The present invention relates to a dynamic synchronization mechanism, provided between security agents or between security appliances, for sharing load and capability information. In particular, it relates to generating a packet inspection policy for each policy enforcement point in a centralized management environment according to network topology data of a network infrastructure and the capability of each policy enforcement point; and to a method, an appliance, and a computer program product which dynamically adjust the packet inspection policy of each policy enforcement point according to its capability, metadata, and running status.
Network security operations, such as Data Loss Prevention (DLP), Secure Sockets Layer (SSL) inspection, firewalls (FW), malware detection, intrusion detection systems (IDS) or intrusion prevention systems (IPS), have been an important issue in the field of network technology, although it is known to those skilled in the art that the technology is not limited thereto. Security technology generally involves inspection of traffic packets, and packet inspection is usually very resource-intensive.
For appliances with relatively low computing ability, comprehensive packet inspection is a resource hog; therefore only critical inspections are performed on such appliances. For appliances which cannot perform packet inspection at all (e.g. mobile appliances), packet inspection can only be performed by devices on the packet route, e.g. by a network security device on that route. However, there may be more than one network security device on the packet route, so packets may be inspected repeatedly and system performance is impacted.
FIG. 1(a) is a schematic diagram of a conventional network infrastructure. From an uncontrolled zone 103, the user of an external end-point 101 enters, via the extranet 102, a network coupling device 106 that serves the demilitarized zone (DMZ) 105 of an intranet. The network coupling device 106 may be any device capable of controlling the flow of network packets, such as a switch, a bridge, or a router. The demilitarized zone (DMZ) 105 also serves as a buffer between the uncontrolled zone and the intranet. Access control can be deployed in the demilitarized zone (DMZ) 105 to control and monitor the resources of the other controlled zones (e.g. the intranet resources 107) or the restricted zone 109.
The restricted zone 109 supports strict access control. In general, the restricted zone cannot be directly accessed from an uncontrolled zone, and it is typically bounded by one or more firewalls (FW) which filter inbound and outbound traffic. For example, the restricted zone may comprise a hypervisor, such as a VMware ESX hypervisor, generally with a virtual server protection (VSP) installed, e.g. IBM ISS VSP, to protect the virtual machines being executed.
Access to the secured zone 111 is tightly controlled; the zone can only be accessed by a small number of authorized users. For example, the zone may comprise an IBM Security SiteProtector™ System, which is a centralized management system providing consistent management and analysis of servers, appliances, and security agents in the network infrastructure. More information about SiteProtector™ can be found in the IBM Security SiteProtector™ System V3.1.0 documentation at IBM's Knowledge Center website.
More information related to the network infrastructure may be found on the IBM Redbooks Web site in “Enterprise Security Architecture using IBM Tivoli Security Solutions, SG24-6014”.
The architecture of the network coupling device 106 may be taken from Cisco's switch product, the Cisco Catalyst 3550 Series Switch. The intranet resources 107 are not limited to specific appliances or servers, and each of the intranet resources 107 may contain an unlimited number of appliances or servers, or a combination thereof. For example, the intranet resources 107 may represent a local area network (LAN). Such appliances, also commonly known as Internet appliances, are devices with network capability and certain specific functions. In contrast to general-purpose computer apparatus, appliances have relatively higher performance since they are generally designed for specific purposes or specific services for a particular transaction.
The intranet resources 107 may be a virtual local area network (VLAN). For the internal resources of a business or organization, virtual LAN technology lets the administrator logically group different physical LAN devices, providing more complete information security.
In another aspect, to ensure the security of internal data, a corporation or organization may use a virtual private network (VPN) and thus provide a VPN server in the demilitarized zone (DMZ) 105 for users to access internal resources from external connections. Examples can be found in the technical document published on the applicant's official website, “WebSphere Everyplace Connection Manager: increasing mobile security, reducing wireless costs”. The VPN server is coupled to the network coupling device 106. The user of the external end-point 101 has to register on the virtual private network server; after authentication and authorization, the network coupling device 106 can be reached through the VPN. It should be noted that the VPN server may not be necessary in some embodiments; that is, the user of external end-points 101 does not have to connect to the network coupling device 106 and the intranet resources 107 through the VPN. It should also be noted that, although not illustrated, any other hardware and software components (e.g. an additional computer system, router, or firewall (FW)) may be configured in the Internet 103 between the VPN server (or the network coupling device 106) and the external end-points 101.
More information may be found in the technical documents published by Andrew Jones et al. on the applicant's official website: “IBM SmartCloud Enterprise tip: Build multiple VPNs and VLANs: VPN and VLAN features and capabilities in IBM SmartCloud Enterprise 2.0” and “IBM SmartCloud Enterprise tip: Span virtual local area networks: Provision and configure an instance that spans a public and private VLAN”.
Administrators are normally unable to determine whether a traffic packet from another network segment has already been inspected, and do not know whether another security agent or security appliance has the capability, such as decryption of Secure Sockets Layer (SSL) as required by the HTTPS protocol, to inspect the received traffic packet. In corporations or organizations, to ensure the security of network communications and internal data, intranet network security policies are provided on the internal end-points linked to the intranet. Such intranet network security policies are enforced by security agents like firewalls (FW), anti-virus software, intrusion detection systems (IDS) or intrusion prevention systems (IPS). The internal end-point may be a host computer (e.g. a router, workstation, or server) or data circuit-terminating equipment (DCE) (e.g. a bridge or a switch). In practice, for the sake of security, installing a security agent, such as PSL (Linux), PSU (UNIX), or PSW (Windows), on a machine is normally required whether the machine is physical or virtual.
In addition, a security agent may not be installed on every machine. Therefore, from the viewpoint of network security, setting up security appliances at the edge of each zone in the network infrastructure is necessary. In the network infrastructure shown in FIG. 1(a), a plurality of network security appliances 113-116 (e.g. firewall (FW), intrusion detection system (IDS), or intrusion prevention system (IPS)) are usually deployed at the junctions between zones, i.e. at the edge of each zone.
In the network infrastructure shown in FIG. 1(a), a packet route may involve repeated packet inspection by multiple security agents or security appliances, as in the intranet file sharing service shown in FIG. 1(b) and the public internet access from the intranet shown in FIG. 1(c).
In the intranet file sharing service shown in FIG. 1(b), the administrator sets up a virtual machine VMA within the restricted zone 109 to perform file sharing services. When the end-point B in the intranet needs to access the file sharing service, the packet sent by the end-point B will be inspected five times, that is:
1. Inspected by a security agent installed at the end-point B;
2. Inspected by the intrusion prevention system (IPS) 114 at the edge of the intranet resources 107;
3. Inspected by the intrusion prevention system (IPS) 115 at the edge of the restricted zone 109;
4. Inspected by a virtual server protection (VSP) installed in a hypervisor, e.g. a VMware ESX hypervisor, to protect the virtual machine; and
5. Inspected by a security agent executed in the VMA.
In the public internet access from the intranet shown in FIG. 1(c), the administrator sets up a proxy server in the demilitarized zone (DMZ) 105. When an end-point C in the intranet needs to download a file from Dropbox in the uncontrolled zone 103, the packet sent by Dropbox to the end-point C will be inspected four times, that is:
1. Inspected by the intrusion prevention system (IPS) 113 at the edge of the uncontrolled zone 103;
2. Inspected by the security agent in the demilitarized zone (DMZ) 105, which protects the proxy server;
3. Inspected by the intrusion prevention system (IPS) 114 at the edge of the intranet resources 107; and
4. Inspected by the security agent installed at the end-point C.
As seen from the aforementioned embodiments, each security agent or security appliance in the physical network usually inspects packets repeatedly because it cannot share load and capability information: for example, it lacks the previous processing status of a received traffic packet that has already been inspected and forwarded by a security agent or security appliance within another network segment, and/or it lacks the capability to inspect the received traffic packet. Thus system resources are wasted, degrading the overall performance of the network infrastructure. A security agent or security appliance can be referred to as a policy enforcement point.
In addition, each policy enforcement point is usually given its packet inspection policy in a predetermined static configuration. A policy enforcement point in a static configuration fails to dynamically adjust its configuration (i.e. its packet inspection policies) in response to load changes among the policy enforcement points in the network infrastructure, and so cannot optimize the overall performance of the network infrastructure.
Therefore, it is advantageous to provide a dynamic synchronization mechanism between the policy enforcement points (security agents or security appliances) to share load and capability information, overcoming the conventional shortcomings of repeatedly inspecting packets and being unable to dynamically adjust the configuration of each policy enforcement point.
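The following Python model is an added illustration and is not code from the patent or its applicant. It contrasts the FIG. 1(b) route as described above (five policy enforcement points, each inspecting independently) with the synchronized behaviour the text argues for: each point reads inspection metadata carried with the packet, performs only the required inspections it is capable of that are not yet done, and, when its running status shows high load, defers an inspection that a downstream point could still perform. The inspection types (`ids`, `ssl_decrypt`, `dlp`), the per-point capability sets, and the `HIGH_LOAD` threshold are constructed assumptions for the example; the patent text does not specify them.

```python
from dataclasses import dataclass, field

# Inspection types the packet inspection policy requires (constructed set, not from the patent)
REQUIRED = frozenset({"ids", "ssl_decrypt", "dlp"})
HIGH_LOAD = 0.8   # assumed threshold above which a point defers work it can hand off


@dataclass(frozen=True)
class PolicyEnforcementPoint:
    name: str
    capabilities: frozenset   # inspection types this point is able to perform
    load: float = 0.0         # running status: current utilisation, 0.0 .. 1.0


@dataclass
class Packet:
    payload: bytes
    inspected: set = field(default_factory=set)   # metadata: inspections already completed upstream


def traverse_static(route):
    """Conventional behaviour: every point inspects everything it is capable of,
    with no knowledge of what upstream points already did.
    Returns (number of points that inspected, total inspection operations)."""
    ops = [len(REQUIRED & pep.capabilities) for pep in route]
    return sum(1 for n in ops if n), sum(ops)


def traverse_synchronized(route, packet):
    """Synchronized behaviour: each point performs only the required inspections
    it is capable of and that the packet metadata does not already mark as done.
    An overloaded point defers an inspection only when some downstream point on
    the route could still perform it; otherwise it performs the inspection itself.
    Returns (work performed per point, inspections still missing at end of route)."""
    work = {}
    for i, pep in enumerate(route):
        pending = (REQUIRED & pep.capabilities) - packet.inspected
        if pep.load >= HIGH_LOAD:
            downstream = frozenset().union(*(p.capabilities for p in route[i + 1:]))
            pending -= downstream          # keep only what nobody downstream could cover
        packet.inspected |= pending        # update the metadata carried with the packet
        work[pep.name] = sorted(pending)
    return work, REQUIRED - packet.inspected


def fig_1b_route(ips114_load=0.0):
    """Constructed model of the FIG. 1(b) route from end-point B to VMA;
    capability sets are assumptions for the example."""
    return [
        PolicyEnforcementPoint("agent_B", frozenset({"ids", "dlp"})),
        PolicyEnforcementPoint("IPS_114", frozenset({"ids", "ssl_decrypt"}), ips114_load),
        PolicyEnforcementPoint("IPS_115", frozenset({"ids", "ssl_decrypt", "dlp"})),
        PolicyEnforcementPoint("VSP", frozenset({"ids"})),
        PolicyEnforcementPoint("agent_VMA", frozenset({"ids", "dlp"})),
    ]


def summarize(work):
    """(number of points that did any inspection, total inspection operations)."""
    points = sum(1 for w in work.values() if w)
    ops = sum(len(w) for w in work.values())
    return points, ops


if __name__ == "__main__":
    route = fig_1b_route()
    print("static:", traverse_static(route))
    work, missing = traverse_synchronized(route, Packet(b"GET /share/file"))
    print("synchronized:", work, "summary:", summarize(work), "missing:", missing)
    work, missing = traverse_synchronized(fig_1b_route(ips114_load=0.9), Packet(b"GET /share/file"))
    print("IPS_114 overloaded:", work, "missing:", missing)
```

With the static traversal all five points inspect the packet, matching the five inspections listed for FIG. 1(b); with synchronization the same route needs inspections at only two points, and when IPS 114 reports high load its SSL decryption work moves to IPS 115 without leaving any required inspection undone. The `missing` set returned at the end of the route is the check a central manager would want: if it is non-empty, no point on the route could satisfy the policy and the topology or capabilities need attention.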