TECHNOLOGIES FOR SECURE PERSONALIZATION OF A SECURITY MONITORING VIRTUAL NETWORK FUNCTION

US 20160373474A1
Filed: 09/25/2015
Published: 12/22/2016
Est. Priority Date: 06/16/2015
Status: Active Grant

First Claim

Patent Images

1. A security monitoring virtual network function (VNF) for performing security monitoring in a network functions virtualization (NFV) architecture, the security monitoring VNF comprising:

one or more processors; and

one or more memory devices having stored therein a plurality of instructions that, when executed by the one or more processors, cause the security monitoring VNF to;

receive provisioning data from an NFV security services controller of the NFV architecture in network communication with the security monitoring VNF;

perform a mutually authenticated key exchange procedure with a VNF manager of the NFV architecture using at least a portion of the provisioning data to establish a secure communication path between the security monitoring VNF and the VNF manager;

receive personalization data from the VNF manager via the secure communication path, wherein the personalization data includes data usable to configure one or more security functions of the security monitoring VNF; and

perform a personalization operation to configure the security monitoring VNF based on the personalization data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for secure personalization of a security monitoring virtual network function (VNF) in a network functions virtualization (NFV) architecture include various security monitoring components, including a NFV security services controller, a VNF manager, and a security monitoring VNF. The security monitoring VNF is configured to receive provisioning data from the NFV security services controller and perform a mutually authenticated key exchange procedure using at least a portion of the provisioning data to establish a secure communication path between the security monitoring VNF and a VNF manager. The security monitoring VNF is further configured to receive personalization data from the VNF manager via the secure communication path and perform a personalization operation to configure one or more functions of the security monitoring VNF based on the personalization data. Other embodiments are described and claimed.

138 Citations

25 Claims

1. A security monitoring virtual network function (VNF) for performing security monitoring in a network functions virtualization (NFV) architecture, the security monitoring VNF comprising:
- one or more processors; and
  
  one or more memory devices having stored therein a plurality of instructions that, when executed by the one or more processors, cause the security monitoring VNF to;
  
  receive provisioning data from an NFV security services controller of the NFV architecture in network communication with the security monitoring VNF;
  
  perform a mutually authenticated key exchange procedure with a VNF manager of the NFV architecture using at least a portion of the provisioning data to establish a secure communication path between the security monitoring VNF and the VNF manager;
  
  receive personalization data from the VNF manager via the secure communication path, wherein the personalization data includes data usable to configure one or more security functions of the security monitoring VNF; and
  
  perform a personalization operation to configure the security monitoring VNF based on the personalization data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The security monitoring VNF of claim 1, wherein the plurality of instructions further cause the security monitoring VNF to:
    - receive policy information from the VNF manager via the secure communication path; and
      
      perform a policy update operation to update a security policy of the security monitoring VNF.
  - 3. The security monitoring VNF of claim 2, wherein the policy information includes at least one of a tenant specific security processing policy, a security traffic policy, a security group policy, and a network services processing policy.
  - 4. The security monitoring VNF of claim 1, wherein to receive the provisioning data comprises to receive the provisioning data using an out-of-band communication.
  - 5. The security monitoring VNF of claim 1, wherein the provisioning data includes a unique identifier of the security monitoring VNF, a unique identifier of a platform on which the security monitoring VNF is being run, and a security credential.
  - 6. The security monitoring VNF of claim 5, wherein to perform the mutually authenticated key exchange procedure comprises to perform the mutually authenticated key exchange procedure using the security credential.
  - 7. The security monitoring VNF of claim 1, wherein the plurality of instructions further cause the security monitoring VNF to transmit security monitoring information to the VNF manager via the secure communication path, wherein the security monitoring information includes at least one of logs, alerts, and statistics of the security monitoring VNF.
  - 8. The security monitoring VNF of claim 1, wherein the personalization data includes at least one of secure configuration data, an initial set of parameters of the security monitoring VNF, metadata of the NFV architecture, connection information about other VNFs, vendor-specific information, performance data, workload traffic engineering data, and quality of service (QoS) parameters and policies.
  - 9. The security monitoring VNF of claim 1, wherein the plurality of instructions further cause the security monitoring VNF to transmit a personalization operation status and a policy update operation status to the VNF manager, wherein the personalization operation status and the policy update operation status are usable by the NFV security services controller to determine whether to activate a network-wide security policy for network traffic monitored by the security monitoring VNF.

10. One or more computer-readable storage media comprising a plurality of instructions stored thereon that in response to being executed cause a source endpoint node to:
- receive provisioning data from an NFV security services controller of the NFV architecture in network communication with the security monitoring VNF;
  
  perform a mutually authenticated key exchange procedure with a VNF manager of the NFV architecture using at least a portion of the provisioning data to establish a secure communication path between the security monitoring VNF and the VNF manager;
  
  receive personalization data from the VNF manager via the secure communication path, wherein the personalization data includes data usable to configure one or more security functions of the security monitoring VNF; and
  
  perform a personalization operation to configure the security monitoring VNF based on the personalization data.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The one or more computer-readable storage media of claim 10, further comprising a plurality of instructions that in response to being executed cause the security monitoring VNF to:
    - receive policy information from the VNF manager via the secure communication path; and
      
      perform a policy update operation to update a security policy of the security monitoring VNF.
  - 12. The one or more computer-readable storage media of claim 11, wherein the policy information includes at least one of a tenant specific security processing policy, a security traffic policy, a security group policy, and a network services processing policy.
  - 13. The one or more computer-readable storage media of claim 10, wherein to receive the provisioning data comprises to receive the provisioning data using an out-of-band communication.
  - 14. The one or more computer-readable storage media of claim 10, wherein the provisioning data includes a unique identifier of the security monitoring VNF, a unique identifier of a platform on which the security monitoring VNF is being run, and a security credential.
  - 15. The one or more computer-readable storage media of claim 14, wherein to perform the mutually authenticated key exchange procedure comprises to perform the mutually authenticated key exchange procedure using the security credential.
  - 16. The one or more computer-readable storage media of claim 10, further comprising a plurality of instructions that in response to being executed cause the security monitoring VNF to transmit security monitoring information to the VNF manager via the secure communication path, wherein the security monitoring information includes at least one of logs, alerts, and statistics of the security monitoring VNF.
  - 17. The one or more computer-readable storage media of claim 10, wherein the personalization data includes at least one of secure configuration data, an initial set of parameters of the security monitoring VNF, metadata of the NFV architecture, connection information about other VNFs, vendor-specific information, performance data, workload traffic engineering data, and quality of service (QoS) parameters and policies.
  - 18. The one or more computer-readable storage media of claim 10, further comprising a plurality of instructions that in response to being executed cause the security monitoring VNF to transmit a personalization operation status and a policy update operation status to the VNF manager, wherein the personalization operation status and the policy update operation status are usable by the NFV security services controller to determine whether to activate a network-wide security policy for network traffic monitored by the security monitoring VNF.

19. A method for secure personalization of a security monitoring virtual network function (VNF) in a network functions virtualization (NFV) architecture, the method comprising:
- receiving, by the security monitoring VNF, provisioning data from an NFV security services controller of the NFV architecture in network communication with the security monitoring VNF;
  
  performing, by the security monitoring VNF, a mutually authenticated key exchange procedure with a VNF manager of the NFV architecture using at least a portion of the provisioning data to establish a secure communication path between the security monitoring VNF and the VNF manager;
  
  receiving, by the security monitoring VNF, personalization data from the VNF manager via the secure communication path, wherein the personalization data includes data usable to configure one or more security functions of the security monitoring VNF; and
  
  performing, by the security monitoring VNF, a personalization operation to configure the security monitoring VNF based on the personalization data.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The method of claim 19, further comprising:
    - receiving, by the security monitoring VNF, policy information from the VNF manager via the secure communication path; and
      
      performing, by the security monitoring VNF, a policy update operation to update a security policy of the security monitoring VNF.
  - 21. The method of claim 19, wherein receiving the provisioning data comprises receiving the provisioning data using an out-of-band communication.
  - 22. The method of claim 19, further comprising transmitting, by the security monitoring VNF, security monitoring information to the VNF manager via the secure communication path, wherein the security monitoring information includes at least one of logs, alerts, and statistics of the security monitoring VNF.
  - 23. The method of claim 19, further comprising transmitting, by the security monitoring VNF, a personalization operation status and a policy update operation status to the VNF manager, wherein the personalization operation status and the policy update operation status are usable by the NFV security services controller to determine whether to activate a network-wide security policy for network traffic monitored by the security monitoring VNF.

24. A security monitoring virtual network function (VNF) for performing security monitoring in a network functions virtualization (NFV) architecture, the security monitoring VNF comprising:
- provisioning management circuitry to receive provisioning data from an NFV security services controller of the NFV architecture in network communication with the security monitoring VNF;
  
  means for performing a mutually authenticated key exchange procedure with a VNF manager of the NFV architecture using at least a portion of the provisioning data to establish a secure communication path between the security monitoring VNF and the VNF manager;
  
  personalization management circuitry to receive personalization data from the VNF manager via the secure communication path, wherein the personalization data includes data usable to configure one or more security functions of the security monitoring VNF; and
  
  means for performing, by the security monitoring VNF, a personalization operation to configure the security monitoring VNF based on the personalization data.
- View Dependent Claims (25)
- - 25. The security monitoring VNF of claim 24, further comprising:
    - policy update management circuitry to receive policy information from the VNF manager via the secure communication path; and
      
      means for performing a policy update operation to update a security policy of the security monitoring VNF.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Sood, Kapil, Nedbal, Manuel

Granted Patent

US 9,742,790 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

H04L 41/28   Restricting access to netwo...

H04L 41/40   using virtualisation of net...

H04L 63/062   for key distribution, e.g. ...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 67/34   involving the movement of s...

H04L 67/61   taking into account QoS or ...

TECHNOLOGIES FOR SECURE PERSONALIZATION OF A SECURITY MONITORING VIRTUAL NETWORK FUNCTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

138 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNOLOGIES FOR SECURE PERSONALIZATION OF A SECURITY MONITORING VIRTUAL NETWORK FUNCTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

138 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links