Technical Field
The disclosure relates to security techniques for inter-terminal communications within the same Service Set Identifier (SSID) under the same Access Point (AP) using OpenFlow®.
Description of Related Art
Software-Defined Networking (SDN) is a technological concept in which a network is defined by software. In a related-art network device, the hardware components, and the software components that control the hardware and define the network functions, are packaged together in a single device. Moreover, those software components are vendor-specific. Software-Defined Networking (SDN) is a concept in which that software is managed centrally from an SDN controller over a common protocol.
Standardized techniques for realizing Software-Defined Networking (SDN) include OpenFlow®, which includes operation definitions of devices such as switches and routers, and protocols for controlling these devices. JP5408243B, for example, discloses a configuration of a network system which is based on OpenFlow®. The disclosed network system includes an OpenFlow® switch which controls transmission and reception of a packet according to flow entries that are retained in a flow table. Each of the flow entries contains a matching condition showing a communication flow of the packet and an action showing processing on the packet that corresponds to the matching condition. The communication flow of the packet may refer to a sequence of the packet from a source to a destination thereof.
VXLAN, which stands for Virtual eXtensible Local Area Network, is one of the overlay network techniques that make it possible to build a plurality of network services on an existing network. In VXLAN (Virtual eXtensible Local Area Network), packets from terminals are tunneled to implement logical network segmentation.
A related-art technique for separating communications between wireless terminals and controlling communications using Software-Defined Networking (SDN)/OpenFlow® and VXLAN (Virtual eXtensible Local Area Network) is disclosed, for example, in a non-patent publication called “Present and Future of Software-Defined Networking (SDN)/OpenFlow® technique provided by Stratosphere” by Stratosphere Inc. (Tokyo, Japan) and Japanese patent application publication JP2014-212507A. The above-described related-art technique separates traffic from a wireless terminal to an upper-level network with one Service Set Identifier (SSID) using Software-Defined Networking (SDN)/OpenFlow® and VXLAN (Virtual eXtensible Local Area Network).
Terminals such as a personal computer (PC), a mobile phone, an Android terminal, smartphone terminals such as an iPad or iPhone, a printer, a multi-functional peripheral (MFP), etc., that share the same Service Set Identifier (SSID) and are connected to one wireless Access Point (AP) in the normal infrastructure mode are permitted to communicate with one another.
However, with the normal infrastructure mode according to the related art, when one of the terminals within the same Service Set Identifier (SSID) is infected with malware such as computer viruses, adware, etc., the infected terminal can easily reach another of the terminals within the same network without going through the upper-level network. For example, if a terminal with a static IP address is compromised on a given Access Point (AP) and Service Set Identifier (SSID), it may launch an attack on another terminal within the same Service Set Identifier (SSID).
To prohibit communications between the terminals connected to the one wireless Access Point (AP), a privacy separator (also called a privacy selector) technique such as that used in a public wireless LAN (local area network) to which an unspecified number of terminals are connected may be used. JP2014-195215A, for example, discloses a privacy separator technique in which relaying of communications between individual terminals which belong to a wireless LAN (local area network) is prohibited by switching from a setting for relaying communications between the individual terminals to a setting for not relaying communications between the individual terminals to maintain security within the wireless LAN (local area network).
However, the related-art privacy separator is envisaged for personal Internet access such as at a free Wi-Fi (wireless fidelity) spot, etc. Here, a network access between neighboring terminals (i.e., the terminals A and B, the terminals B and C in
When an Access Point (AP) device is brought to the setting for not relaying communications between the individual terminals to maintain security within the wireless LAN (local area network), the individual terminals connected to the Access Point (AP) device can no longer communicate with one another via the Access Point (AP) device. The above-described publication JP2014-195215A discloses a related-art countermeasure for this side effect of the privacy separator technique: a multi-function peripheral identifies the cause of the prohibition of communications between terminals via an Access Point (AP) and causes a message corresponding to that cause to be displayed on a display. However, even though the above-described related-art technique may allow a user to release the terminals from the prohibition of communications therebetween, the user cannot specify which communications are to be prohibited and which are to be permitted.
According to some embodiments of the present invention, a security management method may be provided. The security management method includes receiving, by an SDN controller, a security check list from a security monitoring device configured to be communicatively connected to the SDN controller. The security check list contains a list of one or more security issues found by the security monitoring device on one of a plurality of terminals configured to be communicatively connected within one SSID under one AP device of at least one AP device to which the SDN controller is configured to be communicatively connected. The SDN controller is included in a security management system which monitors communications between the plurality of terminals, and which performs shutoff and separation of communications. The one SSID is one of a plurality of SSIDs. The security management system has the one AP device including a radio module provided with the plurality of SSIDs and configured to be communicatively connected to the plurality of terminals. The communications include file sharing permitted between the plurality of terminals. The one AP device also is configured to be communicatively connected to a plurality of networks including a normal network and a separated network. The method further includes preparing, by the SDN controller, a communication flow in which communications by the one terminal on which the one or more security issues are found are conducted in the separated network; transmitting, by the SDN controller, the prepared communication flow to the one AP device; and providing, by the SDN controller to the one AP device, instructions to move the one terminal on which the one or more security issues are found from the normal network to the separated network.
Other aspects of the invention will be apparent from the following description and the appended claims.
The embodiments are illustrated by way of example, and not by limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements.
Reference will now be made in detail to various embodiments, examples of which are illustrated in the accompanying drawings. While the claimed embodiments will be described in conjunction with various embodiments, it will be understood that these various embodiments are not intended to limit the scope of the embodiments. On the contrary, the claimed embodiments are intended to cover alternatives, modifications, and equivalents, which may be included within the scope of the appended claims. Furthermore, in the following detailed description of various embodiments, numerous specific details are set forth in order to provide a thorough understanding of the claimed embodiments. However, it will be evident to one of ordinary skill in the art that the claimed embodiments may be practiced without these specific details. In other instances, well known methods, procedures, components, and circuits have not been described in detail as not to unnecessarily obscure aspects of the claimed embodiments.
Some portions of the detailed descriptions that follow are presented in terms of procedures, logic blocks, processing, and other symbolic representations of operations on data bits within a computer memory. These descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. In the present application, a procedure, logic block, process, or the like, is conceived to be a self-consistent sequence of operations or steps or instructions leading to a desired result. The operations or steps are those utilizing physical manipulations of physical quantities. Usually, although not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated in a computer system or computing device. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as transactions, bits, values, elements, symbols, characters, samples, pixels, or the like.
It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following discussions, it is appreciated that throughout the present disclosure, discussions utilizing terms such as “receiving,” “transmitting,” “storing,” “determining,” “sending,” “querying,” “providing,” “accessing,” “configuring,” “initiating,” or the like, refer to actions and processes of a computer system or similar electronic computing device or processor. The computer system or similar electronic computing device manipulates and transforms data represented as physical (electronic) quantities within the computer system memories, registers or other such information storage, transmission or display devices. For our purposes the term “device” may include hardware components and software components.
It is appreciated that the present systems and methods can be implemented in a variety of architectures and configurations. For example, the present systems and methods can be implemented as part of a distributed computing environment, a cloud computing environment, a client-server environment, etc. Embodiments described herein may be discussed in the general context of computer-executable instructions residing on some form of computer-readable storage medium, such as program modules, executed by one or more computers, computing devices, or other devices. By way of example, and not limitation, computer-readable media may include computer-readable storage media and communication media. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform particular tasks or implement particular abstract data types. The functionality of the program modules may be combined or distributed as desired in various embodiments.
Computer-readable storage media can include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules, or other data. Computer-readable storage media can include, but is not limited to, random access memory (RAM), read only memory (ROM), electrically erasable programmable ROM (EEPROM), flash memory, or other memory technology, compact disk ROM (CD-ROM), digital versatile disks (DVDs) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed to retrieve that information.
By way of example and not limitation, communication media can include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), infrared and other wireless media. Combinations of any of the above can also be included within the scope of computer-readable storage media.
In light of the foregoing, some embodiments of the present invention add a degree of freedom such that selected communications between terminals are permitted in a privacy separator which separates one terminal from another within one Service Set Identifier (SSID), and also make it possible to freely change whether communications with an upper-level network are permitted. Some embodiments of the present invention achieve the above by providing security management systems and methods which monitor communications between a plurality of terminals connected within the same Service Set Identifier (SSID) under the same Access Point (AP) using OpenFlow® techniques, including the use of a wireless Access Point (AP) flow table, and which perform shutoff and separation of communications.
In the above-described security management method according to some embodiments of the present invention, the instructions to move the one terminal on which the one or more security issues are found from the normal network to the separated network may include an instruction to change an entry representing the one or more security issues on the one terminal in a connection-permitted terminal address table for the one terminal on which the one or more security issues are found.
The above-described security management method according to some embodiments of the present invention may further include determining, by the SDN controller, whether a permission of communications to the one terminal of the plurality of terminals within the one SSID of the plurality of SSIDs under the one AP device is specified, in a case where the one AP device is in a privacy separator mode in which the communications to the one terminal of the plurality of terminals within the one SSID of the plurality of SSIDs under the one AP device are prohibited; and permitting, by the SDN controller, the communications to the determined one terminal if the permission of the communications to the one terminal is determined to be specified.
In the above-described security management method according to some embodiments of the present invention, permitting, by the SDN controller, the communications to the determined one terminal may include releasing, by the SDN controller, the AP device from the privacy separator mode.
In the above-described security management method according to some embodiments of the present invention, permitting, by the SDN controller, the communications to the determined one terminal may include connecting, by the SDN controller, the one terminal to an SSID which is different from the one SSID of the plurality of SSIDs.
In the above-described security management method according to some embodiments of the present invention, the security management system may further include the plurality of terminals.
In the above-described security management method according to some embodiments of the present invention, the security management system may further include the plurality of networks.
In the above-described security management method according to some embodiments of the present invention, the security management system may further include the security monitoring device.
In the above-described security management method according to some embodiments of the present invention, the security monitoring device may be a vulnerabilities monitoring device, the security issue list may be a vulnerabilities list, and the list of the one or more security issues may be a list of one or more vulnerabilities.
According to some embodiments of the present invention, a non-transitory computer-readable storage medium having stored thereon a computer program product including instructions to cause a computer to perform a security management method is provided, the security management method including receiving, by an SDN controller, a security check list from a security monitoring device configured to be communicatively connected to the SDN controller, the security check list containing a list of one or more security issues found by the security monitoring device on one of a plurality of terminals configured to be communicatively connected within one SSID under one AP device of at least one AP device to which the SDN controller is configured to be communicatively connected, the SDN controller being included in a security management system which monitors communications between the plurality of terminals, and which performs shutoff and separation of communications, the one SSID being one of a plurality of SSIDs, the security management system having the one AP device including a radio module provided with the plurality of SSIDs and configured to be communicatively connected to the plurality of terminals, the communications including file sharing permitted between the plurality of terminals, the one AP device also being configured to be communicatively connected to a plurality of networks including a normal network and a separated network; preparing, by the SDN controller, a communication flow in which communications by the one terminal on which the one or more security issues are found are conducted in the separated network; transmitting, by the SDN controller, the prepared communication flow to the one AP device; and providing, by the SDN controller to the one AP device, instructions to move the one terminal on which the one or more security issues are found from the normal network to the separated network.
In the above-described non-transitory computer-readable storage medium according to some embodiments of the present invention, the instructions to move the one terminal on which the one or more security issues are found from the normal network to the separated network may include an instruction to change an entry representing the one or more security issues on the one terminal in a connection-permitted terminal address table for the one terminal on which the one or more security issues are found.
In the above-described non-transitory computer-readable storage medium according to some embodiments of the present invention, the security management method may further include determining, by the SDN controller, whether a permission of communications to the one terminal of the plurality of terminals within the one SSID of the plurality of SSIDs under the one AP device is specified, in a case where the one AP device is in a privacy separator mode in which the communications to the one terminal of the plurality of terminals within the one SSID of the plurality of SSIDs under the one AP device are prohibited; and permitting, by the SDN controller, the communications to the determined one terminal if the permission of the communications to the one terminal is determined to be specified.
In the above-described non-transitory computer-readable storage medium according to some embodiments of the present invention, permitting, by the SDN controller, the communications to the determined one terminal may include releasing, by the SDN controller, the AP device from the privacy separator mode.
In the above-described non-transitory computer-readable storage medium according to some embodiments of the present invention, permitting, by the SDN controller, the communications to the determined one terminal may include connecting, by the SDN controller, the one terminal to an SSID which is different from the one SSID of the plurality of SSIDs.
In the above-described non-transitory computer-readable storage medium according to some embodiments of the present invention, the security management system may further include the plurality of terminals.
In the above-described non-transitory computer-readable storage medium according to some embodiments of the present invention, the security management system may further include the plurality of networks.
In the above-described non-transitory computer-readable storage medium according to some embodiments of the present invention, the security management system may further include the security monitoring device.
In the above-described non-transitory computer-readable storage medium according to some embodiments of the present invention, the security monitoring device may be a vulnerabilities monitoring device, the security issue list may be a vulnerabilities list, and the list of the one or more security issues may be a list of one or more vulnerabilities.
According to some embodiments of the present invention, a security management system is provided, the security management system including at least one AP device, under one AP device of which a plurality of terminals are configured to be communicatively connected within one SSID, the security management system being configured to monitor communications between the plurality of terminals and to perform shutoff and separation of communications, the one SSID being one of a plurality of SSIDs, the one AP device including a radio module provided with the plurality of SSIDs and configured to be communicatively connected to the plurality of terminals, the communications including file sharing permitted between the plurality of terminals, the one AP device also being configured to be communicatively connected to a plurality of networks including a normal network and a separated network; and an SDN controller which is configured to be communicatively connected to the one AP device and which is further configured to receive a security issue list from a security monitoring device which is communicatively connected to the SDN controller, the security issue list containing a list of one or more security issues on one of the plurality of terminals that are found by the security monitoring device; prepare a communication flow in which communications by the one terminal on which the one or more security issues are found are conducted in the separated network; transmit the prepared communication flow to the AP device; and provide, to the AP device, instructions to move the one terminal on which the one or more security issues are found from the normal network to the separated network.
In the above-described security management system according to some embodiments of the present invention, the instructions to move the one terminal on which the one or more security issues are found from the normal network to the separated network may include an instruction to change an entry representing the one or more security issues on the one terminal in a connection-permitted terminal address table for the one terminal on which one or more security issues are found.
In the above-described security management system according to some embodiments of the present invention, the SDN controller may further be configured to determine whether a permission of communications to the one terminal of the plurality of terminals within the one SSID of the plurality of SSIDs under the one AP device is specified, in a case where the one AP device is in a privacy separator mode in which the communications to the one terminal of the plurality of terminals within the one SSID of the plurality of SSIDs under the one AP device are prohibited; and permit the communications to the determined one terminal if the permission of the communications to the one terminal is determined to be specified.
In the above-described security management system according to some embodiments of the present invention, the SDN controller may further be configured to release the AP device from the privacy separator mode.
In the above-described security management system according to some embodiments of the present invention, the SDN controller may further be configured to connect the one terminal to an SSID which is different from the one SSID of the SSIDs.
The above-described security management system according to some embodiments of the present invention may further include the plurality of terminals.
The above-described security management system according to some embodiments of the present invention may further include the plurality of networks.
The above-described security management system according to some embodiments of the present invention may further include the security monitoring device.
In the above-described security management system according to some embodiments of the present invention, the security monitoring device may be a vulnerabilities monitoring device, the security issue list may be a vulnerabilities list, and the list of the one or more security issues may be a list of one or more vulnerabilities.
Embodiments of the present invention make use of a related-art privacy separator function utilized in wireless LAN (local area network) services. While the related-art privacy separator function prohibits all communications between terminals under the same access point (AP) within the same Service Set Identifier (SSID), embodiments of the present invention make it possible to select which communications are prohibited and which are permitted, rather than prohibiting all inter-terminal communications. Thus, embodiments of the present invention make it possible to permit the use of a neighboring access point (AP) for corporate use.
With reference to
Below, two general use cases for the security management system according to some embodiments of the present invention, which is Secure Flow AP, are described.
First, with reference to
The upper portion in
When, after communications are started with a terminal to which network communications are permitted, such as in the normal communications as shown in
The first general use case, which is concerned with communications shutoff and separation of a terminal permitted to conduct network communications, may be further exemplified in a specific use case in which a terminal with security issues is separated with reference to
Here, as shown in
Actions of the security management system according to some embodiments of the present invention, which is Secure Flow AP, when security issues such as vulnerabilities, viruses, unauthorized behavior, or IT asset management issues are found on the terminal C are shown as follows:
The security monitoring devices include devices which monitor and detect security issues such as vulnerabilities including malware infections, viruses, unauthorized behaviors in the networking environment, IT asset management issues, etc., and realize automatic separation and monitoring of terminals, and automatic blocking of the access to malicious websites in cooperation with a Software-Defined Networking (SDN) controller.
The security monitoring devices include applications to find vulnerabilities in the corporate IT environment.
Commercially-available applications to find vulnerabilities in the corporate IT environment, such as so-called “security holes” etc., include, for example, ISM CloudOne from QualitySoft Corporation (Tokyo, Japan). In ISM CloudOne, the ISM CloudOne agent reports information for vulnerability checking (so-called “inventory information”) to the ISM CloudOne server through a batch process (e.g., a night-time batch process). The ISM CloudOne server checks vulnerabilities, collects information on the individual terminals, and reports the results of the information collection, such as the MAC address of each terminal, the timing of the vulnerability check, and the determination of “OK” (meaning Good)/“NG” (meaning No Good) for each terminal, etc., via an API to a Software-Defined Networking (SDN) controller, which instructs an OpenFlow®-compliant network device to move a terminal determined to be “NG” (meaning No Good) to a quarantine network, which is separate from the normal network.
However, the above-described applications to find vulnerabilities in the corporate IT environment are not sufficient to find threats in the networking environment, such as advanced persistent threats (APTs) and the latest generation of malware. There are commercially-available applications to find such threats in the networking environment. They include, for example, Deep Discovery Inspector (DDI) from Trend Micro Inc. (Tokyo, Japan). The Deep Discovery Inspector (DDI) detects a possibly-threatened terminal by inspecting communications in front of a proxy server, in front of important servers, and at the gateway of a department network to be protected, and reports on the possibly-threatened terminal detected (e.g., the MAC address and IP address of the possibly-threatened terminal, the level and nature of the threat, etc.) via an API to a Software-Defined Networking (SDN) controller, which instructs an OpenFlow®-compliant network device to move the possibly-threatened terminal to a separated network.
The security management system according to some embodiments of the present invention, which is Secure Flow AP, in the present use case may establish communications in a separated network and facilitate cooperation with security engines. In the related-art solutions for the above-described separation function, a different Service Set Identifier (SSID) needs to be assigned to the terminal to be separated and MAC authentication needs to be set for it. Moreover, a process of connecting to the different Service Set Identifier (SSID) needs to be set up manually on the terminal to be separated.
As described above, some embodiments of the present invention make it possible to specify which communications are to be prohibited among all inter-terminal communications, thus not prohibiting all inter-terminal communications. Therefore, some embodiments of the present invention make it possible to permit the use of a neighboring access point (AP) for corporate use in communications such as file sharing, etc.
Moreover, some embodiments of the present invention make it possible to perform, when security issues are found on a certain terminal, an action of shutting off communications from the terminal.
Furthermore, some embodiments of the present invention make it possible to perform the above-mentioned action at any time: communications are permitted as usual in circumstances such as the initial stage of starting communications, the time of booting a terminal, etc., and, after the terminal has connected to an access point (AP), its communications with the access point (AP) can be shut off once security issues are reported.
Next, with reference to
The upper portion in
This second use case according to some embodiments of the present invention may permit communications within the Service Set Identifier (SSID) by specifying a terminal using file sharing, etc., while the security management system according to some embodiments of the present invention, which is Secure Flow AP, is used in the privacy separator mode and inter-terminal communications are prohibited for strengthening security.
The present second generic use case in some embodiments of the present invention provides the security management system according to some embodiments of the present invention, which is Secure Flow AP, which includes settings for permitting communications within the same Service Set Identifier (SSID), such as releasing the privacy separator mode on the access point (AP) side, or connecting the terminal to a different Service Set Identifier (SSID) (permitting terminal communications).
Hereinbelow, specific mechanisms to select communications to be prohibited and communications to be permitted in the security management system according to some embodiments of the present invention, which is Secure Flow AP, are described.
The connection-permitted terminal address table includes one set of fields, shown as “MAC”, “VLAN”, “CONNECTION PERIOD”, and “CONNECTION LOCATION”, that is set by the operator via CSV, GUI, etc., and another set of fields, shown as “APPLICATION A: VULNERABILITIES” and “APPLICATION B” (also collectively shown as “CONNECTED-TERMINAL STATE”), that is set by asset management software, security services, anti-virus software, etc. via an API or logs.
Commercially available asset management software products and security services providers include ISM CloudOne and QualitySoft, which have been described earlier. Commercially available anti-virus software products include “Kaspersky Anti-Virus” from Kaspersky Lab (Paddington, United Kingdom).
The entries shown as “ADDRESS A”, “ADDRESS B”, “ADDRESS C”, “ADDRESS D”, “ADDRESS E”, and “ADDRESS F” in the MAC field represent address data on terminals for connection permission. The entries shown in the VLAN field represent network setting data on terminals for connection permission. The entries shown in the connection period field represent data on the time for connection. The entries shown in the connection location field represent data on the location for connection permission. The entries shown in the connected-terminal state fields, including the application A: vulnerabilities field and the application B field, represent per-application setting data for connection permission.
When communications to be prohibited are to be selected in the above-described first generic and specific use cases according to some embodiments of the present invention, the portion of the entries shown in the application A: vulnerabilities field is changed from A to B.
Moreover, some embodiments of the present invention make it possible to perform, when security issues such as vulnerabilities are found in a certain terminal, an action of shutting off communications from the terminal.
The upper half of
If the matching condition of the “source address Check” is matched, with source=C, for example, the destination check then decides the action. When the “destination address Check: terminal under AP” condition (shown as source=a or b, for example) is matched, the action executed is the process of transferring the packet to the destination address (on the wireless network side). When the “destination address Check: upper-level network terminal” condition (shown as source=other than a or b, for example) is matched, the action executed is the process of transferring the packet to the destination address with VLANtag=normal network VLANtag applied.
The lower half of
If the matching condition of the “source address Check” is matched, with source=C, for example, the destination check again decides the action. When the “destination address Check: terminal under AP” condition (shown as source=a or b, for example) is matched, the action executed is the process of dropping the packet, which means that the packet is not transferred. When the “destination address Check: upper-level network terminal” condition (shown as source=other than a or b, for example) is matched, the action executed is the process of transferring the packet to the destination address with VLANtag=separated network VLANtag applied.
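As an added illustration, not code from the patent, the following Python model ties the connection-permitted terminal address table to the two flow-table variants just described: a source terminal whose “APPLICATION A: VULNERABILITIES” field is changed from A to B gets the drop / separated-VLAN entries instead of the forward / normal-VLAN entries. The MAC addresses, VLAN tag values, and the table-miss default are constructed assumptions.

```python
"""Toy model of the Secure Flow AP flow entries (added example, not the patent's code)."""
from dataclasses import dataclass

# Constructed terminal table: MAC -> value of the "APPLICATION A: VULNERABILITIES" field.
# "A" = no vulnerability reported (connection permitted), "B" = vulnerability reported.
TERMINAL_TABLE = {
    "aa:aa:aa:aa:aa:aa": "A",   # terminal a, under the AP
    "bb:bb:bb:bb:bb:bb": "A",   # terminal b, under the AP
    "cc:cc:cc:cc:cc:cc": "A",   # terminal c, under the AP
}
NORMAL_VLAN, SEPARATED_VLAN = 100, 200   # assumed VLAN tag values


@dataclass(frozen=True)
class FlowEntry:
    src: str            # matching condition: "source address Check"
    dst_under_ap: bool  # True: "terminal under AP", False: "upper-level network terminal"
    action: tuple       # ("OUTPUT",), ("PUSH_VLAN", tag) or ("DROP",)


def report_vulnerability(table, mac):
    """Security service / anti-virus reports an issue: field changes from A to B."""
    table[mac] = "B"


def build_flow_entries(table, src):
    """Return the two entries for one source terminal: the upper-half (normal)
    variant, or the lower-half (separated) variant once a vulnerability is reported."""
    if table.get(src) == "B":
        return [FlowEntry(src, True, ("DROP",)),
                FlowEntry(src, False, ("PUSH_VLAN", SEPARATED_VLAN))]
    return [FlowEntry(src, True, ("OUTPUT",)),
            FlowEntry(src, False, ("PUSH_VLAN", NORMAL_VLAN))]


def process_packet(table, src, dst):
    """Match a packet (src MAC, dst MAC) against the flow entries and return the action.
    Sources absent from the connection-permitted table hit the assumed table-miss default: drop."""
    if src not in table:
        return ("DROP",)
    dst_under_ap = dst in table   # "destination address Check: terminal under AP"
    for entry in build_flow_entries(table, src):
        if entry.src == src and entry.dst_under_ap == dst_under_ap:
            return entry.action
    return ("DROP",)
```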
While preferred embodiments of the invention have been described and illustrated above, it should be understood that these are exemplary of the invention and are not to be considered as limiting. Additions, omissions, substitutions, and other modifications can be made without departing from the scope of the present invention. Accordingly, the invention is not to be considered as being limited by the foregoing description, and is only limited by the scope of the appended claims.