
IN-LINE DISTRIBUTED AND STATEFUL SECURITY POLICIES FOR APPLICATIONS IN A NETWORK ENVIRONMENT

IP.com Disclosure Number: IPCOM000247202D
Publication Date: 2016-Aug-16

Publishing Venue

The IP.com Prior Art Database

Related People

Praveen Jain: AUTHOR (additional authors listed below)

Abstract

A solution is presented herein that uses a combination of distributed flow state management and hardware-assisted policy application to extend datacenter network security in a very powerful way. Using this solution, an Application Centric Infrastructure is made more secure by containing the scope of attacks. It also provides flow-based application visibility to the network and security administrators. This is important for providing rapid response times to changes in today's fast-moving datacenter networks.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 15% of the total text.

Page 01 of 12

IN-LINE DISTRIBUTED AND STATEFUL SECURITY POLICIES FOR APPLICATIONS IN A NETWORK ENVIRONMENT

AUTHORS:

 Praveen Jain, Munish Mehta, Saurabh Jain, Vijay Chander

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

     Networking architectures have grown increasingly complex in communication environments. Traditional hierarchical data center networks are built in layers that resemble a hierarchical tree: an access layer at the bottom of the tree, an aggregation layer in the middle, and a core layer at the top. More recently, data centers have been implementing leaf-spine hierarchical network architectures. In leaf-spine networks, a switching fabric provides an access layer comprising multiple leaf switches that are typically fully meshed to multiple spine switches. The leaf switches provide access to the switching fabric for endpoints at the bottom of the tree, such as servers, virtual machines (clients and servers), firewalls, load balancers, appliances, routers (e.g., to other networks), etc. Each spine switch maintains routing information for all endpoints.

    Some systems provide for dynamic assignment of endpoints to endpoint groups based on a set of group selection rules and attribute data collected from the endpoints. Policies can be configured in hardware (e.g., in leaf switches) to be applied per endpoint group.

Copyright 2016 Cisco Systems, Inc.

    Currently, the policies defined between two endpoint groups are stateless and do not track the state of a flow. This leaves the network vulnerable to various attacks, e.g., a Transmission Control Protocol (TCP) SYN attack, a TCP SYN+ACK attack, or a FIN attack.

    A fully populated switching fabric, however, may contain millions of endpoints. Thus, the ability to provide efficient and scalable leaf-spine hierarchical networks that implement policies for network flows can present significant challenges for network administrators and component manufacturers alike.

    In the case where the policies are maintained in a central repository, the first packet in the flow is redirected to the security appliance for policy application. An in-line security policy application does not require a traffic redirect and does not incur a latency penalty. A distributed scheme reduces the load on a centralized security appliance and limits the scope of an attack to as close to the source as possible. But it requires the policies to be pushed...
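The difference between the stateless endpoint-group policies described above and an in-line, per-leaf stateful policy can be shown in a small model. The following is an added example, not code from the Cisco disclosure: it models one endpoint-group contract as a switch ACL would apply it (forward rule plus a reverse rule that ignores TCP flags and flow history) beside a hypothetical per-leaf flow table that checks only the first packet of a flow against the contract and matches later packets on the flow's TCP state. The endpoint groups, addresses, ports and packets are all constructed; the `StatefulLeafPolicy` class and its state names are assumptions made for illustration, not the disclosure's design.

```python
"""Stateless EPG contract vs. a hypothetical stateful per-leaf flow table.

Added example (not from the disclosure). All EPG names, IPs, ports and
packets are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Packet:
    src_epg: str
    dst_epg: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


# Constructed contract: EPG "web" may open TCP connections to EPG "db" on 3306.
CONTRACT = {("web", "db", 3306)}


def stateless_permit(pkt: Packet) -> bool:
    """Stateless contract as a switch ACL applies it: forward direction matched
    on (src_epg, dst_epg, dst_port); the return direction needs a reverse rule
    matched on (dst_epg, src_epg, src_port), with no flag or history check."""
    if (pkt.src_epg, pkt.dst_epg, pkt.dst_port) in CONTRACT:
        return True
    return (pkt.dst_epg, pkt.src_epg, pkt.src_port) in CONTRACT


FlowKey = Tuple[str, str, int, int]  # (initiator_ip, responder_ip, iport, rport)


class StatefulLeafPolicy:
    """Hypothetical per-leaf flow table. The first packet of a flow is checked
    against the contract in-line (no redirect); later packets are matched on
    the flow's TCP state, so a SYN+ACK or FIN with no tracked flow is dropped."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, str] = {}  # SYN_SENT, SYN_RECV, ESTABLISHED, CLOSING

    def permit(self, pkt: Packet) -> bool:
        fwd = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port)
        if fwd in self.flows:  # packet from the flow's initiator
            return self._advance(fwd, pkt.flags, from_initiator=True)
        if rev in self.flows:  # packet from the responder
            return self._advance(rev, pkt.flags, from_initiator=False)
        # No tracked flow: only a bare SYN allowed by the contract creates one.
        if pkt.flags == {"SYN"} and (pkt.src_epg, pkt.dst_epg, pkt.dst_port) in CONTRACT:
            self.flows[fwd] = "SYN_SENT"
            return True
        return False

    def _advance(self, key: FlowKey, f: FrozenSet[str], from_initiator: bool) -> bool:
        state = self.flows[key]
        if "RST" in f:  # either side may abort; forget the flow
            del self.flows[key]
            return True
        if state == "SYN_SENT":
            if from_initiator and f == {"SYN"}:  # SYN retransmit
                return True
            if not from_initiator and f == {"SYN", "ACK"}:
                self.flows[key] = "SYN_RECV"
                return True
            return False
        if state == "SYN_RECV":
            if not from_initiator and f == {"SYN", "ACK"}:  # SYN+ACK retransmit
                return True
            if from_initiator and f == {"ACK"}:
                self.flows[key] = "ESTABLISHED"
                return True
            return False
        # ESTABLISHED or CLOSING: either side may send; a FIN starts teardown.
        if "FIN" in f:
            self.flows[key] = "CLOSING"
        return True


def tcp(src_epg, dst_epg, src_ip, dst_ip, sport, dport, *flags) -> Packet:
    return Packet(src_epg, dst_epg, src_ip, dst_ip, sport, dport, frozenset(flags))


WEB, DB = "10.0.1.10", "10.0.2.20"  # constructed endpoint addresses


def legitimate_handshake(policy) -> list:
    """Web opens a connection to db; all three handshake packets should pass."""
    pkts = [tcp("web", "db", WEB, DB, 40001, 3306, "SYN"),
            tcp("db", "web", DB, WEB, 3306, 40001, "SYN", "ACK"),
            tcp("web", "db", WEB, DB, 40001, 3306, "ACK")]
    return [policy(p) for p in pkts]


def unsolicited_packets() -> Dict[str, Packet]:
    """Constructed packets reaching web from db with no prior SYN from web."""
    return {
        "synack_no_flow": tcp("db", "web", DB, WEB, 3306, 40002, "SYN", "ACK"),
        "fin_no_flow": tcp("db", "web", DB, WEB, 3306, 40003, "FIN", "ACK"),
        "syn_from_db": tcp("db", "web", DB, WEB, 3306, 8080, "SYN"),
    }


def compare() -> dict:
    """Verdicts of both policies on the handshake and on unsolicited packets."""
    stateful = StatefulLeafPolicy()
    result = {"handshake": {"stateless": legitimate_handshake(stateless_permit),
                            "stateful": legitimate_handshake(stateful.permit)}}
    for name, pkt in unsolicited_packets().items():
        result[name] = {"stateless": stateless_permit(pkt),
                        "stateful": stateful.permit(pkt)}
    return result


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:16s} {verdict}")
```

Both policies pass the legitimate handshake. The stateless reverse rule, because it keys only on the source port, also admits a SYN+ACK or FIN that belongs to no connection, and even a new SYN from db sourced from port 3306; the flow table drops all three because no SYN from web preceded them and the contract does not allow db to initiate. Keeping that table on the leaf closest to the source is what lets the policy act in-line, without the first-packet redirect that a central appliance needs.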