1. Field
The present application relates generally to communication security, and more particularly to computer-implemented security techniques for implementing a ghost/virtual network to protect a client network.
2. Background
The primary method of protecting a computer network from attack is a device called a firewall. The majority of modern firewalls protect a network by limiting which communication channels, or “ports”, outside users may use to connect to the protected network. A standard firewall performs no investigation of incoming communications beyond confirming that the message is addressed to an allowed or authorized port that the network administrator has left open for the use of visitors. Other ports are closed and no communication is allowed through them.
A common method of defeating this form of protection is to cloak attack data within packets addressed to an authorized port, so that the firewall, which examines only the port, allows the data to pass through to the network. The cloaked communication then reaches an unprotected application within the protected network and exploits weaknesses in the design of that application to carry out the intended abuse and/or damage.
Other, more powerful and expensive types of firewall go further in interrogating the incoming information; however, this is an expensive, time-consuming and highly customized application of firewall technology and, as a result, is not widely used on the Internet as a security method. Accordingly, there is a need for a network security system that overcomes the above-described disadvantages of firewalls and known communication security techniques.
In accordance with one or more embodiments and corresponding disclosure thereof, various aspects are described in connection with a method performed by a virtual entity (e.g., virtual computing device, processor, or application). The method may generally relate to generating and using a ghost or virtual duplicate of components (e.g., server(s) and/or application(s)) of a protected network to pre-screen data. The method may involve receiving a data packet (e.g., from a firewall). The method may involve running an inspection of the received data packet within a virtual network, the virtual network duplicating at least a portion of a protected network. The method may involve sending the inspected data packet (or portion and/or modified version thereof) to the protected network, in response to the data packet passing the inspection within the virtual network.
In related aspects, the protected network may comprise at least one protected server. The at least one protected server may comprise at least one protected application. The virtual network may comprise at least one virtual server, the at least one virtual server being a ghost of the at least one protected server. The at least one virtual server may comprise at least one virtual application, the at least one virtual application being a virtual duplicate of the at least one protected application.
In further related aspects, running the inspection may involve applying a pre-application security utility. In addition, or in the alternative, running the inspection may involve applying a post-application security utility. In yet further related aspects, the method may involve blocking passage of the data packet to the protected network, in response to the data packet failing the inspection.
In accordance with aspects of the embodiments described herein, there is provided a system for network security, comprising: a protected network comprising at least one protected server; and a virtual network comprising at least one virtual server. The at least one virtual server may be a ghost of the at least one protected server and may be configured to: receive a data packet; run an inspection of the received data packet; and send the inspected data packet to the protected network, in response to the data packet passing the inspection. In one embodiment, the virtual network is a virtual duplicate of the protected network. In another embodiment, the virtual network may include ghost(s) of a subset of the components (e.g., server(s) and/or application(s)) of the protected network.
To the accomplishment of the foregoing and related ends, one or more aspects comprise the features hereinafter fully described and particularly pointed out in the claims. The following description and the annexed drawings set forth in detail certain illustrative aspects and are indicative of but a few of the various ways in which the principles of the aspects may be employed. Other novel features will become apparent from the following detailed description when considered in conjunction with the drawings and the disclosed aspects are intended to include all such aspects and their equivalents.
Various embodiments are now described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of one or more embodiments. It may be evident, however, that such embodiment(s) can be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing one or more embodiments.
In existing network security devices such as firewalls, attempts to send information to a port that is not in use are thwarted by disabling that port on the firewall. This in turn limits access to the protected network to communications addressed to legitimate, existing applications. However, even this security measure may be defeated by cloaking damaging data inside seemingly legitimate packets of information, which the firewall passes and which thereby gain access to the client network environment behind it.
The embodiments described below present techniques for implementing a virtual network to protect a client/internal/secure/trusted/protected network. It is desirable that, for end-users, each of the network services has the appearance of working together seamlessly on one operating system residing on a single server. Such an outcome may be achieved by: emulating network engineering through software on a single appliance; and isolating each service in the platform individually, without affecting the performance or reliability of the service and without preventing communication with other “co-hosted” services within the appliance.
In accordance with aspects of the embodiments described herein, the network security techniques described herein may be deployed in a virtual network zone, which is analogous to a demilitarized zone. With reference to
In related aspects, the system 200 may treat the protected network 230 as alien and untrusted, but may be configured to work seamlessly with the protected network 230 over a Local Area Network (LAN) infrastructure or the like. Similarly, the virtual network 220 may be configured to have the same seamless capacity to work with multiple alien networks that may be located remotely (e.g., securely over the Internet). Therefore, the system is able to work bi-directionally, whereby traffic destined for the remote networks (including the Internet), public or otherwise, can be interrogated in the same manner as traffic destined for the protected network.
With reference to
The virtual network 330, optionally via a switching device 322 or the like, may be in communication with an internal firewall 340. The internal firewall 340 may be in communication with an internal secure/trusted network 350, optionally via a switching device 342 or the like. The protected network 350 may include one or more servers, wherein each server may include one or more applications, as explained in further detail below.
It is noted that the virtual network 330 is shown to be located in between the perimeter firewall 320 and the internal firewall 340 in the embodiment of
In accordance with aspects of the embodiments described herein, techniques are provided for addressing network security issues by producing a duplicate safe clone or ghost of the protected network and allowing intelligent system level interrogation of the incoming network requests and data to be executed before the request is passed on to the protected network, servers, and applications.
An advantage of this technique is that the data inspection and security utility 423, which inspects data before use by the application 424, and the utility 425, which inspects data after use by that application, can also be used by the ghost application 421, as its pre-application security utility 420 and post-application data security utility 422, on the ghost network 412 before the data is handed over for use by the application 424 on the protected network 416. The result is that powerful and well-maintained security and anti-hacking countermeasures (e.g., system hardening, bi-directional traffic filtering and scanning, reverse proxies, connection authorization, and/or service isolation) can be used to pre-screen data in a safe ghost network 412 environment before it enters the secure internal protected network 416.
It is noted that a ghost virtual network need not be a complete duplicate of the internal network it protects. In one embodiment, the virtual network may comprise one duplicate application on a single server or virtual server configured to pre-process incoming data or requests and verify the information before sending it on to the destination application.
It is further noted that a system 400 for network security may include a protected network 416 that comprises at least one protected server (e.g., servers 417, 418, and 419), as well as a virtual network 412 that comprises at least one virtual server (e.g., virtual servers 413, 414, and 415). The at least one virtual server (e.g., virtual servers 413, 414, and 415) may be a ghost of the at least one protected server (servers 417, 418, and 419, respectively) and may be configured to: receive a data packet (e.g., data 410); run an inspection of the received data packet; and send the inspected data packet to the protected network (e.g., internal network 416), in response to the data packet passing the inspection. In related aspects, the virtual network 412 may be a ghost or virtual duplicate of the protected network 416. The at least one virtual server may receive the data packet from a firewall or the like.
In further related aspects, the at least one protected server may comprise at least one protected application. The at least one virtual server may comprise at least one virtual application, the at least one virtual application being a virtual duplicate of the protected application. For example, the at least one virtual server may run the inspection by applying a pre-application security utility (e.g., intrusion detection/prevention, incoming packet filtering, or the like, or combinations thereof). In addition, or in the alternative, the at least one virtual server may run the inspection by applying a post-application security utility (e.g., outgoing packet filtering, service traffic control (e.g., email), or the like, or combinations thereof). In yet further related aspects, the at least one virtual server may block passage of the data packet to the protected network, in response to the data packet failing the inspection.
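The following Python program is an added illustration of the flow described above and in the Background section; it is not code from this application and does not represent the applicant's implementation. It models a port-only firewall that passes anything addressed to an open port, a ghost duplicate of a toy application seeded with disposable canary data, a pre-application security utility (encoding, size and grammar checks on the packet), a post-application security utility (checks on the ghost's response and on whether the ghost crashed), and forwarding to the protected copy only when both checks pass. The line protocol (`GET key` / `SET key value`), the `KVService` class and its wildcard weakness, the canary string and the sample packets are all constructed for this example.

```python
"""Ghost-network pre-screening of packets before they reach a protected service.

Added example; all services, data and packets below are constructed for
illustration and stand in for the components the text describes.
"""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass

ALLOWED_PORTS = {80}            # the only thing a port-only firewall examines
CANARY = "GHOST-CANARY-7f3a"    # hypothetical marker seeded into ghost-only data


@dataclass(frozen=True)
class Packet:
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Verdict:
    passed: bool
    reason: str


def port_firewall(pkt: Packet) -> bool:
    """Standard firewall of the Background section: port check, nothing else."""
    return pkt.dst_port in ALLOWED_PORTS


class KVService:
    """Toy line-protocol application ('GET key' / 'SET key value').

    Its design weakness, standing in for the 'unprotected application' of the
    Background section: GET matches keys with shell-style wildcards, so a
    cloaked 'GET *' dumps the whole store.
    """

    def __init__(self, store: dict[str, str]) -> None:
        self.store = dict(store)

    def handle(self, line: str) -> str:
        parts = line.split(" ")
        if parts[0] == "GET" and len(parts) == 2:
            hits = {k: v for k, v in self.store.items()
                    if fnmatch.fnmatchcase(k, parts[1])}
            return "\n".join(f"{k}={v}" for k, v in sorted(hits.items())) or "NOTFOUND"
        if parts[0] == "SET" and len(parts) == 3:
            self.store[parts[1]] = parts[2]
            return "OK"
        return "ERR"


# Constructed grammar of the legitimate protocol: one command per packet.
GRAMMAR = re.compile(r"^(GET \S{1,64}|SET \S{1,64} \S{1,256})$")


def pre_application_utility(pkt: Packet) -> Verdict:
    """Incoming packet filtering, run before the ghost application sees the data."""
    if len(pkt.payload) > 512:
        return Verdict(False, "oversized payload")
    try:
        line = pkt.payload.decode("ascii")
    except UnicodeDecodeError:
        return Verdict(False, "non-ASCII payload on a text protocol")
    if not line.isprintable():          # CR/LF, ESC, NUL: a smuggled second command
        return Verdict(False, "control characters in payload")
    if not GRAMMAR.match(line):
        return Verdict(False, "payload does not match protocol grammar")
    return Verdict(True, "ok")


def post_application_utility(response: str) -> Verdict:
    """Outgoing filtering applied to what the ghost application produced."""
    if CANARY in response:
        return Verdict(False, "request extracted ghost-only canary data")
    if len(response) > 1024:
        return Verdict(False, "response larger than any legitimate reply")
    return Verdict(True, "ok")


class GhostNetwork:
    """Virtual duplicate of one protected application, seeded with throwaway
    state. Every packet is inspected against a fresh clone of that seed, so a
    request that corrupts the ghost cannot taint the next inspection or the
    protected copy."""

    def __init__(self, ghost_seed: dict[str, str], protected: KVService) -> None:
        self.seed = dict(ghost_seed)
        self.protected = protected
        self.blocked: list[tuple[Packet, str]] = []

    def inspect(self, pkt: Packet) -> Verdict:
        verdict = pre_application_utility(pkt)
        if not verdict.passed:
            return verdict
        ghost = KVService(self.seed)                    # disposable clone
        try:
            response = ghost.handle(pkt.payload.decode("ascii"))
        except Exception as exc:                        # a crashed ghost is a fail
            return Verdict(False, f"ghost application raised {type(exc).__name__}")
        return post_application_utility(response)

    def forward(self, pkt: Packet) -> str | None:
        """Hand the packet to the protected application only if it passed."""
        verdict = self.inspect(pkt)
        if not verdict.passed:
            self.blocked.append((pkt, verdict.reason))
            return None
        return self.protected.handle(pkt.payload.decode("ascii"))


def demo() -> dict[str, str | None]:
    """Run constructed packets through firewall, then ghost, then protected app."""
    protected = KVService({"user:alice": "alice@example.test",
                           "secret:db_password": "real-password"})
    ghost = GhostNetwork({"user:alice": "alice@example.test",
                          "secret:db_password": CANARY}, protected)
    packets = {
        "legit": Packet(80, b"GET user:alice"),
        "wildcard_dump": Packet(80, b"GET *"),                     # passes the firewall
        "smuggled_command": Packet(80, b"GET user:alice\r\nSET secret:db_password pwned"),
        "wrong_port": Packet(23, b"GET user:alice"),
    }
    results: dict[str, str | None] = {}
    for name, pkt in packets.items():
        results[name] = ghost.forward(pkt) if port_firewall(pkt) else None
    return results
```

The point the example makes is the one the text makes: `wildcard_dump` and `smuggled_command` are both addressed to port 80 and so pass `port_firewall` unchanged, and only the ghost, by actually executing the request against a duplicate and inspecting what came out, stops them before the protected store is touched.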
In view of exemplary systems shown and described herein, methodologies that may be implemented in accordance with the disclosed subject matter, will be better appreciated with reference to various flow charts. While, for purposes of simplicity of explanation, methodologies are shown and described as a series of acts/blocks, it is to be understood and appreciated that the claimed subject matter is not limited by the number or order of blocks, as some blocks may occur in different orders and/or at substantially the same time with other blocks from what is depicted and described herein. Moreover, not all illustrated blocks may be required to implement methodologies described herein. It is to be appreciated that functionality associated with blocks may be implemented by software, hardware, a combination thereof or any other suitable way (e.g., device, system, process, or component). Additionally, it should be further appreciated that methodologies disclosed throughout this specification are capable of being stored on an article of manufacture to facilitate transporting and transferring such methodologies to various devices. Those skilled in the art will understand and appreciate that a methodology could alternatively be represented as a series of interrelated states or events, such as in a state diagram.
In accordance with one or more aspects of the embodiments described herein, there is provided a method for network security. With reference to
In related aspects, the protected network may comprise at least one protected server. The at least one protected server may comprise at least one protected application. The virtual network may comprise at least one virtual server, the at least one virtual server being a ghost of the at least one protected server. The at least one virtual server may comprise at least one virtual application, the at least one virtual application being a virtual duplicate of the at least one protected application.
With reference to
In accordance with one or more aspects of the embodiments described herein, there are provided devices and apparatuses for executing the pre-screening of data, as described above with reference to
As illustrated, in one embodiment, the apparatus 700 may comprise an electrical component or module 702 for receiving a data packet. The apparatus 700 may comprise an electrical component 704 for running an inspection of the received data packet within a virtual network, the virtual network duplicating at least a portion of a protected network. The apparatus 700 may comprise an electrical component 706 for sending the inspected data packet (or portion and/or modified version thereof) to the protected network, in response to the data packet passing the inspection within the virtual network.
In related aspects, the apparatus 700 may optionally include a processor component 710 having at least one processor, in the case of the apparatus 700 configured as a computing network entity, rather than as a processor. The processor 710, in such case, may be in operative communication with the components 702-706 via a bus 712 or similar communication coupling. The processor 710 may effect initiation and scheduling of the processes or functions performed by electrical components 702-706.
In further related aspects, the apparatus 700 may include a communication component 714 (e.g., an Ethernet interface module, radio transceiver module, etc.). The apparatus 700 may include a component for storing information, such as, for example, a memory device/component 716. The computer readable medium or the memory component 716 may be operatively coupled to the other components of the apparatus 700 via the bus 712 or the like. The memory component 716 may be adapted to store computer readable instructions and data for effecting the processes and behavior of the components 702-706, and subcomponents thereof, or the processor 710, or the methods disclosed herein. The memory component 716 may retain instructions for executing functions associated with the components 702-706. While shown as being external to the memory 716, it is to be understood that the components 702-714 can exist within the memory 716.
It is understood that the specific order or hierarchy of steps in the processes disclosed is an example of exemplary approaches. Based upon design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged while remaining within the scope of the present disclosure. The accompanying method claims present elements of the various steps in a sample order, and are not meant to be limited to the specific order or hierarchy presented.
Those of skill in the art would understand that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
The various illustrative logical blocks, modules, and circuits described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices.
In one or more exemplary embodiments, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, includes Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and Blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
This application claims the benefit of U.S. Provisional Application No. 61/265,196, entitled “Method for Digital Communication Security Using Computer Systems,” filed Nov. 30, 2009, which is hereby expressly incorporated in its entirety by reference herein.
Number | Date | Country
---|---|---
61265196 | Nov 2009 | US