NETWORK SECURITY

Information

  • Patent Application
  • 20230300175
  • Publication Number
    20230300175
  • Date Filed
    August 06, 2021
  • Date Published
    September 21, 2023
Abstract
There is provided a network node coordinator system. Communication circuitry communicates, via a network, with one or more network nodes. Receive circuitry receives a global policy that describes a security policy to be applied across the network. Policy processing circuitry specialises the global policy and produces, for each of the one or more network nodes, an associated local policy specific to that network node. Transmit circuitry transmits, to each of the one or more network nodes, the associated local policy specific to that network node.
Description
Claims
  • 1. A network node coordinator system comprising: communication circuitry to communicate, via a network, with one or more network nodes; receive circuitry configured to receive a global policy that describes a security policy to be applied across the network; policy processing circuitry to specialise the global policy and to produce, for each of the one or more network nodes, an associated local policy specific to that network node; and transmit circuitry configured to transmit, to each of the one or more network nodes, the associated local policy specific to that network node.
  • 2. The network node coordinator system according to claim 1, wherein the associated local policy for each network node in the one or more network nodes indicates a security policy in respect of communications between one or more execution environments that are configured to execute on that network node and the network.
  • 3. The network node coordinator system according to claim 1, comprising: registration circuitry to perform registration of a new execution environment that has started execution on one of the network nodes in response to a notification received by the receive circuitry, wherein in response to the registration, the policy processing circuitry specialises the global policy to reproduce, for each of the one or more network nodes, the associated local policy specific to that network node, and causes the transmit circuitry to retransmit, to each of the one or more network nodes, the associated local policy specific to that network node.
  • 4. The network node coordinator system according to claim 3, wherein in response to the registration when the global policy omits behaviour of the new execution environment, the policy processing circuitry is configured to produce the associated local policy for at least one of the network nodes on which the execution environment is located in which traffic from the new execution environment to the network is blocked.
  • 5. The network node coordinator system according to claim 1, wherein the global policy is written in a Domain Specific Language.
  • 6. The network node coordinator system according to claim 1, wherein the one or more network nodes are first-class entities in the global policy.
  • 7. The network node coordinator system according to claim 1, wherein the one or more network nodes are heterogeneous.
  • 8. The network node coordinator system according to claim 1, wherein the global policy is platform-agnostic.
  • 9. The network node coordinator system according to claim 1, wherein the associated local policy of each of the network nodes is platform-agnostic.
  • 10. The network node coordinator system according to claim 1, wherein in response to the receive circuitry receiving an updated global policy, the policy processing circuitry specialises the global policy to reproduce, for each of the one or more network nodes, the associated local policy specific to that network node, and causes the transmit circuitry to retransmit, to each of the one or more network nodes, the associated local policy specific to that network node.
  • 11. The network node coordinator system according to claim 1, wherein the global policy comprises one or more rules; at least some of the rules are applied to entities in the network having one or more labels; and the network node coordinator system is adapted to assign the one or more labels dynamically.
  • 12. The network node coordinator system according to claim 1, wherein each of the global policy, and the associated local policy for each of the one or more network nodes, is configured to indicate at least one of: allowed traffic flows in the network and prohibited traffic flows in the network.
  • 13. The network node coordinator system according to claim 1, wherein each of the global policy, and the associated local policy for each of the one or more network nodes, is configured to indicate required security for communications.
  • 14. The network node coordinator system according to claim 13, wherein the required security for communications requires that at least one end-point of communications are to be authenticated.
  • 15. The network node coordinator system according to claim 1, wherein each of: the global policy, and the associated local policy for each of the one or more network nodes, is configured to implement a Zero Trust Networking security pattern.
  • 16. A method comprising: communicating, via a network, with one or more network nodes; receiving a global policy that describes a security policy to be applied across the network; and specialising the global policy to produce, for each of the one or more network nodes, an associated local policy specific to that network node; and transmitting, to each of the one or more network nodes, the associated local policy specific to that network node.
  • 17. A network node comprising: network interface circuitry configured to enable communication via a network; receive circuitry configured to receive a local policy from a network node coordinator system; barrier circuitry configured to restrict use of the network interface circuitry based on the local policy; and processing circuitry configured to provide one or more encapsulated execution environments, wherein network traffic from each of the one or more encapsulated execution environments is restricted to flowing via the barrier circuitry.
  • 18. A method comprising: receiving a local policy from a network node coordinator system; providing a barrier that restricts use of network interface circuitry based on the local policy; and providing one or more encapsulated execution environments, wherein network traffic from each of the one or more encapsulated execution environments is restricted to flowing via the barrier.
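The claims describe the coordinator and the node abstractly. The Python model below is an added illustration of the mechanism they claim, not code from the application or its applicant: a label-based global policy (claims 11 and 12) is specialised into one local policy per node (claim 1), an execution environment that the global policy never mentions is blocked from the network (claim 4), registering a new environment or replacing the global policy re-derives and re-sends every local policy (claims 3 and 10), and a node-side barrier (claim 17) enforces its local policy with a deny-by-default decision and an authentication requirement on selected flows (claims 13 to 15). All class and function names, the label vocabulary ("web", "db", "internet", "batch") and the sample nodes and environments are constructed assumptions for this example.

```python
"""Toy model of a policy coordinator and a node-side barrier (added example).

Everything here is a constructed illustration of the claims above; the class
names, the rule format and the sample policy are assumptions, not the
application's own design.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One global-policy rule between two labels (claims 11, 12, 13)."""
    src_label: str
    dst_label: str
    action: str                 # "allow" or "deny"
    authenticate: bool = False  # peer must be authenticated (claim 14)


@dataclass(frozen=True)
class LocalRule:
    """One rule of a node-specific local policy, bound to a named environment."""
    environment: str
    direction: str              # "egress" or "ingress"
    peer_label: str             # label of the other end, or "*" for any
    action: str
    authenticate: bool = False


@dataclass
class Environment:
    name: str
    labels: frozenset           # labels assigned by the coordinator (claim 11)


@dataclass
class Node:
    name: str
    environments: dict = field(default_factory=dict)  # name -> Environment


class Coordinator:
    """Stand-in for the coordinator's receive / policy-processing / transmit circuitry."""

    def __init__(self, global_policy):
        self.global_policy = list(global_policy)
        self.nodes = {}
        self.transmitted = {}   # node name -> local policy last sent to that node

    def add_node(self, node):
        self.nodes[node.name] = node
        self.redistribute()

    def register_environment(self, node_name, env):
        # Claim 3: registration of a new environment re-specialises and retransmits.
        self.nodes[node_name].environments[env.name] = env
        self.redistribute()

    def update_global_policy(self, rules):
        # Claim 10: an updated global policy is re-specialised for every node.
        self.global_policy = list(rules)
        self.redistribute()

    def specialise(self, node):
        """Derive the local policy for one node from the global policy (claim 1)."""
        local = []
        for env in node.environments.values():
            mentioned = False
            for rule in self.global_policy:
                if rule.src_label in env.labels:
                    local.append(LocalRule(env.name, "egress", rule.dst_label,
                                           rule.action, rule.authenticate))
                    mentioned = True
                if rule.dst_label in env.labels:
                    local.append(LocalRule(env.name, "ingress", rule.src_label,
                                           rule.action, rule.authenticate))
                    mentioned = True
            if not mentioned:
                # Claim 4: an environment the global policy omits may not reach the network.
                local.append(LocalRule(env.name, "egress", "*", "deny"))
        return local

    def redistribute(self):
        """Produce and 'transmit' a fresh local policy to every node."""
        for name, node in self.nodes.items():
            self.transmitted[name] = self.specialise(node)
        return self.transmitted


def barrier_allows(local_policy, env_name, direction, peer_labels, authenticated=False):
    """Decision of a node's barrier (claim 17): first matching local rule wins,
    a rule that requires authentication rejects unauthenticated peers, and
    anything unmatched is denied (zero-trust default, claim 15)."""
    for rule in local_policy:
        if rule.environment != env_name or rule.direction != direction:
            continue
        if rule.peer_label != "*" and rule.peer_label not in peer_labels:
            continue
        if rule.action == "deny":
            return False
        return authenticated or not rule.authenticate
    return False


def demo():
    """Constructed sample deployment: two nodes, three environments."""
    global_policy = [
        Rule("web", "db", "allow", authenticate=True),   # web tier may reach db, if authenticated
        Rule("web", "internet", "allow"),
        Rule("batch", "db", "deny"),
    ]
    coord = Coordinator(global_policy)
    coord.add_node(Node("node-a"))
    coord.add_node(Node("node-b"))
    coord.register_environment("node-a", Environment("frontend", frozenset({"web"})))
    coord.register_environment("node-b", Environment("postgres", frozenset({"db"})))
    coord.register_environment("node-b", Environment("scratch", frozenset({"unlabelled"})))
    return coord


if __name__ == "__main__":
    for node_name, policy in demo().transmitted.items():
        print(node_name, policy)
```

Running `demo()` shows the coordinator sending "node-a" only the rules that concern its web environment, sending "node-b" the ingress rules for its database plus an unconditional egress deny for the unmentioned "scratch" environment, and `barrier_allows` refusing the web-to-db flow until the peer is authenticated. Calling `update_global_policy` with a rule that mentions the "unlabelled" label replaces that deny with the new rule on the next transmission.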
Priority Claims (1)
  • Number: 2013283.3
  • Date: Aug 2020
  • Country: GB
  • Kind: national
PCT Information
  • Filing Document: PCT/GB2021/052049
  • Filing Date: 8/6/2021
  • Country: WO