example to the entity that is the intended recipient of the communication. As mentioned above, the entity which is the intended recipient of the communication may be a device, a user or software associated with the end node 20 on which the traffic control driver 100 is installed.
[092] In accordance with some embodiments of the present invention, in case the traffic control module 1010 determines that the intercepted communication is in compliance with one of the permission rules in the traffic control database 1020 but does not find any shared secret correlated with that permission rule, or in case the traffic control module 1010 checks the traffic control database 1020 and determines that the intercepted communication is in compliance with a default permission rule which is not correlated with any of the shared secrets, the traffic control module 1010 may allow the communication to proceed to its destination, but may treat the communication as an "untrusted communication" and may, for example, not authenticate the communication or otherwise discriminate it in comparison to a communication which is in compliance with a permission rule that is correlated with one of the shared secrets. In accordance with other embodiments of the present invention, in case the traffic control module 1010 determines that the intercepted communication is not in compliance with any permission rule, or in case it determines that the intercepted communication is in compliance with a certain permission rule but that none of the shared secrets in the traffic control database 1020 of the traffic control driver 100, of which the traffic control module 1010 is part, is correlated with that permission rule, the traffic control module 1010 may be adapted to deny the communication from being transmitted out of, or from being received in, the end node 20 or the host with which it is associated.
[093] In accordance with some embodiments of the present invention, the traffic control driver 100, and specifically the traffic control module 1010, may be adapted to intercept each packet of each communication which is intended to be exchanged between the host or end node 20 and the host's communication subsystem, before it reaches its destination (the communication subsystem when the packet is part of an outgoing communication, and the host or end node when the packet is part of an incoming communication). The processes of determining which (if any) permission rule relates to a certain communication; determining which shared secret (if any) is correlated with that permission rule; authenticating the intercepted communication; and allowing the intercepted communication to proceed to its destination or preventing it from doing so, which were described above with reference to a "communication", may also be handled at the packet level. It should be noted that in this context the term "packet" may be interchanged with the term "communication". [094] Those of ordinary skill in the art may appreciate that some or, in some cases, all of the data which may be required to perform the above operations, processes or procedures may be available within each packet of a communication. For example, some or all of the data referred to above may be found in the header portion of the packet. However, it should be noted that the present invention is not limited to collecting the data necessary for performing one or more of the processes, procedures or functions which may be part of some embodiments of the present invention solely from the packets or from the communication.
Rather, in accordance with some embodiments of the present invention, in addition to retrieving some of the data necessary to perform one or more of the processes, procedures or functions which may be part of some embodiments of the present invention from the packet or from the communication, the traffic control driver 100, and specifically the traffic control module 1010, may be adapted to collect the data from sources other than the communication or the packet itself, including but not limited to the entity which is the intended recipient of the communication or the packet (for example, the software, the user or the device which is the intended recipient). In accordance with some embodiments of the present invention, in order to be capable of obtaining that data, the traffic control module 1010 may be adapted to monitor the processing of each packet as well as the operation of users and software (or entities in general), for example the entities which are the intended recipients of the communication or packet. In accordance with further embodiments of the present invention, a suitable hook may be implemented to enable the traffic control module 1010 to obtain the information, for example information relating to one or more entities and, in a more specific example, information relating to one or more entities which are the intended recipients of the communication or the packet. [095] In accordance with some embodiments of the present invention, the traffic control driver 100 and the traffic control module 1010 may be adapted to collect some or all of the data necessary for performing the above processes from each packet, and thus these operations or processes may take place at the packet level. Described below is one example of a process of authenticating a packet, in accordance with some embodiments of the present invention.
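The rule lookup and the three-way outcome described in [089] to [092] (deny; allow as an untrusted communication; authenticate with the correlated shared secret), as an added example that is not code from the patent. It models a traffic control database 1020 as a list of permission rules plus the shared secrets the end node holds, and also shows how a central traffic management module 72 might select the rules relevant to one end node ([0101]), which the specification describes only in prose. The rule fields, the "*" wildcard, the most-specific-rule tie-break and the `strict` switch choosing between the two behaviours of [092] are assumptions of this example.

```python
"""Permission-rule lookup for a traffic control database (added example, not patent code).

A permission rule relates an application, a source entity, a destination entity and
optionally a protocol to a shared secret.  The field names, the "*" wildcard and the
strict/untrusted switch are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "*"                      # wildcard: the rule does not constrain this field
FIELDS = ("application", "source", "destination", "protocol")


@dataclass(frozen=True)
class PermissionRule:
    application: str           # communication application that generated the traffic
    source: str                # entity that utilised the application
    destination: str           # entity intended to receive the communication
    protocol: str = ANY        # additional characteristic ([087]), e.g. "tcp"
    secret_id: Optional[str] = None   # shared secret the rule is correlated with, if any

    def matches(self, comm: dict) -> bool:
        """True when every constrained field of the rule equals the extracted datum."""
        return all(getattr(self, f) in (ANY, comm[f]) for f in FIELDS)

    def specificity(self) -> int:
        """Number of constrained fields; used to prefer the more specific rule ([089])."""
        return sum(getattr(self, f) != ANY for f in FIELDS)

    def relates_to(self, entities) -> bool:
        """Does the rule relate to an entity hosted on a given end node ([0101])?
        Rules with a wildcard endpoint are relevant to every node."""
        ends = {self.source, self.destination}
        return ANY in ends or bool(ends & set(entities))


def rules_for_end_node(all_rules, entities):
    """Central traffic management module 72 selecting the rules one agent 1060 needs."""
    return [r for r in all_rules if r.relates_to(entities)]


@dataclass
class TrafficControlDatabase:
    rules: list                 # PermissionRule entries provisioned for this end node
    secrets: dict               # secret_id -> shared secret bytes held by this node

    def find_rule(self, comm: dict) -> Optional[PermissionRule]:
        candidates = [r for r in self.rules if r.matches(comm)]
        if not candidates:
            return None
        # Several rules may apply; the more specific one is selected ([089]).
        return max(candidates, key=PermissionRule.specificity)


def decide(db: TrafficControlDatabase, comm: dict, strict: bool = False):
    """Classify an intercepted communication.

    Returns (verdict, secret_id) with verdict one of:
      "deny"          no permission rule applies ([091]) or, in strict mode,
                      the rule has no usable shared secret ([092], second variant)
      "untrusted"     a rule applies but no shared secret is correlated with it;
                      the communication proceeds unauthenticated ([092], first variant)
      "authenticate"  a rule applies and is correlated with a shared secret this
                      node holds; the packet is to be signed or verified ([090])
    """
    rule = db.find_rule(comm)
    if rule is None:
        return "deny", None
    if rule.secret_id is None or rule.secret_id not in db.secrets:
        return ("deny", None) if strict else ("untrusted", None)
    return "authenticate", rule.secret_id


# --- constructed sample data (not from the patent) --------------------------------
CENTRAL_RULES = [
    PermissionRule("smb", "alice", "fileserver", "tcp", secret_id="hr-secret"),
    PermissionRule(ANY, ANY, "fileserver", ANY, secret_id="fs-secret"),   # broader rule
    PermissionRule("ssh", "bob", "buildbox", "tcp", secret_id="eng-secret"),
    PermissionRule("http", ANY, "intranet", ANY),                         # default, untrusted
]

# the database of an end node hosting the entities "alice" and "fileserver"
NODE_DB = TrafficControlDatabase(
    rules=rules_for_end_node(CENTRAL_RULES, entities={"alice", "fileserver"}),
    secrets={"hr-secret": b"k1", "fs-secret": b"k2"},
)

if __name__ == "__main__":
    comm = {"application": "smb", "source": "alice", "destination": "fileserver", "protocol": "tcp"}
    print(decide(NODE_DB, comm))    # ('authenticate', 'hr-secret')
```

The `strict` flag is the practical decision the specification leaves open: in the permissive mode a matching rule with no secret yields an untrusted but allowed communication, in the strict mode it is denied like an unmatched one.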
[096] In accordance with some embodiments of the present invention, as part of authenticating an intercepted packet (or communication), the traffic control module 1010 may be adapted to digitally sign each intercepted outgoing packet which is in compliance with a permission rule that is correlated with a shared secret, using the shared secret with which that permission rule is correlated, and in accordance with some embodiments of the present invention, the traffic control module 1010 may be adapted to verify the digital signature with which an incoming packet is signed, using the shared secret which is correlated with the permission rule with which the incoming packet complies. Each shared secret may be uniquely associated with one or more digital signatures or with a range of digital signatures. It should be noted that because the signing side and the verifying side use the same shared secret, such a "digital signature" is, strictly speaking, a message authentication code; the term is retained here as used throughout the specification.
[097] Various methods and techniques of digitally signing a packet using a certain shared secret, and of verifying the digital signature with which a certain packet is signed using the shared secret with which the digital signature is associated, are known in the art. Such methods or techniques may include, for example but not limited to, MAC constructions such as HMAC, built over a hash function such as MD5 or SHA-1. It should be noted that a bare hash such as MD5 on its own binds nothing to the shared secret and therefore provides no authentication; it is only useful as the underlying hash inside a keyed construction such as HMAC. It should further be noted that the present invention is not limited to the use of any one particular method or technique of digitally signing a packet using a certain shared secret and of verifying that signature. Rather, in accordance with some embodiments of the present invention, any suitable method or technique of signing a packet using a certain shared secret and of verifying the resulting signature using that shared secret may be used as part of some embodiments of the present invention. [098] In accordance with some embodiments of the present invention, the permission rules, the shared secrets and the digital signatures may be manually configured, for example by a system administrator. The permission rules, the shared secrets and the digital signatures may be manually input to each traffic control database 1020, such that each traffic control database includes all the permission rules which are relevant to the end node 20 on which the traffic control driver 100 containing that traffic control database is installed, the shared secret associated with each of the permission rules, and the digital signature to be used to authenticate each communication which is associated with one of the shared secrets.
However, in accordance with further embodiments of the present invention, the permission rules, the shared secrets and the digital signatures may be automatically configured.
[099] Referring back to FIG. 1, each internal network 10 may include, for example, a central traffic management module 72. In accordance with further embodiments of the present invention, each of the traffic control drivers 100 may include a traffic management agent 1060 (for example, a traffic management agent application). The traffic management module 72 may be operatively connected to each of the traffic management agents 1060. [0100] In accordance with some embodiments of the present invention, the traffic management module 72 may be adapted to automatically generate permission rules. In accordance with further embodiments of the present invention, the traffic management module may be adapted to generate the permission rules in accordance with one or more of the following: predefined logic; existing permission rules; dynamic analysis of the operation of the system (for example, as part of an initialization process); manually configured permission rules; and any other suitable means. The traffic management module 72 may include all the rules which are applicable to any end node (and entity) within the internal network. The rules may be defined and generated only during a predetermined initialization process, or may be continuously and dynamically generated during the operation of the internal network, in response to various events and actions or in response to manual intervention.
[0101] In accordance with some embodiments of the present invention, the traffic management module 72 may be adapted to distribute the permission rules to the traffic management agents 1060. In accordance with some embodiments of the present invention, the traffic management module 72 may be adapted to provide each traffic management agent 1060 with the permission rules which relate to one or more of the entities associated with the end node on which the traffic control driver 100 containing that traffic management agent 1060 is installed. In accordance with further embodiments of the present invention, in case the permission rules are continuously and dynamically generated at the traffic management module 72, whenever a new permission rule is generated or an existing rule is modified or deleted, the traffic management module 72 may be adapted to update as necessary each relevant traffic management agent 1060 which is associated with the newly generated, modified or deleted permission rule.
[0102] In accordance with some embodiments of the present invention, within each traffic control driver 100, each traffic management agent 1060 may be operatively connected to the traffic control database 1020. In accordance with further embodiments of the present invention, the traffic management agent 1060 may be adapted to provision the traffic control database 1020 with the permission rules which are associated with the end node 20 with which the traffic control driver 100 is associated, and may cause the traffic control database 1020 to add, modify or delete the appropriate entries relating to the various permission rules and/or the relevant records associated with each entry.
[0103] In accordance with some embodiments of the present invention, the internal communication network may further include a key management module 74. The key management module 74 may be adapted to automatically generate shared secrets and to determine which permission rules are to be correlated with each shared secret. The key management module 74 may also be adapted to generate one or more keys which are suitable for generating digital signatures, or alternatively may be adapted to generate one or more keying rules in accordance with which one or more keys may be generated, such that each key or group of keys generated (either directly or in accordance with one of the key generation rules) is uniquely associated with a particular shared secret.
[0104] In accordance with some embodiments of the present invention, one or more of the traffic control drivers 100 may include a key management agent 1050. In accordance with some embodiments of the present invention, the key management module 74 may be operatively connected to each of the key management agents 1050. In accordance with further embodiments of the present invention, the key management module 74 may be adapted to distribute the shared secrets and the keys to the appropriate key management agents 1050. In accordance with some embodiments of the present invention, the key management module 74 may be adapted to distribute to each key management agent 1050 the shared secrets and the keys which are associated with one of the entities on the end node 20 with which the traffic control driver 100 containing that key management agent 1050 is associated. In accordance with further embodiments of the present invention, in case the authentication keys and/or permission rules, and consequently the shared secrets, are continuously and dynamically generated, modified or deleted, the key management module 74 may be adapted to update as necessary each relevant key management agent 1050 which is associated with the newly generated, modified or deleted key and/or shared secret and/or permission rule.
[0105] In accordance with some embodiments of the present invention, within each traffic control driver 100, each key management agent 1050 may be operatively connected to the traffic control database 1020. In accordance with further embodiments of the present invention, the key management agent 1050 may be adapted to provision the traffic control database 1020 with the shared secrets which are associated with each of the permission rules in the traffic control database 1020. In accordance with further embodiments of the present invention, the key management agent 1050 may also provision the traffic control database with the keys to be used for authenticating a communication associated with a certain shared secret; however, in accordance with other embodiments of the present invention, the keys may not be provisioned to the database 1020, and rather the traffic control module 1010 may be adapted to retrieve the data relating to the authentication keys from the key management agent whenever it is necessary to authenticate a certain communication. The traffic control module 1010 may retrieve the key in accordance with the shared secret with which the communication has been determined to be associated.
[0106] In accordance with some embodiments of the present invention, the traffic control driver 100 may be adapted to associate with, or to include in, each communication which is associated with a certain shared secret a shared secret indicator or index. In accordance with some embodiments of the present invention, whenever a communication is received by one of the traffic control drivers, the communication may be checked to determine whether it includes or is associated with a certain shared secret indicator or index. This technique is sometimes known as a "security association", and may enable faster processing of the digitally signed communication, provided that the shared secret to which the shared secret indicator points is the correct shared secret and that the communication is authenticated successfully. It should be noted that the indicator is a lookup aid only: a receiver must still verify the signature with the indicated secret, and must reject a packet whose indicator names a secret it does not hold or one that differs from the secret correlated with the applicable permission rule.
[0107] In accordance with some embodiments of the present invention, in case security association is used in the internal communication network, each traffic control database may include, in addition to the entries and records discussed above, at least one shared secret indicator record for each shared secret entry in the database. In accordance with further embodiments of the present invention, whenever the traffic control module is authenticating an outgoing communication, the traffic control module may be adapted to associate with the outgoing communication, or include in it, a shared secret indicator which is correlated with the shared secret that has been determined to be correlated with the permission rule with which the outgoing communication is in compliance; and whenever the traffic control module is authenticating an incoming communication, the traffic control module may be adapted to determine with which shared secret indicator the incoming communication is associated or which it includes, and may attempt to authenticate the incoming communication using the shared secret with which that shared secret indicator is correlated. It should be noted that the shared secret indicator may be encapsulated in each packet (for example in the header portion of the packet) as part of the authentication of the packet as described above, and may accordingly be extracted from each authenticated packet.
[0108] Reference is now made to FIG. 5, which is a block diagram illustration of various exemplary implementations of the traffic control driver in accordance with some embodiments of the present invention. In accordance with the first exemplary implementation 302, the traffic control driver 320 may be a hardware interface installed in between the host 310 and the communication subsystem 330 (e.g., NIC). In accordance with the second exemplary implementation 304, the traffic control driver 340 may be implemented in the host, for example as software running on the host and adapted to intercept incoming and outgoing communications. In accordance with the third exemplary implementation 306, the traffic control module 380 may be included in the communication subsystem 390. It should be noted that in accordance with other embodiments of the present invention, the traffic control driver may be otherwise implemented, may be implemented in software and/or hardware, and may be divided between the host and the communication subsystem.
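The per-packet authentication of [096] and [097], combined with the shared secret indicator of [0106] and [0107], as an added example that is not the patent's code. The sending side signs each packet with a key derived from the shared secret correlated with its permission rule and encapsulates the indicator in the header; the receiving side extracts the indicator, selects the secret, verifies the tag in constant time and, as a practitioner's addition the specification does not mention, rejects replays with a per-secret sequence number. The header layout, the HMAC-SHA256 construction, the derivation rule (in the sense of the keying rules of [0103]) and the replay window are assumptions of this example.

```python
"""Per-packet authentication with a shared secret and a shared secret indicator.

Added example, not the patent's code.  Header layout, HMAC-SHA256, the key
derivation rule and the replay check are assumptions of this example.
"""
import hashlib
import hmac
import struct
from typing import Optional

HEADER = struct.Struct("!IQ")           # shared secret indicator (uint32) | sequence number (uint64)
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def signing_key(shared_secret: bytes, indicator: int) -> bytes:
    """Keying rule in the sense of [0103]: derive a signing key uniquely associated
    with one shared secret, so the shared secret itself is never used raw."""
    label = b"packet-auth" + struct.pack("!I", indicator)
    return hmac.new(shared_secret, label, hashlib.sha256).digest()


def tag_for(key: bytes, header: bytes, payload: bytes) -> bytes:
    # The tag covers the header too, so indicator and sequence number cannot be altered.
    return hmac.new(key, header + payload, hashlib.sha256).digest()


class Sender:
    """Outgoing side of traffic control module 1010."""

    def __init__(self, secrets: dict):                 # indicator -> shared secret
        self.keys = {i: signing_key(s, i) for i, s in secrets.items()}
        self.seq = {i: 0 for i in secrets}

    def sign(self, indicator: int, payload: bytes) -> bytes:
        """Encapsulate the indicator and the tag in the packet header ([0107])."""
        self.seq[indicator] += 1
        header = HEADER.pack(indicator, self.seq[indicator])
        return header + tag_for(self.keys[indicator], header, payload) + payload


class Receiver:
    """Incoming side of traffic control module 1010."""

    def __init__(self, secrets: dict):
        self.keys = {i: signing_key(s, i) for i, s in secrets.items()}
        self.last_seq = {i: 0 for i in secrets}

    def verify(self, packet: bytes, expected_indicator: Optional[int] = None) -> Optional[bytes]:
        """Return the payload if the packet authenticates, else None (the packet is denied).

        expected_indicator is the secret correlated with the permission rule the packet
        complies with ([090]); the header's indicator must point to the same secret,
        which is the proviso stated in [0106].
        """
        if len(packet) < HEADER.size + TAG_LEN:
            return None                                   # truncated: no usable header
        header = packet[:HEADER.size]
        indicator, seq = HEADER.unpack(header)
        key = self.keys.get(indicator)
        if key is None:
            return None                                   # indicator names a secret this node lacks
        if expected_indicator is not None and indicator != expected_indicator:
            return None                                   # rule and indicator disagree
        tag = packet[HEADER.size:HEADER.size + TAG_LEN]
        payload = packet[HEADER.size + TAG_LEN:]
        if not hmac.compare_digest(tag, tag_for(key, header, payload)):
            return None                                   # forged or modified packet
        if seq <= self.last_seq[indicator]:
            return None                                   # replayed packet
        self.last_seq[indicator] = seq
        return payload


# constructed secrets for the demonstration; in a deployment they arrive from
# key management module 74 through key management agent 1050
SECRETS = {1: b"hr-shared-secret", 2: b"eng-shared-secret"}

if __name__ == "__main__":
    sender, receiver = Sender(SECRETS), Receiver(SECRETS)
    packet = sender.sign(1, b"hello fileserver")
    print(receiver.verify(packet, expected_indicator=1))   # b'hello fileserver'
    print(receiver.verify(packet))                         # None: same packet replayed
```

Note that this gives integrity, origin authentication and replay detection within a trusted virtual network; it does not provide confidentiality, and a node that is not provisioned with a secret can still see the payload even though it cannot produce a valid tag.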
[0109] While certain features of the invention have been illustrated and described herein, many modifications, substitutions, changes, and equivalents will now occur to those skilled in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the true spirit of the invention.

Claims
1. A system for managing traffic within an internal communication network comprising: a communication application adapted to generate communications in a network; two or more end nodes each end node being associated with one or more entities; at least two of said entities being adapted to utilize the communication application in accordance with a permission rule to generate a communication; and a traffic control driver adapted to authenticate the communication using a secret shared among the at least two entities.
2. A system for managing traffic within an internal communication network comprising: one or more communication applications utilizing the communication network; two or more end nodes, each end node being associated with one or more entities adapted to utilize one or more of the applications only in compliance with permission rules to generate communications, wherein each of said end nodes comprises a traffic control driver adapted to authenticate communications within the network in accordance with one or more shared secrets, each of the shared secrets being associated with a specific group of permission rules.
3. The system according to claim 2, wherein said traffic control driver is adapted to authenticate the communication independently from the operation of each of said one or more communication applications.
4. The system according to claim 3, wherein each shared secret defines a trusted virtual network within which all the communications are authenticated using the shared secret.
5. The system according to claim 4, wherein one or more of the end nodes may be associated with more than one trusted virtual network.
6. The system according to claim 5, wherein one or more of the entities may be associated with more than one trusted virtual network.
7. The system according to claim 6, wherein one or more of the entities may be capable of communicating within more than one trusted virtual network.
8. The system according to claim 4, wherein at least one permission rule is not associated with any of the shared secrets.
9. The system according to claim 8, wherein the at least one permission rule which is not associated with any of the shared secrets constitutes a default permission rule.
10. The system according to claim 9, wherein the at least one permission rule which is not associated with any shared secrets defines an untrusted virtual network.
11. The system according to claim 8, wherein the default permission rule defines an untrusted virtual network.
12. The system according to claim 8, wherein each shared secret defines a trusted virtual network within which all the communications are authenticated using the shared secret, and wherein the default permission rule defines an untrusted virtual network within which the communications are not authenticated.
13. The system according to claim 12, wherein each communication within the internal network is either within the trusted virtual network or within the untrusted virtual network.
14. The system according to claim 13, wherein communications which are not within either the trusted virtual networks or the untrusted virtual network are not allowed within the internal communication network.
15. A method of managing an internal network comprising: generating one or more shared secrets, each of the shared secrets being associated with a specific group of permission rules relating to communications between two or more entities, and at least one of the permission rules further relates to one or more specific communication applications adapted to utilize the communication network, and wherein the entities are allowed to communicate only in compliance with the permission rules; and authenticating communications within the network in accordance with the one or more shared secrets.
16. A traffic control driver for enforcing traffic control policy, comprising: a traffic control database including one or more shared secret entries, each shared secret entry including data relating to a specific group of permission rules, wherein each permission rule relates to one or more entities and to one or more communication applications adapted to utilize the communication network, and wherein the entities are allowed to utilize one or more of the communication applications only in compliance with the permission rules to generate communications; and a traffic control module adapted to authenticate communications within the network in accordance with one or more shared secrets associated with a specific group of permission rules.
PCT/IL2005/000362 2004-03-31 2005-03-31 Managing traffic within an internal communication network WO2005094174A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US55831304P 2004-03-31 2004-03-31
US60/558,313 2004-03-31

Publications (2)

Publication Number Publication Date
WO2005094174A2 true WO2005094174A2 (en) 2005-10-13
WO2005094174A3 WO2005094174A3 (en) 2006-03-16

Family

ID=35064184

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2005/000362 WO2005094174A2 (en) 2004-03-31 2005-03-31 Managing traffic within an internal communication network

Country Status (1)

Country Link
WO (1) WO2005094174A2 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002095493A (en) * 2000-09-21 2002-04-02 Yamaguchi Technology Licensing Organization Ltd Polysaccharide forming pellicle for acidobacter and purification thereof
US6400707B1 (en) * 1998-08-27 2002-06-04 Bell Atlantic Network Services, Inc. Real time firewall security
US20030033522A1 (en) * 1997-12-10 2003-02-13 Izzet M Bilgic Authentication and security in wireless communication system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150012963A1 (en) * 2013-07-03 2015-01-08 Amtel, Inc. Managing secure, private communications in telecom information management system
WO2015003090A1 (en) * 2013-07-03 2015-01-08 Amtel, Inc. Managing secure, private communications in telecom information management system

Also Published As

Publication number Publication date
WO2005094174A3 (en) 2006-03-16

Similar Documents

Publication Publication Date Title
US10630725B2 (en) Identity-based internet protocol networking
US10652210B2 (en) System and method for redirected firewall discovery in a network environment
JP6175520B2 (en) Computer program, processing method, and network gateway
US8800024B2 (en) System and method for host-initiated firewall discovery in a network environment
US10764264B2 (en) Technique for authenticating network users
Adeyinka Internet attack methods and internet security technology
KR20060120496A (en) One-core, a solution to the malware problems of the internet
US7594268B1 (en) Preventing network discovery of a system services configuration
CN113904826B (en) Data transmission method, device, equipment and storage medium
Kim et al. OTP-Based Software-Defined Cloud Architecture for Secure Dynamic Routing.
Aich et al. Study on cloud security risk and remedy
Samani et al. Intrusion detection system for DoS attack in cloud
Durairaj et al. A study on securing cloud environment from DDoS attack to preserve data availability
Nair The Why and How of adopting Zero Trust Model in Organizations
WO2005094174A2 (en) Managing traffic within an internal communication network
Riaz et al. Access control for fog/cloud enabled iots
Karamagi Comptia Security+ Practice Exams
Sintaro et al. SDP And VPN For Remote Access: A Comparative Study And Performance Evaluation
Freimanis Vulnerability Assessment of Authentication Methods in a Large-Scale Computer System
Rayjada et al. Analytical Research of Data Center Security Implementations and Cyber Attacks
Vasile Firewall Technologies
Cowley et al. Network Security
Munir et al. Security Attacks and Countermeasures in Cloud Computing
Alenezi et al. CERT Technologies
Dalwadi Network And Data Security

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

NENP Non-entry into the national phase in:

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase