Patent Application
20100050229
The present invention relates to computer network security.
A network security policy comprises a collection of policy rules. The policy rules comprise conditions and actions. The condition portion of the rule describes the conditions that must be present before a rule action is taken. Example conditions include information in a packet header (IP (Internet protocol) addresses, ports, protocols), direction of packet, user ID, application name, and time of day. Policy conditions for a rule can be configured to use any combination of allowed condition attributes. Actions describe the security actions to take under specified circumstances, such as deny or drop a packet, allow a packet, or require network encryption protocols (e.g., IP security (IPSec) or transport layer security (TLS)).
The policy rules are typically established by one or more network administrators. A network may have hundreds of policy rules in place, and the rules are often changed by an administrator as new connectivity is desired or applications are added. Because of the numerous combinations of possible conditions, it is difficult to verify that a network security policy is functioning as desired. Once a policy is created, it is difficult for an administrator to know whether the security policy is properly implemented in all enforcement points. It is difficult to predict the effect of adding or deleting additional rules after initial policy creation. Administrators also would like to verify and document that the policy rules implement the correct security policy over a time period.
The present invention may provide the ability to determine the actions triggered by a network security policy given a set of conditions. Embodiments of the invention involve testing the security policy at specified times, documenting and analyzing the test results for compliance, recording the results for auditing purposes, writing events to warn of non-compliance findings, and dynamically taking defensive action to prevent security breaches as the result of non-compliance findings.
In one embodiment of the invention, a method for validating network security policy compliance comprises creating a plurality of condition simulators for testing a network security policy, each condition simulator having a corresponding expected result, and comparing a result of a test of the network security policy using one of the condition simulators to the expected result corresponding to the one of the condition simulators.
Each of the plurality of condition simulators may comprise at least packet header information and packet direction. The packet header information may comprise a destination Internet Protocol address, a source Internet Protocol address, a communication protocol, a destination port, and a source port. Each of the plurality of condition simulators may further comprise at least one of a time of day, a user identity, and an application name.
The method may further comprise sending the one of the condition simulators to a network security enforcement point at which the test of the network security policy is performed, and receiving the result of the test of the network security policy.
The method may further comprise performing one or more remedial actions if the result of the test of the network security policy using the one of the condition simulators does not conform to the expected result corresponding to the one of the condition simulators.
In addition to the method for validating network security policy compliance, as described above, other aspects of the present invention are directed to corresponding systems and computer program products for validating network security policy compliance.
Having thus described the invention in general terms, reference will now be made to the accompanying drawings, which are not necessarily drawn to scale, and wherein:
Referring now to
A set of condition simulators used to drive a policy compliance check are created, and stored in database 38. The condition simulators are used to simulate the behavior of the security policy if a “live” packet that contained the same 5-tuples (destination IP address, source IP address, protocol, destination port, source port) as the condition simulators, under a certain set of other conditions (e.g., direction, time), were processed by the policy search logic. For example, one condition simulator may contain the following information:
For each condition simulator there is an associated expected result, also stored in database 38. Such an expected result may include overall action (deny, allow), type of network security required (IPSec, TLS), encryption algorithm required, and authentication algorithms required. An example of an expected result for a given condition simulator test packet is:
The policy compliance manager 30 may comprise a simulator scheduler 32 configured for conducting policy validation tests on a scheduled or ad hoc basis. The scheduler retrieves one or more condition simulators from the database 38 and sends them over the network to the policy enforcement point 50 (the remainder of the method will be described as if only one condition simulator is sent from the policy compliance manager to the policy enforcement point). The policy enforcement point comprises software code to implement a condition simulator processor 52. The condition simulator processor receives the condition simulator and invokes the policy search logic 54. The policy search logic 54 works as described above, retrieving the appropriate filter rules from the policy database 58 and applying the rules to determine if the condition simulator should be allowed or denied. Other security session information is also determined according to the policy rules, such as security protocol type (e.g., IPSec or TLS) and cryptographic algorithms associated with the condition simulator.
The result of the test from the policy search logic is sent via the condition simulator processor to the policy compliance manager. The policy compliance manager comprises a results analyzer 34 which compares the received test result to the result that is expected for the condition simulator that was used. A remediation element 36 may then take one or more actions based on the results of the analysis. If the analysis shows a mismatch between the returned results and the expected results, a non-compliance condition occurs. The action taken if a non-compliance condition is found may be determined based on when policy verification is performed (i.e., before or after implementation of a security policy). The number and type of action taken may vary depending on the severity of the non-compliance condition and/or the number of rules that yield non-compliance conditions.
In the event of a non-compliance condition resulting from a pre-installation test, the remedial action would generally be to not install the tested policy. In the event of a non-compliance condition for live policy check, as mentioned above the type of action taken may vary depending on the severity of the non-compliance condition and/or the number of rules that yield non-compliance conditions. For example, if the non-compliance condition is that one filter that controls access from a business partner to FTP fails, the remediation element 36 may write a message to a security administrator and install a defensive filter rule to block access to FTP from that source IP address for 30 minutes. In another example, if the non-compliance condition is that multiple filters for access to FTP fail, the remediation element 36 may write message to a security administrator and install defensive filter rule to block all access to FTP for 30 minutes.
As will be appreciated by one skilled in the art, the present invention may be embodied as a system, method or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, the present invention may take the form of a computer program product embodied in any tangible medium of expression having computer-usable program code embodied in the medium.
Any combination of one or more computer usable or computer readable medium(s) may be utilized. The computer-usable or computer-readable medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a transmission media such as those supporting the Internet or an intranet, or a magnetic storage device. Note that the computer-usable or computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory. In the context of this document, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The computer-usable medium may include a propagated data signal with the computer-usable program code embodied therewith, either in baseband or as part of a carrier wave. The computer usable program code may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc.
Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
The present invention is described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
“Computer” or “computing device” broadly refers to any kind of device which receives input data, processes that data through computer instructions in a program, and generates output data. Such computer can be a hand-held device, laptop or notebook computer, desktop computer, minicomputer, mainframe, server, cell phone, personal digital assistant, other device, or any combination thereof.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.
