Technologies for scalable security architecture of virtualized networks

US 9,560,078 B2
Filed: 05/11/2015
Issued: 01/31/2017
Est. Priority Date: 02/04/2015
Status: Active Grant

First Claim

Patent Images

1. A network functions virtualization (NFV) security services controller of an NFV security architecture for managing security monitoring services of the NFV security architecture, the NFV security controller comprising:

one or more hardware processors; and

one or more data storage devices having stored therein a plurality of instructions that, when executed by the one or more hardware processors, cause the NFV security services controller to;

transmit a security monitoring policy, via a secure communication channel, to one or more NFV security services agents distributed in a virtual network function (VNF) infrastructure of the NFV security architecture via an NFV security services provider of a virtual infrastructure manager (VIM) of the NFV security architecture, wherein the security monitoring policy comprises a set of monitoring rules usable by the NFV security services agents to monitor telemetry data of the NFV security architecture and adjust configuration settings of the NFV security services agents; and

enforce the security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture; and

audit telemetry data stored at an audit database in network communication with the NFV security services controller, wherein the telemetry data is timestamped by a secure clock corresponding to the NFV security services agent that transmitted the telemetry data to the audit database, and wherein to audit the telemetry data comprises to (i) verify the telemetry data and (ii) sequence the telemetry data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for performing security monitoring services of a network functions virtualization (NFV) security architecture that includes an NVF security services controller and one or more NFV security services agents. The NFV security services controller is configured to transmit a security monitoring policy to the NFV security services agents and enforce the security monitoring policy at the NFV security services agents. The NFV security services agents are configured to monitor telemetry data and package at least a portion of the telemetry for transmission to an NFV security monitoring analytics system of the NFV security architecture for security threat analysis. Other embodiments are described and claimed.

32 Citations

View as Search Results

26 Claims

1. A network functions virtualization (NFV) security services controller of an NFV security architecture for managing security monitoring services of the NFV security architecture, the NFV security controller comprising:
- one or more hardware processors; and
  
  one or more data storage devices having stored therein a plurality of instructions that, when executed by the one or more hardware processors, cause the NFV security services controller to;
  
  transmit a security monitoring policy, via a secure communication channel, to one or more NFV security services agents distributed in a virtual network function (VNF) infrastructure of the NFV security architecture via an NFV security services provider of a virtual infrastructure manager (VIM) of the NFV security architecture, wherein the security monitoring policy comprises a set of monitoring rules usable by the NFV security services agents to monitor telemetry data of the NFV security architecture and adjust configuration settings of the NFV security services agents; and
  
  enforce the security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture; and
  
  audit telemetry data stored at an audit database in network communication with the NFV security services controller, wherein the telemetry data is timestamped by a secure clock corresponding to the NFV security services agent that transmitted the telemetry data to the audit database, and wherein to audit the telemetry data comprises to (i) verify the telemetry data and (ii) sequence the telemetry data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The NFV security controller of claim 1, wherein to transmit the security monitoring policy via the secure communication channel comprises to transmit the security monitoring policy to the NVF security services provider via a secure communication channel dedicated to communication between the NFV security services controller and the NVF security services provider.
  - 3. The NFV security controller of claim 1, wherein to transmit the security monitoring policy via the secure communication channel comprises to establish a root of trust (RoT) to secure the communication channels using one or more secure keys.
  - 4. The NFV security controller of claim 1, wherein the security monitoring policy includes security monitoring component configuration information and telemetry data monitoring instructions, andwherein to enforce the security monitoring policy comprises to verify the one or more NFV security services agents are (i) configured as a function of the security monitoring component configuration information and (ii) monitoring the telemetry data as a function of the telemetry data monitoring instructions.
  - 5. The NFV security controller of claim 1, wherein the plurality of instructions, when executed by the one or more hardware processors, further cause the NFV security services controller to:
    - receive configuration data from a plurality of service agents associated with a plurality of virtual network functions of a service function chain based on the security monitoring policy;
      
      secure a communication path between each of the plurality of virtual network functions of the service function chain; and
      
      verify a topology of the plurality of virtual network functions of the service function chain based on the received configuration data and the security monitoring policy.
  - 6. The NFV security controller of claim 5, wherein the plurality of instructions, when executed by the one or more hardware processors, further cause the NFV security services controller to (i) activate the plurality of virtual network functions of the service function chain, (ii) instantiate an NFV security agent of the one or more NFV security services agents on at least one of the virtual network functions, and (iii) activate the instantiated NFV security services agent on the at least one of the virtual network functions.
  - 7. The NFV security controller of claim 6, wherein the plurality of instructions, when executed by the one or more hardware processors, further cause the NFV security services controller to receive bootstrap information from the NFV security services agent, wherein the bootstrap information defines characteristics of the initialization of the NFV security services agent, and wherein to instantiate the NFV security services agent comprises to execute a bootstrap of a NFV security services agent to load the NFV security services agent on a computing node in network communication with the NFV security services controller.
  - 8. The NFV security controller of claim 6, wherein to enforce the security monitoring policy comprises to verify that the telemetry data being monitored at the activated NFV security services agent is being monitored in accordance with the monitoring rules of the security monitoring policy.
  - 9. The NFV security controller of claim 1, wherein the plurality of instructions, when executed by the one or more hardware processors, further cause the NFV security services controller to update the security monitoring policy based on a remediation policy received by the secure communication module,wherein the remediation policy, received from an NFV security monitoring analytics system communicatively coupled to the NFV security services controller in response to a determination, by the NFV security monitoring analytics system, that at least a portion of telemetry data transmitted by one of the one or more NFV security services agents was identified as a security threat,wherein the plurality of instructions, when executed by the one or more hardware processors, further cause the NFV security services controller to transmit the updated security monitoring policy to the one or more security monitoring components of the NFV security architecture and enforce the updated security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.
  - 10. The NFV security controller of claim 9, wherein the plurality of instructions, when executed by the one or more hardware processors, further cause the NFV security services controller to:
    - update the security monitoring policy based on the remediation policy,transmit the updated security monitoring policy to the one or more security monitoring components of the NFV security architecture, andenforce the updated security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.

11. One or more non-transitory, computer-readable storage media comprising a plurality of instructions stored thereon that in response to being executed cause a network functions virtualization (NFV) security services controller of the NFV security architecture to:
- transmit, via a secure communication channel, a security monitoring policy to one or more NFV security services agents distributed in a virtual network function (VNF) infrastructure of the NFV security architecture via an NFV security services provider of a virtual infrastructure manager (VIM) of the NFV security architecture, wherein the security monitoring policy comprises a set of monitoring rules usable by the NFV security services agents to monitor telemetry data of the NFV security architecture and adjust configuration settings of the NFV security services agents;
  
  enforce the security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture; and
  
  audit telemetry data stored at an audit database in network communication with the NFV security services controller, wherein the telemetry data is timestamped by a secure clock corresponding to the NFV security services agent that transmitted the telemetry data to the audit database, and wherein auditing the telemetry data comprises (i) verifying the telemetry data and (ii) sequencing the telemetry data.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The one or more non-transitory, computer-readable storage media of claim 11, wherein to transmit the security monitoring policy via the secure communication channel comprises to establish a root of trust (RoT) to secure the communication channels using one or more secure keys.
  - 13. The one or more non-transitory, computer-readable storage media of claim 11, wherein the security monitoring policy includes security monitoring component configuration information and telemetry data monitoring instructions, andwherein to enforce the security monitoring policy comprises to verify the one or more NFV security services agents are (i) configured as a function of the security monitoring component configuration information and (ii) monitoring the telemetry data as a function of the telemetry data monitoring instructions.
  - 14. The one or more non-transitory, computer-readable storage media of claim 11, further comprising a plurality of instructions that in response to being executed cause the NFV security services controller to:
    - receive configuration data from a plurality of service agents associated with a plurality of virtual network functions of a service function chain based on the security monitoring policy;
      
      secure a communication path between each of the plurality of virtual network functions of the service function chain; and
      
      verify a topology of the plurality of virtual network functions of the service function chain based on the received configuration data and the security monitoring policy.
  - 15. The one or more non-transitory, computer-readable storage media of claim 14, further comprising a plurality of instructions that in response to being executed cause the NFV security services controller to:
    - activate the plurality of virtual network functions of the service function chain;
      
      instantiate an NFV security agent of the one or more NFV security services agents on at least one of the virtual network functions; and
      
      activate the instantiated NFV security services agent on the at least one of the virtual network functions.
  - 16. The one or more non-transitory, computer-readable storage media of claim 15, wherein to enforce the security monitoring policy comprises to verify the telemetry data being monitored at the activated NFV security services agent is being monitored in accordance with the monitoring rules of the security monitoring policy.
  - 17. The one or more non-transitory, computer-readable storage media of claim 11, further comprising a plurality of instructions that in response to being executed cause the NFV security services controller to:
    - receive a remediation policy from an NFV security monitoring analytics system communicatively coupled to the NFV security services controller in response to a determination, by the NFV security monitoring analytics system, that at least a portion of telemetry data transmitted by one of the one or more NFV security services agents was identified as a security threat;
      
      update the security monitoring policy based on the remediation policy;
      
      transmit the updated security monitoring policy to the one or more security monitoring components of the NFV security architecture; and
      
      enforce the updated security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.

18. A method for managing security monitoring services of a network functions virtualization (NFV) security architecture, the method comprising:
- transmitting, by an NFV security services controller of the NFV security architecture via a secure communication channel, a security monitoring policy to one or more NFV security services agents distributed in a virtual network function (VNF) infrastructure of the NFV security architecture via an NFV security services provider of a virtual infrastructure manager (VIM) of the NFV security architecture, wherein the security monitoring policy comprises a set of monitoring rules usable by the NFV security services agents to monitor telemetry data of the NFV security architecture and adjust configuration settings of the NFV security services agents;
  
  enforcing, by the NFV security services controller, the security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture; and
  
  auditing, by the NFV security services controller, telemetry data stored at an audit database in network communication with the NFV security services controller, wherein the telemetry data is timestamped by a secure clock corresponding to the NFV security services agent that transmitted the telemetry data to the audit database, and wherein auditing the telemetry data comprises (i) verifying the telemetry data and (ii) sequencing the telemetry data.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The method of claim 18, wherein transmitting the security monitoring policy via the secure communication channel comprises (i) securing the communication channels using one or more secure keys and (ii) transmitting the security monitoring policy to the NVF security services provider via a secure communication channel dedicated to communication between the NFV security services controller and the NVF security services provider.
  - 20. The method of claim 18, further comprising:
    - receiving, by the NFV security services controller, configuration data from a plurality of service agents associated with a plurality of virtual network functions of a service function chain based on the security monitoring policy;
      
      securing, by the NFV security services controller, a communication path between each of the plurality of virtual network functions of the service function chain;
      
      verifying, by the NFV security services controller, a topology of the plurality of virtual network functions of the service function chain based on the received configuration data and the security monitoring policy;
      
      activating, by the NFV security services controller, the plurality of virtual network functions of the service function chain;
      
      instantiating, by the NFV security services controller, an NFV security agent of the one or more NFV security services agents on at least one of the virtual network functions; and
      
      activating, by the NFV security services controller, the instantiated NFV security services agent on the at least one of the virtual network functions.
  - 21. The method of claim 20, wherein enforcing the security monitoring policy at the activated NFV security services agent comprises verifying the telemetry data being monitored at the activated NFV security services agent is being monitored in accordance with the monitoring rules of the security monitoring policy.
  - 22. The method of claim 18, further comprising:
    - receiving, by the NFV security services controller, a remediation policy from an NFV security monitoring analytics system communicatively coupled to the NFV security services controller in response to a determination, by the NFV security monitoring analytics system, that at least a portion of telemetry data transmitted by one of the one or more NFV security services agents was identified as a security threat;
      
      updating, by the NFV security services controller, the security monitoring policy based on the remediation policy;
      
      transmitting, by the NFV security services controller, the updated security monitoring policy to the one or more security monitoring components of the NFV security architecture; and
      
      enforcing, by the NFV security services controller, the updated security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.

23. A network functions virtualization (NFV) security services controller of an NFV security architecture for managing security monitoring services of the NFV security architecture, the NFV security controller comprising:
- means for transmitting, via a secure communication channel, a security monitoring policy to one or more NFV security services agents distributed in a virtual network function (VNF) infrastructure of the NFV security architecture via an NFV security services provider of a virtual infrastructure manager (VIM) of the NFV security architecture, wherein the security monitoring policy comprises a set of monitoring rules usable by the NFV security services agents to monitor telemetry data of the NFV security architecture and adjust configuration settings of the NFV security services agents;
  
  means for enforcing the security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture; and
  
  means for auditing telemetry data stored at an audit database in network communication with the NFV security services controller, wherein the telemetry data is timestamped by a secure clock corresponding to the NFV security services agent that transmitted the telemetry data to the audit database, and wherein auditing the telemetry data comprises (i) verifying the telemetry data and (ii) sequencing the telemetry data.
- View Dependent Claims (24, 25, 26)
- - 24. The NFV security controller of claim 23, wherein the security monitoring policy includes security monitoring component configuration information and telemetry data monitoring instructions, andwherein the means for enforcing the security monitoring policy comprises means for verifying the one or more NFV security services agents are (i) configured as a function of the security monitoring component configuration information and (ii) monitoring the telemetry data as a function of the telemetry data monitoring instructions.
  - 25. The NFV security controller of claim 23, further comprising:
    - means for receiving configuration data from a plurality of service agents associated with a plurality of virtual network functions of a service function chain based on the security monitoring policy;
      
      means for securing a communication path between each of the plurality of virtual network functions of the service function chain; and
      
      means for verifying a topology of the plurality of virtual network functions of the service function chain based on the received configuration data and the security monitoring policy.
  - 26. The NFV security controller of claim 23, further comprising:
    - means for receiving a remediation policy from an NFV security monitoring analytics system communicatively coupled to the NFV security services controller in response to a determination, by the NFV security monitoring analytics system, that at least a portion of telemetry data transmitted by one of the one or more NFV security services agents was identified as a security threat;
      
      means for updating the security monitoring policy based on the remediation policy;
      
      means for transmitting the updated security monitoring policy to the one or more security monitoring components of the NFV security architecture; and
      
      means for enforcing the updated security monitoring policy transmitted to the one or more security monitoring components of the NFV security architecture.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Sood, Kapil, Young, Valerie J., Venkatachalam, Muthaiah, Nedbal, Manuel
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US14/709,168
Publication Number

US 20160226913A1
Time in Patent Office

631 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 47/25   with rate being modified by...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 67/10   in which an application is ...

H04Q 9/00   Arrangements in telecontrol...

Technologies for scalable security architecture of virtualized networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Technologies for scalable security architecture of virtualized networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links