This invention pertains to network security, and more particularly to establishing a uniform security policy.
As computers become a more and more important part of our lives, the security of the computers becomes increasingly important. All too often, news reports describe the vulnerability of computers in one form or another. Between hackers breaking into “secure” computers, virus alerts, and warnings about newly discovered vulnerabilities in computer operating systems, computer security is kept in the public eye.
To help address security issues, many security devices have become commonplace in computer networks. Businesses have awakened to the need for firewalls, intrusion detection systems, virus scanning software and logging/monitoring devices (the last item used to analyze an attack on the corporate network after the immediate threat has been addressed). And with the increasing concern about employees using business computers for non-business tasks, employers are also using proxy servers. Proxy servers watch outgoing traffic and block inappropriate activities (such as visits to offensive web sites, or the use of software, such as Java or ActiveX, that should not be used).
But the way a security policy is implemented on these security devices is somewhat haphazard. Policy is set at the top of the corporate pyramid, and propagated downward to the persons who manage the various security devices. Each security device receives its own programming to define the security policy as it is to be enforced by the individual security device. There is no coordination between the various security devices to ensure that all the holes are filled. And while there are firewalls capable of providing inputs to other firewalls (expecting different inputs), these are a special case.
An additional problem arises with devices that may be taken outside the corporate network. An employee may use a computer outside the network (such as a laptop computer supplied by the company, the employee's home computer, or wireless devices, such as Personal Digital Assistants (PDAs)) to access the corporate network from outside. There is currently no way for the corporate security policy to be enforced with respect to mobile devices. For example, although corporate policy may dictate that ActiveX be disabled in computer browsers, the user on the remote computer may enable ActiveX with a few simple commands. And since the remote computer connects to the Internet without going through the corporate proxy server, this violation of the corporate policy may not be detected.
A need remains for a way to address these and other problems associated with the prior art.
Workstations 105 connect to internal server 110. Internal server 110 stores information available within the corporate network. For example, internal server 110 may store corporate web sites not available to the general public via the Internet, or corporate data. A person skilled in the art will recognize other types of data that may be stored on internal server 110.
To access data outside the corporate network, users at workstations 105 connect to proxy server 115, which in turn connects with network 125. Proxy server 115 is responsible for determining that data requests are appropriate for devices within the corporate network. For example, proxy server 115 may block a request to access a web site with inappropriate content. Or proxy server 115 may determine that workstation 105 is set to use ActiveX, contrary to corporate policy, and to block the ActiveX objects on the web site from running. A person skilled in the art will recognize other functions that proxy server 115 may perform.
One function that proxy server 115 may perform is logging communications between workstations 105 and sites outside the corporate network. The log may then be used to review corporate workstation use, to determine if any of the corporate workstations have been used for purposes outside the scope of an employee's duties. Logging/monitoring device 120 is responsible for logging the communications. Logging/monitoring device 120 may be implemented as software within proxy server 115, or it may be a separate component of the corporate network security system.
Protecting the corporate network from outside attack are firewall 130 and intrusion detection system 135. Firewall 130 is responsible for filtering data requests coming from outside the corporate network. Intrusion detection system 135 is responsible for monitoring the corporate network for probes by hackers, and for stopping attacks if possible.
Opening a door in the corporate security policy for legitimate users, server 140 is responsible for receiving incoming requests for communication. Server 140 may receive requests for communication via a direct dial-up (i.e., a direct telephone line connects to server 140, which legitimate users may dial to directly connect to the corporate network). Server 140 may also be configured to process requests to open a Virtual Private Network (VPN) between the corporate network and a device connected to network 120. A person skilled in the art will recognize other ways in which server 140 may be configured to permit legitimate communication with the corporate network. For example, server 140 may be configured to process wireless communications from outside the corporate network.
Assisting server 140 in enforcing corporate security policy is remote system security controller (RSSC) 145. RSSC 145 is responsible for determining that outside devices granted access to the corporate network are properly configured to enforce the corporate security policy. The operation of RSSC 145 will be discussed further with reference to
When a device outside the corporate network wants to access data within the corporate network, server 140 receives the request for a connection. In
Once server 140 has received the request, server 140 may authenticate the request. This typically involves receiving from the user a login identification and password, but a person skilled in the art will recognize other ways in which authentication may be performed. Authentication may also be skipped, if desired. If the user requesting the connection is unable to authenticate himself, server 140 denies the connection request without further ado.
If the user is authenticated, then server 140 interrogates the remote device to determine if the remote device includes the remote system security agent (RSSA). The RSSA is responsible for configuring the security of the remote device, and works in coordination with RSSC 145. If the RSSA is not present, then server 140 denies the connection request. Otherwise, server 140 passes control to RSSC 145 to ensure that the remote device is properly configured to maintain the security of the corporate network, according to the established security policy.
Although
Once defined, policy database 205 may include security definitions that apply to many security devices. It is the job of translator/filter 210 to separate policy database 205 into separate files for each individual security device in the corporate network. Translator/filter 210 scans policy database 205 and eliminates any entries not pertinent to the particular security device. This is also discussed further with reference to
Translator/filter 210 may also translate from the language in which policy database 205 is stored into a language understood by the individual security devices. The individual security devices may understand languages with different semantics and syntaxes. Translator/filter 210 is designed to “speak” the language of the individual security devices and to translate policy database 205 into the various languages.
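The filter and translate steps described above, as an added illustration that is not code from the patent: a single policy database is first reduced to the entries pertinent to one device type, then rendered in that device's own syntax. The policy entry format, the device types (firewall, proxy, logger) and the three output dialects are assumptions; note that a device type with no translator is refused rather than silently skipped.

```python
"""Central policy database, split and translated per security device.

Added illustration, not code from the patent: the policy entry format,
the device types and the three output dialects are assumptions.
"""
import json
from dataclasses import dataclass, field


@dataclass
class PolicyEntry:
    name: str                 # human-readable rule name
    applies_to: set           # device types this entry concerns
    settings: dict = field(default_factory=dict)


# Constructed sample policy database (the policy "at the top of the pyramid").
POLICY_DB = [
    PolicyEntry("block_inbound_telnet", {"firewall"},
                {"action": "deny", "direction": "in", "port": 23}),
    PolicyEntry("disable_activex", {"proxy", "browser"}, {"activex": False}),
    PolicyEntry("block_java", {"proxy", "browser"}, {"java": False}),
    PolicyEntry("log_outbound_http", {"proxy", "logger"}, {"log": True, "port": 80}),
]


def filter_for_device(policy_db, device_type):
    """Filter step: drop every entry not pertinent to this device type."""
    return [e for e in policy_db if device_type in e.applies_to]


# Translation step: one renderer per device "language" (all three dialects assumed).
def render_firewall(entry):
    s = entry.settings
    return f"{s['action']} {s['direction']} proto tcp port {s['port']}"


def render_proxy(entry):
    lines = [f"[{entry.name}]"]
    lines += [f"{k}={str(v).lower()}" for k, v in entry.settings.items()]
    return "\n".join(lines)


def render_logger(entry):
    return json.dumps({"rule": entry.name, **entry.settings}, sort_keys=True)


DIALECTS = {"firewall": render_firewall, "proxy": render_proxy, "logger": render_logger}


def translate(policy_db, device_type):
    """Filter, then translate; refuse device types the translator cannot speak."""
    if device_type not in DIALECTS:
        raise ValueError(f"no translator for device type {device_type!r}")
    renderer = DIALECTS[device_type]
    return [renderer(e) for e in filter_for_device(policy_db, device_type)]


def build_device_files(policy_db):
    """One configuration text per device type, derived from the single policy database."""
    return {dev: "\n".join(translate(policy_db, dev)) for dev in DIALECTS}


if __name__ == "__main__":
    for dev, text in build_device_files(POLICY_DB).items():
        print(f"--- {dev} ---\n{text}")
```

Keeping the policy in one device-neutral form and deriving every device file from it is what closes the coordination gap: a browser entry such as `disable_activex` reaches the proxy and the browser from the same record, so neither can be configured differently by hand.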
For example, translator/filter 210 is shown in
Notice also that in
In
As shown in
RSSC 145 begins by interrogating remote device 150 for the security tools installed in remote device 150, as shown by arrow 425. The remote device responds with the list of installed security tools, as shown by arrow 430. This exchange serves two purposes. First, it enables RSSC 145 to know whether remote device 150 has the necessary tools to comply with the corporate security policy. Second, it lets RSSC 145 know the “language” of the tools used by remote device 150 to enforce security, so that RSSC 145 may translate the security settings into a language understood by the tools.
If remote device 150 lacks a required security tool (for example, if remote device 150 does not have firewall 420 installed), RSSC 145 may deny the connection request. Otherwise, RSSC 145 may send updates to the installed tools, as shown by arrow 435. To accomplish this, RSSC 145 includes translator/filter 440. Translator/filter 440 operates very similarly to translator/filter 205 of
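The admission procedure from the authentication step through the RSSC's tool interrogation (arrows 425 to 435), as one added example that is not the patent's code: the server authenticates the user, confirms the remote system security agent is present, then the RSSC asks the agent for its installed tools, denies the connection when a required tool is missing, and otherwise pushes settings for the tools that are present. The credential store, the required-tool list, the per-tool settings and the inventory format are constructed assumptions.

```python
"""Remote-connection admission: authenticate, confirm the RSSA, then let the
RSSC interrogate the device's security tools before admitting it.

Added illustration, not code from the patent. The credential store, the
required tools, the settings pushed and the inventory format are assumptions.
"""
import hashlib
import hmac

# Constructed credential store: username -> SHA-256 of the password.
# Demonstration only; a real deployment would use a salted password hash.
CREDENTIALS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

# Tools the corporate policy requires on every remote device (assumed).
REQUIRED_TOOLS = {"firewall", "virus_scanner"}

# Per-tool settings the RSSC pushes once the device is admitted (constructed).
TOOL_SETTINGS = {
    "firewall": {"inbound_default": "deny"},
    "virus_scanner": {"realtime": True},
    "browser": {"activex": False, "java": False},
}


class RemoteDevice:
    """Stand-in for remote device 150; has_agent=False models a device without the RSSA."""

    def __init__(self, has_agent, tools):
        self.has_agent = has_agent
        self.tools = dict(tools)   # tool name -> version string
        self.applied = {}          # settings the RSSA has applied

    def rssa_inventory(self):
        # arrow 430: the RSSA reports the installed security tools
        return dict(self.tools)

    def rssa_apply(self, updates):
        # the RSSA configures the tools it has; updates for absent tools are ignored
        for tool, settings in updates.items():
            if tool in self.tools:
                self.applied[tool] = settings


def authenticate(username, password):
    expected = CREDENTIALS.get(username)
    if expected is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, expected)


def rssc_admit(device, required=REQUIRED_TOOLS, settings=TOOL_SETTINGS):
    """RSSC step: interrogate (arrow 425), check required tools, push updates (arrow 435)."""
    inventory = device.rssa_inventory()
    missing = required - set(inventory)
    if missing:
        return False, f"denied: missing required tools {sorted(missing)}"
    updates = {tool: s for tool, s in settings.items() if tool in inventory}
    device.rssa_apply(updates)
    return True, f"admitted: updated {sorted(updates)}"


def handle_connection_request(username, password, device):
    """Server 140's sequence: authenticate, require the RSSA, then defer to the RSSC."""
    if not authenticate(username, password):
        return False, "denied: authentication failed"
    if not device.has_agent:
        return False, "denied: remote system security agent not present"
    return rssc_admit(device)


if __name__ == "__main__":
    laptop = RemoteDevice(True, {"firewall": "2.1", "virus_scanner": "7.0", "browser": "5"})
    print(handle_connection_request("alice", "correct horse", laptop))
    print(handle_connection_request("alice", "correct horse", RemoteDevice(True, {"browser": "5"})))
```

The order of the checks matters: the tool inventory is only requested from a device that has already authenticated and reported an agent, so an unauthenticated peer learns nothing about which tools the policy requires.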
As shown,
As discussed above with reference to
One benefit of centralized policy control is the capability to update the policy database based on feedback from the various devices enforcing the policy.
Although the term “security alert” suggests that the individual devices only provide feedback when someone is attempting to circumvent the policy, a person skilled in the art will recognize that the individual devices can issue any type of feedback to centralized security manager 715. For example, an individual security device might receive an update from an external site regarding the general programming of the individual security device, which might impact the network policy.
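The feedback loop described in the two paragraphs above, as an added example that is not the patent's code: a centralized manager folds device feedback into the policy database and reports which devices need a refreshed policy file. It handles both feedback kinds the text names, a security alert and a device's own program update. The confirmation threshold (a source is blocked network-wide only after repeated reports), the feedback message layout and the address 203.0.113.7 are constructed assumptions.

```python
"""Feedback from the enforcing devices into the central policy database.

Added illustration, not the patent's code: the feedback kinds, the
confirmation threshold and the address 203.0.113.7 are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

ALERT_THRESHOLD = 3   # assumed: a single alert does not rewrite network-wide policy


@dataclass
class Feedback:
    device: str    # name of the reporting security device
    kind: str      # "security_alert" or "program_update"
    detail: dict


@dataclass
class PolicyDatabase:
    devices: dict = field(default_factory=dict)          # device name -> device type
    entries: dict = field(default_factory=dict)          # rule name -> {"applies_to", "settings"}
    device_versions: dict = field(default_factory=dict)  # device name -> reported program version
    alert_counts: Counter = field(default_factory=Counter)
    version: int = 0

    def devices_of_type(self, types):
        return {name for name, kind in self.devices.items() if kind in types}


def apply_feedback(db, fb):
    """Fold one feedback message into the database.

    Returns the set of devices that must be sent a refreshed policy file.
    """
    if fb.kind == "security_alert":
        src = fb.detail["source"]
        db.alert_counts[src] += 1
        name = f"block_source_{src}"
        if db.alert_counts[src] < ALERT_THRESHOLD or name in db.entries:
            return set()          # not yet confirmed, or already part of the policy
        db.entries[name] = {"applies_to": {"firewall"},
                            "settings": {"action": "deny", "source": src}}
        db.version += 1
        return db.devices_of_type(db.entries[name]["applies_to"])
    if fb.kind == "program_update":
        # The device's own programming changed; record the version so the
        # translator can re-emit the policy in the dialect it now understands.
        db.device_versions[fb.device] = fb.detail["version"]
        return {fb.device}
    raise ValueError(f"unknown feedback kind {fb.kind!r}")


if __name__ == "__main__":
    db = PolicyDatabase(devices={"fw1": "firewall", "fw2": "firewall", "proxy1": "proxy"})
    alert = Feedback("ids1", "security_alert", {"source": "203.0.113.7"})
    for _ in range(ALERT_THRESHOLD):
        print(apply_feedback(db, alert))
    print(apply_feedback(db, Feedback("proxy1", "program_update", {"version": "4.2"})))
```

The returned device set is the hand-off to the translator/filter: only the devices whose type the changed entry applies to are re-sent a policy file, so a firewall-only change does not churn the proxy or logger configurations.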
A person skilled in the art will recognize that an embodiment of the invention described above may be implemented using a computer. In that case, the method is embodied as instructions that comprise a program. The program may be stored on computer-readable media, such as floppy disks, optical disks (such as compact discs), or fixed disks (such as hard drives). The program may then be executed on a computer to implement the method.
Having illustrated and described the principles of the invention in an embodiment thereof, it should be readily apparent to those skilled in the art that the invention may be modified in arrangement and detail without departing from such principles. All modifications coming within the spirit and scope of the accompanying claims are claimed.
Number | Date | Country
---|---|---
20040064727 A1 | Apr 2004 | US