The present invention relates in general to data processing systems, and more particularly, to a system and method for generating Virtual Private Network (VPN) policies for all devices in a computer network.
A Virtual Private Network (VPN) provides end users a means to securely transport information from an intranet across a public Internet Protocol (IP) network such as the Internet. This is accomplished by creating a secure tunnel between two network entities using security mechanisms such as authentication and encryption. A VPN may be made up of layer-2 tunnels, Internet Protocol Security (IPsec) tunnels and policies. The layer-2 tunnels provide VPN capabilities for remote dial-in users. The IPsec tunnels provide VPN capabilities for IP users. The policies provide access control to resources.
IPsec is a framework of open standards for ensuring secure private communications over the Internet. Based on standards developed by the Internet Engineering Task Force (IETF), IPsec ensures confidentiality, integrity, and authenticity of data communications across a public network. IPsec provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy.
IPsec defines a tunnel mechanism to securely transport IP traffic across a public IP network. IPsec tunnels are actually implemented using a pair of tunnels. There is an IPsec key management and an IPsec data management tunnel, both of which are described more fully below.
IPsec tunneling can directly provide authentication, integrity and encryption. Authentication is the property of knowing that the data received is the same as the data that was sent and that the claimed sender is in fact the actual sender. The IPsec authentication method can be either a manually entered pre-shared key or a digital signature. In addition to authentication, a digital signature guarantees that the message is uniquely associated with the sender and unforgeable by the recipient. Message Digest 5 (MD5: 128 bit hashing) and the Secure Hash Algorithm (SHA: 160 bit hashing) are commonly used algorithms in the IPsec tunnel authentication scheme.
Integrity is the property of ensuring that data is transmitted from the source to the destination without undetected alteration. Hashed Message Authentication Code As Message Digest 5 (HMAC-MD5: 2xc3x97128 bit hashing) and the Hashed Message Authentication Code Message Secure Hash Algorithm (HMAC-SHA: 2xc3x97160 bit hashing) are the commonly used algorithms in the IPsec integrity scheme.
Confidentiality is the property of communicating such that the intended recipients know what was sent but unintended parties cannot determine what was sent. Encapsulation and encryption are used by IPsec to provide confidentiality. The original IP data packet is encapsulated in an IPsec data packet. The original IP header and payload are encapsulated in tunnel mode which is typically used by gateways. In contrast, only the original payload is encapsulated in transport mode which is typically used by hosts. Data Encryption Standard (DESxe2x80x9456 bit encryption), Triple Data Encryption Standard (DES-3xe2x80x943xc3x9756 bit encryption) and the Commercial Data Masking Facility (CMDFxe2x80x9440 bit encryption) are commonly used in the IPsec encryption scheme.
A security association (SA) is a relationship between a given set of network connections that establishes a set of shared security information. Security associations are negotiated based on secret keys, cryptographic algorithms, authentication algorithms and encapsulation modes. The Diffie-Hellman key agreement protocol (Group-1: 768 bit keying, Group-2: 1024 bit keying) is used by Internet Key Exchange (IKE) to generate a shared secret, i.e., a key, between the two IPsec entities. It should be noted that IKE was formerly known as ISAKMP/Oakley (Internet Security Association Key management Protocol/Oakley). The duration of an SA is specified by a lifetime (duration in seconds) or a life-size (duration in Kbytes).
An IPsec key management tunnel is often referred to as an Internet Key Exchange (IKE) tunnel or an IPsec Phase-1 tunnel and is a control tunnel for one or more follow-on IPsec Phase-2 user-data tunnels. The IPsec key management tunnel is negotiated in either main mode which utilities a six message exchange or aggressive mode which utilities a three message exchange. The negotiation entails authenticating the entities, establishing a shared secret and establishing parameters for the security association. After the successful completion of the negotiation, the IPsec key management tunnel uses a single bi-directional security association (SA) for communication. Throughout the lifetime of a given IPsec key management tunnel, the SA may expire and a new one may be created.
An IPsec data management tunnel is often referred to as an IPsec Phase-2 user-data tunnel or as an IPsec tunnel and is used to securely transport IP traffic. The IPsec data management n tunnel is negotiated in quick mode which utilizes a three message exchange. The negotiation entails exchanging identities, deciding whether or not to enforce replay prevention, generating a key if perfect forward secrecy is required, agreeing on the future handling of the xe2x80x9cdon""t copyxe2x80x9d fragment bit and establishing parameters for the security association(s). The security parameters may consist of an authentication header (AH) and/or encapsulating security payload (ESP) processing attributes. While both AH and ESP provide packet integrity and data origin authentication, only ESP provides encryption. The IPsec data management tunnels use one or more inbound SAs and one or more outbound SAs. Throughout the lifetime of a given IPsec data management tunnel, the SA(s) may expire and a new one(s) may be created. During this switch-over period, there are actually two SAs (one with a status of CURRENT and one with a status of EXPIRING) for each original SA.
Authentication is performed on a tunnel basis and optionally on a packet basis. Tunnel authentication is performed by the IKE peers using either a pre-shared key or a digital signature. Packet authentication can be done by either the AH or ESP processing using either the HMAC-MD5 or HMAC-SHA algorithm.
Encryption is optionally performed on a packet basis by the ESP processing. Packet encryption employs either the DES, DES-3 or CMDF algorithm. Integrity is optionally performed on a packet basis. Integrity can be done by either the AH or ESP processing and employs either the HMAC-MMD5 or HMAC-SHA algorithm.
A VPN policy consists of a condition and an action. The condition defines the time frame and traffic characteristics under which the action should be performed. The action is actually a set of actions or sub-actions which are used for IPsec key management, IPsec data management, Differentiated Services (DiffServ) and ReSerVation Setup Protocol (RSVP). When a packet is received from the network, the VPN device searches the defined conditions for a match. If a condition match is found, the VPN devices perform one of more defined actions. Multiple policy instances may be created from a single defined policy.
Defining a VPN policy with the correct set of attributes is not a trivial task. Once a policy has been defined, there may be overlaps and conflicts with other policies defined on the same network device. This may result in unexpected behavior in the network or a loss of traffic due to the IKE negotiation failures.
At present, all networking vendors define VPN policies on a device-by-device basis. For example, in a network having 1000 VPN devices that are to be connected together, the network administrator would have to configure 1000 policies on 1000 devices. Furthermore, if the network administrator wanted to add a device or change a parameter of a policy definition, he would need to repeat or add the change on 1000 devices. The current process is very labor intensive and prone to error.
The foregoing objective is achieved by the system, method and program product of the present invention in which a Virtual Private Network (VPN) is defined by the sum of a plurality of policy segments. Each policy segment, in turn, is composed of a policy segment name, a policy segment type, a VPN device list, a policy template, a quality of service template, a connection type and a hub name (for star connection types). The policy segment type can include Internet Protocol Security (IPsec), Differential Services (DiffServ) or Reservation Protocol (RSVP), the latter two being quality of service (QoS) policy segment types. For IPsec policy segments, mesh, star and device-to-device connection types are used to describe the topology of the network.
The group of devices in a policy segment are specified in a device list. The device list is a collection of other device lists and/or device interface profiles. A device interface profile contains the device specific information needed to generate traffic profiles and action components for a policy segment. A specific device can have multiple device interface profiles with each having a different definition or view of device specific information.
The group of common policy components are specified in a policy template. Policy templates contain the condition and action references that are used to generate policies for the policy segment. The condition reference includes a validity period and a traffic profile. The action reference includes at least one of an IPsec action, a DiffServ action or an RSVP action.
The device list, connection type, and policy template are combined to generate all of the policies for a policy segment.