DYNAMIC POLICY PROVISIONING WITHIN NETWORK SECURITY DEVICES

US 20090328219A1
Filed: 05/20/2009
Published: 12/31/2009
Est. Priority Date: 06/27/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, with a network security device of a network, network traffic;

applying, with the network security device, a first policy to the network traffic to detect a first set of network attacks, wherein the first policy identifies a first set of attack patterns that correspond to the first set of network attacks;

monitoring, with the network security device, parameters corresponding to utilization of one or more internal resources of the network security device;

dynamically determining, with the network security device, when to apply a second policy to at least a portion of the network traffic based on the monitored parameters for the utilization of the one or more internal resources of the network security device;

applying, with the network security device, the second policy to at least the portion of the network traffic to detect a second set of network attacks based on the dynamic determination, wherein the second policy identifies a second set of attack patterns that correspond to the second set of network attacks, and wherein the first set of attack patterns and the second set of attack patterns identify at least one different attack pattern; and

forwarding, with the network security device, at least the portion of the network traffic based on the application of the second policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention is directed to techniques for dynamic policy provisioning. A network security device may comprise a memory that stores a first policy that identifies a first set of patterns that correspond to a first set of network attacks and a second policy, and a control unit that applies the first policy to the network traffic to detect the first set of network attacks. The control unit, while applying the first policy, monitors parameters corresponding to one or more resources and dynamically determines whether to apply a second policy to the network traffic based on the parameters. The control unit, based on the dynamic determination, applies the second policy to the network traffic to detect a second set of network attacks and forwards the network traffic based on the application of the second policy. In this manner, the network security device may implement the dynamic policy provisioning techniques.

Citations

34 Claims

1. A method comprising:
- receiving, with a network security device of a network, network traffic;
  
  applying, with the network security device, a first policy to the network traffic to detect a first set of network attacks, wherein the first policy identifies a first set of attack patterns that correspond to the first set of network attacks;
  
  monitoring, with the network security device, parameters corresponding to utilization of one or more internal resources of the network security device;
  
  dynamically determining, with the network security device, when to apply a second policy to at least a portion of the network traffic based on the monitored parameters for the utilization of the one or more internal resources of the network security device;
  
  applying, with the network security device, the second policy to at least the portion of the network traffic to detect a second set of network attacks based on the dynamic determination, wherein the second policy identifies a second set of attack patterns that correspond to the second set of network attacks, and wherein the first set of attack patterns and the second set of attack patterns identify at least one different attack pattern; and
  
  forwarding, with the network security device, at least the portion of the network traffic based on the application of the second policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1,wherein the network security device internally comprises a first path for processing initial packets of new packet flow and a fast path for processing packets for existing packet flows,wherein the second policy specifies that the second set of attack patterns are to be applied to the initial packets of the fast path without application to the packets of the first path.
  - 3. The method of claim 1, further comprising:
    - configuring a threshold by which to determine when to dynamically apply the second policy,wherein dynamically determining whether to apply the second policy comprises;
      
      calculating, based on the parameters, an indicator that represents a condition of the network based on the monitored parameters for the utilization of the one or more internal resources of the network security device;
      
      comparing the indicator to the threshold; and
      
      dynamically selecting the second policy when the indicator equals or exceeds the threshold.
  - 4. The method of claim 3,wherein the first set of patterns include a full set of attack patterns,wherein the first set of network attacks include a full set of known network attacks,wherein the second set of network attacks include a subset of the full set of known attack patterns, andwherein the second policy identifies a subset of the full set of attack patterns that correspond to the subset of the full set of network attacks.
  - 5. The method of claim 1, wherein the first set of attack patterns include the second set of attack patterns and an additional set of attack patterns that correspond to the second set of network attacks and an additional set of network attacks.
  - 6. The method of claim 1,wherein dynamically determining whether to apply the second policy comprises:
    - calculating, based on the parameters, an indicator that represents a condition of the network; and
      
      executing a governance algorithm that determines whether to apply the second policy based on the indicator, andwherein applying the second policy comprises applying the second policy, based on the execution of the governance algorithm, to all of the network traffic.
  - 7. The method of claim 1, further comprising:
    - dynamically determining, with the network security device, whether to apply, based on the parameters, a third policy different from the first and second policies in that the third policy identifies at least one attack pattern different from the first and second sets of attack patterns;
      
      applying, with the network security device, the third policy to the network traffic based on the dynamic determination of whether to apply the third policy; and
      
      forwarding, with the network security device, the network traffic based on the application of the third policy.
  - 8. The method of claim 1, wherein applying the first policy to the network traffic includes:
    - classifying a packet of the network traffic by (i) extracting a five-tuple from the packet, (ii) retrieving, from a flow table that stores a plurality of flow entries, one of the plurality of flow entries that correspond to the extracted five-tuple and (iii) determining that the first policy is associated with the packet in the retrieved one of the plurality of flow entries;
      
      storing the packet to a queue of the network security device with a tag that identifies the first policy;
      
      retrieving the packet and the corresponding tag from the queue; and
      
      processing the packet by applying the first policy indicated by the tag to the packet.
  - 9. The method of claim 8, further comprising updating, with the network security device, the flow table in response to dynamically determining to apply the second policy such that one or more of the plurality of flow entries are updated to associate one or more corresponding flows with the second policy,wherein applying the second policy comprises:
    - classifying another packet of the network traffic by (i) extracting another five-tuple from the other packet, (ii) retrieving one of the plurality of updated flow entries that correspond to the other five-tuple and (iii) determining that the second policy is associated with the packet in the retrieved one of the plurality of updated flow entries;
      
      storing the other packet to a queue of the network security device with another tag that identifies the second policy;
      
      retrieving the other packet and the corresponding other tag from the queue; and
      
      processing the other packet by applying the second policy indicated by the other tag to the packet.
  - 10. The method of claim 1, wherein the network security device comprises one of an intrusion prevention device, an intrusion detection device, and an intrusion detection and prevention (IDP) device.
  - 11. The method of claim 1, further comprising receiving the first and second policies via either direct interaction between the network security device and an administrator or remotely from a network security management (NSM) device.
  - 12. The method of claim 1, wherein the parameters include a queue depth, a memory resource, a queue threshold, a processor utilization, a number of sessions, a timestamp, and a time of day.
  - 13. The method of claim 1, further comprising:
    - classifying the incoming network traffic to determine a first packet of the network traffic and a second packet of the network traffic, wherein the first packet has a first characteristic and the second packet has a second characteristic different from the first characteristic,wherein applying the second policy comprises applying the second policy by applying the first policy only to the first packet based on the dynamic determination, andwherein forwarding the portion of the network traffic comprises;
      
      forwarding the second packet without applying the first or second policies to the second packet; and
      
      forwarding the first packet based on the application of the first policy to the first packet.

14. A network security device of a network that receives network traffic comprising:
- a memory that stores a first policy and a second policy, wherein the first policy identifies a first set of attack patterns that correspond to a first set of network attacks, the second policy identifies a second set of attack patterns that correspond to the second set of network attacks, and the first set of attack patterns and the second set of attack patterns identify at least one different attack pattern; and
  
  a control unit that applies the first policy to the network traffic to detect the first set of network attacks, monitors parameters corresponding to utilization of one or more internal resources of the network security device, dynamically determines when to apply a second policy to at least a portion of the network traffic based on the monitored parameters for the utilization of the one or more internal resources of the network security device, applies the second policy to at least the portion of the network traffic to detect a second set of network attacks based on the dynamic determination, and forwards at least the portion of the network traffic based on the application of the second policy.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The network security device of claim 14,wherein the control unit comprises a first path for processing initial packets of new packet flow and a fast path for processing packets for existing packet flows,wherein the second policy specifies that the second set of attack patterns are to be applied to the initial packets of the fast path without application to the packets of the first path.
  - 16. The network security device of claim 14, wherein the control unit comprises a dynamic security manager module to dynamically determine when to apply the second policy to at least a portion of the network traffic by:
    - configuring a threshold by which to determine whether to dynamically apply the second policy,calculating, based on the parameters, an indicator that represents a condition of the network based on the monitored parameters for the utilization of the one or more internal resources of the network security device, andcomparing the indicator to the threshold; and
      
      dynamically selecting to apply the second policy when the indicator equals or exceeds the threshold.
  - 17. The network security device of claim 16,wherein the first set of patterns include a full set of attack patterns,wherein the first set of network attacks include a full set of known network attacks,wherein the second set of network attacks include a subset of the full set of known attack patterns, andwherein the second policy identifies a subset of the full set of attack patterns that correspond to the subset of the full set of network attacks.
  - 18. The network security device of claim 14, wherein the first set of attack patterns include the second set of attack patterns and an additional set of attack patterns that correspond to the second set of network attacks and an additional set of network attacks.
  - 19. The network security device of claim 14, wherein the control unit includes a dynamic security manager module that dynamically determining whether to apply the second policy by:
    - calculating, based on the parameters, an indicator that represents a condition of the network; and
      
      executing a governance algorithm that determines whether to apply the second policy based on the indicator.
  - 20. The network security device of claim 14, wherein the control unit further (i) dynamically determines whether to apply, based on the parameters, a third policy different from the first and second policies in that the third policy identifies at least one attack pattern different from the first and second sets of attack patterns, (ii) applies the third policy to the network traffic based on the dynamic determination of whether to apply the third policy and (iii) forwards the network traffic based on the application of the third policy.
  - 21. The network security device of claim 14,wherein the memory further includes a flow table that stores a plurality of flow entries, andwherein, to apply the first policy to the network traffic, the control unit includes:
    - a classifier module that classifies a packet of the network traffic by (i) extracting a five-tuple from the packet, (ii) retrieving, from the flow table, one of the plurality of flow entries that correspond to the extracted five-tuple and (iii) determining that the first policy is associated with the packet in the retrieved one of the plurality of flow entries, and stores the packet to a queue of the network security device with a tag that identifies the first policy; and
      
      a servicing engine that retrieves the packet and the corresponding tag from the queue and processes the packet by applying the first policy indicated by the tag to the packet.
  - 22. The network security device of claim 21, wherein the control unit further includes:
    - a dynamic security manager module that dynamically determines whether to apply the second policy based on the parameters; and
      
      a table management module that, in response to the dynamic security manager module dynamically determining to apply the second policy, updates the flow table such that one or more of the plurality of flow entries are updated to associate one or more corresponding flows with the second policy,wherein, to apply the second policy, the classifier module classifies another packet of the network traffic by (i) extracting another five-tuple from the other packet, (ii) retrieving one of the plurality of updated flow entries that correspond to the other five-tuple and (iii) determining that the second policy is associated with the packet in the retrieved one of the plurality of updated flow entries and stores the other packet to a queue of the network security device with another tag that identifies the second policy,wherein, to further apply the second policy, the servicing engine retrieves the other packet and the corresponding other tag from the queue and processes the other packet by applying the second policy indicated by the other tag to the packet.
  - 23. The network security device of claim 14, wherein the network security device comprises one of an intrusion prevention device, an intrusion detection device, and an intrusion detection and prevention (IDP) device.
  - 24. The network security device of claim 14, wherein the control unit further includes a user interface module that receives the first and second policies via either direct interaction with an administrator or remotely from a network security management (NSM) device.
  - 25. The network security device of claim 14, wherein the parameters include a queue depth, a memory resource, a queue threshold, a processor utilization, a number of sessions, a timestamp, and a time of day.
  - 26. The network security device of claim 14,wherein the control unit further classifies the incoming network traffic to determine a first packet of the network traffic and a second packet of the network traffic, wherein the first packet has a first characteristic and the second packet has a second characteristic different from the first characteristic,wherein the control unit includes a servicing engine that applies the second policy by applying the first policy only to the first packet based on the dynamic determination,wherein the control unit includes a classifier module that forwards the portion of the network traffic by forwarding the second packet without applying the first or second policies to the second packet,wherein the servicing engine forwards the first packet based on the application of the first policy to the first packet.

27. A network system comprising:
- a plurality of computing nodes of a network that transmit and receive network traffic;
  
  a plurality of network security devices of the network that process the network traffic; and
  
  a network security manager (NSM) device that distributes a plurality of policies to each of the plurality of network security devices,wherein each of the plurality of network security devices includes;
  
  a memory that stores a first one of the plurality of policies and a second one of the plurality of policies, wherein the first one of the plurality of policies identifies a first set of attack patterns that correspond to a first set of network attacks, the second one of the plurality of policies identifies a second set of attack patterns that correspond to the second set of network attacks, and the first set of attack patterns and the second set of attack patterns identify at least one different attack pattern; and
  
  a control unit that applies the first one of the plurality of policies to the network traffic to detect the first set of network attacks, monitors parameters corresponding to one or more internal resources of the network security device, dynamically determines when to apply a second one of the plurality of policies to at least a portion of the network traffic based on the monitored parameters for the utilization of the one or more internal resources of the network security device, applies the second one of the plurality of policies to at least the portion of the network traffic to detect a second set of network attacks based on the dynamic determination, and forwards at least the portion of the network traffic based on the application of the second one of the plurality of policies.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The network system of claim 27,wherein the network security device internally comprises a first path for processing initial packets of new packet flow and a fast path for processing packets for existing packet flows,wherein the second one of the plurality policies specifies that the second set of attack patterns are to be applied to the initial packets of the fast path without application to the packets of the first path.
  - 29. The network system of claim 27, wherein the control unit of each of the plurality of network security devices comprises a dynamic security manager module to dynamically determine when to apply the second one of the policies to at least a portion of the network traffic by:
    - configuring a threshold by which to determine whether to dynamically apply the second one of the policies,calculating, based on the monitored parameters for the utilization of the one or more internal resources of the network security device, an indicator that represents a condition of the network, andcomparing the indicator to the threshold; and
      
      dynamically selecting the second one of the policies when the indicator equals or exceeds the threshold.
  - 30. The network system of claim 29,wherein the first set of patterns include a full set of attack patterns,wherein the first set of network attacks include a full set of known network attacks,wherein the second set of network attacks include a subset of the full set of known attack patterns, andwherein the second one of the policies identifies a subset of the full set of attack patterns that correspond to the subset of the full set of network attacks.
  - 31. The network security device of claim 27, wherein NSM device distributes the first one and second one of the policies of a first one of the plurality of network security devices are different from the first one and second one of the plurality of policies of a second one of the plurality of network security devices.
  - 32. The network system of claim 27, wherein the control unit of each of the plurality of network security devices includes a dynamic security manager module that dynamically determining whether to apply the second policy by:
    - calculating, based on the parameters, an indicator that represents a condition of the network; and
      
      executing a governance algorithm that determines whether to apply the second policy based on the indicator.

33. A computer-readable storage medium comprising instructions for causing a programmable processor to:
- receive, with a network security device of a network, network traffic;
  
  apply, with the network security device, a first policy to the network traffic to detect a first set of network attacks, wherein the first policy identifies a first set of attack patterns that correspond to the first set of network attacks;
  
  monitor, with the network security device, parameters corresponding to utilization of one or more internal resources of the network security device;
  
  dynamically determine, with the network security device, when to apply a second policy to at least a portion of the network traffic based on the monitored parameters for the utilization of the one or more internal resources of the network security device;
  
  apply, with the network security device, the second policy to at least the portion of the network traffic to detect a second set of network attacks based on the dynamic determination, wherein the second policy identifies a second set of attack patterns that correspond to the second set of network attacks, and wherein the first set of attack patterns and the second set of attack patterns identify at least one different attack pattern; and
  
  forward, with the network security device, at least the portion of the network traffic based on the application of the second policy.

34. A method comprising:
- receiving, with a network security device of a network, network traffic, wherein the network security device internally comprises a first path for processing initial packets of new packet flows and a fast path for processing packets for existing packet flows;
  
  applying, with the network security device, a first policy to the network traffic to detect a first set of network attacks, wherein the first policy identifies a first set of attack patterns that correspond to the first set of network attacks;
  
  monitoring, with the network security device, parameters corresponding to utilization of one or more internal resources of the network security device;
  
  dynamically determining, with the network security device, when to apply a second policy to at least a portion of the network traffic based on the monitored parameters for the utilization of the one or more internal resources of the network security device;
  
  applying, with the network security device, the second policy based on the dynamic determination, wherein the second policy specifies that the first set of attack patterns are to be applied to all the packets of the fast path for the existing packet flows setup prior to the dynamic determination and without application to all the packets of the new flows that go through the first path after the dynamic determination; and
  
  forwarding, with the network security device, at least the portion of the network traffic based on the application of the second policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Narayanaswamy, Krishna

Granted Patent

US 8,856,926 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

DYNAMIC POLICY PROVISIONING WITHIN NETWORK SECURITY DEVICES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

DYNAMIC POLICY PROVISIONING WITHIN NETWORK SECURITY DEVICES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links