In the following description, like reference characters designate like or corresponding parts throughout the several views. Also in the following description, it is to be understood that such terms as “forward,” “rearward,” “front,” “back,” “right,” “left,” “upwardly,” “downwardly,” and the like are words of convenience and are not to be construed as limiting terms.
As referred to herein, the term “encryption” includes aspects of authentication, entitlement, data integrity, access control, confidentiality, segmentation, information control, and combinations thereof.
The present invention provides a key and policy management software-based solution that enables secure data access and user interactions, and that enables users to securely access and interact with data they need and are authorized to access on predetermined, regular, and/or transactional bases from any point on the network without requiring changes in the existing infrastructure. The present invention system and method controls and manages the establishment and activity for trusted, secure connections across a network that are created by end point security technologies. This flexible software solution does not require a separate infrastructure to affect changes in network access, key or policy management.
Preferably, the system and methods of the present invention provide a network-independent solution layer or overlay that functions over the existing network infrastructure to control the policies, secure associations (SAs), and keys provided by a universal key authority point (KAP) to a multiplicity of policy enforcement points (PEPs) for enabling secure communications and data access to authorized users at any point within the network to other points, based upon the policies managed and provided by a management and policy server (MAP). The present invention provides for essentially unlimited scalability and address management that is commercially practical to implement network-wide for all secure communication, data access, applications, and devices, regardless of the type or form of encryption used by a particular device or hardware within the network. Also, the flexible software overlay for MAP and KAP functions within the system provides for dynamic modifications in real time without requiring changes to existing infrastructure or hardware, and without regard to the form of encryption thereon. Therefore, use and implementation of the present invention is not limited to traditional networking or infrastructure and is not limited to a single encryption form or type.
The present invention provides a method and a system for automatically securing communication between two or more nodes in a distributed network that use a single shared key or separate keys generated and distributed by a universal key authority point based upon a policy or policies managed by a management and policy server for the entire network.
A distributed network includes multiple nodes that are interconnected by multiple routers, bridges, etc. and that may be connected in a variety of different network topologies. In a distributed network, a node may be part of a smaller network such as an office LAN, or even a single node directly connected to the internet. The node can be connected to an unprotected network such as the Internet either directly or through a gateway, router, firewall and/or other such devices that allow one or more nodes to connect to a network via a single point. The nodes include computing devices such as, by way of example and not limitation, laptops, desktops, handheld devices, mobile devices, cable access systems, and other devices capable of connecting to a network, or a network of such devices.
These nodes communicate with each other, or with servers providing services such as web pages, email, voice over internet protocol (VoIP), video broadcasting, multicasting applications, and streaming audio or video, via unprotected networks. In certain cases, when the communication is between two nodes that are using the same network, this communication may be protected. However, most of the communication over the internet is unprotected. This means that the communication can be intercepted by anyone. This communication is protected by using cryptographic keys. One or more nodes are grouped together so that they communicate over the unprotected networks via at least one policy enforcement point (PEP). Typically there are several PEPs in a distributed network. The PEPs receive policies from a management and policy server (MAP). The MAP defines the policies that govern the communication of the PEPs and the nodes under the PEPs. There are one or more key authority points (KAPs) that communicate with the MAP and generate one or more cryptographic keys for the PEPs. There are several configurations operable for arranging PEPs and KAPs within a network according to the present invention. By way of example, the system is operable with multiple KAPs, including peer KAPs, for one or more PEPs. Alternatively, the system and methods are functional where there is a single KAP that provides the keys for all the PEPs in a distributed network.
Based on the policies received from the MAP, the universal KAP of the present invention generates one or more cryptographic keys for each of the PEPs, or a single key to be shared by PEPs, within its network as defined by the MAP. The PEPs use the cryptographic keys to encrypt communication from the nodes and networks that they protect to unprotected networks, decrypt communication from unprotected networks to the nodes and networks that they protect or both. The universal KAP receives the policy definition from a single MAP. This policy definition informs the KAP about the PEPs it is responsible for, which networks the PEPs protect, and which KAP units they use. The KAP distributes the keys and policies associated with its networks and nodes to the appropriate PEPs.
In a system according to the present invention, a user defines the global networks and the MAP policy is established consistent with those definitions. The MAP then pushes down a meta policy to a universal KAP, which turns it into specific policies and corresponding keys for individual PEPs within the network. In one embodiment, the PEPs use a tunnel mode that includes a separate header for source and destination to provide a gateway for point to point connection. The inner header is copied to an outer header so that the same source and destination and layer 2 address is provided. This enables its use for load balancing or multicasting because the universal KAP and keys provided thereby to the PEPs provide for secure associations and communication across the network regardless of the form of encryption. The key(s) provided by the KAP enable any authorized PEP to communicate securely on the network even if the routing or distribution channel is modified for load balancing or multicasting.
In one embodiment, the universal KAP sends cryptographic keys to the PEPs or to peer KAPs based upon the policy communicated to the KAP by the MAP. Peer KAPs provide for separate distributors for separate networks. The keys are encrypted at the universal KAP with an encrypting key, which may include a pre-shared private key. Preferably, the universal KAP includes a secure hardware module that stores the pre-shared private key and encrypts the cryptographic keys. The secure hardware module is tamper-proof and disables access if the KAP is attacked. The use of the secure hardware module prevents exposure of the cryptographic keys in memory or backplane, where they can be accessed in clear text. The secure hardware module's tamper-proof feature enables it to shut down when it detects that it has been removed from the KAP. Hence, during attack, the cryptographic keys cannot be accessed, since they are stored in the secure hardware module which shuts down when it detects attack. Attack can be in the form of removal of the secure hardware module so that its memory can be independently accessed to gain access to the cryptographic key. In any case, the keys provided by the KAP to the PEPs or to peer KAPs provide for secure, authorized communication across the network regardless of the form of encryption used by devices and/or hardware at nodes on the network.
The present invention provides management techniques or methods and systems to provide secure networks with distributed keys wherein the key sharing and distribution is simplified, i.e., management of key sharing and distribution is handled by a MAP in secure communication with key authority point(s) (KAP) that generate the keys in accordance with communicated MAP policy or policies. The KAPs define the internet protocol (IP) address and name for each policy enforcement point (PEP), which define the nodes of the network. The KAP obtains IP address and name for each PEP automatically from a cryptoview software program. Then the KAP defines network sets, which include the list of networks or IP addresses that are protected by a given set of PEPs; peer KAPs provide for separate distributors for separate networks and corresponding PEPs. The universal KAP then distributes keys to the authenticated and authorized PEPs or peer KAPs according to the prior step. In one embodiment of the present invention, when two PEPs are protecting the subnet, then the KAP provides the network set to be equivalent to the network.
By way of example, in a mesh network configuration wherein five (5) PEPs are included in the mesh, the mesh is fully interconnected automatically via a hub and spoke arrangement wherein the hubs are the PEPs and secure communication functions across the network channels therebetween. One group of a network set is the hub, and the rest are spokes. In a secure mesh of this configuration, hubs are authorized to communicate or “talk” with spokes, but spokes are not authorized to talk to spokes. According to the present invention, if there are two (2) network sets, then they are treated as a single entity and a multicast of data or communication is automatically operable on that secure network.
In a multicast arrangement, the destination on a secure network is always a multicast or a broadcast. In a multicast, a source and at least one destination are involved; where nodes act as both source and destination, the arrangement is a conference.
Preferably the systems and methods of the present invention are applicable and operable over existing network management schemes without requiring a change in the hardware or configuration of the network.
In a particular embodiment as applied to IPSec, grouping of PEPs and KAPs in networks is protected, wherein the grouping is considered one entity that can be used in the policy. This provides for key sharing for multiple paths on PEPs and key distributors according to the present invention. This support for KAP and multiple PEPs provides for automatic predetermination of the configuration of the secure network.
More particularly, the present invention provides systems and methods for simplified management of secured networks with distributed keys, and management of the same, for a data and/or communications network through a universal KAP to PEPs or to peer KAPs for separate networks.
Such a system for simplified management of secure networks includes at least one management server constructed and configured for communication through at least one network to at least one point or node on the network or subnets, including remote communication device(s) each having at least one key, or a single key for multiple PEPs, with associated policies to ensure secure association within the network with other devices thereon.
Another aspect of the present invention provides methods for distributing keys to end point communication devices through network channels including providing a server-based key management system from a server on the network, the server including software operating thereon for providing a MAP having at least one policy or policies for distributing keys through a universal KAP to a multiplicity of policy end points (PEPs) and/or to peer KAPs on the network for authenticated devices requesting secure access to the network, wherein the keys are distributed through previously authenticated authorized PEPs operating on the secured network.
In a preferred embodiment, the present invention provides systems and methods for providing a secure mesh network including at least one management server constructed and configured for communication through network channels to a multiplicity of PEPs on the network including nodes having remote communication device(s) each having at least one key, or a single key for several PEPs, the key(s) provided through the universal KAP for a given network, with associated policies managed by a MAP to ensure secure association within that network, wherein the steps include a device on the network requesting a particular network configuration or topography, automatically authenticating and authorizing the PEPs and corresponding nodes and their respective device(s) through the MAP and KAP secure communication and distribution of keys to the PEPs, regardless of the encryption form used for any given device or hardware at the nodes.
Thus, the present invention provides automatic security solutions for enterprise data and communications management within a secure network wherein the policies and keys are managed and distributed by MAP and universal KAPs, respectively, to PEPs for automatically configuring a network topography within the network for secure communication and/or data access by authenticated and authorized communication nodes and devices operating on the network.
The present invention provides a simplifying method to configure security settings for networks and subnets. Preferably, the system wherein the method is applied includes network sets having nodes distributed across the network. The policy enforcement points (PEPs) protect the nodes and provide security across the network and nodes using keys for security authorization and for encryption/decryption that are provided to the PEPs by the universal KAP, directly or indirectly.
The system and method of the present invention are operable for a user to combine network sets to form a network topography wherein nodes across the network are functional to communicate across the network with other nodes and/or networks. By way of example, network topographies are selected from arrangements such as a mesh, hub-and-spoke, point-to-point, and combinations thereof. A network topography for a mesh arrangement provides for any node across the network to communicate directly to any other node within that network. A hub-and-spoke arrangement provides for communication from hub to spoke and spoke to hub, but does not permit hub-to-hub or spoke-to-spoke interaction. In the case of multicast, networks or nodes across a network are operable to function as senders, receivers, or both. Where separate networks are provided, separate distributors or KAPs are operable to distribute the keys and policies from the universal KAP to the PEPs on those networks.
Significantly, systems and methods according to the present invention provide for a single configuration point for the combined network sets based upon the type of policy but not being dependent upon the type or form of encryption at any node or for any packet or data communicated on the network. Settings for the combined network set are defined by the MAP and pushed out through the MAP to KAP to PEPs for enforcement at the PEP level of the network without the user having to manually configure each node or network set within the network. This is uniquely provided by the present invention for the EDPM scenario wherein an entire network is configured and functions to provide a secure network for enterprise data policy management through a single MAP to KAP to a multiplicity of PEPs automatically, based upon the policy established at the MAP, which provides for key generation and distribution through the KAP to any PEPs authenticated and authorized according to the policy, regardless of the network configuration or topography. The nodes or network sets are combinable and configurable or re-configurable for cross communication based upon the established policy pushed down from the MAP to the KAP, the keys from which enable the communication at any PEP.
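To make the MAP-to-KAP-to-PEP flow described above concrete (the MAP meta policy, the KAP deriving authorized secure associations and keys for mesh, hub-and-spoke and multicast network sets, and keys leaving the KAP only in wrapped form), here is an added toy model in Python. It is not the patent's own code: the PEP names, network sets, dictionary policy format and the HMAC-based key wrapping are constructed stand-ins for the real KAP and its secure hardware module.

```python
"""Toy model of the MAP -> KAP -> PEP flow: the MAP issues a meta policy,
the KAP turns it into SAs and keys for the authorized PEP groups, wraps each
key for delivery, and a PEP can only talk to peers it holds a key for."""
import hashlib
import hmac
import os
from itertools import combinations

KEY_LEN = 32  # bytes; matches SHA-256 output so one HMAC block wraps a key


def map_policy(topology, network_sets, hubs=()):
    """MAP meta policy: named network sets, a topology and (for hub-and-spoke)
    the hub PEPs. Constructed format, not the patent's wire format."""
    return {"topology": topology, "network_sets": dict(network_sets), "hubs": set(hubs)}


def kap_authorized_groups(policy):
    """KAP step 1: which groups of PEPs are entitled to a security association.
    mesh: every pair; hub-and-spoke: hub<->spoke only (no hub-hub, no
    spoke-spoke); multicast: the combined network sets form one group that
    shares a single key."""
    peps = sorted({p for members in policy["network_sets"].values() for p in members})
    topo = policy["topology"]
    if topo == "mesh":
        return [frozenset(pair) for pair in combinations(peps, 2)]
    if topo == "hub-and-spoke":
        hubs = policy["hubs"]
        return [frozenset((h, s)) for h in sorted(hubs) for s in peps if s not in hubs]
    if topo == "multicast":
        return [frozenset(peps)]
    raise ValueError(f"unknown topology {topo!r}")


def kap_generate_keys(policy):
    """KAP step 2: a fresh random key per authorized group (one key for a multicast group)."""
    return {group: os.urandom(KEY_LEN) for group in kap_authorized_groups(policy)}


def wrap_key(kek, key):
    """Stand-in for the KAP's secure hardware module: keys never leave in clear.
    Toy wrapping: nonce || (key XOR HMAC-SHA256(kek, nonce)), with the
    pre-shared key acting as key-encrypting key. Illustrative only; a real
    deployment would use an HSM and a standard key-wrap algorithm."""
    nonce = os.urandom(16)
    pad = hmac.new(kek, nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(key, pad))


def unwrap_key(kek, blob):
    """PEP side: recover the key with the same pre-shared key."""
    nonce, body = blob[:16], blob[16:]
    pad = hmac.new(kek, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, pad))


def kap_distribute(keys, kek):
    """KAP step 3: each PEP receives only the wrapped keys of groups it belongs to,
    so keys are sent only to the right places."""
    per_pep = {}
    for group, key in keys.items():
        for pep in group:
            per_pep.setdefault(pep, {})[group] = wrap_key(kek, key)
    return per_pep


def pep_shared_key(per_pep, kek, a, b):
    """Does PEP a hold a key whose group also covers PEP b? Returns the key or None."""
    for group, blob in per_pep.get(a, {}).items():
        if b in group:
            return unwrap_key(kek, blob)
    return None
```

With five PEPs split across two network sets, a mesh policy yields ten pairwise keys, a hub-and-spoke policy with one hub yields four keys and leaves spokes without any key in common, and a multicast policy gives every PEP the same single wrapped key.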
As best seen in
The KAPs 304 function as a distribution layer; they are the key authority for the PEPs 306, generating and distributing security associations (SAs) and keys to the PEPs, monitoring PEP operation, supporting tunnel, transport, and network modes, and allowing distributed and redundant deployment of keys to PEPs, or combinations thereof. The PEPs 306 are hardware or software-based PEPs, providing support for clients, blades, and appliances. The PEP policy and keys are enforced by the KAPs 304, while a PEP 306 authenticates the KAP 304. The KAP 304 ensures that keys are sent only to the right places within the network, which provides for manageable scalability regardless of the number of PEPs 306 or SAs required.
Furthermore, in a preferred embodiment of the present invention, the KAP is a universal KAP within the EDPM, and provides universal key generation and distribution services for the PEPs on the network. As such, the universal KAP ensures network infrastructure protection, Ethernet protection, disk protection, server protection, email protection, notebook computer protection, application protection, 802.1AE protection, IPSEC protection, database protection, SSL protection, other protection and combinations thereof, as shown in the schematic of
The software overlay solution ensures flexibility for multi-vendor support as illustrated in
By sharp contrast to the prior art illustrated in
Thus, the present invention provides a system for providing secure networks including a communication network having a network infrastructure; and an intelligent software overlay operating on a server in connection to the network for providing security for the network; wherein the intelligent software overlay further includes: a management and policy (MAP) server coupled to the network for communication with at least one key authority point (KAP), wherein the MAP includes at least one policy for providing secure association (SA) within the network; wherein the at least one KAP is operable to generate and manage keys provided to a multiplicity of policy end points (PEPs) through an open API; and wherein the intelligent overlay is independent of the network infrastructure, thereby providing a secure, flexible network security solution. This intelligent overlay provides centralized management by software over the hardware and network infrastructure without changing it, and is dynamically modifiable to reconfigure secure PEP interactivity without requiring change to the network infrastructure. The present invention also provides a method for providing secure interactivity between points on a network including the steps of:
providing a communication network having a network infrastructure between at least two policy end points (PEPs);
providing an intelligent software overlay that is independent of the network infrastructure, the software overlay operating on a server in connection to the network for providing security for the network; wherein the intelligent software overlay further includes: a management and policy (MAP) server coupled to the network for communication with at least one key authority point (KAP), including a universal KAP;
the MAP establishing and managing at least one policy for providing secure association (SA) between PEPs within the network;
the universal KAP generating and managing keys and providing them to the PEPs and/or to peer KAPs through an open API;
and the PEPs having secure exchange over the network using the keys provided directly or indirectly by the KAP, regardless of the form of encryption on any device or corresponding node on the network.
As set forth hereinabove, the system and methods of the present invention provide for functional, dynamic security groups on a given network both inside and outside organizational boundaries and across geographical locations. The result is a flexible security solution that is operable to be responsive to different security requirements for different groups of users and applications.
Certain modifications and improvements will occur to those skilled in the art upon a reading of the foregoing description. The above mentioned examples and embodiments are provided to serve the purpose of clarifying the aspects of the invention and it will be apparent to one skilled in the art that they do not serve to limit the scope of the invention. All modifications and improvements have been deleted herein for the sake of conciseness and readability but are properly within the scope of the following claims.