The present invention relates to apparatus and methods for implementing security in data communication. More particularly, the present invention relates to host-based security in data communication applications.
With the rise of data networking in general and the Internet in particular, businesses and organizations have become increasingly dependent on computer networks for their communications needs. Nowadays, it is not uncommon for vast quantities of data, often critical or confidential data, to be sent from computer to computer across private and public networks.
As users become increasingly dependent on computer networks for their data communication and data storage needs, network administrators are becoming increasingly concerned about data security. When a data packet is transmitted from one computer to another computer, that data packet may traverse both the private network(s) and the public network (such as the Internet). At every hop in the network, the data packet is handled by a network node (such as a router, a switch, a bridge, a gateway, or the like) in order to pass that data packet on to the appropriate next hop toward its destination. Since the public network nodes, as well as the public network communication media (such as optical, wired, or wireless) that interconnect the public network nodes, are typically not under the control of any one entity, it has long been recognized that there are inherent security risks whenever data traverses the public network. Accordingly, data security in public networks has long been the focus of study and development.
To facilitate discussion, FIG. 1 shows a data communication arrangement for ensuring data security when data traverses across public networks. The security arrangement shown in FIG. 1 is known as perimeter security or network-edge security because security is applied to the data at the perimeter or the edge of private networks to ensure that when data leaves the private network and enters the public network, that data is secure against unauthorized access and/or tampering.
Referring now to FIG. 1, there is shown a private network 102, representing for example the intranet of an exemplary organization. Private network 102 includes a plurality of computers 104, 106, and 108, representing for example the computers and workstations in a local area network or a virtual private network. Private network 102 also includes a server 110, representing for example a mail server or a data storage facility. To allow computers 104, 106, and 108 to access facilities in other networks as well as to allow remote computers to access the facilities of private network 102, there is shown a virtual private network (VPN) gateway 112 coupled to private network 102.
To implement perimeter security, security capabilities are provided at the VPN gateways. For example, data communication from private network 102 is authenticated and/or encrypted at VPN gateway 112 prior to being sent out to a public network 114. A similar VPN gateway 132 is shown coupled between another private network 134 and public network 114 to encrypt data transmitted from one of the computers associated with private network 134, such as a computer 136. If computer 136 in private network 134 wishes to communicate with computer 104 in private network 102, for example, the data flow between computers 136 and 104 is authenticated by VPN gateways 112 and 132. If authentication is successful, data packets from computer 136 are encrypted by VPN gateway 132 associated with private network 134 and remain encrypted as they traverse public network 114 until they are decrypted by VPN gateway 112 associated with private network 102 prior to being sent to computer 104. Encryption/decryption also happens analogously for data packets sent from computer 104 to computer 136. Thus, the data communication between gateway 132 and gateway 134 across public network 114 is secure.
FIG. 1 also shows a remote computer 140, representing for example a laptop computer of a traveling corporate employee. Remote computer 140 is typically provided with its own VPN gateway functionalities, including authentication and/or encryption/decryption capabilities. In the typical case, remote access from remote computer 140 to facilities within private network 102 or 134 is accomplished via a relatively slow connection, such as a dial-up connection at about 56 Kbps, a DSL (digital subscriber line) connection at about 1 Mbits/sec or slower, or a cable modem connection at analogous speeds. Because high data communication speed is not an issue, the VPN gateway functions may be implemented via a variety of conventional ways, using hardware, software, or a combination of both within remote computer 140.
In some implementations, certain strategic servers within a private network may be provided with security capabilities as well. For example, the mail server 110 within private network 102 may be provided with authentication and/or encryption/decryption capabilities to ensure that data communication to and from mail server 110 is properly encrypted and authenticated.
It has been learned over time that perimeter-based security arrangements have failed to address one serious source of security threats. For example, it has been learned over time that a significant percentage of security breaches detected in a given corporate network may be traceable to users within the corporate private network itself. In other words, even if the data communication never leaves the private network, there is still a significant risk that data security may be compromised as data is sent from one computer within a private network to another computer within that same private network or even as data is stored in one of the computers or servers connected to the private network. This form of security risk, i.e., security risks from internal users of the private network, is not addressed by perimeter-based security arrangements since perimeter-based security arrangements only address data security transmitted beyond the network perimeter. Within the network perimeter, such as within private network 102 for example, data communication between computer 108 and computer 104 is essentially unprotected in a perimeter-based security scheme.
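The following Python model of the FIG. 1 topology is an added illustration, not part of the patent text. It assumes constructed node names built from the figure numerals, collapses the intranet switching fabric into a single "internal_switch" hop and the public network into a single "public_network_114" hop, and treats remote computer 140 as its own gateway, as the description states; it shows which hops handle a payload in cleartext under perimeter-only security.

```python
# Constructed model of FIG. 1: which hosts sit in which private network, and the
# VPN gateway that each network's traffic passes through at the perimeter.
NETWORKS = {
    "private_102": {"computer_104", "computer_106", "computer_108", "server_110"},
    "private_134": {"computer_136"},
    "remote_140": {"remote_computer_140"},  # laptop with built-in VPN functions
}
GATEWAYS = {
    "private_102": "vpn_gateway_112",
    "private_134": "vpn_gateway_132",
    "remote_140": "remote_computer_140",  # encrypts on the host itself
}


def network_of(host):
    """Return the private network a host belongs to (assumed topology)."""
    for net, members in NETWORKS.items():
        if host in members:
            return net
    raise ValueError(f"unknown host {host!r}")


def route(src, dst):
    """Walk a packet from src to dst under perimeter security.

    Returns a list of (node, encrypted_on_arrival) pairs for every node after
    the sender. Encryption is applied only when the packet leaves a private
    network through its gateway, so intra-network hops never see ciphertext.
    """
    src_net, dst_net = network_of(src), network_of(dst)
    hops = []
    if src_net == dst_net:
        # Stays inside the perimeter: ordinary switches/routers forward plaintext.
        hops.append(("internal_switch", False))
    else:
        hops.append((GATEWAYS[src_net], False))    # arrives clear, encrypted here
        hops.append(("public_network_114", True))  # public nodes see ciphertext only
        hops.append((GATEWAYS[dst_net], True))     # decrypted at the far edge
    hops.append((dst, False))                      # delivered to the destination
    return hops


def cleartext_hops(hops):
    """Nodes that received the payload unencrypted (the exposure surface)."""
    return [node for node, encrypted in hops if not encrypted]
```

Running `route("computer_108", "computer_104")` shows the payload in the clear at every hop, while `route("computer_136", "computer_104")` exposes it only at the gateways and endpoint, never on public network 114.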
The implementation of data security within private networks is further complicated by technical challenges associated with high data speeds. Users within corporate networks and private networks have been conditioned to expect high speed data communication. For example, in a class of applications known as block storage, data storage is centralized in a server on the network, and individual users' computers would employ a block storage protocol, such as iSCSI (essentially SCSI over TCP), in order to access stored data in the network whenever they are connected to the network. Centralized data storage offers many advantages to an organization, among which are centralized control and management over the data, improved data security since there are fewer storage locations to defend, the ability to archive and perform archival/purging functions dependably, and the like. Obviously, this class of application requires, in addition to a secure connection, a very low latency, high bandwidth connection between the user's computer and the network data storage facility. This is because users have been conditioned to expect that data access occurs with almost no delay, as the case has always been when data storage is local on their own computer's hard drive. If the connection between the user's computer and the network data storage facility is slow, centralized data storage will not succeed as users will simply revert to the less painful method of storing data, even critical, sensitive data, on their own hard drives.
On the other hand, security implementations, due to their intensive mathematical nature and multitudes of security rules, tend to worsen the data communication delay. For this reason, there has not been a technically satisfactory and economical solution to data security that addresses the internal security risks as well as satisfies the high data speed requirement within private networks, particularly for bandwidth and latency-sensitive applications such as block storage.