Hierarchical application of security services within a computer network

US 8,955,107 B2
Filed: 09/12/2008
Issued: 02/10/2015
Est. Priority Date: 09/12/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, with a network device, security classification information sent to the network device from a second network device, wherein the security classification information identifies at least one mapping between a security class and at least one computing device, wherein the security class identifies security capabilities of the at least one computing device;

after receiving the security classification information from the second network device, receiving, with the network device, network traffic associated with the at least one computing device;

applying, with the network device, a set of patterns defined by a policy associated with the security class to the network traffic to detect any of a corresponding set of network attacks; and

forwarding, with the network device, the network traffic based on the application of the set of patterns.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, techniques are described for hierarchical application of security services with a network device. In particular, the network device receives security classification information that maps a security class to one or more computing devices. The security class identifies security capabilities of the computing devices. The network device also receives network traffic associated with the computing device and applies a set of patterns defined by a policy associated with the security class to the network traffic to detect a set of network attacks. Based on the application of the set of patterns, the network device forwards the network traffic. As a result of receiving security classification information, the network device may become aware of the security capabilities of the computing device and only apply those patterns required to augment these detected security capabilities, thereby preventing application of overlapping security services through application of these services in a hierarchical manner.

200 Citations

41 Claims

1. A method comprising:
- receiving, with a network device, security classification information sent to the network device from a second network device, wherein the security classification information identifies at least one mapping between a security class and at least one computing device, wherein the security class identifies security capabilities of the at least one computing device;
  
  after receiving the security classification information from the second network device, receiving, with the network device, network traffic associated with the at least one computing device;
  
  applying, with the network device, a set of patterns defined by a policy associated with the security class to the network traffic to detect any of a corresponding set of network attacks; and
  
  forwarding, with the network device, the network traffic based on the application of the set of patterns.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1,wherein receiving the security classification information comprises receiving first aggregated security classification information that identifies a first mapping between a first security class and a first set of computing devices and receiving second aggregated security classification information that identifies a second mapping between a second security class and a second set of computing devices,wherein receiving the network traffic comprises receiving a first portion of the network traffic associated with one or more computing devices of the first set of computing devices and receiving a second portion of the network traffic associated with one or more computing devices of the second set of computing devices,wherein applying the set of attack patterns comprises applying a first set of patterns defined by a first policy to the first portion of the network traffic to detect the first set of corresponding network attacks and applying a second set of patterns defined by a second policy to the second portion of the network traffic to detect the second set of corresponding network attacks, the first set of patterns and the second set of patterns differing by at least one pattern, andwherein forwarding the network traffic comprises forwarding the first portion and the second portion of the network traffic based on the application of the first and the second sets of patterns, respectively.
  - 3. The method of claim 1, further comprising:
    - after receiving the security classification information, determining the policy associated with the security class; and
      
      updating at least one flow entry of a flow table maintained by the network device to associate the determined policy with a packet flow associated with the at least one computing device,wherein applying the set of patterns comprises;
      
      parsing the network traffic to determine at least one network address associated with the at least one computing device;
      
      accessing the flow table using the at least one address to retrieve the flow entry; and
      
      applying the set of patterns defined by the policy identified by the retrieved flow entry to the network traffic associated with the at least one computing device to detect the corresponding set of network attacks.
  - 4. The method of claim 1, wherein receiving the security classification information comprises receiving aggregated security classification information that identifies a single aggregate mapping between an aggregated security class and a plurality of computing devices, and wherein the security class comprises one security class of a plurality of security classes, the method further comprising:
    - collecting security information from each of the plurality of computing devices, wherein the security information identifies the security capabilities of each computing device of the set, respectively;
      
      mapping the collected security information to a security class to output device-specific security classification information that identifies an association, for each of the set of computing devices, between one of the plurality of security classes and the one of the set of computing devices; and
      
      aggregating the device-specific security classification information to output the aggregate security classification information that identifies the single aggregate mapping between the aggregated security class and the set of computing devices.
  - 5. The method of claim 1, wherein receiving the security classification information comprises receiving Virtual Local Area Network (VLAN) security classification information that identifies an aggregate mapping between an aggregate security class and a VLAN representative of a logical grouping of a set of computing devices.
  - 6. The method of claim 1, further comprising:
    - determining a level of congestion;
      
      comparing the level of congestion to a threshold identified by the policy to determine whether to forward the network traffic without applying the set of patterns defined by the policy associated with the security class; and
      
      forwarding the network traffic without applying the set of patterns defined by the policy when the level of congestion exceeds the threshold identified by the policy.
  - 7. The method of claim 1, further comprising:
    - determining whether the network device includes each of the set of patterns defined by the policy associated with the security class mapped to the at least one network device; and
      
      forwarding the network traffic to a network security device without applying the set of patterns defined by the policy based on the determination that the network device does not include one or more of the set of patterns defined by the policy associated with the security class.
  - 8. The method of claim 1, further comprising:
    - determining whether to offload the network traffic associated with the at least one computing device to a network security device based on the security class mapped to the at least one computing device; and
      
      offloading the network traffic to the network security device associated with the at least one computing device based on the determination.
  - 9. The method of claim 1, further comprising:
    - collecting attack statistics that log the application of the set of patterns defined by the policy to the network traffic;
      
      reporting the security classification information and the attack statistics to a specialized network security device; and
      
      identifying network-wide network attacks based on the reported security classification information and attack statistics.
  - 10. The method of claim 1, wherein the security capabilities include security capabilities of one or more of an operating system currently executed by the at least one computing device, security software executing within the at least one computing device, and any patches both to the operating system and to the security software executed by the at least one computing device.
  - 11. The method of claim 1, wherein the set of patterns defined by the policy associated with the security class comprise a set of patterns that are not applied by the at least one computing device.
  - 12. The method of claim 1, wherein the set of patterns defined by the policy associated with the security class comprise a set of patterns that identify those attacks to which the at least one computing device is, based on the security capabilities, susceptible.
  - 13. The method of claim 1,wherein the at least one computing device comprises a first computing device and a second computing device,wherein receiving the security classification information comprises:
    - receiving first security classification information that identifies a first mapping between a first security class and the first computing device, the first security class identifying a first level of the security capabilities of the first computing device; and
      
      receiving second security classification information that identifies a second mapping between a second security class and the second computing device, the second security class identifying a second level of the security capabilities of the second computing device that is lower than the first level of the security capabilities of the first computing device, andwherein applying the set of patterns comprises applying a first set of patterns defined by a first policy associated with the first security class to network traffic associated with the first network device to detect any of a corresponding set of network attacks to which the first computing device is susceptible based on the first security capabilities, andwherein the method further comprises applying a second set of patterns defined by a second policy associated with the second security class to network traffic associated with the second computing device to detect any of a corresponding set of network attacks to which the second computing device is susceptible based on the second security capabilities, the second set of patterns including more patterns than the first set of patterns as a result of the second security class being lower than the first security class.
  - 14. The method of claim 1, wherein the second network device comprises an access device and the at least one computing device comprises an end-user computing device coupled to the access device and for which the access device provides network access.

15. A network device comprising:
- at least one network interface card to receive security classification information sent to the network device from a second network device, the security classification information mapping a security class to at least one computing device within the network, and the security class identifying security capabilities of the at least one computing devicewherein the at least one network interface card, after receiving the security classification information from the second network device, receives network traffic; and
  
  a control unit comprising a processor coupled to the network interface card;
  
  wherein the control unit further comprises a storage medium that stores the security classification information and a policy associated with the security class, andwherein the processor applies a set of patterns defined by the policy to the network traffic to detect any of a set of network attacks and forwards the network traffic based on the application of the set of patterns.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The network device of claim 15, the control unit further comprising:
    - a table management module that receives first aggregated security classification information that identifies a first mapping between a first security class and a first set of computing devices and a second aggregated security classification information that identifies a second mapping between a second security class different from the first security class and a second set of computing devices;
      
      a classifier module that receives a first portion of the network traffic associated with one or more computing devices of the first set of computing devices and receives a second portion of the network traffic associated with one or more computing devices of the second set of computing devices, anda servicing engine that applies a first set of patterns defined by a first policy to the first portion of the network traffic to detect the first set of network attacks and applyies a second set of patterns defined by a second policy to the second portion of the network traffic to detect the second set of network attacks,wherein the servicing engine forwards the first portion and the second portion of the network traffic based on the application of the first and the second set of patterns, respectively.
  - 17. The network device of claim 15, wherein the storage medium further stores a flow table that includes at least one flow entry for the at least one computing device,the control unit further comprising:
    - a table management module that determines the policy associated with the security class, and updates the at least one flow entry of the flow table to associate the determined policy with the at least one computing device;
      
      a classifier module that parses the network traffic to determine at least one address associated with the at least one computing device accesses the flow table using the at least one address to retrieve the flow entry, and determines the policy indicated by the retrieved flow entry; and
      
      a servicing engine that applies, to the network traffic associated with the at least one computing device, the set of patterns defined by the policy identified by the retrieved flow entry.
  - 18. The network device of claim 15, wherein the control unit further comprises a table management module that receives a Virtual Local Area Network (VLAN) security classification information identifying an aggregate mapping between an aggregate security class and a VLAN representative of a logical grouping of a set of computing devices.
  - 19. The network device of claim 15, wherein the control unit further includes a classifier module that determining a level of congestion, and compares the level of congestion to a threshold identified by the policy, determines whether to forward the network traffic without applying the set of patterns defined by the policy associated with the security class based on the comparison, and forwards the network traffic without applying the set of patterns defined by the policy when the level of congestion exceeds the threshold identified by the policy.
  - 20. The network device of claim 15, wherein the control unit includes a classifier module that determines whether the network device includes each of the set of patterns defined by the policy associated with the security class mapped to the at least one network device and forwards the network traffic to a network security device without applying the policy based on the determination that the network device does not include one or more of the patterns defined by the policy associated with the security class.
  - 21. The network device of claim 15, wherein the control unit includes a classifier module that determines whether to offload the network traffic associated with the at least one computing device to a network security device based on the security class mapped to the at least one computing device, and offloads the network traffic to the network security device associated with the at least one computing device based on the determination.
  - 22. The network device of claim 15, wherein the control unit comprises a reporting module that collects attack statistics that log the application of the set of patterns defined by the policy to the network traffic, and reports the security classification information and the attack statistics to a specialized network security device.
  - 23. The network device of claim 15, wherein the security capabilities include security capabilities of one or more of an operating system currently executed by the at least one computing device, security software executing within the at least one computing device, and any patches both to the operating system and to the security software executed by the at least one computing device.
  - 24. The network device of claim 15, wherein the network device comprises one or more of a router, a network security device, a specialized network security device, and an intrusion detection/prevention (IDP) device.

25. A network system comprising:
- a set of computing devices;
  
  an access device coupled to the set of computing devices;
  
  a network device coupled to the access device, wherein the network device includes;
  
  at least one network interface card to receive security classification information sent to the network device from a second network device, the security classification information mapping a security class to at least one computing device within the network, and the security class identifying security capabilities of the at least one computing device,wherein the at least one network interface card, after receiving the security classification information from the second network device, receives network traffic; and
  
  a control unit coupled to the network interface,wherein the control unit comprises a storage medium storing the security classification information mapping and a policy associated with the security class, andwherein the control unit applies a set of patterns defined by the policy to the network traffic to detect any of a set of network attacks and forwards the network traffic based on the application of the set of patterns.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 26. The network system of claim 25,wherein the set of computing devices comprises a first set of computing devices, andwherein the access device comprises a first access device,the network system further comprising:
    - a second set of computing devices; and
      
      a second access device coupled to the second set of computing devices, wherein the network device couples to both the first and second access devices.
  - 27. The network system of claim 26, wherein the control unit includes:
    - a table management module that receives first aggregated security classification information from the first access device that identifies a first mapping between a first security class and the first set of computing devices and receives second aggregated security classification information that identifies a second mapping between a second security class different from the first security class and the second set of computing devices;
      
      a classifier module that receives a first portion of the network traffic associated with one or more computing devices of the first set of computing devices and receives a second portion of the network traffic associated with one or more computing devices of the second set of computing devices; and
      
      a servicing engine that applies a first set of patterns defined by a first policy to the first portion of the network traffic to detect the first set of network attacks, and applies a second set of patterns defined by a second policy to the second portion of the network traffic to detect the second set of network attacks,wherein the servicing engine forwards the first portion and the second portion of the network traffic based on the application of the first and the second set of patterns, respectively.
  - 28. The network system of claim 25,wherein the network device further comprises a flow table that includes at least one flow entry for the set of computing devices,wherein the control unit comprises:
    - a table management module that receives the security classification information, determines the policy associated with the security class after receiving the security classification information, and updates the at least one flow entry of the flow table to associate the determined policy with the set of computing devices,a classifier module that parses the network traffic to determine an address associated with each of the set of computing devices, accesses the flow table using each of the addresses to retrieve at least one flow entry, and determines the policy indicated by the at least one retrieved flow entry; and
      
      a servicing engine that applies, to the network traffic associated with the at least one computing device, the set of patterns defined by the policy identified by the retrieved flow entry.
  - 29. The network system of claim 25,wherein the control unit includes a table management module that receives aggregated security classification information that identifies a single aggregate mapping between an aggregated security class and a set of computing devices, wherein the security class comprises one security class of a plurality of security classes,wherein the access device further (1) collects security information from each of the set of computing devices, wherein the security information identifies the security capabilities of each computing device of the set, respectively, (2) maps the collected security information to a security class to output device-specific security classification information that identifies an association, for each computing device of the set, between one of the plurality of security classes and the one of the set of computing devices, and (3) aggregates the device-specific security classification information to output the aggregate security classification information that identifies the single aggregate mapping between the aggregated security class and the set of computing devices.
  - 30. The network system of claim 29, wherein the access device collects the security information from each of the set of computing devices as each of the set of computing devices attempt to access a private network to which the access devices control access.
  - 31. The network system of claim 25, wherein the control unit comprises a table management module that receives Virtual Local Area Network (VLAN) security classification information that identifies an aggregate mapping between an aggregate security class and a VLAN representative of a logical grouping of the set of computing devices.
  - 32. The network system of claim 25, wherein the control unit includes a classifier module that determines a level of congestion, compares the level of congestion to a threshold identified by the policy, determines whether to forward the network traffic without applying the set of patterns defined by the policy associated with the security class based on the comparison, and forwards the network traffic without applying the set of patterns defined by the policy when the level of congestion exceeds the threshold identified by the policy.
  - 33. The network system of claim 25, wherein the control unit includes a classifier module that determines whether the network device includes each of the set of patterns defined by the policy associated with the security class mapped to the at least one network device and forwards the network traffic to a network security device without applying the patterns defined by the policy based on the determination that the network device does not include one or more of the set of patterns defined by the policy associated with the security class.
  - 34. The network system of claim 25, wherein the control unit includes a classifier module that determines whether to offload the network traffic associated with the at least one computing device to a network security device based on the security class mapped to the set of computing devices and offloads the network traffic to the network security device associated with the at least one computing device based on the determination.
  - 35. The network system of claim 25, further comprising a network security device coupled to the network device,wherein the control unit comprises a reporting module that collects attack statistics that log the application of the set of patterns defined by the policy to the network traffic, and reports the security classification information and the attack statistics to the network security device, andwherein the network security device detects a network-wide attack based on the reported security classification information and attack statistics.
  - 36. The network system of claim 25, wherein the security capabilities include security capabilities of one or more of an operating system currently executed by the at least one computing device, security software executing within the at least one computing device, and any patches both to the operating system and to the security software executed by the at least one computing device.
  - 37. The network system of claim 25,wherein the network device comprises one or more of a router, a network security device, a specialized network security device, and an intrusion detection I prevention (IDP) device,wherein the computing device comprises an end-user computing device with which a user interacts that are logically organized into a single Virtual Local Area Network (VLAN), andwherein the access device comprises one of a layer two access switch, a layer three access switch, and a multilayer access switch.
  - 38. The network system of claim 25, further comprising a policy server that installs the policy within the network device.

39. A non-transitory computer-readable storage medium comprising instructions for causing a programmable processor to:
- receive, with a network device, security classification information sent to the network device from a second network device, wherein the security classification information t identifies at least one mapping between a security class and at least one computing device, wherein the security class identifies security capabilities of the at least one computing device;
  
  after receiving the security classification information from the second network device, receive, with the network device, network traffic associated with the at least one computing device;
  
  apply, with the network device, a set of patterns defined by a policy associated with the security class to the network traffic to detect a corresponding set of network attacks; and
  
  forward, with the network device, the network traffic based on the application of the set of patterns.

40. A method comprising:
- receiving, with one or more layer two (L2) network access device, access requests from a plurality of computing devices;
  
  in response to the access requests, collecting security information from each of the plurality of computing devices by way of at least one communication directed to the network security device, wherein the security information identifies security capabilities of each of the plurality of computing devices;
  
  assigning a first set of the plurality of computing devices to a first security class and assigning a second set of the plurality of computing devices to a second security class based on the security capabilities of each of the computing devices;
  
  receiving, with a layer three (L3) network device, network traffic associated with the plurality of computing devices;
  
  applying, with the L3 network device, a first set of attack detection patterns only to a first portion of the network traffic associated with the first set of the computing devices to detect a corresponding first set of network attacks, wherein the first set of patterns is defined by a policy associated with the first security class;
  
  applying, with the L3 network device, a second set of attack detection patterns only to a second portion of the network traffic associated with the second set of the computing devices to detect a second corresponding set of network attacks, wherein the second set of patterns is defined by a policy associated with the second security class and differs from the first set of patterns by at least one pattern; and
  
  forwarding, with the L3 network device, the network traffic based on the application of the first set of patterns and the second set of patterns.
- View Dependent Claims (41)
- - 41. The method of claim 40, further comprising:
    - receiving, with the L2 network access devices, network traffic from the plurality of computing devices in the form on network packets;
      
      appending, with the L2 access devices, tags to the network packets to indicate whether each of the packets was received from one of the computing devices assigned to the first security class or the second security class; and
      
      communicating the network packets from the L2 network access devices to the L3 network device for application of the attack detection patterns.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Eyada, Hatem
Primary Examiner(s)
Gergiso, Techane

Application Number

US12/209,695
Publication Number

US 20100071024A1
Time in Patent Office

2,342 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/105   Multiple levels of security

H04L 63/1458   Denial of Service

H04L 63/20   for managing network securi...

Hierarchical application of security services within a computer network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

200 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Hierarchical application of security services within a computer network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

200 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links