Facilitating enforcement of security policies by and on behalf of a perimeter network security device by providing enhanced visibility into interior traffic flows

US 10,038,671 B2
Filed: 12/31/2016
Issued: 07/31/2018
Est. Priority Date: 12/31/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a network security appliance separating a private network from an external network and controlling external network traffic that is transmitted between the private network and the external network, internal network information collected by a plurality of Layer 2 or Layer 3 (Layer 2/3) network devices of the private network that communicatively couple a plurality of internal host devices of the private network and the network security appliance, wherein the plurality of Layer 2/3 network devices switch/route internal network traffic among the plurality of internal host devices without the internal network traffic passing through or being observed by the network security appliance and switch/route the external network traffic between the network security appliance and the plurality of internal host devices, wherein the internal network information includes one or more of (i) information regarding internal network flows and (ii) information extracted from forwarding or routing tables of one or more of the plurality of Layer 2/3 network devices;

deriving, by the network security appliance, a topology of the private network based on the internal network information; and

identifying, by the network security appliance, existence of potential malicious activity involving an internal host device of the plurality of internal host devices by evaluating the internal network information;

responsive to said identifying;

creating, by the network security appliance, a traffic policy to control transmission of network traffic originated by or directed to the internal host device; and

causing, by the network security appliance, the traffic policy to be enforced.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing network traffic by a perimeter network security device based on internal network traffic or configuration information are provided. According to one embodiment, a network security appliance of a private network receives internal network information collected by multiple Layer 2/3 network devices of the private network. The Layer 2/3 network devices switch/route internal network traffic among multiple internal host devices without the network traffic passing through the network security device and switch/route external network traffic between the network security appliance and the internal host devices. A topology of the private network is derived based on the internal network information. Existence of potential malicious activity involving an internal host device is identified by evaluating the internal network information. Responsive thereto (i) a traffic policy is created to control transmission of network traffic associated with the internal host device; and (ii) the traffic policy is enforced.

Citations

19 Claims

1. A method comprising:
- receiving, by a network security appliance separating a private network from an external network and controlling external network traffic that is transmitted between the private network and the external network, internal network information collected by a plurality of Layer 2 or Layer 3 (Layer 2/3) network devices of the private network that communicatively couple a plurality of internal host devices of the private network and the network security appliance, wherein the plurality of Layer 2/3 network devices switch/route internal network traffic among the plurality of internal host devices without the internal network traffic passing through or being observed by the network security appliance and switch/route the external network traffic between the network security appliance and the plurality of internal host devices, wherein the internal network information includes one or more of (i) information regarding internal network flows and (ii) information extracted from forwarding or routing tables of one or more of the plurality of Layer 2/3 network devices;
  
  deriving, by the network security appliance, a topology of the private network based on the internal network information; and
  
  identifying, by the network security appliance, existence of potential malicious activity involving an internal host device of the plurality of internal host devices by evaluating the internal network information;
  
  responsive to said identifying;
  
  creating, by the network security appliance, a traffic policy to control transmission of network traffic originated by or directed to the internal host device; and
  
  causing, by the network security appliance, the traffic policy to be enforced.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the internal network information is associated with a control plane protocol.
  - 3. The method of claim 1, where in the control plane protocol comprises one or more of:
    - Address Resolution Protocol (ARP);
      
      Routing Information Protocol (RIP);
      
      Border Gateway Protocol (BGP);
      
      Dynamic Host Configuration Protocol (DHCP);
      
      Domain Name System (DNS); and
      
      Open Shortest Path First (OSPF).
  - 4. The method of claim 1, wherein the internal network information comprises traffic samples from the internal network traffic captured by one or more of the plurality of Layer 2/3 network devices using a flow export protocol.
  - 5. The method of claim 4, wherein the flow export protocol comprises sampled flow (sFlow), NetFlow or Internet Protocol Flow Information Export (IPFIX).
  - 6. The method of claim 1, wherein said identifying, by the network security appliance, existence of potential malicious activity involving an internal host device of the plurality of internal host devices comprises identifying network activity by the internal host device that violates one or more security policies of the private network.
  - 7. The method of claim 6, further comprising determining, by the network security appliance, a Layer 2/3 network device of the plurality of Layer 2/3 network devices to which the internal host device is connected based on the topology.
  - 8. The method of claim 7, wherein the traffic policy comprises an internal traffic policy and wherein said causing, by the network security appliance, the traffic policy to be enforced comprises causing the traffic policy to be enforced by the determined Layer 2/3 network device.
  - 9. The method of claim 8, wherein said causing the traffic policy to be enforced by the determined Layer 2/3 network device comprises configuring the determined Layer 2/3 network device to allow or block network traffic on a port of the determined Layer 2/3 network device to which the internal host device is connected to the determined Layer 2/3 network device by issuing configuration commands, by the network security appliance, to the determined Layer 2/3 network device or by configuring, by the network security appliance, the determined Layer 2/3 network device via an application programming interface (API) of the determined Layer 2/3 network device.
  - 10. The method of claim 1, further comprising:
    - inspecting, by the network security appliance, the external network traffic between the plurality of internal host devices and the external network; and
      
      wherein said identifying, by the network security appliance, existence of potential malicious activity involving an internal host device of the plurality of internal host devices comprises based on said inspecting, identifying network activity within the external network traffic and targeting the internal host device that violates one or more security policies of the private network.

11. A perimeter network security device comprising:
- a non-transitory storage device having embodied therein one or more routines; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the one or more routines to perform a method comprising;
  
  receiving, internal network information collected by a plurality of Layer 2 or Layer 3 (Layer 2/3) network devices of a private network that communicatively couple a plurality of internal host devices of the private network and the perimeter network security device, wherein the internal network information includes one or more of (i) information regarding internal network flows and (ii) information extracted from forwarding or routing tables of one or more of the plurality of Layer 2/3 network devices;
  
  deriving a topology of the private network based on the internal network information;
  
  identifying existence of potential malicious activity involving an internal host device of the plurality of internal host devices by evaluating the internal network information; and
  
  responsive to said identifying;
  
  creating a traffic policy to control transmission of network traffic originated by or directed to the internal host device; and
  
  causing the traffic policy to be enforced.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The perimeter network security device of claim 11, wherein the internal network information is associated with a control plane protocol.
  - 13. The perimeter network security device of claim 11, where in the control plane protocol comprises one or more of:
    - Address Resolution Protocol (ARP);
      
      Routing Information Protocol (RIP);
      
      Border Gateway Protocol (BGP);
      
      Dynamic Host Configuration Protocol (DHCP);
      
      Domain Name System (DNS); and
      
      Open Shortest Path First (OSPF).
  - 14. The perimeter network security device of claim 11, wherein the internal network information comprises traffic samples from the internal network traffic captured by one or more of the plurality of Layer 2/3 network devices using a flow export protocol.
  - 15. The perimeter network security device of claim 11, wherein said identifying existence of potential malicious activity involving an internal host device of the plurality of internal host devices comprises identifying network activity by the internal host device that violates one or more security policies of the private network.
  - 16. The perimeter network security device of claim 15, wherein the method further comprises determining a Layer 2/3 network device of the plurality of Layer 2/3 network devices to which the internal host device is connected based on the topology.
  - 17. The perimeter network security device of claim 16, wherein the traffic policy comprises an internal traffic policy and wherein said causing, the traffic policy to be enforced comprises causing the traffic policy to be enforced by the determined Layer 2/3 network device.
  - 18. The perimeter network security device of claim 17, wherein said causing the traffic policy to be enforced by the determined Layer 2/3 network device comprises configuring the determined Layer 2/3 network device to allow or block network traffic on a port of the determined Layer 2/3 network device to which the internal host device is connected to the determined Layer 2/3 network device by issuing configuration commands to the determined Layer 2/3 network device or by configuring the determined Layer 2/3 network device via an application programming interface (API) of the determined Layer 2/3 network device.
  - 19. The perimeter network security device of claim 11, wherein the method further comprises:
    - inspecting external network traffic between the plurality of internal host devices and an external network; and
      
      wherein said identifying existence of potential malicious activity involving an internal host device of the plurality of internal host devices comprises based on said inspecting, identifying network activity within the external network traffic and targeting the internal host device that violates one or more security policies of the private network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Mihelich, Joseph R., Srivastav, Amit
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/396,500
Publication Number

US 20180191681A1
Time in Patent Office

577 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/162   at the data link layer

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

Facilitating enforcement of security policies by and on behalf of a perimeter network security device by providing enhanced visibility into interior traffic flows

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Facilitating enforcement of security policies by and on behalf of a perimeter network security device by providing enhanced visibility into interior traffic flows

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links