
Method and System for Providing a Self-Cleaning Configuring Network Infrastructure

IP.com Disclosure Number: IPCOM000241018D
Publication Date: 2015-Mar-19
Document File: 3 page(s) / 45K

Publishing Venue

The IP.com Prior Art Database

Abstract

A method and system is disclosed for providing a self-cleaning configuring network infrastructure without sacrificing security review provided by knowledgeable network personnel.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 36% of the total text.


In computer network management, configuring allowed communication flows, network address translation, load balancing, and caching proxies is often a manual process. A network administrator manually enables each flow, translation, load balancer entry, or caching proxy entry after ensuring that a proper change control process is followed. In many organizations, network administrators become a bottleneck because of the volume of changes made. In most organizations, the decommissioning process for a service does not automatically remove its changes from the network infrastructure; purging old rules requires frequent manual validation.

Disclosed is a method and system for providing a self-cleaning configuring network infrastructure without sacrificing the security review provided by knowledgeable network personnel. The method and system ensure that changes made to the network infrastructure are authorized.

In accordance with the method and system, most network devices contain one or more secure sides and one or more insecure sides. The network devices accept connections from application systems on interfaces classified as secure. In addition, network administrators may manually make changes to network devices. A network device only accepts a change if the requesting system presents a valid token. In order to create tokens, the network infrastructure contains keys that work like the private keys used to sign SSL certificates.

A network administrator creates a master key which is used to make any configuration change in the network infrastructure. Thereafter, the network administrator is able to sign requests with the master key. In larger installations, the network administrator issues subkeys that can sign a subset of requests. For example, in an organization that designates separate teams for firewalls, load balancers, and caching proxies, a separate key with the ability to modify only that feature is generated for each team. The teams then create subkeys for each individual team member. All subkeys possess authorization limits; for instance, one firewall team member is only authorized to open the firewall for web traffic (tcp/80 and tcp/443).

The keys are used to cryptographically sign tokens. Each token is assigned to a network device such as, but not limited to, a web server that needs the features enabled by the token, such as a firewall rule or a load balancer rule. The functioning of the network device may be similar to that of an Enterprise Universal Plug-n-Play (UPnP). The token contains other restrictions, such as "only applicable to certain security zones" or "only applicable at certain days/times", to ensure that the tokens are not accidentally or purposefully misused.
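As an added illustration (not code from the disclosure), the following Go program models the key hierarchy and the device-side check described above: a master key delegates a scoped subkey to a firewall team, the subkey signs a token for one device, and the device accepts the token only if both signatures verify and the request stays within the delegated limits (feature, security zone, ports, expiry). Ed25519 signatures, the JSON grant encoding and the sample keys, zone and device names are assumptions; the disclosure specifies no algorithm or format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
)

// Grant is an authorization limit: the master key signs one carrying SubPub (a subkey delegation); that subkey signs one carrying Device (a token).
type Grant struct {
	Feature, Zone string            // "firewall"/"loadbalancer"/"proxy"; security zone the change applies to
	Ports         []int             // tcp ports the holder may open
	Expires       int64             // unix time after which the grant is invalid ("certain days/times")
	SubPub        ed25519.PublicKey // delegation only: the public key being delegated to
	Device        string            // token only: the device the feature is enabled for
}
type Signed struct{ Body, Sig []byte }
func Sign(priv ed25519.PrivateKey, g Grant) Signed {
	b, _ := json.Marshal(g)
	return Signed{b, ed25519.Sign(priv, b)}
}
func within(req, limit Grant, now int64) bool { // feature, zone, expiry and every requested port must fall inside limit
	ok := req.Feature == limit.Feature && req.Zone == limit.Zone &&
		len(req.Ports) > 0 && now <= req.Expires && req.Expires <= limit.Expires
	for _, p := range req.Ports {
		allowed := false
		for _, q := range limit.Ports {
			allowed = allowed || p == q
		}
		ok = ok && allowed
	}
	return ok
}
// Verify is what a device runs before accepting a change: master signed the delegation, the delegated subkey signed the token, token is within scope.
func Verify(master ed25519.PublicKey, del, tok Signed, now int64) bool {
	var d, t Grant
	if !ed25519.Verify(master, del.Body, del.Sig) || json.Unmarshal(del.Body, &d) != nil ||
		len(d.SubPub) != ed25519.PublicKeySize || !ed25519.Verify(d.SubPub, tok.Body, tok.Sig) {
		return false
	}
	return json.Unmarshal(tok.Body, &t) == nil && within(t, d, now)
}
// Demo (constructed data): a firewall-team subkey limited to tcp/80,443 in zone "dmz"; a token opening 443 on web01 passes, one opening 22 is refused.
func Demo() (webOK, sshOK bool) {
	const now = int64(1700000000) // constructed clock
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	subPub, subPriv, _ := ed25519.GenerateKey(rand.Reader)
	del := Sign(masterPriv, Grant{Feature: "firewall", Zone: "dmz", Ports: []int{80, 443}, Expires: now + 86400, SubPub: subPub})
	web := Sign(subPriv, Grant{Feature: "firewall", Zone: "dmz", Ports: []int{443}, Expires: now + 3600, Device: "web01"})
	ssh := Sign(subPriv, Grant{Feature: "firewall", Zone: "dmz", Ports: []int{22}, Expires: now + 3600, Device: "web01"})
	return Verify(masterPub, del, web, now), Verify(masterPub, del, ssh, now)
}
```

Because a token cannot outlive or outrange its delegation, revoking or expiring a team's subkey also invalidates every token it issued, which is what lets old rules fall away without a manual purge.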

In an embodiment, a web crawler or vulnerability testing system is configured to only allow outboun...