Browse Prior Art Database

Method for Orchestrated Deployment of Network Security in the Cloud Disclosure Number: IPCOM000246985D
Publication Date: 2016-Jul-20
Document File: 7 page(s) / 103K

Publishing Venue

The Prior Art Database


Disclosed is a method to leverage the Cloud Manager to create an orchestrator and agents, whose purpose is to provide security to virtual machines. In doing so, it provides a tightly integrated security solution that is locally managed, yet portable.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 24% of the total text.

Page 01 of 7

Method for Orchestrated Deployment of Network Security in the Cloud

Historically, Information Technology (IT) companies have left the internal network traffic unprotected, as long as the computing devices remained behind the firewall. Network traffic only had to be secured as it flowed over the Internet to the public edge of the network.

Cloud computing environments need better security. While many applications now utilize Transport Layer Security (TLS) to secure communication over the network, there are still a lot of applications that either communicate non-securely or require extensive configuration to enable security.

The Internet Protocol security (IPSEC) protocol is one method that can be used to protect network traffic in a generic way. One of the challenges to using IPSEC is the configuration and distribution of keys to participating nodes in the network. To make processes more difficult, cloud networks are generally not static because new virtual machines are created and destroyed as needed. Furthermore, misconfigurations of the IPSEC protocol result in an immediate impact to the flow of network traffic, causing undesirable outrages to critical applications.

In order for IPSEC to work well in a cloud environment:

 Security needs to be configured on each virtual machine before it communicates with other nodes

 As the number of nodes increases, the security configuration should dynamically be extended to the new nodes

 When virtual machines are re-imaged, the security configuration must be restored

 All security configuration must take place transparently without any outages or impacts to end users

The novel solution is a method to automatically and transparently secure network communications in a dynamic cloud environment using the IPSEC protocol. The method handles the scalability and management needs of a cloud environment without the adverse impacts. The new method dynamically configures IPSEC into a cloud environment, allowing all nodes to securely and transparently communicate over IPSEC without any outages or impacts to existing applications.

Figure 1 is a simplified example of a cloud deployment. It consists of a Web server, which terminates TLS connections from the Internet. The Web server, in turn, communicates with application servers, which communicate with database servers. By configuring IPSEC along the communication paths, the cloud environment is secured, even if the individual applications do not secure their network communications.

The method works by working with the Cloud Manager to deploy IPSEC in transport mode onto each virtual machine before the software components start running. As each virtual machine is provisioned by the Cloud Manager, IPSEC is configured and


Page 02 of 7

activated on that system, avoiding the need for the two-way cipher negotiation performed by Internet Key Exchange (IKE). As a result, all components communicate with each other over IPSEC, as shown in the figure.