Patent Grant
8607301
The present invention relates to how enterprise networks can create (internally or with their external service provider partners) Virtual Private Networks (VPNs) for different groups of clients and/or host applications, referred to herein as Group VPNs.
Enterprise networks often require different types of functional and/or organizational groups of users. Within the enterprise network, those groups have different privacy requirements for their Internet Protocol (IP) communication between their client users and/or between their client users and their host applications.
Present Network Data Protection Solutions
Most of the time, network traffic is sent “in the clear”, unsecured without encryption or authentication of the sender and receiver. In order to allow private traffic to be sent in a secure manner, a number of security schemes have been proposed and are in use today. Some are application dependent, such as a specific program performing password authentication. Others, such as Security Socket Layer/Transport Layer Security (SSL/TLS), are designed to provide comprehensive security to specific classes of traffic such as Web traffic.
IPSec, as defined in RFC 2401, can work in tunnel mode by encrypting a data packet (if encryption is required since IPSec can be used for authentication only), performing a secure hash (or authentication) on the packet, then wrapping the resulting packet in a new IP packet with a new header indicating it has been secured using IPSec.
The two endpoints where data protection through encryption is enforced are called Policy Enforcement Points (PEPs).
The two PEPs must establish the IPSec security services through a Security Association (SA) and in particular, the encryption keys. This is can be accomplished using the Internet Key Exchange (IKE) protocol, as defined in RFC 2409 (or RFC 4206 for its version 2), that negotiates keys in two phases: the first phase is used to secure a communication channel between the two PEPs; the second phase is used to create two unidirectional IPSec SAs. Traffic can now be encrypted based on the IPSec policy that defines the type of traffic to be protected between two identified IP addresses or subnets.
Limitations When Securing Networks with IPSec
While IPSec secures IP traffic at the network layer, key exchange mechanisms create a number of practical limitations when IPSec is deployed in networks.
Manual keys are not generally used because of the configuration challenges and re-key requirements to implement them in large networks. For those reasons, IKE is normally used for key exchange. However, IKE is based on a secure connection being established between two PEPs and a resulting key negotiation being completed between those two PEPs. As a result, this connection-oriented nature of IKE has a few drawbacks.
If the traffic needs to be sent and/or received through multiple paths, as would be the case in a resilient network, there is no single pair of points that can be identified to perform key negotiation and no single PEP that can be selected as the ultimate destination in the IPSec tunnel header.
Finding a Balance Between Data Protection and Access Control
In an enterprise network, data availability enables business productivity. However, the availability of enterprise data requires managing the business risks associated with that availability. Data that is secured, but not available to users is worthless. Data that is accessed by users, but is unsecured is at risk. The challenge is to find the right balance between data protection and data availability.
Generally in an enterprise, different types of data are accessed by different types of users or groups. For example, users of the same business unit or the same organizational group such as engineering or finance might need to access the same data concurrently. Different business units or different organizational groups have different security requirements. Generally, protection of data for a financial or a legal department is somewhat different than data protection for a marketing or engineering department. In addition, some group transactions such as financial transactions might be secure, while other group transactions such as administrative information might be in the clear.
Connectivity in Networks with Complex Boundaries
If organizational flow charts are usually informally or formally known within an enterprise, the various network links that establishes the data communication paths between client users and application data are generally more difficult to establish for network administrators.
Large enterprise networks have more and more complex physical and logical boundaries inside a building or across remote buildings, campuses or countries. Large enterprise networks also have complex physical and logical boundaries between internal, remote and external users of enterprise applications.
Therefore, provisioning any management functions, in particular security functions, that might affect various users of the same group is somewhat challenging. Even if it is easy to identify the members of the group, it is much more difficult to discover their physical communication paths for large scale networks.
With the present state of the art, there is no way to enable different IPSec encryption of data between two given IP addresses. Currently there is no solution for an enterprise network to implement different network data protection schemes needed for different types of user clients or application hosts.
Furthermore, enterprise networks would prefer to leverage the same security infrastructure across different types of users and applications to lower their capital and operating expenses and across their various network boundaries.
The present invention gives precedence to the deployment over an enterprise network of Group Virtual Private Networks (VPNs) for different types of groups, called security groups, defined by a security policy for the members of a group. Group VPN enables the deployment of security policies and encryption keys to members of a security group using the same IP Security (IPSec) VPN network infrastructure. With Group VPN, enterprises are able to securely partition an enterprise network from end-to-end. Group VPN also provides an internal trusted network that can leverage and co-exist with network access control technologies. Access control technologies only allow trusted users and clients access to the applications.
In particular, each group, referred to as a security group, is defined by a security policy. According to that security policy, encryption keys are generated and distributed among the various members of the group. The Virtual Private Network (VPN) or enterprise data protected network secures Internet Protocol (IP) payload generated by the clients and/or host applications using IP Security (IPSec). Security groups are allowed over the same data protection infrastructure. Security groups provide a trusted IP network that can leverage and co-exist with security access control technologies, such as endpoint security that controls client network access or application security that controls user access to enterprise applications.
Network Overlay of Security Policies and Encryption Keys to the Data Plane
More particularly, by dividing the generation and distribution of security policies and encryption keys into separate components and combining them in new ways across multiple devices, the fundamental connection-oriented approach of IPSec using IKE can be changed while maintaining most of its present features and all of its security capabilities. This approach can solve the present IPSec/IKE point-to-point limitations to completely secure network traffic over point-to-multipoint and multipoint-to-multipoint networks that are the ways that IP networks are designed.
This new three-layer approach to the deployment of the IPSec includes the following functional components:
The PEPs are deployed at various points in the enterprise networks that need secure tunnels. Each PEP is associated with a number of network sets that define a collection of networks identified by their IP addresses and their subnets. A policy can be defined for the network sets associated with each PEP that protects those networks. The KAP could be configured with the policies from the MAP and distributes those policies and SAs to the PEPs. The KAP generates a single outbound key for each PEP policy and its associated network sets and distributes it securely to the PEPs. For those remote peer PEPs that key would become the inbound key. A KAP on each site can share its outbound keys with each KAP on the other sites for each policy. Each PEP network set can receive its pair of inbound and outbound keys per policy from its associated KAP. PEPs encrypt traffic using IPSec Encrypting Security Payload (ESP) from network to network.
Traffic through the PEPs is essentially the same as traffic through any other IPSec gateways except that on outbound traffic, the source and destination IP addresses are maintained from the original and unencrypted packet. In other words, the initial IP address is preserved from encryption.
Additional information about the details of the generation and distribution of security policies and encryption keys are incorporated by the following co-pending U.S. patent applications, all of which are assigned to CiperOptics, Inc., the assignee of the present application, and all of which are hereby incorporated by reference in their entirety:
U.S. Provisional Patent Application No. 60/756,765 entitled SECURING NETWORK TRAFFIC USING DISTRIBUTED KEY GENERATION AND DISSEMINATION OVER SECURE TUNNELS, filed Jan. 6, 2006, which describes how an IP header of an outgoing packet is copied into an outer header of an IPsec tunnel mode packet;
U.S. Provisional Patent Application No. 60/813,766 entitled SECURING NETWORK TRAFFIC BY DISTRIBUTING POLICIES IN A HIERARCHY OVER SECURE TUNNELS, filed Jun. 14, 2006, which describes how to distribute security policies using tunnels; and
U.S. Provisional Patent Application No. 60/837,410 entitled ENFORCING SECURITY GROUPS IN A NETWORK OF DATA PROCESSORS filed Aug. 11, 2006, which describes a service layer approach to implementing group security functions.
Deploying Group VPNs and Creating Security Groups
Leveraging this architecture for the generation and distribution of security policies and encryption keys, enterprise networks can deploy multiple Group VPNs inside their boundaries. A Group VPN provides a secure virtualized network for a given security group. Internal and/or external enterprise users and resources are logically partitioned based on their memberships to a security group. Network traffic within corporate LANs and between sites/hubs is protected within virtualized security groups. A security group defines networks that can be accessed by a certain type of clients and/or applications.
Security group types can include:
A client or an application can belong to more than one security group.
When identification of the security groups is established, security policies can be created, “per group,” by the MAP and distributed to the KAPs. Each KAP negotiates the encryption keys associated with the security group policies with its peer KAP. The KAP then distributes the keys to its associated PEPs.
Large enterprise networks covering multiple remote sites and/or distributed over multiple countries can use a network of distributed MAPs, such as one per site, instead of implementing a centralized MAP. In that case, administrator knowledge of the security group requirements can be limited to his or her site administration responsibilities.
Additional information about the details of the generation and distribution of security policies and encryption keys are contained in the patents incorporated by reference above.
Integrating Group VPN with Endpoint and Application Security
Network access of the members of a security group can leverage endpoint access control solutions. The client is authenticated via the LAN switching infrastructure, implementing the IEEE 802.1x and the Extensible Authentication Protocols (EAP) by the access control server using RADIUS or any other server authentication method.
If remediation is required, the client accesses the remediation server. When the client is allowed to access the network, its PEP receives its security group membership with its security policies and encryption keys from the MAP through the KAP. The PEP may be integrated to the client or be an external device.
A number of emerging technologies that does not require software agents at the client, such as virtual machines that can isolate clients, or extensions to Dynamic Host Configuration Protocol (DHCP) that can re-route client access to an isolated LAN, are other alternatives to client authentication using 802.1x and EAP.
Whether the authentication mechanism for the client requires a software agent for the client, as in the case with 802.1x and EAP, or no software agent, security groups can be used in both cases after client authentication has been performed to deliver its security policies and encryption keys to its PEP.
Security groups can also leverage other existing types of enterprise security policies for users, applications and any organizational groups that can be stored, for instance into LDAP servers. In that case, the MAP will just have to input the various members and their associations from that source.
The Group VPN infrastructure can be designed in conjunction with application access, client security access and any types of enterprise security policies defined for users and applications.
The foregoing will be apparent from the following more particular description of example embodiments of the invention, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale, emphasis instead is placed upon illustrating embodiments of the present invention.
A description of example embodiments of the invention follows.
The diagram in the top half of
Therefore, using IPSec with IKE for key generation alone does not enable a network 150 to be load-balanced or redundant. In other words, IKE cannot be used between four endpoints if the traffic is expected to be routed equally between each possible pair of endpoints as illustrated in the bottom half of
The only way to encrypt traffic between two networks, network A (100-A) and network B (100-B) as in
This could lead to the solution provided in
One layer provides the security policies that can be viewed as the management plane. Another layer provides the encryption keys that can be viewed as the control plane. Encryption keys are generated according to the security policies.
In the preferred architecture, the device providing the security policy is called a Management Authority Point (MAP) 200, whereas the device providing the encryption keys is called a Key Authority Point (KAP) 210.
The MAP 200 interfaces to the KAP 210 that interfaces itself to the PEP 120.
The KAP 210 can be redundant. All policies and keys can be securely stored and distributed. Policies for re-key can be clearly enabled. Each node (MAP, KAP and PEP) should be securely authenticated and authorized to accomplish its function.
Applying the concepts developed in
In
For each IP address or subnet connected to a PEP 120, policies are defined by the MAP 200 and distributed to the KAP 210. As defined in the IPSec standard, policies can be encryption, clear or drop policies.
Traffic through a PEP 120 is essentially the same as traffic through any other IPSec appliance, except that on outbound traffic the source and destination IP addresses can be copied from the original, unencrypted packet.
Now, assume that different remote IP addresses and subnets belong to one security group, and for that group, policies and keys are specific.
As an example,
Each member of a group uses the same outbound encryption keys generated and distributed by its local KAP 210. KAPs 210 exchange outbound keys between themselves, and distribute them to their PEPs 120 as described previously in
Security group knowledge is defined in the MAP 200 (which may be distributed or not) and shared between MAPs 200. Each MAP 200 knows in its site domain, the IP addresses and/or subnets that are part of a given security group. Therefore, each MAP 200 can trigger its associated KAPs 210 to exchange keys for any given security group with other KAPs 210 that have group members of the same security group.
Since encryption keys can be exchanged without knowledge of the physical location of group members, these Group VPNs scale quite well in networks with complex boundaries. In particular, Group VPNs can scale well for large enterprise networks with numerous remote sites and/or international sites where group member locations can change often, but where group membership changes less frequently.
Therefore, Group VPNs significantly reduce the complexity of the network design and management.
Security groups can accommodate various types of users, such as remote and external users, without any change to the overall architecture. Remote users can connect to their respective PEP 120 as if they were connected to their LANs. For instance, a KAP 210 could be dedicated to remote access clients.
External users can be prevented to have full network access inside the enterprise. External users can be a specific group and can have a protected connection to the Internet.
Ideally when deploying Group VPNs, network access are enforced since security policies and encryption keys must be giving to trusted points in the network. As shown in
801.1x requires a client software called supplicant. Most 802.1x implementations use RADIUS servers for authentication of user names and passwords. Generally, RADIUS servers communicate with enterprise LDAP directory servers 430 to allow the same user names and passwords to be used both for desktop and network access.
When a client user logs into an Ethernet switch, via 802.1x, the switch 270 communicates with the Network Access Control (NAC) server 410. The NAC server 410 routes that information to a RADIUS server 440 to check the user client credentials. When the RADIUS server authenticates the client, the NAC server 410 verifies that the client 140 is in sync with the security policies. If not, the client 140 is routed to the remediation server 420 to get the required software upgrades to meet the security policies.
The client user PEP 120 will need to acquire its security policies and encryption keys from its associated KAP 210 after the client 140 is given permission to access the network and acquire its IP address from a DHCP server (not shown). This is before they can send or receive data that needs encryption.
In order to achieve that, the RADIUS server and/or the enterprise LDAP directory server 430 will share the client security group user memberships. Both the NAC server 410 and the MAP 200 are also linked to provide the same security group memberships.
When the NAC server 410 allows the client 140 network access, it shall inform the MAP 200 so that the MAP 200 can trigger the KAP 210 to provide to the PEP 120 associated with the client user 140 the necessary encryption keys and the security policies.
Security groups can leverage other existing types of enterprise security policies for user and application access control for any functional and/or organizational groups that can be stored in enterprise LDAP directory servers 430. In that case, the MAP 200 will just have to input the various members and their associations for the application access control from the source, as its does for client network access control.
As shown in
As shown in
The Group VPN infrastructure can be designed in conjunction with application and client security access and any type of enterprise security policies defined for users and applications as proposed.
While this invention has been particularly shown and described with references to example embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the invention encompassed by the appended claims.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5237611 | Rasmussen et al. | Aug 1993 | A |
| 5577209 | Boyle et al. | Nov 1996 | A |
| 5898784 | Kirby et al. | Apr 1999 | A |
| 5940591 | Boyle et al. | Aug 1999 | A |
| 6035405 | Gage et al. | Mar 2000 | A |
| 6061600 | Ying | May 2000 | A |
| 6173399 | Gilbrech | Jan 2001 | B1 |
| 6275859 | Wesley et al. | Aug 2001 | B1 |
| 6330562 | Boden et al. | Dec 2001 | B1 |
| 6484257 | Ellis | Nov 2002 | B1 |
| 6556547 | Srikanth et al. | Apr 2003 | B1 |
| 6591150 | Shirota | Jul 2003 | B1 |
| 6658114 | Farn et al. | Dec 2003 | B1 |
| 6697857 | Dixon et al. | Feb 2004 | B1 |
| 6711679 | Guski et al. | Mar 2004 | B1 |
| 6823462 | Cheng et al. | Nov 2004 | B1 |
| 6915437 | Swander et al. | Jul 2005 | B2 |
| 6920559 | Nessett et al. | Jul 2005 | B1 |
| 6981139 | Enokida | Dec 2005 | B2 |
| 6986061 | Kunzinger | Jan 2006 | B1 |
| 7103784 | Brown et al. | Sep 2006 | B1 |
| 7373660 | Guichard et al. | May 2008 | B1 |
| 7509491 | Wainner et al. | Mar 2009 | B1 |
| 7594264 | Meyers et al. | Sep 2009 | B2 |
| 20020067725 | Oguchi et al. | Jun 2002 | A1 |
| 20020129271 | Stanaway et al. | Sep 2002 | A1 |
| 20020154782 | Chow et al. | Oct 2002 | A1 |
| 20020162026 | Neuman et al. | Oct 2002 | A1 |
| 20030135753 | Batra | Jul 2003 | A1 |
| 20030191937 | Balissat et al. | Oct 2003 | A1 |
| 20040005061 | Buer et al. | Jan 2004 | A1 |
| 20040044891 | Hanzlik et al. | Mar 2004 | A1 |
| 20040062399 | Takase | Apr 2004 | A1 |
| 20040160903 | Gai et al. | Aug 2004 | A1 |
| 20040210320 | Pandya | Oct 2004 | A1 |
| 20040268124 | Narayanan | Dec 2004 | A1 |
| 20050010765 | Swander et al. | Jan 2005 | A1 |
| 20050066159 | Poussa et al. | Mar 2005 | A1 |
| 20050125684 | Schmidt | Jun 2005 | A1 |
| 20050138369 | Lebovitz et al. | Jun 2005 | A1 |
| 20050149732 | Freeman et al. | Jul 2005 | A1 |
| 20050190758 | Gai et al. | Sep 2005 | A1 |
| 20060072748 | Buer | Apr 2006 | A1 |
| 20060072762 | Buer | Apr 2006 | A1 |
| 20060187942 | Mizutani et al. | Aug 2006 | A1 |
| 20060198368 | Guichard et al. | Sep 2006 | A1 |
| 20070186281 | McAlister | Aug 2007 | A1 |
| 20080040775 | Hoff et al. | Feb 2008 | A1 |
| 20080083011 | McAlister et al. | Apr 2008 | A1 |
| 20090100514 | Jin et al. | Apr 2009 | A1 |
| Entry |
|---|
| Frankel, S. “Demystifying the IPsec Puzzle,” Artech House, Ch. 5, pp. 87-127, Ch. 9, pp. 179-205 (2001). |
| International Search Report of the International Search Authority issued Jun. 17, 2008, in corresponding PCT Application No. PCT/US2007/020811, 2 pages. |
| International Preliminary Report on Patentability, with Written Opinion, issued on Mar. 31, 2009, in corresponding PCT Application No. PCT/US2007/020811, 7 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 20080127327 A1 | May 2008 | US |
