Patent Grant
11297036
This disclosure is related is to simplifying networking setup complexity in agent-based cybersecurity computing environments by facilitating a secure single whitelisted ingress endpoint on one-way and two-way transport layer security (TLS) connections.
Modern centralized cloud-based cybersecurity platforms (e.g., cloud platforms) can deploy agents for data collection and analysis (DCA). An agent is lightweight software that can be installed on various supported computing assets in the cloud or on-premises to centralize and monitor data. The agent provides endpoint visibility and detection by collecting live system information (e.g., basic asset identification information, running processes, and logs) from computing assets and sends this data back to the cloud platform for analysis.
Deployments of agents require proper connectivity to function. For example, customers require whitelisting rules to configure on their computing assets so that their corresponding agents can communicate with the cloud platform. Unfortunately, network load balancing (NLB) for transport layer security (TLS) connections associated with a single whitelisted ingress endpoint greatly increases networking setup complexity for customers of the cloud platform.
Disclosed herein is a single whitelisted ingress endpoint method and system for one-way and two-way transport layer security (TLS) connections. One such method involves routing agent-based network traffic and non-agent-based network traffic through a single whitelisted internet protocol (IP) endpoint, separating out the non-agent-based network traffic, and terminating the non-agent-based network traffic on an elastic load balancer.
In one embodiment, the agent-based network traffic represents two-way TLS traffic associated with a TLS connection. In another embodiment, the non-agent-based network traffic represents one-way TLS traffic associated with the TLS connection.
In some embodiments, separating out the one-way TLS traffic includes tunneling the TLS connection from a network load balancer to a reverse proxy based on one or more server name indication (SNI) fields in a TLS header of the TLS connection. In other embodiments, the method involves determining whether a service routed to the network load balancer is the one-way TLS traffic or the two-way TLS traffic based on the TLS header.
In certain embodiments, the TLS connection is a multiplexed TLS connection that includes the one-way TLS traffic and the two-way TLS traffic. In this example, the one-way TLS traffic and the two-way TLS traffic share the TLS header.
In one embodiment, the method involves terminating the two-way TLS traffic terminates on one or more server instances and terminating the one-way TLS traffic on the elastic load balancer. In another embodiment, the method involves decrypting a request for the service and forwarding the decrypted request for the service to one or more server instances.
The foregoing is a summary and thus contains, by necessity, simplifications, generalizations and omissions of detail; consequently those skilled in the art will appreciate that the summary is illustrative only and is not intended to be in any way limiting. Other aspects, features, and advantages of the present disclosure, as defined solely by the claims, will become apparent in the non-limiting detailed description set forth below.
The present disclosure may be better understood, and its numerous objects, features and advantages made apparent by referencing the accompanying drawings and/or figures.
While the disclosure is susceptible to various modifications and alternative forms, specific embodiments of the disclosure are provided as examples in the drawings and detailed description. It should be understood that the drawings and detailed description are not intended to limit the disclosure to the particular form disclosed. Instead, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope of the disclosure as defined by the appended claims.
Modern centralized cloud-based cybersecurity platforms (e.g., a cloud platform like the Insight Platform provided by Rapid7®, Inc. of Boston, Mass.) can deploy agents for data collection and analysis (DCA) purposes. An agent is lightweight software that can be installed on various supported computing assets in the cloud or on-premises to centralize and monitor data. The agent provides endpoint visibility and detection by collecting live system information (e.g., computing asset identification information, running processes, and logs) from computing assets and sends this data back to the cloud platform for analysis.
As noted, deployments of agents require proper connectivity to function. For example, customers require whitelisting rules to configure on their computing assets so that their corresponding agents can communicate with the cloud platform. Unfortunately, also as noted, network load balancing (NLB) on transport layer security (TLS) connections greatly increases networking setup complexity for customers of the cloud platform. For example, customers of the cloud platform described above (and other comparable cloud platforms) often require at least the following three technical steps, which must happen in tandem: (1) a single internet protocol (IP) port whitelisting rule for the customer to setup that does not need changes or updates, (2) handling of both one-way and two-way transport layer security (TLS) connections, and (3) termination of the one-way TLS connection on a load balancer (e.g., for cost efficiency).
First, it is extremely cumbersome and resource and cost prohibitive to require customers of the cloud platform described above (and other comparable cloud platforms) to use multiple whitelisting rules and/or to require customers to change and/or update existing whitelisting rules. Customers typically prefer using a single whitelisting rule (that will not need to be changed and/or updated) to receive and route data from multiple endpoints (e.g., to/from multiple vendors, cloud storage providers, agents, and the like) because doing so greatly simplifies networking setup complexity and reduces computing resource consumption. Using a single whitelisting rule in a centralized cloud cybersecurity computing environment means adopting the single whitelisting rule to be readily applicable to various disparate endpoint destinations (e.g., in the cloud such as Amazon® S3) and data collection destinations (e.g., agents).
Second, the cloud platform must be able to handle both one-way and two-way TLS connections. TLS and its predecessor, SSL (secure sockets layer), are cryptographic protocols to facilitate communication security (e.g., confidentiality, integrity, non-repudiation, and the like), over a network. In one-way TLS, a server certificate is created by a certificate authority (CA) that a client can trust when the clients wants to connect to a server. A server can be configured to allow connections from any client (e.g., like in one-way TLS) or the server can be configured to request authentication from any client that attempts to connect to the server. In two-way TLS authentication, a client certificate is involved in addition to the server certificate for bolstering the authentication process. Just like a server certificate, a client certificate includes basic information about the client's identity, a public key of the client, and a digital signature of a CA.
Certain applications use one-way TLS and others require two-way TLS. For example, accessing an electronic mail service (e.g., Gmail) uses one-way TLS (e.g., by the use of a password for login). Two-way TLS connections are preferred in scenarios where a server is configured to only accept TLS connections from a limited group of permitted clients (e.g., when a customer wants to limit TLS connections to a server to certain vendors or partners). Whitelisting alone is not a good security practice, as the IP can be spoofed. Therefore, two-way TLS in addition to a single whitelisting rule is a preferred implementation mechanism for many customers.
In the cloud platform disclosed and described herein, one-way TLS traffic can include several external endpoints routinely encountered (and required) by the cloud platform (e.g., hypertext transfer protocol (HTTP) traffic, connections to cloud-based object storage such as S3, and the like). On the other hand, agent-based traffic requires two-way TLS connections given the highly sensitive and confidential nature of agent-collected data (e.g., data in the cybersecurity realm such as user information, asset identity, running processes, log data, and the like). Therefore, the cloud platform must be configured to route both one-way and two-way TLS connections.
Third, the cloud platform must be able to perform load balancing (e.g., for cost efficiency purposes). For example, in addition to implementing a network load balancer that distributes incoming one-way and two-way TLS traffic across multiple targets, the cloud platform must be able to selectively terminate only the one-way TLS connection on a different load balancer (e.g., an elastic load balancer for the one-way TLS connection).
Disclosed herein are methods, systems, and processes that securely facilitate the provision and configuration of a single whitelisted ingress endpoint on both one-way and two-way TLS connections that at least: (a) uses a single whitelisting rule (that does not need changes/updates), (b) handles both one-way and two-way TLS connections, and (c) selectively terminates the one-way TLS connection on a load balancer for cost efficiency.
Example of Existing Ingress Endpoint Implementation(s)
Unfortunately, the existing implementation depicted in
Example Platform Gateway Service for Single Whitelisted Ingress Endpoint
SNI is a header in the TLS protocol (e.g., a TLS header) that permits a TLS request to specify a desired host's name. This enables a server to host several websites or services on the same network address or port. As noted, customers are inconvenienced when required by the cloud platform to reconfigure their whitelisting rules or use multiple whitelisting rules (e.g., as part of a firewall as discussed with respect to application Ser. No. 16/558,485). Therefore, to later segregate or separate out one-way TLS traffic for selective termination, the system of
In one embodiment, a request from agent 205 (e.g., agent-based network traffic) and non-agent source(s) 210 (e.g., non-agent-based network traffic) is routed to network load balancer 215 using a single whitelisting rule. For example, in order for the customer to be able to use just a single whitelisting rule, a domain name system (DNS) record is used to route both agent-based network traffic and non-agent-based network traffic to network load balancer 215. As described in application Ser. No. 16/558,485, the two-way TLS agent-based network traffic and the one-way TLS non-agent-based network traffic can be multiplexed and transmitted to platform gateway service 220 from network load balancer 215 (as shown in
In certain embodiments, platform gateway service 220 separates out (or segregates) the non-agent-based network traffic (e.g., the one-way TLS traffic) from the agent-based network traffic (e.g., the two-way TLS traffic). Because agent 205 is managed by platform gateway service 220, platform gateway service 220 can analyze a TLS header in the routed TLS connection to determine which portion of the TLS connection is one-way TLS traffic and which portion of the TLS connection is two-way TLS traffic. For example, platform gateway service 220 separates out the one-way TLS traffic by tunneling (e.g., using a tunneling protocol) the TLS connection from network load balancer 215 to an SNI reverse proxy (e.g., provided by platform gateway service 220) based on one or more SNI fields in a TLS header of the TLS connection. Therefore, because platform gateway service 220 acts as a SNI reverse proxy, platform gateway service 220 can determine whether a service routed to network load balancer 215 is one-way TLS traffic or two-way TLS traffic based on the TLS header of the (multiplexed) TLS connection (where the TLS header is shared by both the one-way and two-way TLS connections).
Finally, in some embodiments, once separated out, segregated, or separately identified by gateway platform service 220, the one-way TLS traffic (e.g., the non-agent-based network traffic) is terminated on elastic load balancer 225. In other embodiments, the two-way TLS traffic (e.g., the agent-based network traffic) is terminated on endpoint ingress API 230(1) and endpoint ingress API 230(2) accepts new HTTP traffic. For example, the two-way TLS traffic is terminated on one or more server instances, the one-way TLS traffic is terminated on elastic load balancer 225, and a request for the service is decrypted and forwarded to one or more server instances.
Example Command and Control Mechanism for Ingress Endpoint(s)
Platform gateway service 220 identifies and separates out the various one-way and two-way TLS connections in the multiplexed TLS connection based on at least a TLS header that is shared by the three TLS connections shown in
The network design(s) illustrated in
As noted, currently it is not possible to satisfy all three technical requirements of a single whitelisted IP endpoint, one-way and two-way TLS connection handling, and selective termination of one-way TLS traffic on a load balancer. By leveraging systems, methods, and processes for “Secure Multiplexed Routing” disclosed in application Ser. No. 16/558,485 along with the identification/determination of which endpoint services are one-way or two-way TLS connections, the systems and methods disclosed herein can identify and separate disparate TLS connections accordingly as well as terminate two-way TLS connections on server instances and terminate one-way TLS connections on load balancers (which can then forward the decrypted requests to the server instances (e.g., endpoint ingress APIs)).
Example Process to Implement a Platform Gateway Service
At 440, the process infers and/or determines the one-way and two-way TLS traffic from the (shared) TLS header. For example, because agent 205 is managed by the same cloud platform that also manages platform gateway service 220, the SNI reverse proxy can determine which portion of the multiplexed TLS connection is one-way TLS traffic and which portion of the multiplexed TLS is two-way TLS traffic. At 450, the process separates out the one-way TLS traffic (from the single TLS connection). In some embodiments, the TLS connection can be demultiplexed by platform gateway service 220. The process ends at 460 by terminating the one-way TLS traffic on an elastic load balancer (e.g., elastic load balancer 225).
Example Computing and Networking Environment
Processor 555 generally represents any type or form of processing unit capable of processing data or interpreting and executing instructions. In certain embodiments, processor 555 may receive instructions from a software application or module. These instructions may cause processor 555 to perform the functions of one or more of the embodiments described and/or illustrated herein. For example, processor 555 may perform and/or be a means for performing all or some of the operations described herein. Processor 555 may also perform and/or be a means for performing any other operations, methods, or processes described and/or illustrated herein.
Memory 560 generally represents any type or form of volatile or non-volatile storage devices or mediums capable of storing data and/or other computer-readable instructions. Examples include, without limitation, random access memory (RAM), read only memory (ROM), flash memory, or any other suitable memory device. In certain embodiments computing system 500 may include both a volatile memory unit and a non-volatile storage device. In one example, program instructions implementing platform gateway service 220 and one or more other components illustrated in
In certain embodiments, computing system 500 may also include one or more components or elements in addition to processor 555 and/or memory 560. For example, as illustrated in
Memory controller 520 generally represents any type/form of device capable of handling memory or data or controlling communication between one or more components of computing system 500. In certain embodiments memory controller 520 may control communication between processor 555, memory 560, and I/O controller 835 via communication infrastructure 505. In certain embodiments, memory controller 520 may perform and/or be a means for performing, either alone or in combination with other elements, one or more of the operations or features described and/or illustrated herein. I/O controller 835 generally represents any type or form of module capable of coordinating and/or controlling the input and output functions of a computing device. For example, in certain embodiments I/O controller 835 may control or facilitate transfer of data between one or more elements of computing system 500, such as processor 555, memory 560, communication interface 545, display adapter 515, input interface 525, and storage interface 540.
Communication interface 545 broadly represents any type/form of communication device/adapter capable of facilitating communication between computing system 500 and other devices and may facilitate communication between computing system 500 and a private or public network. Examples of communication interface 545 include, a wired network interface (e.g., network interface card), a wireless network interface (e.g., a wireless network interface card), a modem, and any other suitable interface. Communication interface 545 may provide a direct connection to a remote server via a direct link to a network, such as the Internet, and may also indirectly provide such a connection through, for example, a local area network. Communication interface 545 may also represent a host adapter configured to facilitate communication between computing system 500 and additional network/storage devices via an external bus. Examples of host adapters include, Small Computer System Interface (SCSI) host adapters, Universal Serial Bus (USB) host adapters, Serial Advanced Technology Attachment (SATA), Serial Attached SCSI (SAS), Fibre Channel interface adapters, Ethernet adapters, etc.
Computing system 500 may also include at least one display device 510 coupled to communication infrastructure 505 via a display adapter 515 that generally represents any type or form of device capable of visually displaying information forwarded by display adapter 515. Display adapter 515 generally represents any type or form of device configured to forward graphics, text, and other data from communication infrastructure 505 (or from a frame buffer, as known in the art) for display on display device 510. Computing system 500 may also include at least one input device 530 coupled to communication infrastructure 505 via an input interface 525. Input device 530 generally represents any type or form of input device capable of providing input, either computer or human generated, to computing system 500. Examples of input device 530 include a keyboard, a pointing device, a speech recognition device, or any other input device.
Computing system 500 may also include storage device 550 coupled to communication infrastructure 505 via a storage interface 540. Storage device 550 generally represents any type or form of storage devices or mediums capable of storing data and/or other computer-readable instructions. For example, storage device 550 may include a magnetic disk drive (e.g., a so-called hard drive), a floppy disk drive, a magnetic tape drive, an optical disk drive, a flash drive, or the like. Storage interface 540 generally represents any type or form of interface or device for transmitting data between storage device 550, and other components of computing system 500. Storage device 550 may be configured to read from and/or write to a removable storage unit configured to store computer software, data, or other computer-readable information. Examples of suitable removable storage units include a floppy disk, a magnetic tape, an optical disk, a flash memory device, or the like. Storage device 550 may also include other similar structures or devices for allowing computer software, data, or other computer-readable instructions to be loaded into computing system 500. For example, storage device 550 may be configured to read and write software, data, or other computer-readable information. Storage device 550 may also be a part of computing system 500 or may be separate devices accessed through other interface systems.
Many other devices or subsystems may be connected to computing system 500. Conversely, all of the components and devices illustrated in
The computer-readable medium containing the computer program may be loaded into computing system 500. All or a portion of the computer program stored on the computer-readable medium may then be stored in memory 560, and/or various portions of storage device 550. When executed by processor 555, a computer program loaded into computing system 500 may cause processor 555 to perform and/or be a means for performing the functions of one or more of the embodiments described/illustrated herein. Alternatively, one or more of the embodiments described and/or illustrated herein may be implemented in firmware and/or hardware.
Network(s) 565 generally represents any type or form of computer networks or architectures capable of facilitating communication between the systems of
In some examples, all or a portion of the systems and components illustrated in
Various functions described herein may be provided through a remote desktop environment or any other cloud-based computing environment. In addition, one or more of the components described herein may transform data, physical devices, and/or representations of physical devices from one form to another. For example, platform gateway service 220 may transform the behavior of computing system 500 to perform selective load balancing for a single whitelisted ingress endpoint on both one-way and two-way TLS connections.
Although the present disclosure has been described in connection with several embodiments, the disclosure is not intended to be limited to the specific forms set forth herein. On the contrary, it is intended to cover such alternatives, modifications, and equivalents as can be reasonably included within the scope of the disclosure as defined by the appended claims.
The present application claims the benefit of pending U.S. Utility patent application Ser. No. 16/558,485 titled “Secure Multiplexed Routing” and filed on Sep. 3, 2019, the disclosure of which is incorporated by reference as if set forth in its entirety herein. The present application is a continuation-in-part (CIP) of application Ser. No. 16/558,485.
| Number | Name | Date | Kind |
|---|---|---|---|
| 10015205 | Cohen | Jul 2018 | B1 |
| 10122748 | Currie | Nov 2018 | B1 |
| 10193864 | Toy | Jan 2019 | B2 |
| 10270687 | Mithyantha | Apr 2019 | B2 |
| 10348767 | Lee | Jul 2019 | B1 |
| 10367746 | Xu | Jul 2019 | B2 |
| 10382401 | Lee | Aug 2019 | B1 |
| 10389736 | Dawes | Aug 2019 | B2 |
| 10423309 | Kitchen | Sep 2019 | B2 |
| 10425446 | Kasbekar | Sep 2019 | B2 |
| 10430263 | Polar Seminario | Oct 2019 | B2 |
| 10447553 | Biran | Oct 2019 | B2 |
| 10462057 | Kachmarck | Oct 2019 | B1 |
| 10484334 | Lee | Nov 2019 | B1 |
| 10492102 | Raleigh et al. | Nov 2019 | B2 |
| 10496432 | Zhang | Dec 2019 | B1 |
| 10523658 | Brouchier | Dec 2019 | B2 |
| 10542097 | Agarwal et al. | Jan 2020 | B2 |
| 10616075 | Dawes | Apr 2020 | B2 |
| 10623390 | Rosenhouse | Apr 2020 | B1 |
| 10645172 | Hussain | May 2020 | B1 |
| 10666666 | Saurabh | May 2020 | B1 |
| 10671726 | Paithane | Jun 2020 | B1 |
| 10680831 | Abraham | Jun 2020 | B2 |
| 10680945 | Ye et al. | Jun 2020 | B1 |
| 10708233 | Goyal et al. | Jul 2020 | B2 |
| 10721214 | Bhat et al. | Jul 2020 | B2 |
| 10728288 | Miriyala | Jul 2020 | B2 |
| 10742557 | Miriyala | Aug 2020 | B1 |
| 10750327 | Patel | Aug 2020 | B2 |
| 10771351 | Douglas et al. | Sep 2020 | B2 |
| 10778684 | Gupta et al. | Sep 2020 | B2 |
| 10791118 | Konda et al. | Sep 2020 | B2 |
| 10791168 | Dilley | Sep 2020 | B1 |
| 10805104 | Chen et al. | Oct 2020 | B2 |
| 10805352 | Ithal et al. | Oct 2020 | B2 |
| 10826691 | Rohel | Nov 2020 | B2 |
| 10826905 | Gujarathi | Nov 2020 | B2 |
| 10826916 | Nedbal | Nov 2020 | B2 |
| 10831454 | Pathak | Nov 2020 | B2 |
| 10833949 | Liguori | Nov 2020 | B2 |
| 10841336 | Cahana et al. | Nov 2020 | B2 |
| 10848974 | Bachmutsky et al. | Nov 2020 | B2 |
| 10887380 | Pahwa et al. | Jan 2021 | B2 |
| 10904342 | Tollet et al. | Jan 2021 | B2 |
| 10911409 | Wang et al. | Feb 2021 | B2 |
| 10930157 | Spector | Feb 2021 | B2 |
| 10944723 | Ahuja | Mar 2021 | B2 |
| 10944836 | Olds et al. | Mar 2021 | B2 |
| 10951589 | Neystadt et al. | Mar 2021 | B2 |
| 10958625 | Thornewell et al. | Mar 2021 | B1 |
| 10958649 | Delcourt | Mar 2021 | B2 |
| 10963565 | Xu | Mar 2021 | B1 |
| 10977140 | Hu et al. | Apr 2021 | B2 |
| 10997303 | Kraft | May 2021 | B2 |
| 11025601 | Arisankala | Jun 2021 | B2 |
| 11159569 | Janakiraman | Oct 2021 | B2 |
| 11171950 | Zhuravlev | Nov 2021 | B1 |
| 11184398 | Narayanaswamy | Nov 2021 | B2 |
| 11245729 | Monni | Feb 2022 | B2 |
| 20180270257 | Haelion | Sep 2018 | A1 |
| 20190149538 | Friel et al. | May 2019 | A1 |
| 20190245894 | Epple | Aug 2019 | A1 |
| 20190260599 | Williams | Aug 2019 | A1 |
| 20190268270 | Fattah | Aug 2019 | A1 |
| 20190312838 | Grimm | Oct 2019 | A1 |
| 20190312843 | Grimm | Oct 2019 | A1 |
| 20190318100 | Bhatia | Oct 2019 | A1 |
| 20190319969 | Rodniansky | Oct 2019 | A1 |
| 20190325135 | David | Oct 2019 | A1 |
| 20190327135 | Johnson | Oct 2019 | A1 |
| 20190342315 | Smelov | Nov 2019 | A1 |
| 20190349356 | McElwee | Nov 2019 | A1 |
| 20190349426 | Smith | Nov 2019 | A1 |
| 20200004966 | Mohinder | Jan 2020 | A1 |
| 20200045131 | Nigam | Feb 2020 | A1 |
| 20200057737 | Chidambaram Nachiappan | Feb 2020 | A1 |
| 20200059492 | Janakiraman | Feb 2020 | A1 |
| 20200065405 | Gandenberger | Feb 2020 | A1 |
| 20200067935 | Carnes, III | Feb 2020 | A1 |
| 20200076902 | Huang et al. | Mar 2020 | A1 |
| 20200076910 | Kuperman | Mar 2020 | A1 |
| 20200159776 | Kitchen | May 2020 | A1 |
| 20200162432 | Ludin et al. | May 2020 | A1 |
| 20200186600 | Dawani | Jun 2020 | A1 |
| 20200235990 | Janakiraman | Jul 2020 | A1 |
| 20200236114 | Patil et al. | Jul 2020 | A1 |
| 20200314128 | Hild | Oct 2020 | A1 |
| 20200329117 | Arbatti | Oct 2020 | A1 |
| 20200336316 | Jain | Oct 2020 | A1 |
| 20200366717 | Chaubey | Nov 2020 | A1 |
| 20200389469 | Litichever | Dec 2020 | A1 |
| 20210029170 | Gupta | Jan 2021 | A1 |
| 20210067556 | Tahan | Mar 2021 | A1 |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 16558485 | Sep 2019 | US |
| Child | 16886972 | US |
