The present invention relates to security policy enforcement. In particular, it relates to enforcing a security policy for communication over a network having transport layer security.
Transport layer security provides communication security for information transmitted between endpoints (i.e., “network endpoints”) over a computer network. Transport layer security protocols specify how network endpoints interoperate to create a secure communication path with mechanisms to reduce the prospect of eavesdropping and tampering. An example of transport layer security is defined in protocols such as Secure Sockets Layer (SSL) and the Transport Layer Security (TLS) protocol specified in RFC 2246, RFC 4346 and RFC 5246 (RFC documents published by the Internet Engineering Taskforce (IETF)).
Implementation of a transport layer security protocol is the responsibility of network endpoints, such as software, services and devices communicating over a network. For example, a first software endpoint such as a web browser can initiate communication with a second software endpoint, such as a server. The initiation phase of such communication is undertaken by exchanging messages between the endpoints using a protocol defined “handshake” mechanism. Conventionally, the initiator of such communications is known as the client and the recipient of such initiation messages is known as the server. This convention for describing endpoints as client and server for the purpose of transport layer security does not necessarily reflect the substantive role of, or relationships between, the endpoints in other respects.
During the handshake process, the endpoints select a mutually supported security policy to apply to substantive communications between them. The initiating endpoint (client) indicates which security standards are supported in a handshake message, and the responding endpoint (server) will determine an appropriate, mutually supported, security standard to apply.
The handshake process also includes authentication and authorization steps which are undertaken by one or both endpoints to validate the identity and authority of the other endpoint. Authentication can be undertaken using certificates and authorization using suitable access control mechanisms.
Network service providers rely on individual endpoints to fully and effectively implement transport layer security mechanisms with appropriate and safe security standard selection, authentication and authorization. With these security features implemented by the communication endpoints, network service providers cannot be assured that necessary security policies, such as certificate revocation, expiration and validation policies for authentication, or minimum security standard policies are being adhered to. Further, the requirement for endpoints to undertake authorization functions is a burden on the endpoints, with multiple endpoints undertaking authorization functions resulting in a duplication of functionality across the network.