1. Field of the Invention
The present invention relates to the field of network security and more particularly to security enforcement point processing of encrypted data in a communications path.
2. Description of the Related Art
Internet security has increasingly become the focus of information technologists who participate in globally accessible computer networks. In particular, with the availability and affordability of broadband Internet access, even within the small enterprise, many computers and small computer networks enjoy continuous access to the Internet. Notwithstanding, continuous, high-speed access is not without its price. Specifically, those computers and computer networks which heretofore had remained disconnected from the security risks of the Internet now have become the primary target of malicious Internet malfeasors.
To address the vulnerability of computing devices exposed to the global Internet, information technologists intend to provide true, end-to-end security for data in the Internet through secure communications. The Internet Security Protocol, known in the art as “IPsec” represents a common form of secure communications for use over the Internet. In IPsec, communications between source and destination nodes over communications path in the Internet can be administered in accordance with a security association (SA). An SA can include one or more rules that define the IPsec processing that is applied to the communication. IPsec is defined in the Request for Comment (RFC) 2401 superseded by RFC 4301 among other RFCs.
In IPsec, whether the transmission of a packet is denied or permitted with or without IPsec processing is determined by matching the attributes of a packet within the security rules in a security policy database (SPD). To make this determination, both the static rules of a security policy and dynamic rules negotiated as part of an Internet Key Exchange (IKE), each which refers to an SA as described in RFC 2401, can be subjected to a filtered search in the order of most specific to least specific attributes for both outgoing and incoming packets. The filtering of the attributes of a packet within the security rules can be based upon the source and destination address for the paired nodes engaging in secured communications.
The secured communications path defined between two IPsec endpoints often incorporate one or more security enforcement points such as a virtual private network (VPN)/firewall. Security enforcement points generally are no different than any other computing device excepting that the computing device supporting a security enforcement point hosts logic including program code enabled to support security services such as IP packet filtering, intrusion detection, load balancing and quality of service (QoS) setting management. Security enforcement points also perform IPsec SA endpoint management where the security enforcement point also functions as an IPsec endpoint. Security enforcement points, however, often are positioned in the midst of an IPsec secure communications path and perform no IPsec SA processing. In this circumstance, a security enforcement point positioned within the secure communications path will have no access to cleartext data in a traversing IPsec SA. Consequently, the security function of a security enforcement point in a secure IPsec communications path will have become inoperable as most security functions require access to unencrypted, cleartext data.
U.S. Pat. No. 7,055,027 to Gunter et al. for SYSTEM AND METHOD FOR TRUSTED INSPECTION OF A DATA STREAM relates to the problem of intermediately disposed security enforcement points in a secure communications path. As taught in Gunter, to permit the inspection of data within a secure communications path, an encrypted form of the session key can be received from an originating IPsec endpoint so as to be able to decrypt data flowing from the originating IPsec endpoint to a terminating IPsec endpoint in the secure communications path. Of course, to do so requires the originating IPsec endpoint to have knowledge of the security enforcement point. Moreover, to do so requires knowledge of the public key of the security enforcement point in the originating IPsec endpoint.
Gunter, however, does not provide anything other than the encrypted form of the session key. In fact, Gunter fails to pass an indication of an encryption algorithm to use with the session key, nor does Gunter provide sufficient information to identify a relevant SA. Thus, in Gunter, an enforcement point cannot match a received packet to an SA. Thus, the integral coupling of the originating IPsec endpoint to the security enforcement point inhibits scalability in a model where one or more security enforcement points are positioned within the secure communications path on an ad hoc basis.