This invention relates generally to network data transmission security and, more particularly, relates to an improved method and system for deployment of IPSec security policy in a centralized manner.
The prevalence of network technology has increased dramatically in recent years. From the Internet to intranets, computers throughout the world have become massively interconnected. Businesses, institutions, and private users alike routinely place sensitive information onto networks and rely upon the security of the network to protect the security of such information.
A majority of network traffic utilizes the Internet Protocol (IP) for data transmission. The Internet Protocol, part of the TCP/IP communications protocol, implements the network layer (layer 3) of the protocol, which contains a network address used to route messages. IP has no default security scheme associated with it, and accordingly, IP packets are often easily intercepted, read, copied, corrupted, mimicked and so on.
The IP Security Protocol (IPSec) was designed by the Internet Engineering Task Force (IETF) for IP. IPSec supports network-level authentication, data integrity, and encryption, as well as anti-replay and non-repudiation protection. In contrast to Secure Sockets Layer (SSL) and other transport layer security protocols, IPSec operates at the network layer to secure most types of IP packets. IPSec, as defined by the IETF, uses an authentication header (AH) format and/or an encapsulated security payload (ESP) format to secure IP datagrams. The authentication header provides data communication with source authentication and integrity, while the encapsulated security payload provides confidentiality as well as a limited degree of source authentication.
The keying scheme specified by the IETF for IPSec is the Internet Key Exchange protocol (IKE), documented mainly in IETF RFC 2409. This describes a method whereby the sender and recipient negotiate trust and security settings, including the generation of shared secret cryptographic keys to be used for application data encryption in the AH and ESP IPSec formats. If the authentication data in each IPSec packet is valid, the recipient can be confident that the communication originated from the sender and that it was not altered after transmission.
Windows 2000 implements the Identify Protect Mode of the Internet Key Exchange protocol. In this version of IKE, before application data IP packets can be transmitted from one computer to another, three security associations (SAs) must be established between the communicating parties. The first is called the IKE security association (Main Mode or Phase 1 SA), which serves a high level trusted channel established between the two parties. Then two IPSec security associations (Quick Mode, or Phase 2 SAs) are established; one from peer A to peer B, the other from B back to A. An SA is a set of parameters that defines the services and mechanisms, such as keys, to be used to protect communications. The Internet Security Association Key Management Protocol (ISAKMP) defines a framework for supporting the establishment of security associations without being linked to any specific algorithm or key generation method. The Oakley Key Exchange protocol provides a secure method for exchanging cryptographic key material such that an observer of the communication cannot easily discover the secret shared key generated by the two parties. The Internet Key Exchange (RFC 2409) and the IPSec Domain of Interpretation for ISAKMP (RFC 2408) provide detailed specifications from whence ISAKMP and Oakley are integrated to produce a single IPSec-specific key exchange protocol.
The collection of IPSec parameters applicable to a machine are referred to as an EPSec security policy. Although there may be many possible security policies, a given machine may generally have only one security policy active at a given time. A security policy contains certain policy-wide parameters such as the polling interval to be used to detect changes in policy, as well as parameters such as key lifetimes usable for negotiation of a Main Mode security association. Finally, a security policy also contains one or more rules, each of which further contains several other sets of parameters.
It may often be necessary or desirable for ease of administration to configure security policy for a group of machines, such as a corporate network, in a centralized manner. Thus, for example, a network administrator may establish a source of policy information, such as on a directory service, to be periodically downloaded by specific machines to replace their existing security policy. While this provides for ease of policy change and ease of administration, it is important that each machine have the most up-to-date policy available. Furthermore, if there is a temporary loss of connectivity between a machine and the directory service, it is desirable that the machine in question not suffer a lapse in security by having no policy at all in place at any time. There is needed a method of efficiently obtaining new policy information and updating and applying a machine""s IPSec security policy such that there is substantially always a security policy in place on a machine if a policy is assigned to that machine, and such that there is never a significant lull in security coverage.
The invention provides an improved method and system for the maintenance of centrally deployed IPSec security policy information on individual machines. In an embodiment of the invention, a four-state finite state machine is employed to track and maintain the security policy information of a given machine. By residing in and transitioning between the four states, the state machine effectively maintains the security policy of the machine with the most current security policy information accessible.
The invention provides a mechanism for maintaining the security policy on a machine from a number of sources, namely a directory service, a cache, and a local store. The state machine has four states: xe2x80x9cInitial,xe2x80x9d xe2x80x9cDS,xe2x80x9d xe2x80x9cLocal,xe2x80x9d and xe2x80x9cCache.xe2x80x9d The state machine starts in the initial state, and sequentially tries to plumb, or obtain and apply, the DS policy, Cache policy, and local Store policy. Success at any stage will divert the state machine to the appropriately named state. For example, if plumbing the DS policy succeeds, the state machine transitions to a DS state. From the various states, polling occurs to check for a change in the assigned policy. If the assigned policy has changed, the state machine transitions appropriately to obtain the new policy.