1. Field of the Invention
The present invention relates to the field of network security and more particularly to the field of security services management for distributed security enforcement points.
2. Description of the Related Art
Internet security has increasingly become the focus of both corporate and home computer users who participate in globally accessible computer networks. In particular, with the availability and affordability of broadband Internet access, even within the small office home office environment, many computers and small computer networks enjoy continuous access to the Internet. Notwithstanding, continuous, high-speed access is not without its price. Specifically, those computers and computer networks which heretofore had remained disconnected from the security risks of the Internet now have become the primary target of malicious Internet crackers and script kiddies, collectively referred to as “malicious intruders”.
Notably, many such unauthorized intruders continuously scan the Internet for Internet Protocol (IP) addresses and ports of vulnerable computers communicatively linked to the Internet. At the minimum, those vulnerable computers can experience nuisance damage such as unauthorized file access, file deletion or file modification or defaced Web pages. Yet, at the other extreme, for the unsuspecting end-user their computer can become the staging area for “zombies” with which more malicious attacks can be launched resulting in the crippling of segments of the Internet. Of note, damage can result not only from the external actions of a malicious intruder, but also from the unsuspecting and unintentional actions of an internal, authorized user who either has accessed the assigned authorization to that user, or who unsuspectingly has become the proxy for an external, malicious force.
To combat the threat of malicious hacking, information technologies have devised complicated computing architectures designed to selectively limit access to different network resources according to the type of resource accessed and the identity of the user attempting access to the resource. Generally, network security measures deployed to combat malicious hacking can be broadly grouped into perimeter defenses, end-point defenses and intermediate security enforcement points. Perimeter defenses typically refer to firewall and other restrictive technologies deployed at the perimeter of the network. By comparison, end-point defenses generally refer to application level, client-side mechanisms such as client-side anti-virus software and software implemented personal firewalls.
Security enforcement points form the balance of the requisite security measures within a computing network. Security enforcement points refer to network mechanisms including gateway mechanisms within the network that separate a less-trusted portion or zone of the network from a more-trusted portion or zone of the network. Typically, security enforcement points are implemented in network and host infrastructure according to tiers of layers. The layering approach of the tiered architecture is intended to isolate certain services from direct exposure to users of the services based upon the sensitivity of the data exposed within the tier and the perceived risk of exposure from a set of users.
While data can be protected by a conventional tiering approach, security enforcement points with sensitive data relating to security often are located in relatively hostile zones in the network. In addition, as security enforcement points can be aggregation points for traffic, continuous availability of the systems in these relatively hostile zones can be critical. Finally, in order to control the operation of the network and to receive management data such as security events, one or more management nodes in relatively secure zones that have direct connectivity must all maintain an awareness of the multitude of security enforcement points and also must have direct connectivity to the security enforcement points—even those in hostile zones.