Facilitating enforcement of security policies by and on behalf of a perimeter network security device by providing enhanced visibility into interior traffic flows
First Claim
1. A method comprising:
receiving, by a network security appliance separating a private network from an external network and controlling external network traffic that is transmitted between the private network and the external network, internal network information collected by a plurality of Layer 2 or Layer 3 (Layer 2/3) network devices of the private network that communicatively couple a plurality of internal host devices of the private network and the network security appliance, wherein the plurality of Layer 2/3 network devices switch/route internal network traffic among the plurality of internal host devices without the internal network traffic passing through or being observed by the network security appliance and switch/route the external network traffic between the network security appliance and the plurality of internal host devices, wherein the internal network information includes one or more of (i) information regarding internal network flows and (ii) information extracted from forwarding or routing tables of one or more of the plurality of Layer 2/3 network devices;
deriving, by the network security appliance, a topology of the private network based on the internal network information; and
identifying, by the network security appliance, existence of potential malicious activity involving an internal host device of the plurality of internal host devices by evaluating the internal network information;
responsive to said identifying:
creating, by the network security appliance, a traffic policy to control transmission of network traffic originated by or directed to the internal host device; and
causing, by the network security appliance, the traffic policy to be enforced.
Abstract
Systems and methods for managing network traffic by a perimeter network security device based on internal network traffic or configuration information are provided. According to one embodiment, a network security appliance of a private network receives internal network information collected by multiple Layer 2/3 network devices of the private network. The Layer 2/3 network devices switch/route internal network traffic among multiple internal host devices without the network traffic passing through the network security device and switch/route external network traffic between the network security appliance and the internal host devices. A topology of the private network is derived based on the internal network information. Existence of potential malicious activity involving an internal host device is identified by evaluating the internal network information. Responsive thereto (i) a traffic policy is created to control transmission of network traffic associated with the internal host device; and (ii) the traffic policy is enforced.
19 Claims
1. A method comprising the steps set out in full under "First Claim" above. (Dependent claims: 2 to 10)
11. A perimeter network security device comprising:
a non-transitory storage device having embodied therein one or more routines; and
one or more processors coupled to the non-transitory storage device and operable to execute the one or more routines to perform a method comprising:
receiving internal network information collected by a plurality of Layer 2 or Layer 3 (Layer 2/3) network devices of a private network that communicatively couple a plurality of internal host devices of the private network and the perimeter network security device, wherein the internal network information includes one or more of (i) information regarding internal network flows and (ii) information extracted from forwarding or routing tables of one or more of the plurality of Layer 2/3 network devices;
deriving a topology of the private network based on the internal network information;
identifying existence of potential malicious activity involving an internal host device of the plurality of internal host devices by evaluating the internal network information; and
responsive to said identifying:
creating a traffic policy to control transmission of network traffic originated by or directed to the internal host device; and
causing the traffic policy to be enforced.
(Dependent claims: 12 to 19)
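The pipeline described in the abstract and in claims 1 and 11 (collect switch flow records and forwarding tables, derive a topology, flag a host, create and push a policy), as an added illustration that is not the patent's own code. The flow records, forwarding tables, the fan-out heuristic used to flag a host, and the two enforcement points (the perimeter appliance plus the host's access switch) are all constructed assumptions for this example.

```python
from collections import defaultdict

# Constructed sample: flow records exported by internal Layer 2/3 switches.
# Each tuple is (src_ip, dst_ip, dst_port). None of these flows ever crosses
# the perimeter appliance, so it cannot observe them directly.
INTERNAL_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 445),
    ("10.0.1.10", "10.0.2.21", 445),
    ("10.0.1.10", "10.0.2.22", 445),
    ("10.0.1.10", "10.0.2.23", 445),
    ("10.0.1.11", "10.0.2.20", 443),
    ("10.0.2.20", "10.0.1.11", 443),
]

# Constructed sample forwarding tables: switch name -> hosts learned behind it.
FORWARDING_TABLES = {
    "sw-floor1": ["10.0.1.10", "10.0.1.11"],
    "sw-floor2": ["10.0.2.20", "10.0.2.21", "10.0.2.22", "10.0.2.23"],
}


def derive_topology(tables):
    """Map each internal host to the switch whose forwarding table lists it."""
    return {host: sw for sw, hosts in tables.items() for host in hosts}


def find_suspicious_hosts(flows, fanout_threshold=3):
    """Flag hosts that open flows to many distinct internal peers on one port,
    an internal fan-out pattern invisible to a perimeter-only vantage point.
    The threshold is an assumed tuning knob, not a value from the patent."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        peers[(src, port)].add(dst)
    return sorted({src for (src, _), dsts in peers.items()
                   if len(dsts) >= fanout_threshold})


def create_traffic_policy(host, topology):
    """Build a block policy for the host; enforcement points are assumed to be
    the perimeter appliance (external traffic) and the host's own switch."""
    return {"host": host, "action": "block",
            "enforce_on": ["perimeter-appliance", topology.get(host, "unknown-switch")]}


def respond(flows, tables):
    """Run the full pipeline and return the policies to be enforced."""
    topology = derive_topology(tables)
    return [create_traffic_policy(h, topology) for h in find_suspicious_hosts(flows)]
```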