The field of the present disclosure relates generally to firewalls, and more particularly, to systems, devices and methods of a container based application proxy firewall.
Some traditional application firewall systems may provide forward proxying or reverse proxying. A forward proxy routes internal queries or communications from an internal client out to the internet and a reverse proxy routes external internet queries to an internal application server. For example, some web application firewalls (WAF) may provide a HTTPS proxy with some content inspection (e.g., JSON), where most only do reverse proxying. Additionally, most firewalls that do forward proxying can proxy HTTPS, but do not provide for JSON inspection parsing.
It would be desirable to provide systems and methods for efficient and versatile application proxy firewalls.
In one aspect, an embodiment of the present disclosure relates to a method including method including receiving, during a development of a container based application proxy firewall system, application source code for an application; analyzing, during the development of the container based application proxy firewall system, the source code to determine a data flow for the application; generating, during the development of the container based application proxy firewall system, inspection rules for a application specific proxy firewall; and incorporating the generated inspection rules into the application specific proxy firewall system.
In other embodiments, a system including a processor may execute a process disclosed herein. In yet another example embodiment, a tangible medium may embody executable instructions that can be executed by a processor-enabled device or system to implement at least some aspects of the systems and applications of the present disclosure.
These and other features, aspects, and advantages of the present disclosure will become better understood when the following detailed description is read with reference to the accompanying drawings in which like characters represent like parts throughout the drawings, wherein:
Unless otherwise indicated, the drawings provided herein are meant to illustrate features of embodiments of this disclosure. These features are believed to be applicable in a wide variety of systems comprising one or more embodiments of this disclosure. As such, the drawings are not meant to include all conventional features known by those of ordinary skill in the art to be required for the practice of the embodiments disclosed herein.
In the following specification and the claims, a number of terms are referenced that have the following meanings.
The singular forms “a”, “an”, and “the” include plural references unless the context clearly dictates otherwise.
“Optional” or “optionally” means that the subsequently described event or circumstance may or may not occur, and that the description includes instances where the event occurs and instances where it does not.
In some aspects, proxy application 120 (and similar proxy applications) may be characterized as being run as a normal application. As such, proxy application 120 can see everything on the host 105. In mandatory access control terms, proxy application 120 is a privileged guard process and is able to violate integrity rules. In some regards, since proxy application 120 performs all of the complex tasks and functions such as content inspection, logging, and forwarding, its implementation may require a rather large and complex program (e.g., 300K lines of code). For such a large program, it may be difficult to trace, inspect, and log all data flow paths managed by the application. Furthermore, monolithic proxy application 120 may act as a single point of failure, where a compromise of the proxy application might result in the system 100 being at risk or otherwise compromised (e.g., without firewall protection).
Outside container module 215 operates to connect and communicate only with outside network 235. Inside container module 220 only connects and communicates with inside network 230. Inspector module 220 runs in its own container and provides a data path between inside container module 220 and outside container module 215. In some embodiments, inspector module 225 may provide the only data path between outside container module 215 and inside container module 220. Inspector module 225 may provide a single point of inspection for application proxy firewall 210.
In some embodiments, inspector module 225, inside container module 220, and outside container module 215 may be at least one of deployable and configurable within a common or same application. In some embodiments, each of the inspector module 225, inside container module 220, and outside container module 215 are at least one of being deployable and configurable deployed in an application, independent of the other modules (i.e., different programs). In some embodiments, the modularized containers may be reused in combination with other module container implementations to form an application proxy firewall suitably compatible with internal and external networks and devices, as well as multiple different protocols. In some aspects, the modular container components comprising an application proxy firewall disclosed herein may be individually customized to interface with other module containers (i.e., inside container module, outside container module, and inspector module), resources, devices, and network as needed to effectively interface with such other entities.
In some aspects, application proxy firewall 210 may be simpler, easier, and more efficient to implement than, for example, traditional monolithic application firewalls. In some aspects, instead of one large application proxy firewall 210 (e.g., 300K lines of code) each of outside container module 215, inside container module 220, and inspector module 225 may independently operate within its own container. By executing within its own container, each of outside container module 215, inside container module 220, and inspector module 225 may be isolated from each other, as well as from other processes operating of platform 205.
In some embodiments, isolation between outside container module 215, inside container module 220, and inspector module 225 may facilitate improved verification as compared to a traditional proxy application (e.g.,
As a further example, outside container 215 may only communicate with outside network 235 and cannot communicate with the inside network. Accordingly, even if outside container module 215 is somehow compromised, platform 205 or other containerized modules 220 and 225 will not be compromised since the outside(inside) container module cannot talk/communicate directly with inside(outside) container module. In some aspects, if outside container module 215 is corrupted by an attack from outside network 235, outside container module 215 cannot see any inside traffic (via inside container module 220) or otherwise compromise any other processes running on platform 205.
In some embodiments, there is a directed path of point-to-point connections from inside container module 220 to inspector module 225 and a directed path of point-to-point connections from inspector module 225 to outside container module 215.
In some embodiments, all data is communicated through inspector module 225. In some embodiments, the only way to get data in or out of the platform 205 is through inspector 225.
In some embodiments, in mandatory access control terms, only inspector module 225 of proxy application 210 is a privileged guard process, able to violate integrity rules. In some aspects, constraints of the inspector module's container might limit its ability to violate integrity rules and other aspects. In some embodiments, data flows in the individual containerized modules comprising container based application proxy firewalls such as proxy application 210 might be detected, logged, and/or inspected more efficiently and/or easier as compared to a traditional monolithic application proxy firewall. In some embodiments, a compromise (e.g., bug, fault, attack., etc.) of any one or more of the outside container module 215, inside container module 220, and inspector module 225 can be fully contained within the compromised container module.
In some use-cases and operational environments, there may be one or more security requirements applicable to application communications. In some environments, such as but not limited to, power plant control management systems and other business use-cases, there may be requirement(s) that all application communications going to or from a platform's controllers and other devices to external network(s) and device(s) be inspected and filtered. The firewall must proxy all applications with content inspection on all inbound and outbound communications. Some requirements might specify that a firewall must proxy and inspect all such traffic, and be able to log, alert, block, and potentially modify the data (e.g., outbound data might be modified for transparent redirection to local resource(s)). In some embodiments, application proxy firewalls herein may also be configured to be operable to provide traditional packet level filtering, notwithstanding any additional functionalities disclosed herein for some embodiments.
In some embodiments, an application-level proxy firewall is provided that includes an ability for an operator (or other entity) to monitor interactive proxied connections. In some embodiments such as the example container based application proxy firewall 210 of
A developer of the outside and inside applications will be knowledgeable of the types (e.g., format, protocol, etc.) of the data generated and/or used by the inside and outside applications at the application level. In some instances, a single entity may be the developer of both the inside and outside containers. Such a developer might provide outside and inside application(s) in an effort to, for example, support or provide an “end-to-end” solution to a particular business, environment, or use-case. For example, having developed the inside and/or outside applications, the developer may know that there are 100 different permissible messages and each message confirms to a standard format. Accordingly, the developer will know that valid messages will conform to the specific format (i.e., the developer has knowledge of the communication requirements of the inside and outside applications). Therefore, the developer can create a “whitelist” of legal or permissible message or data types for a corresponding application specific proxy.
In some embodiments, an inspecting module may be created based on knowledge of developed inside and outside applications. Knowing the requirements of the inside and outside applications, one can understand the types of communication data flows that are compatible with the developed applications. In accordance with some embodiments herein, an automated process and system is provided to analyze an application and create a compatible corresponding proxy container in a containerized proxy firewall.
Referring to the illustrative schematic block diagram of
Apparatus 400 includes processor 405 operatively coupled to communication device 415 to communicate with other systems, data storage device 430, one or more input devices 410 to receive inputs from other systems and entities, one or more output devices 420 and memory 425. Communication device 415 may facilitate communication with other systems and components, such as other external computational assets and data. Input device(s) 410 may comprise, for example, a keyboard, a keypad, a mouse or other pointing device, a microphone, knob or a switch, an infra-red (IR) port, a docking station, and/or a touch screen. Input device(s) 410 may be used, for example, to enter information into apparatus 400. Output device(s) 420 may comprise, for example, a display (e.g., a display screen) a speaker, and/or a printer.
Data storage device 430 may comprise any appropriate persistent storage device, including combinations of magnetic storage devices (e.g., magnetic tape, hard disk drives and flash memory), solid state storages device, optical storage devices, Read Only Memory (ROM) devices, Random Access Memory (RAM), Storage Class Memory (SCM) or any other fast-access memory. Data storage device 430 might store speech pattern profiles.
Program 435 may comprise program instructions executed by processor 405 to cause apparatus 400 to perform any one or more of the processes described herein, including but not limited to aspects of the container based application proxies disclosed herein. Processing logic 435 may be used for controlling processor 405. Embodiments herein are not limited to execution of these processes by a single apparatus.
Data 440 (either cached or a full database) may be stored in volatile memory such as memory 425. Data storage device 430 may also store data and other program code for providing additional functionality and/or which are necessary for operation of apparatus 400, such as device drivers, operating system files, etc. Data 440 may include data related different protocols.
Although specific features of various embodiments of the disclosure may be shown in some drawings and not in others, this is for convenience only. In accordance with the principles of the disclosure, any feature of a drawing may be referenced and/or claimed in combination with any feature of any other drawing.
This written description uses examples to disclose the embodiments, including the best mode, and also to enable any person skilled in the art to practice the embodiments, including making and using any devices or systems and performing any incorporated methods. The patentable scope of the disclosure is defined by the claims, and may include other examples that occur to those skilled in the art. Such other examples are intended to be within the scope of the claims if they have structural elements that do not differ from the literal language of the claims, or if they include equivalent structural elements with insubstantial differences from the literal language of the claims.