METHODS, CIRCUITS, APPARATUS, SYSTEMS AND ASSOCIATED SOFTWARE APPLICATIONS FOR PROVIDING SECURITY ON ONE OR MORE SERVERS, INCLUDING VIRTUAL SERVERS

- DOME 9 SECURITY LTD.

A method and system for secured access for a computing platform are provided. The method includes generating an on-the-fly access lease to the computing platform, wherein the on-the-fly access lease defines provisions for accessing at least one firewall port of the computing platform, wherein the provisions include at least a lease duration for accessing the at least one firewall port; and controlling access to resources of the computing platform through an opening of the at least one firewall port of the computing platform, wherein the access to resources of the computing platform is determined based on the generated on-the-fly access lease and the security settings.

Skip to: Description  ·  Claims  · Patent History  ·  Patent History
Description
CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 13/106,153 filed on May 12, 2011, now allowed and which claims the benefit of U.S. Provisional Application No. 61/445,089 filed on Feb. 22, 2011, the contents of which are hereby incorporated by reference.

TECHNICAL FIELD

Some embodiments relate generally to the field of computer network security and, more particularly, to methods, circuits, apparatus, systems and associated software applications for providing security on one or more servers, including virtual servers.

BACKGROUND

Computer networks, run by a server or a group of servers, are being used to manage the data for homes and businesses of all types and sizes. A computer network enables the sharing of files and printer resources, enabling easier communication between computers. Productivity is increased with a computer network due to the ease of syncing email, calendars and tasks enabling easier collaboration between employees and personnel. Large data storage systems attached to computer servers are used to backup and protect important data for the entire network.

A feature of computer networks that is becoming more widespread is remote on-demand access to the resources of the network. With the Internet becoming increasingly popular, more network users are able to connect to a remote server through any device with an internet connection. Users are able to connect to networks from home computers, laptops, tablets, smart phones, e-book readers, and any other mobile Internet device.

A computer network open to internet traffic can be a great safety risk. A connection through the internet can come from anyone and from anywhere in the world. Security systems, including firewalls, are needed to protect such a vulnerable connection. A firewall can filter incoming Internet data packets though its system, analyze the data and determine whether the data is secure and from a trustworthy source. A firewall can behave like a proxy server to forward received data while masking the network information of the attached computer network.

A typical computer network server firewall includes an administrator account for controlling the policies and settings of the server. The administrator account is accessed using some login method. Generally, this login method includes inputting to the server a typically straightforward administrator user name (e.g. Administrator or Admin) and some password. Since the password of the administrator account is the only level of security in place to protecting full access to the server, the security of the server is only as good as the administrator password.

There is thus a need in the field of computer network security for improved methods, circuits, apparatus, systems and associated software applications for providing security on one or more servers, including virtual servers.

SUMMARY

Some embodiments disclosed herein include a method for secured access for a computing platform. The method comprises generating an on-the-fly access lease to the computing platform, wherein the on-the-fly access lease defines provisions for accessing at least one firewall port of the computing platform, wherein the provisions include at least a lease duration for accessing the at least one firewall port; and controlling access to resources of the computing platform through an opening of the at least one firewall port of the computing platform, wherein the access to resources of the computing platform is determined based on the generated on-the-fly access lease and the security settings.

Some embodiments disclosed herein include system for secured access for a computing platform. The system comprises at least one computing platform comprising at least one resource and at least one firewall port; a policy server configured to control port access security and connectivity settings for the at least one computing platform; and a communication link communicatively connecting between the at least one computing platform and the policy server, the communication link is configured to serve a secure tunnel communication there through; wherein the secure tunnel communication is intermittently established over the at least one communication link; wherein an on-the-fly access lease to the at least one port of the at least one computing platform defining provisions for access the at least one firewall port of the computing platform is acquired, wherein the provisions include at least a lease a duration for accessing the at least one firewall port; and wherein the policy server is configured to send instructions to open the at least one firewall port of the at least one computing platform during a communication over the secure tunnel communication respective of the acquired on-the-fly access lease and the security settings.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter regarded as the invention is particularly pointed out and distinctly claimed in the concluding portion of the specification. The invention, however, both as to organization and method of operation, together with objects, features, and advantages thereof, may best be understood by reference to the following detailed description when read with the accompanying drawings in which:

FIG. 1 shows a general system level diagram showing all constituent computer network elements (including the firewalls in the server OS) as well as a basic communication flow from a remote administrator access to a computing platform firewall, according to some embodiments of the present invention;

FIG. 2 is a flow chart including the steps of a basic communication flow from a remote administrator access to a computing platform firewall, according to some embodiments of the present invention;

FIG. 3A shows a functional level diagram of PorTender inside of a Server/computing platform, according to some embodiments of the present invention;

FIG. 3B shows a flowchart including the steps performed by the PorTender, according to some embodiments of the present invention;

FIG. 4A shows a functional level diagram of a policy server, according to some embodiments of the present invention; and

FIG. 4B shows a flowchart including the steps performed by the policy server, according to some embodiments of the present invention.

It will be appreciated that for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity. Further, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements.

DETAILED DESCRIPTION

In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of some embodiments. However, it will be understood by persons of ordinary skill in the art that some embodiments may be practiced without these specific details. In other instances, well-known methods, procedures, components, units and/or circuits have not been described in detail so as not to obscure the discussion.

Unless specifically stated otherwise, as apparent from the following discussions, it is appreciated that throughout the specification discussions utilizing terms such as “processing”, “computing”, “calculating”, “determining”, or the like, refer to the action and/or processes of a computer or computing system, or similar electronic computing device, that manipulate and/or transform data represented as physical, such as electronic, quantities within the computing system's registers and/or memories into other data similarly represented as physical quantities within the computing system's memories, registers or other such information storage, transmission or display devices. In addition, the term “plurality” may be used throughout the specification to describe two or more components, devices, elements, parameters and the like.

It should be understood that some embodiments may be used in a variety of applications. Although embodiments of the invention are not limited in this respect, one or more of the methods, devices and/or systems disclosed herein may be used in many applications, e.g., civil applications, military applications, medical applications, commercial applications, or any other suitable application. In some demonstrative embodiments the methods, devices and/or systems disclosed herein may be used in the field of consumer electronics, for example, as part of any suitable television, video Accessories, Digital-Versatile-Disc (DVD), multimedia projectors, Audio and/or Video (A/V) receivers/transmitters, gaming consoles, video cameras, video recorders, portable media players, cell phones, mobile devices, and/or automobile A/V accessories. In some demonstrative embodiments the methods, devices and/or systems disclosed herein may be used in the field of Personal Computers (PC), for example, as part of any suitable desktop PC, notebook PC, monitor, and/or PC accessories.

According to some embodiments of the present invention, there may be a policy server adapted to secure a functionally associated computing platform. According to further embodiments of the present invention, the policy server may comprise a direct secured tunnel administrator access to the computing platform, a configuration manager adapted to manage security settings and forward the settings along the tunnel, a secure internet-based graphical user interface (GUI) including security controls adapted to control the configuration manager, a dynamic access lease manager including security controls adapted to generate an on-the-fly access lease to the computing platform, and a secure internet-based GUI including security controls adapted to control the dynamic access lease manager. According to further embodiments of the present invention, the dynamic access lease manager may be further adapted to terminate the on-the-fly access lease. According to further embodiments of the present invention, the dynamic access lease manager may be further adapted to terminate the on-the-fly access lease according to a schedule.

According to some embodiments of the present invention, the tunnel may connect to a port-tending agent (PorTender) adapted to monitor and regulate port access to resources of the computing platform. The policy server may be further adapted to transmit administrator settings for port access to the PorTender. According to further embodiments of the present invention, transmitting administrator settings for port access may occur periodically according to a predetermined schedule. According to further embodiments of the present invention, transmitting administrator settings for port access may occur after a one-time request from the PorTender.

According to some embodiments of the present invention, there may be a port-tending agent (PorTender) adapted to monitor and regulate port access to resources of a functionally associated or integral computing platform. The PorTender may be further adapted to receive administrator settings for port access from a functionally associated policy server. According to further embodiments of the present invention, receiving administrator settings for port access may occur periodically according to a predetermined schedule. According to further embodiments of the present invention, receiving administrator settings for port access may occur after a one-time request of the policy server.

According to some embodiments of the present invention, the PorTender may be further adapted to simultaneously monitor and regulate a group of computing platforms connected to a network According to further embodiments of the present invention, the PorTender may be further adapted to be installed into an operating system of the computing platform.

According to some embodiments of the present invention, there may be a system for providing security on a computing platform comprising: a port-tending agent (PorTender) adapted to monitor and regulate port access to resources on the computing platform; a policy server functionally associated with the PorTender, wherein the policy server is adapted to control port access security and connectivity settings; a dynamic access lease manager associated with the policy server, wherein the dynamic access lease manager is adapted to generate an on-the-fly access lease to the computing platform; and a secure internet-based policy server user interface including controls adapted to adjust the policy server remotely.

According to some embodiments of the present invention, the dynamic access lease manager may be further adapted to terminate the on-the-fly access lease. According to further embodiments of the present invention, the dynamic access lease manager may be further adapted to terminate the on-the-fly access lease according to a schedule.

According to some embodiments of the present invention, the policy server may be further adapted to transmit administrator settings for port access to the PorTender. According to further embodiments of the present invention, receiving administrator settings for port access may occur periodically according to a predetermined schedule. According to further embodiments of the present invention, receiving administrator settings for port access may occurs after a one-time request from the PorTender.

According to some embodiments of the present invention, the PorTender may be further adapted to be installed into an operating system of the computing platform.

Now turning to FIG. 1, there is shown a general system level diagram (100) showing all constituent computer network elements (including the firewalls in the server OS) as well as a basic communication flow from a remote administrator access to a computing platform firewall, according to some embodiments of the present invention. System 100 may be described in view of FIG. 2 showing a flow chart (200) including the steps of a basic communication flow from a remote administrator access to a computing platform firewall, according to some embodiments of the present invention.

According to some embodiments of the present invention, system 100 may comprise a device for user Internet access (e.g. client machine 110) which may be any device from the group consisting of: computer terminal, desktop computer, laptop computer, nettop, netbook, tablet, mobile internet device, smartphone etc. System 100 may further comprise a secure web access administrator client (i.e. cloud service 120), providing a front-end for a policy server. System 100 may further comprise a secure server (130) and/or a group of secure servers (140) accessible from cloud service 120 and adapted with a port tending agent (PorTender).

According to some embodiments of the present invention, an administrator may login (205) to secure web access administrator client 120 (i.e. policy server) using a password and/or any other predetermined verification technique. According to further embodiments of the present invention, the administrator may adjust (210) port-access and security settings for secure server 130 and/or group of secure servers 140. The adjusted settings may be saved (220) to the policy server.

According to some embodiments of the present invention, the administrator may setup (215) an access lease for a limited access lease to secure server 130 and/or group of secure servers 140. The access lease settings may be saved (230) to the policy server. According to further embodiments of the present invention, the access lease information may be sent to a preferred user via an optional combination of secure email, SMS, and/or any other direct or otherwise secure messaging system.

According to some embodiments of the present invention, the policy server may send (240) port-access, security and access lease settings to Port tending agent (PorTender) using integral or functionally associated communications controller. According to further embodiments of the present invention, the PorTender may adjust (250) security and port settings on secure server 130 and/or group of secure servers 140. The preferred user may then use received access lease information to login and access secure server 130 and/or group of secure servers 140.

Now turning to FIG. 3A, there is shown a functional level diagram (300A) of PorTender inside of a Server/computing platform, according to some embodiments of the present invention. System 300A may be described in view of FIG. 3B, showing a flowchart (300B) including the steps performed by the PorTender, according to some embodiments of the present invention.

According to some embodiments of the present invention, a server or any computing platform (300A) may comprise some processing logic, circuit, device, system and/or associated software for executing processing functions for the sever (e.g. Platform operating memory/space 305A). Platform operating memory/space (e.g. kernel) 305A may comprise firewall module 310A, adapted to control and secure functionally associated networking hardware 315A integral to or functionally associated with server 300A. Platform operating memory/space (e.g. kernel) 305A may further comprise Data storage drivers and interface module 330A, adapted to control functionally associated storage devices (e.g. main memory, mass storage device(s), removable media/medium 335A) integral to or functionally associated with server 300A. Platform operating memory/space (e.g. kernel) 305A may further comprise CPU drivers and interface module (320A), adapted to control functionally associated CPU(s) 325A functionally associated with or integral to server 300A.

According to some embodiments of the present invention, server/computing platform 300A may be adapted to communicate to a network (e.g. LAN, WAN, VPN, etc.) via functionally associated networking hardware 315A integral to or functionally associated with server 300A. Platform operating memory/space (e.g. kernel) 305A may include firewall 310A to control server/computing platform 300A port access.

According to some embodiments of the present invention, server/computing platform 300A may include user space 350A for running integral or functionally associated applications. User space 350A may further include a port-tending agent (PorTender 355A) adapted to provide direct access to firewall module 310A and control security and/or port access settings. PorTender 355A may communicate with functionally associated policy server 340A, through firewall module 310A and via networking hardware 315A, to receive updated security policy and/or port access settings.

According to some embodiments of the present invention, PorTender 355A may initiate (310B) a secure communication session with policy server 340A or may wait for a next expected communication request from policy server 340A. The connection between PorTender 355A and policy server 340A may be a substantially real-time open connection. According to further embodiments of the present invention when policy server 340A is unavailable (320B), PorTender 355A may adjust (325B) security settings of firewall 310A and port settings of server 300A based on a preconfigured emergency policy. A preconfigured emergency mode timeout setting may determine the length of unavailability that triggers the emergency policy.

According to some embodiments of the present invention when policy server 340A is available (320B), PorTender 355A may receive (330B) port-access, security and access lease settings from policy server 340A. According to further embodiments of the present invention, PorTender 355A may adjust (340B) security settings of firewall 310A and port settings of server 300A based on the received policy.

Now turning to FIG. 4A, there is shown a functional level diagram (400A) of a policy server, according to some embodiments of the present invention. System 400A may be described in view of FIG. 4B, showing a flowchart (400B) including the steps performed by the policy server, according to some embodiments of the present invention.

According to some embodiments of the present invention, web-based user interface 420A (i.e. a cloud service) may provide security policy controls 422A and access lease controls (424A) for functionally associated policy server 410A. Policy server 410A may comprise security policy storage 412A and access lease scheduler 414A. According to some embodiments of the present invention, policy server 410A may further comprise communications controller/logic 416A to transmit and receive information with security policy distributor 450A and access lease distributor 440A.

According to some embodiments of the present invention, policy server 410A may open (410B) a secure web access administrator session upon receiving a valid password and/or some other verification (e.g. IP address). According to further embodiments of the present invention, policy server may receive (430B) access lease settings for a limited access lease to a server or group of servers for a preferred user and save the settings to access lease scheduler 414A. According to further embodiments of the present invention, the access lease information (i.e. a unique IP address invitation) may be sent (435B) to the preferred user via access lease distributor 440A. The preferred access lease user may activate (436B) the unique access IP address access lease (e.g. by clicking a hyperlink trigger).

According to some embodiments of the present invention, policy server 410A may receive (420B) input port-access and security policy settings for a server or group of servers and save the settings in security policy storage 412A. According to further embodiments of the present invention, security policy distributor 450A may communicate with Port Tending agent (PorTender—430A) using a scheduled communication module, protocol and/or service (e.g. a polling module and/or a port-knocking module). According to further embodiments of the present invention, security policy distributor 450A may communicate with PorTender—430A using a substantially real-time communication module, protocol and/or service (e.g. a push module and/or Extensible messaging and presence protocol—XMPP). Policy server 410A may send (440B) port-access, security and access lease settings to PorTender 430A via security policy distributor (450A).

Some embodiments of the invention, for example, may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment including both hardware and software elements. Some embodiments may be implemented in software, which includes but is not limited to firmware, resident software, microcode, or the like.

Furthermore, some embodiments of the invention may take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. For example, a computer-usable or computer-readable medium may be or may include any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.

In some embodiments, the medium may be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Some demonstrative examples of a computer-readable medium may include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk, and an optical disk. Some demonstrative examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W), and DVD.

In some embodiments, a data processing system suitable for storing and/or executing program code may include at least one processor coupled directly or indirectly to memory elements, for example, through a system bus. The memory elements may include, for example, local memory employed during actual execution of the program code, bulk storage, and cache memories which may provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.

In some embodiments, input/output or I/O devices (including but not limited to keyboards, displays, pointing devices, etc.) may be coupled to the system either directly or through intervening I/O controllers. In some embodiments, network adapters may be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices, for example, through intervening private or public networks. In some embodiments, modems, cable modems and Ethernet cards are demonstrative examples of types of network adapters. Other suitable components may be used.

Functions, operations, components and/or features described herein with reference to one or more embodiments, may be combined with, or may be utilized in combination with, one or more other functions, operations, components and/or features described herein with reference to one or more other embodiments, or vice versa.

While certain features of the invention have been illustrated and described herein, many modifications, substitutions, changes, and equivalents will now occur to those skilled in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the true spirit of the invention.

Claims

1. A method for secured access for a computing platform comprising:

generating an on-the-fly access lease to the computing platform, wherein the on-the-fly access lease defines provisions for accessing at least one firewall port of the computing platform, wherein the provisions include at least a lease duration for accessing the at least one firewall port; and
controlling access to resources of the computing platform through an opening of the at least one firewall port of the computing platform, wherein the access to resources of the computing platform is determined based on the generated on-the-fly access lease and the security settings.

2. The method of claim 1, wherein the access to resources of the computing platform is triggered by passing an instruction to the computing platform during a secure tunnel communication requested by the computing platform.

3. The method of claim 2, further comprising:

monitoring the port access to the resources of the computing platform by a port-tending agent (PorTender) connected to the secure tunnel.

4. The method of claim 2, further comprising:

regulating the port access to the resources of the computing platform by a port-tending agent (PorTender) connected to the secure tunnel.

5. The method of claim 2, further comprising:

establishing a secure tunnel communication with the computing platform responsive to an intermittent connection request from the computing platform.

6. The method of claim 5, further comprising:

managing security settings of the computing platform; and
forwarding the security settings along the secure tunnel.

7. The method of claim 1, further comprising:

terminating the on-the-fly access lease according to a schedule.

8. The method of claim 1, further comprising:

transmitting administrator settings for port access of the one or more firewalls ports to a port-tending agent (PorTender) connected to the secure tunnel.

9. The method of claim 8, wherein the transmitting administrator settings occurs periodically according to a predetermined schedule.

10. The method of claim 8, wherein the transmitting administrator settings for port access occurs after a one-time request from the PorTender.

11. A system for secured access for a computing platform comprising:

at least one computing platform comprising at least one resource and at least one firewall port;
a policy server configured to control port access security and connectivity settings for the at least one computing platform; and
a communication link communicatively connecting between the at least one computing platform and the policy server, the communication link is configured to serve a secure tunnel communication there through, wherein the secure tunnel communication is intermittently established over the communication link;
wherein an on-the-fly access lease to the at least one port of the at least one computing platform defining provisions for access the at least one firewall port of the computing platform is acquired, wherein the provisions include at least a lease duration for accessing the at least one firewall port; and
wherein the policy server is configured to send instructions to open the at least one firewall port of the at least one computing platform during a communication using the secure tunnel communication respective of the acquired on-the-fly access lease and the security settings.

12. The system of claim 11, wherein the on-the-fly access lease is performed by a dynamic access lease manager of the system.

13. The system of claim 12, wherein the dynamic access lease manager is configured to terminate the on-the-fly access lease.

14. The system of claim 13, wherein the dynamic access lease manager is further configured to terminate the on-the-fly access lease according to a schedule.

15. The system of claim 11, wherein access to the at least one resource is monitored and regulated by a port-tending agent (PorTender).

16. The system of claim 15, wherein the PorTender intermittently triggers the secure tunnel communication. 17, The system of claim 15, wherein the policy server is configured to transmit administrator settings for port access to said PorTender.

18. The system of claim 17, wherein receiving administrator settings for access to the at least one port occurs periodically according to a predetermined schedule.

19. The system of claim 17, wherein receiving administrator settings to access the at least one firewall port occurs after a one-time request from the PorTender.

20. The system of claim 15, wherein the PorTender is installed into an operating system of the computing platform.

21. A non-transitory computer readable medium having stored thereon instructions for causing one or more processors to execute a process comprising:

generating an on-the-fly access lease to the computing platform, wherein the on-the-fly access lease defines provisions for accessing at least one firewall port of the computing platform, wherein the provisions include at least a lease duration for accessing the at least one firewall port; and
controlling access to resources of the computing platform through an opening of the at least one firewall port of the computing platform, wherein the access to resources of the computing platform is determined based on the generated on-the-fly access lease and the security settings.
Patent History
Publication number: 20170163691
Type: Application
Filed: Dec 14, 2016
Publication Date: Jun 8, 2017
Applicant: DOME 9 SECURITY LTD. (Tel Aviv)
Inventors: Zohar ALON (Tel Aviv), Roy FEINTUCH (San Francisco, CA)
Application Number: 15/378,331
Classifications
International Classification: H04L 29/06 (20060101);