Field of the Invention
The present invention relates in general to the field of computers and similar technologies, and in particular to software utilized in this field. Still more particularly, it relates to a method, system and computer-usable medium for automated network security policy deployment in a dynamic environment.
Description of the Related Art
In many known networking environments having physical switches and servers, the security policy for any particular network security control element (e.g. firewalls, intrusion prevention) often remains relatively static. Because the network and applications remain relatively static and the policy depends on the network configuration and application workload, changes to the security policy occur relatively infrequently. This allows security administrators to customize the security policy for each security control element. For example, referring to FIG. 1, labeled Prior Art, certain known firewall (FW) and intrusion prevention system (IPS) policies depend on the particular network and application configuration. The policy of a particular IPS (IPS 3) associated with a particular subnet may have a user based policy when that subnet has users accessing servers on that subnet and then out to the Internet. However, another subnet IPS (IPS 2) does not require a user based policy because this subnet is only inspecting traffic between servers. Finally, another subnet IPS (IPS 1) has a policy suitable to an Internet gateway location, and may include policies around users, applications, and IP reputation. FIG. 2, labeled Prior Art, shows an example of a network environment where the applications are executing within virtual machines in a hypervisor (e.g. an ESX hypervisor, a kernel based virtual machine (KVM) hypervisor, a XenServer hypervisor, etc.). In this network environment, a subnet IPS (IPS 2) executes as a virtual appliance (hypervisor guest). In this environment, the location of the virtual machine (VM) is dynamic. To support load balancing, a VM can be moved from one host to another. Because of the dynamic nature of the environment, the task of enforcing network security policy for all VMs can be more difficult.
One known method of enforcing a network security policy is to have the same security policy enforced for every VM in every subnet. For example, a known IPS deployment in a virtual environment can require each IPS entity to load the same security policy, so when the VM is moved from one host to another host, or one subnet to another, the same security policy is enforced on the migrated VM.
Referring to FIG. 3, labeled Prior Art, an example enterprise or public cloud based environment is shown using technology such as an OpenStack cloud computing platform or a CloudStack cloud computing platform and Software Defined Networking (SDN) principles to provide an SDN network environment. SDN principles separate a network topology from the physical network infrastructure and add an abstraction layer in between the network topology and the network infrastructure so that the network topology is defined by software. Using SDN principles and virtualization, the entire network topology may be constructed using virtual network objects, including virtual switches, virtual routers, virtual network segments, etc. Moreover, the network overlay technology provided with SDN principles removes the physical boundary between traditional data centers, e.g., two servers in different data centers may be located in the same virtual network segment.
In such an environment it can be challenging to enforce intrusion prevention system policies. In such a cloud based environment, the network topology can change frequently when compared to a traditional data center. New virtual networks are often dynamically added to the environment. With known intrusion prevention system policies, more and more scenarios are added to the security policy even though not all of the scenarios will apply to every VM, creating a relatively large policy for every VM. The large policies lead to more memory consumption on the IPS and also introduce more computational overhead when processing network traffic. Additionally, the policy can become confusing for security administrators. Not only can the VMs be moved in an SDN network environment, but the entire network topology can also be changed in real time, thus creating an extra-dynamic network environment. The extra-dynamic nature of SDN exposes all the assets, including physical assets and virtual assets, to a rapidly changing network environment, which can make designing a comprehensive security policy challenging. It is thus desirable to provide a security solution that allows effective network security policy management in a highly dynamic environment, such as that posed by an SDN network environment.
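The contrast drawn above between the location-specific IPS policies of FIG. 1 and the single policy loaded on every IPS in a virtualized environment, as an added example that is not part of the patent text. The subnet roles, the rule names within the user, application and IP reputation categories, and the migration event are constructed here to illustrate why the uniform policy grows beyond what any one placement needs.

```python
"""Placement-aware IPS policy selection versus a uniform policy.

Added example, not part of the patent text. Subnet roles, rule names and
the migration event are constructed to illustrate the background discussion.
"""
from dataclasses import dataclass

# Rule categories named in the background text, with constructed rule names.
# A real IPS would carry many rules per category; counts here are illustrative.
RULE_CATEGORIES = {
    "user":          {"user-auth-abuse", "credential-brute-force"},
    "application":   {"http-exploit", "sql-injection", "rpc-overflow"},
    "ip-reputation": {"known-c2-hosts", "scanner-sources"},
}

# Which categories each subnet placement needs (IPS 1/2/3 of FIG. 1).
ROLE_NEEDS = {
    "internet-gateway": {"user", "application", "ip-reputation"},  # IPS 1
    "server-to-server": {"application"},                           # IPS 2
    "user-subnet":      {"user", "application"},                   # IPS 3
}


def policy_for_role(role):
    """Location-specific policy: only the rule categories this placement needs."""
    rules = set()
    for category in ROLE_NEEDS[role]:
        rules |= RULE_CATEGORIES[category]
    return frozenset(rules)


def uniform_policy():
    """'Same policy on every IPS' approach: the union of every scenario."""
    return frozenset().union(*RULE_CATEGORIES.values())


@dataclass
class VM:
    name: str
    role: str  # placement role of the subnet the VM currently sits on


def migrate(vm, new_role):
    """Move a VM (e.g. for load balancing) and re-derive its placement policy."""
    vm.role = new_role
    return policy_for_role(vm.role)


def irrelevant_rules(vm):
    """Rules the uniform policy evaluates for this VM that its placement never needs."""
    return uniform_policy() - policy_for_role(vm.role)
```

Every rule in `irrelevant_rules` is memory and per-packet work spent on a scenario that cannot occur at the VM's current placement, which is the overhead the background text attributes to the uniform approach.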