TECHNOLOGIES FOR SCALABLE SECURITY ARCHITECTURE OF VIRTUALIZED NETWORKS

US 20160226913A1
Filed: 05/11/2015
Published: 08/04/2016
Est. Priority Date: 02/04/2015
Status: Active Grant

First Claim

Patent Images

1. A network functions virtualization (NFV) security services controller of an NFV security architecture for managing security monitoring services of the NFV security architecture, the NFV security controller comprising:

a security monitoring policy distribution module to transmit a security monitoring policy, via a secure communication channel, to one or more NFV security services agents distributed in a virtual network function (VNF) infrastructure of the NFV security architecture via an NFV security services provider of a virtual infrastructure manager (VIM) of the NFV security architecture, wherein the security monitoring policy comprises a set of monitoring rules usable by the NFV security services agents to monitor telemetry data of the NFV security architecture and adjust configuration settings of the NFV security services agents; and

a security monitoring policy enforcement module to enforce the security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for performing security monitoring services of a network functions virtualization (NFV) security architecture that includes an NVF security services controller and one or more NFV security services agents. The NFV security services controller is configured to transmit a security monitoring policy to the NFV security services agents and enforce the security monitoring policy at the NFV security services agents. The NFV security services agents are configured to monitor telemetry data and package at least a portion of the telemetry for transmission to an NFV security monitoring analytics system of the NFV security architecture for security threat analysis. Other embodiments are described and claimed.

115 Citations

30 Claims

1. A network functions virtualization (NFV) security services controller of an NFV security architecture for managing security monitoring services of the NFV security architecture, the NFV security controller comprising:
- a security monitoring policy distribution module to transmit a security monitoring policy, via a secure communication channel, to one or more NFV security services agents distributed in a virtual network function (VNF) infrastructure of the NFV security architecture via an NFV security services provider of a virtual infrastructure manager (VIM) of the NFV security architecture, wherein the security monitoring policy comprises a set of monitoring rules usable by the NFV security services agents to monitor telemetry data of the NFV security architecture and adjust configuration settings of the NFV security services agents; and
  
  a security monitoring policy enforcement module to enforce the security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The NFV security controller of claim 1, wherein to transmit the security monitoring policy via the secure communication channel comprises to transmit the security monitoring policy to the NVF security services provider via a secure communication channel dedicated to communication between the NFV security services controller and the NVF security services provider.
  - 3. The NFV security controller of claim 1, wherein to transmit the security monitoring policy via the secure communication channel comprises to establish a root of trust (RoT) to secure the communication channels using one or more secure keys.
  - 4. The NFV security controller of claim 1, wherein the security monitoring policy includes security monitoring component configuration information and telemetry data monitoring instructions, andwherein to enforce the security monitoring policy comprises to verify the one or more NFV security services agents are (i) configured as a function of the security monitoring component configuration information and (ii) monitoring the telemetry data as a function of the telemetry data monitoring instructions.
  - 5. The NFV security controller of claim 1, further comprising:
    - a secure communication module to receive configuration data from a plurality of service agents associated with a plurality of virtual network functions of a service function chain based on the security monitoring policy;
      
      a protected transmission control module to secure a communication path between each of the plurality of virtual network functions of the service function chain; and
      
      an NFV security services agent control module to verify a topology of the plurality of virtual network functions of the service function chain based on the received configuration data and the security monitoring policy.
  - 6. The NFV security controller of claim 5, wherein the NFV security services agent control module is further to (i) activate the plurality of virtual network functions of the service function chain, (ii) instantiate an NFV security agent of the one or more NFV security services agents on at least one of the virtual network functions, and (iii) activate the instantiated NFV security services agent on the at least one of the virtual network functions.
  - 7. The NFV security controller of claim 6, wherein the secure communication module is further configured to receive bootstrap information from the NFV security services agent, wherein the bootstrap information defines characteristics of the initialization of the NFV security services agent, and wherein to instantiate the NFV security services agent comprises to execute a bootstrap of a NFV security services agent to load the NFV security services agent on a computing node in network communication with the NFV security services controller.
  - 8. The NFV security controller of claim 6, wherein to enforce the security monitoring policy comprises to verify that the telemetry data being monitored at the activated NFV security services agent is being monitored in accordance with the monitoring rules of the security monitoring policy.
  - 9. The NFV security controller of claim 1, further comprising a security monitoring policy management module to update the security monitoring policy based on a remediation policy received by the secure communication module,wherein the remediation policy, received from an NFV security monitoring analytics system communicatively coupled to the NFV security services controller in response to a determination, by the NFV security monitoring analytics system, that at least a portion of telemetry data transmitted by one of the one or more NFV security services agents was identified as a security threat,wherein the security monitoring policy distribution module is further to transmit the updated security monitoring policy to the one or more security monitoring components of the NFV security architecture, andwherein the security monitoring policy enforcement module is further to enforce the updated security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.
  - 10. The NFV security controller of claim 9, further comprising:
    - a security monitoring policy management module to update the security monitoring policy based on the remediation policy,wherein the security monitoring policy distribution module is further to transmit the updated security monitoring policy to the one or more security monitoring components of the NFV security architecture, andwherein the security monitoring policy enforcement module is further to enforce the updated security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.
  - 11. The NFV security controller of claim 1, further comprising:
    - a telemetry data auditing module to audit telemetry data stored at an audit database in network communication with the NFV security services controller, wherein the telemetry data is timestamped by a secure clock corresponding to the NFV security services agent that transmitted the telemetry data to the audit database, and wherein to audit the telemetry data comprises to (i) verify the telemetry data and (ii) sequence the telemetry data.

12. One or more computer-readable storage media comprising a plurality of instructions stored thereon that in response to being executed cause a network functions virtualization (NFV) security services controller of the NFV security architecture to:
- transmit, via a secure communication channel, a security monitoring policy to one or more NFV security services agents distributed in a virtual network function (VNF) infrastructure of the NFV security architecture via an NFV security services provider of a virtual infrastructure manager (VIM) of the NFV security architecture, wherein the security monitoring policy comprises a set of monitoring rules usable by the NFV security services agents to monitor telemetry data of the NFV security architecture and adjust configuration settings of the NFV security services agents; and
  
  enforce the security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The one or more computer-readable storage media of claim 12, wherein to transmit the security monitoring policy via the secure communication channel comprises to establish a root of trust (RoT) to secure the communication channels using one or more secure keys.
  - 14. The one or more computer-readable storage media of claim 12, wherein the security monitoring policy includes security monitoring component configuration information and telemetry data monitoring instructions, andwherein to enforce the security monitoring policy comprises to verify the one or more NFV security services agents are (i) configured as a function of the security monitoring component configuration information and (ii) monitoring the telemetry data as a function of the telemetry data monitoring instructions.
  - 15. The one or more computer-readable storage media of claim 12, further comprising a plurality of instructions that in response to being executed cause the NFV security services controller to:
    - receive configuration data from a plurality of service agents associated with a plurality of virtual network functions of a service function chain based on the security monitoring policy;
      
      secure a communication path between each of the plurality of virtual network functions of the service function chain; and
      
      verify a topology of the plurality of virtual network functions of the service function chain based on the received configuration data and the security monitoring policy.
  - 16. The one or more computer-readable storage media of claim 15, further comprising a plurality of instructions that in response to being executed cause the NFV security services controller to:
    - activate the plurality of virtual network functions of the service function chain;
      
      instantiate an NFV security agent of the one or more NFV security services agents on at least one of the virtual network functions; and
      
      activate the instantiated NFV security services agent on the at least one of the virtual network functions.
  - 17. The one or more computer-readable storage media of claim 16, wherein to enforce the security monitoring policy comprises to verify the telemetry data being monitored at the activated NFV security services agent is being monitored in accordance with the monitoring rules of the security monitoring policy.
  - 18. The one or more computer-readable storage media of claim 12, further comprising a plurality of instructions that in response to being executed cause the NFV security services controller to:
    - receive a remediation policy from an NFV security monitoring analytics system communicatively coupled to the NFV security services controller in response to a determination, by the NFV security monitoring analytics system, that at least a portion of telemetry data transmitted by one of the one or more NFV security services agents was identified as a security threat;
      
      update the security monitoring policy based on the remediation policy;
      
      transmit the updated security monitoring policy to the one or more security monitoring components of the NFV security architecture; and
      
      enforce the updated security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.
  - 19. The one or more computer-readable storage media of claim 12, further comprising a plurality of instructions that in response to being executed cause the NFV security services controller to:
    - audit telemetry data stored at an audit database in network communication with the NFV security services controller, wherein the telemetry data is timestamped by a secure clock corresponding to the NFV security services agent that transmitted the telemetry data to the audit database, and wherein auditing the telemetry data comprises (i) verifying the telemetry data and (ii) sequencing the telemetry data.

20. A method for managing security monitoring services of a network functions virtualization (NFV) security architecture, the method comprising:
- transmitting, by an NFV security services controller of the NFV security architecture via a secure communication channel, a security monitoring policy to one or more NFV security services agents distributed in a virtual network function (VNF) infrastructure of the NFV security architecture via an NFV security services provider of a virtual infrastructure manager (VIM) of the NFV security architecture, wherein the security monitoring policy comprises a set of monitoring rules usable by the NFV security services agents to monitor telemetry data of the NFV security architecture and adjust configuration settings of the NFV security services agents; and
  
  enforcing, by the NFV security services controller, the security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The method of claim 20, wherein transmitting the security monitoring policy via the secure communication channel comprises (i) securing the communication channels using one or more secure keys and (ii) transmitting the security monitoring policy to the NVF security services provider via a secure communication channel dedicated to communication between the NFV security services controller and the NVF security services provider.
  - 22. The method of claim 20, further comprising:
    - receiving, by the NFV security services controller, configuration data from a plurality of service agents associated with a plurality of virtual network functions of a service function chain based on the security monitoring policy;
      
      securing, by the NFV security services controller, a communication path between each of the plurality of virtual network functions of the service function chain;
      
      verifying, by the NFV security services controller, a topology of the plurality of virtual network functions of the service function chain based on the received configuration data and the security monitoring policy;
      
      activating, by the NFV security services controller, the plurality of virtual network functions of the service function chain;
      
      instantiating, by the NFV security services controller, an NFV security agent of the one or more NFV security services agents on at least one of the virtual network functions; and
      
      activating, by the NFV security services controller, the instantiated NFV security services agent on the at least one of the virtual network functions.
  - 23. The method of claim 22, wherein enforcing the security monitoring policy at the activated NFV security services agent comprises verifying the telemetry data being monitored at the activated NFV security services agent is being monitored in accordance with the monitoring rules of the security monitoring policy.
  - 24. The method of claim 20, further comprising:
    - receiving, by the NFV security services controller, a remediation policy from an NFV security monitoring analytics system communicatively coupled to the NFV security services controller in response to a determination, by the NFV security monitoring analytics system, that at least a portion of telemetry data transmitted by one of the one or more NFV security services agents was identified as a security threat;
      
      updating, by the NFV security services controller, the security monitoring policy based on the remediation policy;
      
      transmitting, by the NFV security services controller, the updated security monitoring policy to the one or more security monitoring components of the NFV security architecture; and
      
      enforcing, by the NFV security services controller, the updated security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.
  - 25. The method of claim 20, further comprising:
    - auditing, by the NFV security services controller, telemetry data stored at an audit database in network communication with the NFV security services controller, wherein the telemetry data is timestamped by a secure clock corresponding to the NFV security services agent that transmitted the telemetry data to the audit database, and wherein auditing the telemetry data comprises (i) verifying the telemetry data and (ii) sequencing the telemetry data.

26. A network functions virtualization (NFV) security services controller of an NFV security architecture for managing security monitoring services of the NFV security architecture, the NFV security controller comprising:
- means for transmitting, via a secure communication channel, a security monitoring policy to one or more NFV security services agents distributed in a virtual network function (VNF) infrastructure of the NFV security architecture via an NFV security services provider of a virtual infrastructure manager (VIM) of the NFV security architecture, wherein the security monitoring policy comprises a set of monitoring rules usable by the NFV security services agents to monitor telemetry data of the NFV security architecture and adjust configuration settings of the NFV security services agents; and
  
  means for enforcing the security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The NFV security controller of claim 26, wherein the security monitoring policy includes security monitoring component configuration information and telemetry data monitoring instructions, andwherein the means for enforcing the security monitoring policy comprises means for verifying the one or more NFV security services agents are (i) configured as a function of the security monitoring component configuration information and (ii) monitoring the telemetry data as a function of the telemetry data monitoring instructions.
  - 28. The NFV security controller of claim 26, further comprising:
    - means for receiving configuration data from a plurality of service agents associated with a plurality of virtual network functions of a service function chain based on the security monitoring policy;
      
      means for securing a communication path between each of the plurality of virtual network functions of the service function chain; and
      
      means for verifying a topology of the plurality of virtual network functions of the service function chain based on the received configuration data and the security monitoring policy.
  - 29. The NFV security controller of claim 26, further comprising:
    - means for receiving a remediation policy from an NFV security monitoring analytics system communicatively coupled to the NFV security services controller in response to a determination, by the NFV security monitoring analytics system, that at least a portion of telemetry data transmitted by one of the one or more NFV security services agents was identified as a security threat;
      
      means for updating the security monitoring policy based on the remediation policy;
      
      means for transmitting the updated security monitoring policy to the one or more security monitoring components of the NFV security architecture; and
      
      means for enforcing the updated security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.
  - 30. The NFV security controller of claim 26, further comprising:
    - means for auditing telemetry data stored at an audit database in network communication with the NFV security services controller, wherein the telemetry data is timestamped by a secure clock corresponding to the NFV security services agent that transmitted the telemetry data to the audit database, and wherein auditing the telemetry data comprises (i) verifying the telemetry data and (ii) sequencing the telemetry data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Sood, Kapil, Young, Valerie J., Venkatachalam, Muthaiah, Nedbal, Manuel

Granted Patent

US 9,560,078 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 47/25   with rate being modified by...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 67/10   in which an application is ...

H04Q 9/00   Arrangements in telecontrol...

TECHNOLOGIES FOR SCALABLE SECURITY ARCHITECTURE OF VIRTUALIZED NETWORKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

115 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

TECHNOLOGIES FOR SCALABLE SECURITY ARCHITECTURE OF VIRTUALIZED NETWORKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others