WO2016053232A1 - Security control - Google Patents


Info

Publication number
WO2016053232A1
Authority
WO
WIPO (PCT)
Prior art keywords
security control
security
configuration
instance
virtual
Application number
PCT/US2014/057971
Other languages
French (fr)
Inventor
Dennis Hayes
Original Assignee
Hewlett Packard Enterprise Development Lp
Application filed by Hewlett Packard Enterprise Development Lp
Priority to US15/500,892 (US20170223060A1)
Priority to PCT/US2014/057971 (WO2016053232A1)
Publication of WO2016053232A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • XML: Extensible Markup Language
  • SDN: software defined network
  • NIST: National Institute of Standards and Technology
  • Block 104 may include configuring a software defined network to forward packets from one of the endpoints to the other one of the endpoints through the virtual security control instance.
  • block 104 may include providing information regarding the endpoints and the virtual security control instance to an SDN controller. This may enable the SDN controller to provide flow rules to the SDN switches it controls to forward packets from one of the endpoints to the other through the virtual security control instances.
  • block 104 may include establishing flow rules for switches of the SDN and transmitting the flow rules to the switches, directly or via an SDN controller.
  • Figure 2 illustrates an example method of establishing multiple security controls for a pair of endpoints.
  • multiple different types of security controls may be established for different types of endpoints.
  • a set of security controls may be established to protect an email application within a network.
  • the set of security controls for the email application may include a firewall, an anti-spam application, and an antivirus application.
  • a set of security controls for a web application and user may include a firewall, an intrusion prevention or detection application, and a web application firewall (WAF).
  • WAF: web application firewall
  • Security controls for a web application that communicates by using XML messages might include a firewall, an intrusion prevention or detection application, a WAF, and an XML gateway.
  • a client-server application may have incoming messages forwarded through a firewall and an intrusion prevention or detection application.
  • the example method may include block 201. Block 201 may
  • the security configuration may include information determining which controls are to be applied and the settings or policies for each of the controls. For example, the security configuration may include a list of control types to be implemented, and a security control configuration for each type listed. Additionally, in some implementations, the security configuration may define the order in which the controls should be applied to incoming messages. For example, for security controls monitoring incoming email messages it may be more efficient to have an anti-spam filter prior to an anti-virus detection system. In some cases, a security control may be shared between two message streams. For example, messages intended for the same server from two different clients may share some or all of their security control instances. In these cases, the security configuration may also indicate whether a shared or unique instance of each control is permissible for the pair being provisioned.
  • block 201 may be performed by obtaining the security configuration from a system administrator.
  • block 201 may be performed using a system configuration tool.
  • block 201 may be performed by retrieving the security configuration from storage, or receiving the security configuration from a network orchestrator or operations support system.
  • the example method may also include block 202. Block 202 may include obtaining a security control configuration for a security control type from the security configuration obtained in block 201.
  • the example method may further include block 203.
  • Block 203 may include assigning a virtual security control instance of the type associated with the configuration obtained in block 202.
  • block 203 may be performed as described with respect to block 102 of Figure 1.
  • the example method may further include block 204.
  • Block 204 may include configuring the virtual security control instance assigned in block 203 according to the security control configuration obtained in block 202. For example, block 204 may be performed as described with respect to block 103 of Figure 1.
  • the example method may also include block 205. Block 205 may include determining if there is another control type in the security configuration obtained in block 201. If so, the method may repeat from block 202 until a virtual security control instance has been configured for each security control type in the security configuration.
  • the example method may also include block 206. Block 206 may include configuring the SDN to forward packets through the set of virtual security control instances configured by performing blocks 201-206.
  • block 206 may be performed as described with respect to block 104 of Figure 1. If the security configuration includes an ordering for the security control instances, block 206 may include configuring the SDN to forward packets through the set of instances in the order defined in the security configuration.
  • the example method may also include block 207. In block 207, the system may determine if there are further endpoints for which to provision security controls. If so, the method may repeat from block 201 for each pair of endpoints.
  • Figure 3 illustrates an example system provisioned as described with respect to Figure 2. The illustrated example includes three endpoints 301-
  • the system further includes an SDN switch fabric 304, 315, 323, 331 configured to forward packets of the different flows through their respective security controls.
  • the system may include a set of anti-spam controls 305-310 instantiated on virtual machines on various physical devices.
  • switch 304 is configured to forward flow 313 to anti-spam control 308.
  • Control 308 is configured to forward packets to switch 315.
  • the remaining switch fabric 315, 323, 331 is configured to forward packets to email server 334. Accordingly, email messages are not subjected to unnecessary security controls.
  • the controls 305-310 may be instantiated on the same physical devices, each may be instantiated on a different physical device, or any other configuration.
  • each control 305-310 may be installed on a separate blade of a blade server enclosure.
  • a control 305-310 may be instantiated on the same system as the endpoint it protects. In the illustrated example, controls 305-309 are instantiated and provisioned to provide security to a network endpoint.
  • Flow 314 from browser 301 is forwarded by switch
  • Firewall instance 320 is configured to forward packets to switch 323.
  • Switch 323 is configured to forward packets of flow 314 to WAF 323.
  • WAF 323 is configured to forward packets to switch 331, which is configured to forward packets to web server 333.
  • flow 312 from the client application 303 is forwarded through the switch fabric to firewall 321 and then to server 332.
  • firewall 321 may be configured according to a security control configuration specific to the application 332.
  • firewall 320 may be configured according to a security control configuration specific to the application 333.
  • application 333 may provide more security features than application 332. Accordingly, firewall 321 may be configured to avoid providing the same features as provided by application 333.
  • WAF 325 may check for SQL injection.
  • WAF 324 may be provisioned for a web server that natively protects against SQL injection. Accordingly, WAF 324 may be configured not to check for SQL injection.
  • a virtual group 311 may include instances of different types. For example, instances of those groups may be reserved for applications that benefit from controls of each different type. In other cases, a virtual group 316, 327 contains instances of the same type.
  • the instances 317-319, 328-330 may be provisioned as needed when new endpoints join the network, or when message load increases and load balancing will be applied.
  • Figure 4 illustrates an example implementation of a system utilizing load balancing.
  • expanding or contracting the number of controls may be determined by the immediate message load and performed by the provisioning system.
  • the methods of Figure 1 or Figure 2 may be performed to expand the number of security control instances upon an increase in message load.
  • the implementation of load balancing may include provisioning separate virtual load balancer appliances and configuring the SDN switches with rules to forward flows to the load balancers.
  • load balancing may be implemented as a feature of the SDN.
  • SDN switches may be configured with flow rules by an SDN controller to implement load balancing by distributing incoming packets amongst copies of security controls.
  • messages from a first endpoint 401 to a second endpoint 404 are forwarded through a decryption break/inspect component 403, an anti-spam control 409, and an antivirus control 412.
  • Messages from the first endpoint 401 to a third endpoint 417 are forwarded through the decryption component 403, a firewall control 413, and a re-encryption component 416.
  • switch 402 may be configured to forward all packets from endpoint 401 to a load balancer 406 which distributes the packets to an instance of the break/inspect component 403.
  • Switch 405 may be configured with flow rules that differentiate between packets for endpoint 404 and endpoint
  • Packets for endpoint 404 may be forwarded to load balancer 408.
  • Load balancer 408 may distribute packets to one of the instances of anti-spam control 409, which then sends the packets to switch 410.
  • Switch 410 may send the packets to load balancer 411 which distributes the packets to instances of the antivirus control 412 before the packets are forwarded to the endpoint 404.
  • Packets for endpoint 417 may be forwarded to load balancer 407. Load balancer 407 may distribute packets to instances of the firewall control 413, which sends packets to switch 414. Switch 414 may forward packets to load balancer 415, which distributes packets to instances of re-encryption control 416 before the packets are forwarded to endpoint 417.
  • Figure 5 illustrates an example system 501 including a provisioning tool 503 to provision security control instances for endpoints.
  • the illustrated system 501 may be implemented using hardware components, software stored on a non-transitory computer readable medium and executed by a processor, or a combination thereof. For example, the illustrated components may be components of a security gateway control system.
  • the system may include a configuration tool 502. The configuration tool 502 may be to obtain a security configuration for messages to an endpoint.
  • the security control configuration may define a set of security controls to operate on the messages and security control configurations of the set of security controls.
  • the configuration tool 502 may perform block 201 of Figure 2.
  • the configuration tool 502 may provide a user interface to allow an administrator to input configurations.
  • the system may further include a provisioning tool 503.
  • the provisioning tool may assign, for each respective security control of the set of security controls, an instance of the respective security control. Additionally, the provisioning tool may configure each instance according to the respective security control configurations. For example, the provisioning tool may perform steps 202-204 of Figure 2 for each security control of the set.
  • the provisioning tool 503 may assign each instance by selecting an instantiated template virtual security control or by instantiating a stored template virtual security control. In further implementations, the provisioning tool 503 may instantiate a security control instance for the set of security control instances to satisfy only policy requirements for the corresponding security control. Accordingly, each security control instance may be specific to the endpoint. In further implementations, each security control instance is specific to the two endpoints exchanging messages.
  • the system may further include a controller 504.
  • the controller 504 may implement a path in a software defined network for the messages through the set of security control instances.
  • the controller 504 may be an SDN network controller or may communicate with an SDN network controller to provision a set of flow rules to implement the path.
  • the controller may perform step 206 of Figure 2.
  • Figure 6 illustrates an example system including a monitor 605.
  • the illustrated system 601 may be implemented using hardware components, software stored on a non-transitory computer readable medium and executed by a processor, or a combination thereof.
  • the illustrated components may be components of a security gateway control system.
  • the example system may include a configuration tool 602, a provisioning tool 603, and a controller 604. These components may be as described with respect to configuration tool 502, provisioning tool 503, and controller 504 of Figure 5.
  • the example system 601 may include a monitor 605.
  • the monitor 605 may monitor the flows implemented by the flow rules in the software defined network. Additionally, the monitor 605 may monitor the operations of the set of security control instances. For example, the monitor 605 may monitor the security system to provide assurance that each control was started successfully and accepted the configuration it was supplied. Additionally, the monitor may provide an interface to support queries regarding performance, capacity, inbound or outbound queue depth, or other operational factors.
  • the monitor 605 may provide a graphical interface. Information about the status of the controls, such as which controls are configured, the message load passing through them, the performance characteristics of each, and the total path may be shown in a diagram.
  • this information may be overlaid on a diagram similar to Figures 3 or 4.
  • the flows through the series of controls, switches, load balancers, and other devices may be represented in color.
  • Increasing level of detail may be obtained by mousing over or clicking on components or sections, by hand or finger gestures, or other interface methods.
  • the monitor 605 may monitor the message load through the security control instances. Upon meeting various load criteria, the monitor 605 may instruct the provisioning tool to assign additional security control instances with the appropriate configurations. For example, as described with respect to Figure 4, a set of security control instances all configured with the same configuration may be used to handle larger message loads.
  • Figure 7 illustrates an example computer 701 including a non-transitory computer readable medium 704 storing instructions executable to configure sets of security control instances and configure a software defined network.
  • the non-transitory computer readable medium 704 may include storage, memory, or a combination thereof.
  • the example computer of Figure 7 may be an implementation of a security gateway system, such as the system 501 of Figure 5 or the system 601 of Figure 6.
  • the medium 704 may store instructions 705.
  • instructions 705 may be executable by a processor 703 to configure a first set of security control instances according to a first security configuration for a first endpoint.
  • Instructions 705 may be executable by the processor 703 to configure a second set of security control instances according to a second security configuration for a second endpoint.
  • the instructions 705 may be executable by the processor 703 to transmit configurations for the instances via a network interface 702.
  • the instructions 705 may be further executable by the processor 703 to assign the sets of security control instances according to the security configurations.
  • the instructions 705 may be executable to assign the first set of security control instances according to the first security configuration and assign the second set of security control instances according to the second security configuration.
  • the medium 704 may also store instructions 706.
  • Instructions 706 may be executable by the processor 703 to configure a software defined network to forward packets to the first endpoint through the first set of security control instances and to forward packets to the second endpoint through the second set of security control instances.
  • the instructions 706 may be executable by the processor to configure the software defined network by transmitting flow rules directly to SDN switches or by transmitting instructions to an SDN controller.
  • the security configurations apply in a many-to-one manner, so that the security configurations are specific to a message destination and apply to any message source.
  • the security configurations apply pairwise to pairs of endpoints.
  • the instructions 706 may be executable to configure a third set of security control instances according to a third security configuration for the first endpoint and a fourth endpoint.
  • the instructions 706 may be executable to configure the software defined network to forward packets from the fourth endpoint to the first endpoint through the third set of security control instances.

Abstract

Some implementations may include obtaining a security control configuration for a pair of endpoints for a security control type. A virtual security control instance of the security control type may be assigned to the pair of endpoints. The virtual security control instance may be configured according to the security control configuration. A software defined network may be configured to forward packets from one of the endpoints to the other one of the endpoints through the virtual security control instance.

Description

SECURITY CONTROL
BACKGROUND
[0001] Network perimeter security controls provide safeguards or countermeasures to avoid or counteract security risks to computer networks and network-accessible resources. Network security controls may be implemented as network hardware devices or as software residing on network attached computers. Examples of security controls include firewalls, anti-spam systems, anti-virus systems, intrusion prevention or detection systems, web application firewalls, Extensible Markup Language (XML) gateways, deep packet inspection firewalls, next generation firewalls, website filters, Quality-of-Service (QoS) managers, and application inspection and control systems.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] Certain examples are described in the following detailed description and in reference to the drawings, in which:
[0003] Figure 1 illustrates an example method for assigning virtual security controls and correspondingly configuring a software defined network (SDN);
[0004] Figure 2 illustrates an example method of establishing multiple security controls for a pair of endpoints and configuring an SDN accordingly;
[0005] Figure 3 illustrates an example system provisioned as described with respect to Figure 2;
[0006] Figure 4 illustrates an example implementation of a system utilizing load balancing;
[0007] Figure 5 illustrates an example system including a provisioning tool to provision security control instances for endpoints;
[0008] Figure 6 illustrates an example system including a monitor; and
[0009] Figure 7 illustrates an example computer including a non-transitory computer readable medium storing instructions executable to configure sets of security control instances and configure a software defined network.
DETAILED DESCRIPTION OF SPECIFIC EXAMPLES
[0010] Selection of security controls, in terms of the appropriate set of controls and the fcasellne- configuration of each ctmtmi, that is appropriate to address the risk to an organization for the confidentiality, integrity., and availability of information are application-specific. Sharing security controls between multiple applications with multiple message streams may be complex and error-prone. Sharing security controls may require ensuring that fie appropriate inheritable petioles are in place and any nonshared policies apply only lo their intended message streams. Additionally, the coordination of policies across multiple controls may complicate the process further, requiring validation that the policies are correct do not negate or invalidate other policies, and do not duplicate the protection offered by other controls,
[0011 ] Aspects of the disclosed technology may implement security controls and an underlying network switch Infrastructure virtually and provision only those controls that, are required between a singfe pair of endpolnts. Additionally, aspects of the disclosed technology may allow the controls between endpolnts to be specifically configured for the endpolnts. This may avoid some complications associated win shared security controls,
[0012] Figure 1 Illustrates an example method tor assigning virtual security controls and correspondingly configuring a software defined network (SDN), For example, the illustrated method may he performed by a network security orchestration system to Implement a security gateway using one or more servers,
[0013] The example method may Include block 101 , Block 101 may include obtaining a security control configuration for a pair of endpolnts for a security control type. The endpolnts may be any source and destination for packets. For example, the endpolnts may be a server and a client, such as a wefe server and browsers,, or email server and email client. As another examples the endpolnts may be peers engaging In peerto-peer transmissions. As a further example, the endpolnts may be application components in a service oriented architecture, such as a web tier component, a business logic tier component, or database tier component. [0014] The security control type may be any type of security control used !o provide security for Ilia eodpoints. For example, the type of security control may Include firewalls, anrl-spani systems, anti-virus systems, intrusion prevention or detection systems, web application firewalls, Extensible Markup language (XMl) gateways, deep packet Inspection firewalls, next generation firewalls, website filters, Qualtty-of-Serviee (QoS) managers, and application Inspection and control systems.
[0015] in some implementations, the security control configuration may be obtained torn a system administrator. For example the security control configuration may be obtained using a configuration tool providing an Interface to allow the administrator to Input the security control configuration. In other implementations, tNe security control oonigoration may be obtained by retrieval from storage or by receipt torn an automated network operations system,
[0016] The security control configuration may define the policies specific to the security control type that will be applied to packets sent from one of the endpointa to the other. For example, the security control configuration may include a set of settings for the type of security control to be Implemented.. For example, In a deny by default / allow by exception feoondary control, the permitted exceptions may be tailored to the specific enclpoints to which the control applies, For example, port 80 lor HTTP, port 443 for HTTFS, or port 23 for Telnet may he allowed to one application, but not allowed to others, Thus, the eonfigurattoe of these controls may provide fine-grained control over the degree or type of ^roteotlon afforded each application, In further examples, < the security control configuration may be formatted aceoning to the control selection and configuration portion of the Risk Management Framework process described In National Institute of Standards and Technology (NIST) documentation and systems management recommendations outlined in the Information Technology Information library (ITIL)
[0017] In some implementations, the security control configuration may also define how many instances of the security control type will be allocated to the endpoints. For example, based on message load, multiple instances of the same type may be allocated to the endpoints and load balancing may be used to distribute messages between the instances.
[0018] The example method may also include block 102. Block 102 may include assigning a virtual security control instance of the security control type to the pair of endpoints. The virtual security control instance may be a specific instance of the type of security control allocated for the pair of endpoints. For example, the virtual security control instance may be a firewall running on a virtual machine that is dedicated to the pair of endpoints.
[0019] In some cases, assigning the virtual security control instance may include selecting a virtual security control instance from a group of pre-instantiated virtual security control instances. For example, a set of virtual machines may be instantiated on one or more hypervisors and may execute a set of virtual security control instances of the virtual security control type. In other cases, assigning the virtual security control instance may include instantiating a virtual security control instance from a stored template. For example, a virtual machine image executing the security control image may be instantiated in a hypervisor.
[0020] In some implementations, block 102 may include assigning multiple virtual security control instances of the security control type to the pair of endpoints. For example, this may be done in conjunction with load balancing to reduce the processing load on any one virtual security control instance.
[0021] The example method may also include block 103. Block 103 may include configuring the virtual security control instance assigned in block 102. For example, block 103 may include configuring the virtual security control instance according to the security control configuration obtained in block 101. For example, block 103 may include configuring the virtual security control instance by setting the policies contained in the security control configuration.
[0022] The example method may also include block 104. Block 104 may include configuring a software defined network to forward packets from one of the endpoints to the other one of the endpoints through the virtual security control instance. For example, block 104 may include providing information regarding the endpoints and the virtual security control instance to an SDN controller. This may enable the SDN controller to provide flow rules to the SDN switches it controls to forward packets from one of the endpoints to the other through the virtual security control instance. As another example, block 104 may include establishing flow rules for switches of the SDN and transmitting the flow rules to the switches, directly or via an SDN controller.
[0023] Figure 2 illustrates an example method of establishing multiple security controls for a pair of endpoints. In some implementations, multiple different types of security controls may be established for different types of endpoints. For example, a set of security controls may be established to protect an email application within a network. The set of security controls for the email application may include a firewall, an anti-spam application, and an antivirus application. As another example, a set of security controls for a web application and user may include a firewall, an intrusion prevention or detection application, and a web application firewall (WAF). Security controls for a web application that communicates by using XML messages might include a firewall, an intrusion prevention or detection application, a WAF, and an XML gateway. As another example, a client-server application may have incoming messages forwarded through a firewall and an intrusion prevention or detection application.
[0024] The example method may include block 201. Block 201 may include obtaining a security configuration for the pair of endpoints. The security configuration may include information determining which controls are to be applied and the settings or policies for each of the controls. For example, the security configuration may include a list of control types to be implemented, and a security control configuration for each type listed. Additionally, in some implementations, the security configuration may define the order in which the controls should be applied to incoming messages. For example, for security controls monitoring incoming email messages, it may be more efficient to have an anti-spam filter prior to an anti-virus detection system. In some cases, a security control may be shared between two message streams. For example, messages intended for the same server from two different clients may share some or all of their security control instances. In these cases, the security configuration may also indicate whether a shared or unique instance of each control is permissible for the pair being provisioned.
[0025] In some implementations, block 201 may be performed by obtaining the security configuration from a system administrator. For example, block 201 may be performed using a system configuration tool. As another example, block 201 may be performed by retrieving the security configuration from storage, or receiving the security configuration from a network orchestrator or operations support system.
[0026] The example method may also include block 202. Block 202 may include obtaining a security control configuration for a security control type from the security configuration obtained in block 201.
[0027] The example method may further include block 203. Block 203 may include assigning a virtual security control instance of the type associated with the configuration obtained in block 202. For example, block 203 may be performed as described with respect to block 102 of Figure 1.
[0028] The example method may further include block 204. Block 204 may include configuring the virtual security control instance assigned in block 203 according to the security control configuration obtained in block 202. For example, block 204 may be performed as described with respect to block 103 of Figure 1.
[0029] The example method may also include block 205. Block 205 may include determining if there is another control type in the security configuration obtained in block 201. If so, the method may repeat from block 202 until a virtual security control instance has been configured for each security control type in the security configuration.
[0030] The example method may also include block 206. Block 206 may include configuring the SDN to forward packets through the set of virtual security control instances configured by performing blocks 201-205. For example, block 206 may be performed as described with respect to block 104 of Figure 1. If the security configuration includes an ordering for the security control instances, block 206 may include configuring the SDN to forward packets through the set of instances in the order defined in the security configuration.
[0031] The example method may also include block 207. In block 207, the system may determine if there are further endpoints for which to provision security controls. If so, the method may repeat from block 201 for each pair of endpoints.
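As an added example (not code from the patent or its assignee), the following Python sketch walks the Figure 1 and Figure 2 method end to end: it takes an ordered security configuration for a pair of endpoints (block 201), assigns one instance per control type from a pre-instantiated pool or from a template while honouring the shared-or-unique indication (blocks 202-205), configures each instance, and emits the per-hop flow rules of blocks 206/104 in both the pairwise and the many-to-one form the description mentions later. All class names, the dictionary form of the flow rules, the policy keys and the sample endpoints are assumptions; no real SDN controller API is used.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str

@dataclass
class SecurityControlConfig:
    """Block 202: the settings for one control type (hypothetical policy keys)."""
    control_type: str
    policies: dict
    shared_ok: bool = False   # block 201: may an identically configured instance be shared?

@dataclass
class SecurityConfiguration:
    """Block 201: the ordered list of control types for one pair of endpoints."""
    src: Endpoint
    dst: Endpoint
    controls: list            # SecurityControlConfig objects, applied in this order

@dataclass
class VirtualControlInstance:
    instance_id: str
    control_type: str
    policies: dict = field(default_factory=dict)
    configured: bool = False

    def configure(self, policies):
        """Block 204 (103): set the policies from the security control configuration."""
        self.policies = dict(policies)
        self.configured = True

class Provisioner:
    """Blocks 202-205: assign and configure one instance per control type."""

    def __init__(self, pool=()):
        self.pool = list(pool)   # pre-instantiated, not yet configured instances
        self._ids = count(1)
        self._shared = {}        # (type, policies) -> instance already serving a pair

    def assign(self, cfg):
        key = (cfg.control_type, repr(sorted(cfg.policies.items())))
        if cfg.shared_ok and key in self._shared:
            return self._shared[key]          # reuse an identically configured instance
        for inst in self.pool:                # block 203: prefer a pre-instantiated instance
            if inst.control_type == cfg.control_type:
                self.pool.remove(inst)
                break
        else:                                 # none available: instantiate from a template
            inst = VirtualControlInstance(
                f"{cfg.control_type}-{next(self._ids)}", cfg.control_type)
        inst.configure(cfg.policies)
        if cfg.shared_ok:
            self._shared[key] = inst
        return inst

    def provision_chain(self, sec_cfg):
        """Blocks 202-205 for every control type, preserving the configured order."""
        return [self.assign(c) for c in sec_cfg.controls]

def flow_rules(sec_cfg, chain, pairwise=True):
    """Block 206 (104): one forwarding rule per hop so packets traverse the chain in
    order. pairwise=False is the many-to-one form: match on the destination only."""
    match = {"dst_ip": sec_cfg.dst.ip}
    if pairwise:
        match["src_ip"] = sec_cfg.src.ip
    rules, prev = [], sec_cfg.src.name
    for hop in [inst.instance_id for inst in chain] + [sec_cfg.dst.name]:
        rules.append({"match": dict(match, from_hop=prev), "forward_to": hop})
        prev = hop
    return rules

# Constructed sample: two mail clients sending to one mail server. The firewall
# policy is identical and may be shared; anti-spam and anti-virus are per pair.
MAIL_SERVER = Endpoint("mail-server", "10.0.0.25")

def mail_config(client):
    return SecurityConfiguration(client, MAIL_SERVER, [
        SecurityControlConfig("firewall", {"allow_tcp_ports": (25, 587)}, shared_ok=True),
        SecurityControlConfig("anti-spam", {"score_threshold": 5}),
        SecurityControlConfig("anti-virus", {"quarantine": True}),
    ])

def provision_mail_clients():
    """Block 207: repeat from block 201 for each pair of endpoints."""
    prov = Provisioner(pool=[VirtualControlInstance("fw-pool-1", "firewall")])
    results = {}
    for client in (Endpoint("client-a", "10.0.1.10"), Endpoint("client-b", "10.0.1.11")):
        cfg = mail_config(client)
        chain = prov.provision_chain(cfg)
        results[client.name] = (chain, flow_rules(cfg, chain))
    return results
```

Running `provision_mail_clients()` shows the two clients sharing the pooled firewall while each gets its own anti-spam and anti-virus instance, with four flow rules per client that hand the flow from hop to hop in the configured order.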
[0032] Figure 3 illustrates an example system provisioned as described with respect to Figure 2. The illustrated example includes three endpoints 301-303 having message flows to three other endpoints. For example, a browser 301 has a flow 314 to a web server 333, an email application has a flow 313 to an email server 334, and a user application 303 has a flow 312 to a server 332. The system further includes an SDN switch fabric 304, 315, 323, 331 configured to forward packets of the different flows through their respective security controls.
[0033] As an example, the system may include a set of anti-spam controls 305-310 instantiated on virtual machines on various physical devices. In this example, switch 304 is configured to forward flow 313 to anti-spam control 308. Control 308 is configured to forward packets to switch 315. The remaining switch fabric 315, 323, 331 is configured to forward packets to email server 334. Accordingly, email messages are not subjected to unnecessary security controls.
[0034] In some cases, the controls 305-310 may be instantiated on the same physical device, each may be instantiated on a different physical device, or any other configuration may be used. For example, each control 305-310 may be installed on a separate blade of a blade server enclosure. As another example, a control 305-310 may be instantiated on the same system as the endpoint it protects. In the illustrated example, controls 305-309 are instantiated and provisioned to provide security to a network endpoint.
[0035] In this example, flow 314 from browser 301 is forwarded by switch 304 through the switch fabric to switch 315, which is configured to forward packets to firewall instance 320. Firewall instance 320 is configured to forward packets to switch 323. Switch 323 is configured to forward packets of flow 314 to WAF 323. WAF 323 is configured to forward packets to switch 331, which is configured to forward packets to web server 333.
[0036] In the illustrated example, flow 312 from the client application 303 is forwarded through the switch fabric to firewall 321 and then to server 332. As described above, firewall 321 may be configured according to a security control configuration specific to the application 332. Similarly, firewall 320 may be configured according to a security control configuration specific to the application 333. These configurations may differ from each other. For example, application 333 may provide more security features than application 332. Accordingly, firewall 321 may be configured to avoid providing the same features as are provided by application 333. As another example, WAF 325 may check for SQL injection. WAF 324 may be provisioned for a web server that natively protects against SQL injection. Accordingly, WAF 324 may be configured not to check for SQL injection.
[0037] In the illustrated example, control instances that are not provisioned are provided in virtual groups 311, 316, 327. In some cases, a virtual group 311 may include instances of different types. For example, instances of those groups may be reserved for applications that benefit from controls of each different type. In other cases, a virtual group 316, 327 contains instances of the same type. The instances 317-319, 328-330 may be provisioned as needed when new endpoints join the network, or when message load increases and load balancing will be applied.
[0038] Figure 4 illustrates an example implementation of a system utilizing load balancing. In some implementations, expanding or contracting the number of controls may be determined by the immediate message load and performed by the provisioning system. For example, the methods of Figure 1 or Figure 2 may be performed to expand the number of security control instances upon an increase in message load. In some examples, the implementation of load balancing may include provisioning separate virtual load balancer appliances and configuring the SDN switches with rules to forward flows to the load balancers. In other examples, load balancing may be implemented as a feature of the SDN. For example, SDN switches may be configured with flow rules by an SDN controller to implement load balancing by distributing incoming packets amongst copies of security controls.
[0039] In the illustrated example, messages from a first endpoint 401 to a second endpoint 404 are forwarded through a decryption break/inspect component 403, an anti-spam control 409, and an antivirus control 412. Messages from the first endpoint 401 to a third endpoint 417 are forwarded through the decryption component 403, a firewall control 413, and a re-encryption component 416.
[0040] For example, switch 402 may be configured to forward all packets from endpoint 401 to a load balancer 406 which distributes the packets to an instance of the break/inspect component 403. Switch 405 may be configured with flow rules that differentiate between packets for endpoint 404 and endpoint 417.
[0041] Packets for endpoint 404 may be forwarded to load balancer 408. Load balancer 408 may distribute packets to one of the instances of anti-spam control 409, which then sends the packets to switch 410. Switch 410 may send the packets to load balancer 411, which distributes the packets to instances of the antivirus control 412 before the packets are forwarded to the endpoint 404.
[0042] Packets for endpoint 417 may be forwarded to load balancer 407. Load balancer 407 may distribute packets to instances of the firewall control 413, which sends packets to switch 414. Switch 414 may forward packets to load balancer 415, which distributes packets to instances of re-encryption control 416 before the packets are forwarded to endpoint 417.
[0043] Figure 5 illustrates an example system 501 including a provisioning tool 503 to provision security control instances for endpoints. For example, the illustrated system 501 may be implemented using hardware components, software stored on a non-transitory computer readable medium and executed by a processor, or a combination thereof. For example, the illustrated components may be components of a security gateway control system.
[0044] The system may include a configuration tool 502. The configuration tool 502 may be to obtain a security configuration for messages to an endpoint. For example, the security configuration may define a set of security controls to operate on the messages and security control configurations of the set of security controls. In some implementations, the configuration tool 502 may perform block 201 of Figure 2. For example, the configuration tool 502 may provide a user interface to allow an administrator to input configurations.
[0045] The system may further include a provisioning tool 503. The provisioning tool may assign, for each respective security control of the set of security controls, an instance of the respective security control. Additionally, the provisioning tool may configure each instance according to the respective security control configuration. For example, the provisioning tool may perform steps 202-204 of Figure 2 for each security control of the set.
[0046] In some implementations, the provisioning tool 503 may assign each instance by selecting an instantiated template virtual security control or by instantiating a stored template virtual security control. In further implementations, the provisioning tool 503 may instantiate a security control instance for the set of security control instances to satisfy only the policy requirements for the corresponding security control. Accordingly, each security control instance may be specific to the endpoint. In further implementations, each security control instance is specific to the two endpoints exchanging messages.
[0047] The system may further include a controller 504. The controller 504 may implement a path in a software defined network for the messages through the set of security control instances. For example, the controller 504 may be an SDN network controller or may communicate with an SDN network controller to provision a set of flow rules to implement the path. For example, the controller may perform step 206 of Figure 2.
[0048] Figure 6 illustrates an example system including a monitor 605. Similarly to Figure 5, the illustrated system 601 may be implemented using hardware components, software stored on a non-transitory computer readable medium and executed by a processor, or a combination thereof. For example, the illustrated components may be components of a security gateway control system. The example system may include a configuration tool 602, a provisioning tool 603, and a controller 604. These components may be as described with respect to configuration tool 502, provisioning tool 503, and controller 504 of Figure 5.
[0049] Additionally, the example system 601 may include a monitor 605. The monitor 605 may monitor the flows implemented by the flow rules in the software defined network. Additionally, the monitor 605 may monitor the operations of the set of security control instances. For example, the monitor 605 may monitor the security system to provide assurance that each control was started successfully and accepted the configuration it was supplied. Additionally, the monitor may provide an interface to support queries regarding performance, capacity, inbound or outbound queue depth, or other operational factors. In some implementations, the monitor 605 may provide a graphical interface. Information about the status of the controls, such as which controls are configured, the message load passing through them, the performance characteristics of each, and the total path may be shown in a diagram. For example, this information may be overlaid on a diagram similar to Figures 3 or 4. The flows through the series of controls, switches, load balancers, and other devices may be represented in color. As an example, an increasing level of detail may be obtained by mousing over or clicking on components or sections, by hand or finger gestures, or other interface methods.
[0050] In additional implementations, the monitor 605 may monitor the message load through the security control instances. Upon meeting various load criteria, the monitor 605 may instruct the provisioning tool to assign additional security control instances with the appropriate configurations. For example, as described with respect to Figure 4, a set of security control instances all configured with the same configuration may be used to handle larger message loads.
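The monitor-driven expansion and contraction described here and in the Figure 4 discussion, as an added example that is not the patent's code: a monitor records the start/configuration health and the inbound queue depth each instance reports, scales a group of identically configured instances out or in against a threshold, and regenerates the SDN-side load-balancing rule (a select group with one bucket per healthy instance) that spreads a flow over the copies. The class names, the thresholds, the queue-depth figures and the rule dictionary are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ControlInstance:
    instance_id: str
    control_type: str
    policies: dict
    started: bool = True           # did the control start successfully?
    config_accepted: bool = True   # did it accept the configuration it was supplied?
    queue_depth: int = 0           # last reported inbound queue depth

    @property
    def healthy(self):
        return self.started and self.config_accepted

@dataclass
class ControlGroup:
    """Identically configured copies of one control behind one load balancer."""
    name: str
    control_type: str
    policies: dict
    instances: list = field(default_factory=list)
    max_queue: int = 100       # expand when the mean queue depth exceeds this
    min_instances: int = 1
    _created: int = field(default=0, init=False)

    def add_instance(self):
        """Provisioning tool: one more instance with the same configuration."""
        self._created += 1
        inst = ControlInstance(f"{self.name}-{self._created}",
                               self.control_type, dict(self.policies))
        self.instances.append(inst)
        return inst

class Monitor:
    """Watches the control instances and decides when to expand or contract."""

    def health(self, group):
        """Assurance that each control started and accepted its configuration."""
        return {i.instance_id: i.healthy for i in group.instances}

    def report(self, group, depths):
        """Record the queue depth each instance reported (not reported = idle)."""
        for inst in group.instances:
            inst.queue_depth = depths.get(inst.instance_id, 0)

    def rebalance(self, group):
        """Expand when the mean queue depth is above the threshold; contract when the
        remaining instances would still sit below half of it. Returns (action, instance).
        The SDN rules must be reissued (balancer_rules) after either change."""
        total = sum(i.queue_depth for i in group.instances)
        n = len(group.instances)
        if n == 0 or total / n > group.max_queue:
            return "expand", group.add_instance()
        if n > group.min_instances and total / (n - 1) < group.max_queue / 2:
            return "contract", group.instances.pop()   # drain it first in a real system
        return "steady", None

def balancer_rules(group, match):
    """SDN-side load balancing: the flow rule sends the matching flow to a select
    group whose buckets are the healthy instances, one equal-weight bucket each."""
    buckets = [{"weight": 1, "output": i.instance_id}
               for i in group.instances if i.healthy]
    return {"flow": {"match": match, "action": f"group:{group.name}"},
            "group": {"id": group.name, "type": "select", "buckets": buckets}}

def scaling_demo():
    """Constructed run: an anti-spam group under rising, then falling, load."""
    group = ControlGroup("anti-spam", "anti-spam", {"score_threshold": 5})
    group.add_instance()
    group.add_instance()
    mon = Monitor()
    mon.report(group, {"anti-spam-1": 180, "anti-spam-2": 160})  # mean 170 > 100
    expand = mon.rebalance(group)                                 # third copy added
    mon.report(group, {"anti-spam-1": 20, "anti-spam-2": 20, "anti-spam-3": 10})
    contract = mon.rebalance(group)                               # back to two copies
    group.instances[0].config_accepted = False                    # simulate a bad start
    return expand, contract, mon.health(group), balancer_rules(group, {"dst_ip": "10.0.0.25"})
```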
[0051] Figure 7 illustrates an example computer 701 including a non-transitory computer readable medium 704 storing instructions executable to configure sets of security control instances and configure a software defined network. For example, the non-transitory computer readable medium 704 may include storage, memory, or a combination thereof. For example, the example computer of Figure 7 may be an implementation of a security gateway system, such as the system 501 of Figure 5 or the system 601 of Figure 6.
[0053] In the illustrated example, the medium 704 may store instructions 705. Instructions 705 may be executable by a processor 703 to configure a first set of security control instances according to a first security configuration for a first endpoint. Additionally, instructions 705 may be executable by the processor 703 to configure a second set of security control instances according to a second security configuration for a second endpoint. For example, the instructions 705 may be executable by the processor 703 to transmit configurations for the instances via a network interface 702.
[0054] In some implementations, the instructions 705 may be further executable by the processor 703 to assign the sets of security control instances according to the security configurations. For example, the instructions 705 may be executable to assign the first set of security control instances according to the first security configuration and assign the second set of security control instances according to the second security configuration.
[0055] The medium 704 may also store instructions 706. Instructions 706 may be executable by the processor 703 to configure a software defined network to forward packets to the first endpoint through the first set of security control instances and to forward packets to the second endpoint through the second set of security control instances. For example, the instructions 706 may be executable by the processor to configure the software defined network by transmitting flow rules directly to SDN switches or by transmitting instructions to an SDN controller.
[0056] In some implementations, the security configurations apply in a many-to-one manner, so that the security configurations are specific to a message destination and apply to any message source. In other implementations, the security configurations apply pairwise to pairs of endpoints. In these implementations, the instructions 705 may be executable to configure a third set of security control instances according to a third security configuration for the first endpoint and a fourth endpoint. Additionally, the instructions 706 may be executable to configure the software defined network to forward packets from the fourth endpoint to the first endpoint through the third set of security control instances.
[0057] In the foregoing description, numerous details are set forth to provide an understanding of the subject disclosed herein. However, implementations may be practiced without some or all of those details. Other implementations may include modifications and variations from the details discussed above. It is intended that the appended claims cover such modifications and variations.

Claims

1. A method, comprising:
obtaining a security control configuration for a pair of endpoints for a security control type;
assigning a virtual security control instance of the security control type to the pair of endpoints;
configuring the virtual security control instance according to the security control configuration; and
configuring a software defined network to forward packets from one of the endpoints to the other one of the endpoints through the virtual security control instance.
2. The method of claim 1, further comprising:
assigning the virtual security control instance by selecting the virtual security control instance from a set of instantiated virtual security control templates.
3. The method of claim 1, further comprising:
assigning the virtual security control instance by instantiating the virtual security control instance from a stored virtual security control template.
4. The method of claim 1, wherein the virtual security control instance implements a set of security policies specific to the pair of endpoints.
5. The method of claim 1, further comprising:
obtaining a security configuration for the pair of endpoints, the security configuration indicating a plurality of security control types for the pair of endpoints and a corresponding plurality of security control configurations for each security control type; and
for each respective security control type, configuring a virtual security control instance according to the security control configuration for the respective security control type.
6. The method of claim 5, wherein the security configuration indicates whether to use a unique or shared instance of a security control for each security control type.
7. The method of claim 1, further comprising:
obtaining a second security control configuration for a second pair of endpoints for the security control type;
assigning a second virtual security control instance of the security control type;
configuring the second virtual security control instance according to the second security control configuration; and
configuring the software defined network to forward packets from one of the second pair of endpoints to the other one of the second pair of endpoints through the second virtual security control instance.
8. A system, comprising:
a configuration tool to obtain a security configuration for messages to an endpoint, the security configuration defining a set of security controls to operate on the messages and security control configurations of the set of security controls;
a provisioning tool to:
assign, for each respective security control of the set of security controls, an instance of the respective security control; and
configure each instance according to the respective security control configuration; and
a controller to implement a path in a software defined network for the messages through the set of security control instances.
9. The system of claim 8, wherein the provisioning tool is to assign each instance of the respective security control by selecting an instantiated template virtual security control or by instantiating a stored template virtual security control.
10. The system of claim 8, wherein the provisioning tool is to instantiate a security control instance for the set of security control instances to satisfy only policy requirements for the corresponding security control.
11. The system of claim 8, further comprising:
a monitor to monitor flows implementing the path in the software defined network and the set of security control instances.
12. The system of claim 11, wherein the monitor is further to detect an increased message load and cause the provisioning tool to assign additional security control instances.
13. A non-transitory computer readable medium storing instructions executable to:
configure a first set of security control instances according to a first security configuration for a first endpoint;
configure a second set of security control instances according to a second security configuration for a second endpoint;
configure a software defined network to forward packets to the first endpoint through the first set of security control instances; and
configure the software defined network to forward packets to the second endpoint through the second set of security control instances.
14. The non-transitory computer readable medium of claim 13, wherein the first security configuration applies to communications from a third endpoint to the first endpoint; and the medium storing further instructions executable to:
configure a third set of security control instances according to a third security configuration for the first endpoint and a fourth endpoint; and
configure the software defined network to forward packets from the fourth endpoint to the first endpoint through the third set of security control instances.
15. The non-transitory computer readable medium of claim 13, storing further instructions executable to:
assign the first set of security control instances according to the first security configuration; and
assign the second set of security control instances according to the second security configuration.
PCT/US2014/057971 2014-08-28 2014-09-29 Security control WO2016053232A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US15/500,892 US20170223060A1 (en) 2014-08-28 2014-09-29 Security control
PCT/US2014/057971 WO2016053232A1 (en) 2014-09-29 2014-09-29 Security control

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2014/057971 WO2016053232A1 (en) 2014-09-29 2014-09-29 Security control

Publications (1)

Publication Number Publication Date
WO2016053232A1 true WO2016053232A1 (en) 2016-04-07

Family

ID=55631093

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2014/057971 WO2016053232A1 (en) 2014-08-28 2014-09-29 Security control

Country Status (1)

Country Link
WO (1) WO2016053232A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14903001

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 15500892

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14903001

Country of ref document: EP

Kind code of ref document: A1