Network security is becoming increasingly important as the information age continues to unfold. Network threats and attacks take a variety of forms (e.g., unauthorized requests or data transfers, viruses and other malware, and large volumes of traffic designed to overwhelm resources). Many of these threats reach enterprise computer resources and assets over the Internet. Fixed, or immobile, enterprise hosts such as desktop computers, on-premises or cloud enterprise application servers, and public-facing web servers are typically attached directly to private TCP/IP networks that the enterprise owns and/or operates and administers. These enterprise networks are in turn connected to the Internet so that (a) an enterprise's geographically distributed private networks and their assets can reach each other across the Internet; (b) the enterprise's hosts can reach other publicly addressed Internet-attached hosts (e.g., public web servers and application servers); and (c) other Internet-attached hosts can reach the enterprise's public-facing hosts (e.g., e-commerce web servers). Internet-attached hosts, however, include hosts that are owned, operated, or otherwise controlled by malicious actors. These actors use the Internet not only to probe and attack an enterprise's public-facing hosts, but also to attack its private resources whenever they can, for example once they have subverted the perimeter defenses that the enterprise relies on to protect those resources.
A conventional approach for an enterprise to protect its fixed networked assets from Internet threats is to secure its private networks at the Internet access points, also known as the enterprise network perimeter or boundary. The enterprise defines a security policy that specifies which network traffic may cross the boundary in either direction (i.e., traffic originating from hosts attached to, or inside, the enterprise network and destined for Internet hosts, and conversely traffic originating from Internet hosts and destined for hosts attached to the enterprise network). The policy is enforced by devices located at or near the Internet access points, such as network firewalls, web proxies, SSL/TLS proxies, intrusion prevention systems (IPS), intrusion detection systems (IDS) (which may be deployed out-of-band, in which case they detect and alert but do not themselves block traffic), and threat intelligence gateways (TIGs). This collection of devices may be called a security stack or enterprise network security stack. The effectiveness of the protection provided by the security stack is determined by the quality, scope, and fidelity of the network security policy combined with the ability of the devices to enforce the policy efficiently, without degrading network performance to unacceptable levels. In particular, traffic that never passes through the stack is not subject to the policy at all, however well the policy is written.
The conventional enterprise security stack, however, may be unable to protect an enterprise's mobile hosts and devices, such as enterprise users' personal smartphones, tablets, and laptops, from Internet threats. Such devices connect directly to the Internet via radio access networks such as cellular networks and Wi-Fi networks, and in that case they communicate with Internet hosts without the associated traffic ever being filtered through the enterprise security stack. Malicious Internet hosts and actors can therefore attack the mobile devices directly, infect them with malware, or otherwise gain control of resources and applications on them. Furthermore, a compromised mobile device can serve as a vehicle of entry for malicious actors to penetrate the enterprise network and attack the enterprise's fixed networked assets. For example, enterprise mobile devices, and the applications they host, often have privileged and authorized access to enterprise application servers located behind the security stack. As another example, mobile users may attach their devices directly to the enterprise network via a Wi-Fi access point. In both cases the malicious actor inherits the device's access to assets behind the security stack, and can leverage that access to attack the enterprise's assets without ever crossing the perimeter defenses.
A conventional approach to securing an enterprise's mobile assets is to (a) configure secure tunnels (e.g., VPN tunnels) between each enterprise mobile device and a tunnel gateway located behind the enterprise security stack, and (b) send most or all of the mobile device's Internet communications through the tunnel. When the communications exit the tunnel gateway, they are forwarded through the enterprise security stack, where the enterprise security policy is applied on their way to Internet hosts. Any responsive communications sourced by the Internet hosts are filtered through the security stack in the same way before being tunneled back to the device. This approach has several practical issues, however, that may cause enterprises not to deploy it and/or may cause mobile device users to reject it, with the result that the enterprise does not effectively secure its mobile devices, and therefore its networked assets, from Internet threats.
One of the most challenging issues is the inefficiency of tunneling substantially all of the mobile devices' Internet traffic back to the tunnel gateways so that it can be filtered through the security stack to detect communications associated with Internet threats. Typically only a very small percentage of the Internet communications originating from an enterprise's mobile devices involve Internet threats, and only that threat-associated traffic actually needs to be filtered. Moreover, as the enterprise workforce becomes increasingly mobile, and because enterprise users overwhelmingly prefer to use their own personal mobile devices (e.g., smartphones) for both personal and work communications (a market phenomenon called "bring your own device," or "BYOD"), much of a mobile device's Internet traffic may be personal communications (e.g., high-bandwidth video) that (a) pose no threat to the enterprise, and (b) are private communications that the user may not want subjected unnecessarily to the enterprise's security policies and corporate usage policies. Local privacy protection laws or regulations may also determine whether the enterprise is permitted to filter such personal communications at all. Thus, enterprise network resources used to secure mobile device traffic may be largely wasted on traffic that needed no inspection. The mobile devices themselves also waste resources, including battery power, by unnecessarily encrypting and tunneling traffic that is legitimate and/or benign. As the next generation of cellular networks is deployed, bringing even higher bandwidths, even greater bandwidth consumption by applications, and even greater resource consumption by mobile devices, the costs and other inefficiencies of securing mobile devices' Internet traffic and the associated enterprise networks in this conventional manner are expected to increase and may become prohibitive.
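The following is an added illustration, not code from this application or from any product it describes, of two points made above: the direction-aware perimeter policy that a security stack enforces, and the observation that only a small share of a full-tunneled device's traffic is actually threat-associated. It models a first-match, default-deny rule list in which threat-indicator rules key on the Internet-side endpoint of a flow (so a listed host is blocked whether it is the destination of outbound traffic or the source of inbound traffic), then applies the policy to a constructed sample of flows and reports how many bytes the stack denied versus how many the tunnel had to carry. All class, function and variable names, the indicator feed, the addresses (documentation ranges) and the byte counts are hypothetical.

```python
"""Direction-aware perimeter policy with threat-indicator rules (added example).

Hypothetical names throughout; not code from the application.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional


class Direction(Enum):
    OUTBOUND = "outbound"  # enterprise (or tunneled mobile) host -> Internet host
    INBOUND = "inbound"    # Internet host -> enterprise host


@dataclass(frozen=True)
class Flow:
    direction: Direction
    enterprise_ip: str   # enterprise-side endpoint
    internet_ip: str     # Internet-side endpoint
    dst_port: int        # server port: Internet host if OUTBOUND, enterprise host if INBOUND
    sni: Optional[str]   # TLS server name from the ClientHello, if observed
    nbytes: int          # bytes carried by the flow (constructed sizes)


def _domain_matches(host: str, suffixes) -> bool:
    """True if host equals or is a subdomain of any suffix (case-insensitive)."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)


@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "deny"
    direction: Optional[Direction] = None  # None matches both directions
    internet_nets: tuple = ()              # ip_network objects matched against internet_ip
    enterprise_nets: tuple = ()            # ip_network objects matched against enterprise_ip
    dst_ports: tuple = ()                  # empty means any port
    domains: tuple = ()                    # lower-case suffixes matched against SNI

    def matches(self, f: Flow) -> bool:
        if self.direction is not None and f.direction != self.direction:
            return False
        if self.internet_nets and not any(ip_address(f.internet_ip) in n for n in self.internet_nets):
            return False
        if self.enterprise_nets and not any(ip_address(f.enterprise_ip) in n for n in self.enterprise_nets):
            return False
        if self.dst_ports and f.dst_port not in self.dst_ports:
            return False
        if self.domains and not (f.sni and _domain_matches(f.sni, self.domains)):
            return False  # a domain rule cannot match a flow with no observed SNI
        return True


class PerimeterPolicy:
    """First-match rule list; anything no rule allows is denied."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action
        return "deny"


def indicator_rules(cidrs, domains):
    """TIG-style deny rules from a (constructed) threat-indicator feed.

    Direction is left as None so a listed Internet host is blocked as the
    destination of outbound traffic and as the source of inbound traffic.
    """
    return [
        Rule("deny", internet_nets=tuple(ip_network(c) for c in cidrs)),
        Rule("deny", domains=tuple(d.lower().rstrip(".") for d in domains)),
    ]


# Constructed sample policy: indicator blocks first, then inbound only to the
# public web server on 443, then any outbound traffic; everything else is denied.
POLICY = PerimeterPolicy(
    indicator_rules(cidrs=["198.51.100.0/24"], domains=["evil.example"])
    + [
        Rule("allow", Direction.INBOUND,
             enterprise_nets=(ip_network("203.0.113.10/32"),), dst_ports=(443,)),
        Rule("allow", Direction.OUTBOUND),
    ]
)

# Constructed sample flows for one tunneled mobile device and the public web server.
SAMPLE_FLOWS = [
    Flow(Direction.OUTBOUND, "10.20.0.5", "192.0.2.50", 443, "video.example", 500_000_000),
    Flow(Direction.OUTBOUND, "10.20.0.5", "198.51.100.7", 443, None, 4_000),
    Flow(Direction.OUTBOUND, "10.20.0.5", "192.0.2.80", 443, "cdn.evil.example", 12_000),
    Flow(Direction.INBOUND, "203.0.113.10", "192.0.2.77", 443, "shop.example", 80_000),
    Flow(Direction.INBOUND, "203.0.113.10", "198.51.100.9", 443, "shop.example", 2_000),
    Flow(Direction.INBOUND, "10.0.0.5", "192.0.2.99", 22, None, 1_000),
]


def filter_report(policy: PerimeterPolicy, flows):
    """Apply the policy to each flow and return the decisions plus the byte split.

    denied_bytes is the traffic the stack actually acted on; total_bytes is
    what a full tunnel carried to get it there.
    """
    decisions = [policy.decide(f) for f in flows]
    total = sum(f.nbytes for f in flows)
    denied = sum(f.nbytes for f, d in zip(flows, decisions) if d == "deny")
    return {"decisions": decisions, "total_bytes": total, "denied_bytes": denied}


if __name__ == "__main__":
    rep = filter_report(POLICY, SAMPLE_FLOWS)
    for f, d in zip(SAMPLE_FLOWS, rep["decisions"]):
        print(f"{f.direction.value:8} {f.internet_ip:15} sni={f.sni!s:18} -> {d}")
    print(f"denied {rep['denied_bytes']} of {rep['total_bytes']} bytes")
```

With the constructed sample, the stack denies four flows totalling 19,000 bytes while the tunnel carried just over 500 MB, almost all of it a single benign video stream. The indicator rules are placed first so that a later broad allow rule cannot shadow them, and the inbound rule is scoped to one host and port so that the trailing default deny covers anything else from the Internet, such as the SSH attempt against an internal address.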
Accordingly, there is a need to efficiently secure an enterprise's mobile assets with the enterprise's network security policy and thereby protect the enterprise's networked assets from Internet threats.