US20050132199A1 - Secure and differentiated delivery of network security information - Google Patents

Secure and differentiated delivery of network security information Download PDF

Info

Publication number
US20050132199A1
US20050132199A1 US10/876,257 US87625704A US2005132199A1 US 20050132199 A1 US20050132199 A1 US 20050132199A1 US 87625704 A US87625704 A US 87625704A US 2005132199 A1 US2005132199 A1 US 2005132199A1
Authority
US
United States
Prior art keywords
network security
security information
recipients
information
recipient
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10/876,257
Inventor
Randall Boroughs
David Bonn
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to US10/876,257 priority Critical patent/US20050132199A1/en
Publication of US20050132199A1 publication Critical patent/US20050132199A1/en
Assigned to SILICON VALLEY BANK reassignment SILICON VALLEY BANK SECURITY AGREEMENT Assignors: GLADIATOR CORPORATION, WATCHGUARD TECHNOLOGIES, INC.
Assigned to WATCHGUARD TECHNOLOGIES, INC., GLADIATOR CORPORATION reassignment WATCHGUARD TECHNOLOGIES, INC. RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: SILICON VALLEY BANK
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data

Definitions

  • the present invention is directed to the field of computer networking, and more particularly, to the fields of network security and information delivery.
  • FIG. 1 is a network diagram showing the connection of computer systems involved in the delivery of distributions by the facility.
  • FIG. 2 is a network diagram showing a typical secured network operated by a subscriber.
  • FIG. 3 is a high-level block diagram of the addressing computer system.
  • FIG. 4 is a high-level block diagram of a typical delivery computer system.
  • FIG. 5 is a high-level block diagram of a typical network security management workstation operated by a subscriber.
  • FIG. 6 is a flow diagram showing the steps preferably performed by the facility in the subscriber registration program.
  • FIG. 7 is a display diagram showing a web page for soliciting information about a new subscriber.
  • FIGS. 8A-8B are data structure diagrams showing typical contents of the subscriber information database.
  • FIG. 9 is a flow diagram showing the steps preferably performed by the facility in the addressing program.
  • FIG. 10 is a data structure diagram showing a distribution containing information.
  • FIG. 11 is a data structure diagram showing a distribution containing code.
  • FIG. 12 is a data structure diagram showing a distribution containing network security data.
  • FIG. 13 is a data structure diagram showing typical contents of the addressed distribution database.
  • FIG. 14 is a flow diagram showing the steps preferably performed by the facility in the subscriber request processing program.
  • FIG. 15 is a data structure diagram showing the contents of a polling request sent from the client at a subscriber to a delivery computer system.
  • FIG. 16 is a data structure diagram showing a response to a client request transmitted from the delivery computer system receiving the client request to the client transmitting the client request.
  • FIG. 17 is a flow diagram showing the steps preferably performed by the facility in the client program.
  • FIG. 18 is a display diagram showing the display of a visual alert.
  • FIG. 19 is a display diagram showing the display of a distribution containing information.
  • FIG. 20 is a display diagram showing the display of a software update distribution containing code.
  • FIGS. 21-23 are display diagrams showing the display of a threat response distribution.
  • FIG. 24 is a flow diagram showing the steps preferably performed by the facility in a secure subscriber email program preferably executing on an encrypted mail server among the distribution computer systems.
  • FIG. 25 is a data structure diagram showing an email distribution transmitted from the encrypted email server computer system to a network security management workstation at a client.
  • FIG. 26 is a flow diagram showing the steps preferably performed by the facility in an encrypted email version of the client program.
  • the present invention provides a software facility for the secure and differentiated delivery of network security information (“the facility”) to support a network security information service.
  • the facility selects addressees for a particular instance of network security information (a network security information “distribution”) based on security characteristics of subscribers to which the distribution relates, securely and reliably delivers the distribution to each selected addressee, and enables a user at the subscriber to promptly and conveniently review and act on the distribution.
  • Distributions are preferably prepared by a team of network security experts.
  • a distribution may contain information, such as textual information, for review by a network security administrator. For example, the distribution could contain information describing a newly-discovered form of network attack, and explain how network security equipment or software already being used by the subscriber protects the subscriber from such attacks.
  • a distribution may also contain software. Such software can include both software designed to execute once to ensure that the subscriber's network is protected from a certain type of attack, or new or updated network security software that executes continuously to ensure the security of the subscriber's network.
  • a distribution may also contain data used for network security purposes. For example, where a subscriber uses a particular network security device that operates based upon a set of security rules, a distribution to the subscriber may contain additional rules to be added to the set used by the network security device.
  • the facility preferably selects addressees for each distribution from the subscribers registered with the network security information service.
  • the facility preferably uses a subscriber information database that stores information about each subscriber registered with the network security information service.
  • the subscriber database may contain, for each subscriber, an indication of the types of network security equipment, network security software, and applications used by the subscriber.
  • the facility receives a new distribution, it preferably receives with it an addressing query designed to select addressees for the distribution. The facility performs the addressing query against the subscriber information database to select addressees of the distribution.
  • the facility maximizes the extent to which each registered subscriber receives the distributions that relate to it, and minimizes the extent to which each registered subscriber receives distributions that do not relate to it. Also, by directly controlling the set of addressees, the facility ensures that distributions are not delivered to parties other than subscribers.
  • the facility After the distribution is addressed to addressees among the registered subscribers, the facility attempts to deliver the distribution to each of the addressees to which the distribution is addressed.
  • the facility may preferably deliver distributions either by secure email sent from the network security information service to the addressees, or using a client polling procedure in which a client program at each subscriber periodically polls a server maintained by the network security information service for new distributions addressed to its subscriber.
  • the facility utilizes BackWeb Foundation software, available from BackWeb Technologies of San Jose, Calif.
  • a verified email address for the subscriber is preferably used.
  • polling requests from the client preferably include a secret unique identifier issued to the subscriber, encrypted using public key encryption. These measures help ensure that the distribution is delivered only to the subscribers to which it is addressed.
  • each distribution is preferably encrypted to prevent anyone intercepting the distribution from discerning its content.
  • Each distribution is preferably also signed in way that reliably indicates both (1) the source of the distribution, and (2) the contents of the distribution when the distribution left its source.
  • This signature is preferably used by a component of the facility executing at each subscriber to ascertain whether each distribution (1) is from the network security information service or another trusted source and (2) has not been altered since it left that source.
  • the subscriber component of the facility preferably only allows the subscriber to make use of distributions meeting both of these conditions.
  • the client program of the facility preferably also alerts a user at the subscriber as soon as a distribution is received, displays information about the distribution, and facilitates the application of the distribution to enhance the level of security of the subscriber's network.
  • FIG. 1 is a network diagram showing the connection of computer systems involved in the delivery of distributions by the facility.
  • Distributions are initially received in a network security information addressing computer system (“addressing computer system”) 110 operated by the network security information service.
  • the addressing computer system 110 determines a list of addressees for the distribution, and forwards this list of addressees along with the distribution to a number of network security information delivery computer systems (“delivery computer systems”) operated by the network security information service, such as delivery computer systems 121 - 123 .
  • the addressing computer system is preferably connected to the delivery computer systems by a secure network 111 , such as a physically secure network or a virtual private network.
  • the delivery computer systems are connected via the Internet 130 to a number of subscriber network security management workstations at subscriber sites, such as subscriber network security management workstations 141 - 144 .
  • the delivery computer systems deliver the distribution to each of the subscriber computer systems to which the distribution is addressed.
  • the delivery computer systems are preferably distributed geographically in accordance with the geographic distribution of subscribers.
  • FIG. 2 is a network diagram showing a typical secured network operated by a subscriber.
  • a secured network 260 is connected to the Internet 230 by a network security device 250 , such as a WatchGuard Firebox II network security device available from WatchGuard Technologies, Inc. of Seattle, Wash.
  • the network security device 250 protects computer systems of the subscriber by controlling the traffic that can flow between the Internet 230 and protected computer systems of the subscriber, such as protected computer systems 241 , 261 , 262 , and 263 .
  • protected computer systems is a network security management workstation computer system 241 .
  • the network security management workstation computer system 241 is designated to receive distributions delivered by the facility.
  • the network security device 250 also preferably provides partial protection to partially protected computer systems of the subscriber, such as computer systems 271 or 272 in a partially secured network 270 .
  • partially protected computer systems provide a service such as web serving that requires a less restricted connection to the Internet.
  • FIG. 3 is a high-level block diagram of the addressing computer system.
  • the addressing computer system 300 contains one or more central processing units (CPUs) 310 , input/output devices 320 , and a volatile computer memory/persistent storage device (memory) 330 .
  • CPUs central processing units
  • input/output devices is a network connection 321 , through which the addressing computer system 300 may communicate with other connected computer systems; and a computer-readable media drive 322 , which can be used to install software products, including portions of the facility, which are provided on a computer-readable medium, such as a CD-ROM.
  • the memory 330 preferably contains a subscriber information database 331 containing information about each registered subscriber.
  • this information includes security characteristics of the subscriber that are used to determine whether to deliver particular distributions to the subscriber.
  • the memory 330 preferably further contains a portion of the facility called the “addressing program” 332 , which receives distributions and uses the subscriber information database 331 to address the distributions to subscribers. It will be recognized by those skilled in the art that portions of the contents shown in memory 330 may be maintained in the volatile memory device, on a persistent storage device, or both, depending upon the state of the addressing computer system at any given time.
  • FIG. 4 is a high-level block diagram of a typical delivery computer system.
  • the delivery computer system 400 has CPUs 410 and input/output devices 420 similar to the addressing computer system.
  • the memory 430 of the delivery computer system contains a portion of the facility called the “subscriber registration program” 433 , which registers new subscribers with the network security information service.
  • the memory 430 further contains a database 434 of addressed distributions or use in delivering distributions.
  • the memory 430 also contains a portion of the facility called the “subscriber request processing program” 435 which delivers distributions addressed to a particular subscriber when a polling request is received from that subscriber.
  • FIG. 5 is a high-level block diagram of a typical network security management workstation operated by a subscriber.
  • the CPUs 510 of the network security management workstation 500 are similar to those of the addressing computer system.
  • the input/output devices 520 of the network security management workstation include a display device 523 for displaying visual information, such as a video monitor; a pointing device 524 for selecting positions within displayed information, such as a mouse; and an audio output device 525 for outputting audio information, such as a speaker.
  • the memory 530 of the network security management workstation includes a portion of the facility called the “client program” 536 , which polls for, receives, and processes distributions.
  • the memory 530 also contains a network security management program 537 that manages the security of the subscriber's network, preferably in conjunction with the network security device.
  • the memory 530 preferably further contains network security management data 538 , such as network security rules, used by the network security management program 537 .
  • While the facility is preferably implemented on computer systems configured as described above in conjunction with FIGS. 1-5 , those skilled in the art will recognize that it may also be implemented on computer systems having different configurations. Those skilled in the art will further recognize that various functionalities of the facility may be distributed across multiple computer systems in a manner different from that described above in conjunction with FIGS. 1-5 .
  • FIG. 6 is a flow diagram showing the steps preferably performed by the facility in the subscriber registration program.
  • the subscriber registration program is preferably executed on each of the delivery computer systems.
  • the facility serves a web page to the network security management workstation of a new subscriber that solicits information about the subscriber.
  • FIG. 7 is a display diagram showing such a web page.
  • the web page 710 which is displayed in a web browser window 700 , contains fields 720 that can be used by a user at the subscriber to provide information about the subscriber.
  • step 603 the facility downloads to the network security management workstation the latest version of the client program.
  • step 604 the facility forwards the subscriber information to the addressing computer system for storage in the subscriber information data base. After step 604 , these steps conclude.
  • FIGS. 8A and 8B are data structure diagrams showing typical contents of the subscriber information database.
  • the contents of the subscriber information database are used by the facility to address distributions to the appropriate subset of subscribers.
  • FIG. 8A shows a primary subscriber information database table in which subscriber information is stored.
  • the primary subscriber information database table 800 contains a number of rows, such as rows 811 - 813 , each representing a different subscriber. Each row is divided into columns relating to different types of information, such as column 801 containing a subscriber identifier uniquely identifying the subscriber, column 802 containing an indication of the type of primary network security device used by the subscriber, column 803 containing an indication of the version of the network security software used by the subscriber, column 804 indicating the contract type of the subscriber indicating the level of service to be provided to the subscriber, and column 805 contain the maximum permissible level of encryption that can be provided to the subscriber.
  • FIG. 8B shows a secondary subscriber information database table in which additional subscriber information is stored.
  • the secondary subscriber information database table includes subscriber information relating to supplemental attributes not represented in the primary subscriber information database table.
  • the secondary subscriber information database table 850 contains a number of rows, such as rows 861 , 862 , 863 , and 871 , each representing a different subscriber attribute.
  • Each row of the secondary subscriber information database table is divided into the following columns: a subscriber identifier 851 of a subscriber having a supplemental attribute; a subscriber attribute column 852 containing an indication of the supplemental attribute of the subscriber to which the row relates; and an attribute value column 853 containing the value of that attribute.
  • row 861 indicates that the subscriber having subscriber identifier 1516 has the value “MS Exchange” for the supplemental attribute “application,” or that this subscriber uses the MS Exchange application.
  • the subscriber information database is shown in this form in order to facilitate an appreciation for its contents, those skilled in the art will recognize that the subscriber information database may be organized in other, more efficient ways. Those skilled in the art will also recognize that additional types of information about each subscriber may be stored in the subscriber information database and used to address distributions.
  • FIG. 9 is a flow diagram showing the steps preferably performed by the facility in the addressing program.
  • the addressing program preferably executes on each of the addressing computer systems.
  • the facility receives a distribution, also known as an “instance of network security information.” With the distribution, the facility receives an addressing query reflecting the subset of subscribers to which the distribution is to be addressed.
  • FIGS. 10-12 are data structure diagrams showing sample distribution contents.
  • FIG. 10 is a data structure diagram showing a distribution 1000 containing information, such as textual information, informing subscribers of the distribution about network security issues. Such a distribution is called an “information alert” distribution.
  • FIG. 11 is a data structure diagram showing a distribution 1100 containing code that may be executed by the subscriber to provide enhanced network security. The code may be designed to be executed once upon receipt in order to test and/or modify the state of the security management work station and/or the network security device. Alternatively, the code may be designed for continuous execution on one or both of those computer systems. Such a distribution is called a “threat response” distribution if it addresses a particular newly-identified threat to network security.
  • FIG. 12 is a data structure diagram showing a distribution 1200 containing network security data.
  • distributions generally address particular threats, and therefore constitute a threat response.
  • step 902 the facility performs the addressing query against the subscriber information database to produce a list of a subscriber identifiers of subscribers whose subscriber information matches the addressing query. These subscribers are called “addressees” of the distribution.
  • step 903 the facility forwards to the delivery computer systems both the distribution and the list of subscriber identifiers produced in step 902 for storage in the addressed distribution database maintained by each delivery computer system. Where a portion of the subscribers identified by the produced subscriber identifiers have requested to receive distributions via encrypted email, the contents of the distribution and the subscriber identifiers of these subscribers are preferably instead transmitted to an encrypted mail server computer system among the delivery computer systems. After step 903 , these steps conclude.
  • FIG. 13 is a data structure diagram showing typical contents of the addressed distribution database.
  • the addressed distribution database is preferably stored on each delivery computer system.
  • the major rows such as major rows 1310 , 1320 , and 1330 , each correspond to a different distribution.
  • a major row contains the contents of a distribution, and one or more minor rows each corresponding to a different addressee of the distribution.
  • major row 1310 includes minor rows such as minor rows 1311 - 1313 .
  • Each minor row contains the subscriber identifier of one addressee of the distribution indication of the date and time at which the distribution was delivered to the addressee if the distribution has been delivered to the addressee.
  • the addressed distribution database is used by each delivery computer system to determine whether any distributions have been addressed to subscribers that have not yet been delivered. For example, if a delivery computer system received a polling request from the subscriber having subscriber identifier 2497 , the facility would use the address distribution database to determine that the distributions represented by major rows 1320 and 1330 have not yet been delivered to this subscriber, as minor rows 1321 and 1331 do not contain a delivery date.
  • the addressed distribution database may be organized in other, more efficient ways. For example, rather than directly containing the distribution contents, the addressed distribution database may contain references to the distribution contents stored in another location. Further, the addressed distribution database may be indexed by subscriber identifier to facilitate reference into the addressed distribution database for a particular subscriber. Additionally, the addressed distribution database could be organized in accordance with each subscriber identifier rather than in accordance with each distribution.
  • FIG. 14 is a flow diagram showing the steps preferably performed by the facility in the subscriber request processing program.
  • the facility receives a polling request from the program executing on the network security management workstation client at a subscriber.
  • the request contains the subscriber identifier of the subscriber and a new session encryption key generated by the client.
  • the subscriber identifier and the session key are preferably encrypted with the public key of the network security information service.
  • FIG. 15 is a data structure diagram showing the contents of a polling request sent from the client at a subscriber to a delivery computer system.
  • the client request 1500 contains the target address of the request—that is, the address of the delivery computer system.
  • the client request 1500 further contains a source address 1502 for the request—that is, the address of the network security management workstation upon which the client is executing.
  • the client request 1500 further contains a section 1505 in which the subscriber identifier 1503 of the subscriber and the session key 1504 generated by the client are encrypted with the public key of the network security information service.
  • the facility decrypts the subscriber identifier and session key using the private key of the network security information service.
  • the facility uses the addressed distribution database to identify distributions addressed to the subscriber but not yet delivered to the subscriber.
  • the facility loops through each distribution identified in step 1403 .
  • the facility computes a one-way function on the contents of the distribution. The result of this one-way function is a characterization of the contents of the distribution. In general, the one-way function produces different results for distributions having different contents.
  • the facility encrypts the result of the one-way function with the private key of the network security information service.
  • step 1407 the facility attaches the encrypted result of step 1406 to the contents of the distribution. Then, in step 1408 , the facility encrypts the distribution and encrypted one-way function result with the session key received from the client. In step 1409 , the facility transmits the encrypted distribution contents and one-way function result to the client.
  • FIG. 16 is a data structure diagram showing a response to a client request transmitted from the delivery computer system receiving the client request to the client transmitting the client request.
  • the response 1600 contains a target address 1601 —that is, the address of the network security management workstation on which the requesting client is executing.
  • the response 1600 further contains a source address 1602 —that is, the address of the delivery computer system.
  • the response 1600 also contains a portion 1607 , in which block 1606 is encrypted with the session key received from the client.
  • Block 1606 in turn contains the contents of a distribution addressed to the subscriber as well as encrypted block 1604 .
  • the one-way function result 1603 is encrypted with the private key of the network security information service.
  • FIG. 17 is a flow diagram showing the steps preferably performed by the facility in the client program.
  • the client program is preferably executed in the network security management workstation at each subscriber.
  • the facility preferably loops through steps 1701 - 1719 at regular intervals, such as every fifteen minutes.
  • the facility generates a new session key to use in communicating with the delivery computer system to which is it assigned.
  • the facility encrypts the subscriber identifier of the subscriber and the session key generated in step 1702 with the public key of the network security information service.
  • the facility transmits to the delivery computer system a polling request for new distributions addressed to the subscriber.
  • the request contains the encrypted subscriber identifier and session key generated in step 1703 .
  • the facility receives zero or more responses from the delivery computer system. Each received response constitutes the delivery of one distribution.
  • steps 1706 - 1718 the facility loops through each received response. If no response is received, the facility continues in step 1719 .
  • the facility decrypts the response using the session key generated in step 1702 .
  • the facility uses the public key of the network security information service to decrypt the one-way function result contained in the response.
  • the facility recomputes the one-way function on the distribution contents contained in the response.
  • the facility if the one-way function result generated in step 1709 matches the one-way function result contained in the response, then the facility continues in step 1711 to process the distribution, else the facility continues in step 1718 .
  • the facility alerts the user to the arrival of the distribution.
  • the facility may display a visual alert, output an audible alert, or both.
  • FIG. 18 is a display diagram showing the display of a visual alert. Visual alert 1800 is displayed when a valid distribution is received. In response, the user may press button 1801 to review the distribution, or may press button 1802 to dismiss the visual alert.
  • FIG. 19 is a display diagram showing the display of a distribution containing information.
  • Window 1900 shows the contents of an information alert distribution.
  • the information alert distribution has textual contents 1901 discussing a network security issue.
  • Window 1900 further contains button 1909 , which can be selected to close window 1900 .
  • FIG. 20 is a display diagram showing the display of a software update distribution containing code.
  • Window 2000 contains information 2001 about updated network security code that is to be installed on the network security management workstation computer system and/or the network security device.
  • Window 2010 contains the code 2011 that is to be installed, as well as a file 2012 containing additional information about the code.
  • Window 2000 directly contains a visual control that may be selected by the user to install the software update.
  • FIGS. 21-23 are display diagrams showing the display of a threat response distribution.
  • the client displays Window 2100 , which contains essential information 2101 , 2202 , 2303 about the threat and a proposed response.
  • Client also displays Window 2110 containing new network security rules 2111 and additional information 2113 to be used in responding to the threat.
  • Window 2100 contains a visual control that may be selected by the user in order to activate the distribution.
  • step 1713 if the distribution is activatable, then the facility continues in step 1714 , else the facility continues in step 1715 .
  • step 1714 the facility displays information about the distribution with controls for activating and dismissing the distribution.
  • step 1716 the facility displays information about the distribution with a control for dismissing the distribution.
  • step 1716 if an activation control is selected, then the facility continues in step 1717 to activate the distribution, else the dismiss control is selected and the facility continues in step 1718 .
  • step 1717 preferably involves storing the security data in a particular manner on the network security management workstation and/or on the network security device.
  • step 1717 preferably involves executing and/or installing the code on the network security workstation and/or on the network security device.
  • step 1718 the facility loops back to step 1706 to process the next received response.
  • step 1719 the facility waits until the next interval expires, then loops back to step 1701 in order to generate a new polling request.
  • the facility loops back to step 1701 to generate a new polling request before the expiration of the next interval.
  • FIGS. 24-26 illustrate the delivery of distributions via encrypted email.
  • FIG. 24 is a flow diagram showing the steps preferably performed by the facility in a secure subscriber email program preferably executing on an encrypted mail server among the distribution computer systems.
  • the facility receives from the addressing computer system the contents of a distribution and a list of subscriber identifiers for subscribers that are to receive the distribution via encrypted email.
  • the facility computers a one-way function on the contents of the distribution.
  • the facility encrypts the result of the one-way function with the private key of the network security information service.
  • the facility attaches the encrypted result of step 2403 to the contents of the distribution.
  • steps 2405 - 2408 the facility loops through each email addressee in the received list of email addressees.
  • the facility encrypts the results of step 2404 using the public key of the current email addressee.
  • the facility transmits an email to the current addressee containing the result of step 2406 .
  • step 2408 if additional email addressees remain, then the facility loops back to step 2405 to process the next email addressee. After step 2408 , these steps conclude.
  • FIG. 25 is a data structure diagram showing an email distribution transmitted from the encrypted email server computer system to a network security management workstation at a client.
  • the email distribution is preferably generated in accordance with steps 2402 , 2403 , 2404 , and 2406 discussed above.
  • the email distribution 2500 contains a one-way function result 2501 , which is encrypted with the private key of the network security information service to form encrypted block 2502 .
  • Encrypted block 2502 and the distribution 2503 are aggregated together in block 2504 .
  • Block 2504 is in turn encrypted with the public key of the addressee subscriber to constitute email distribution 2500 .
  • FIG. 26 is a flow diagram showing the steps preferably performed by the facility in an encrypted email version of the client program.
  • the encrypted email version of the client program preferably executes on a network management workstation at a subscriber.
  • the facility receives an encrypted email containing a new distribution plus an encrypted one-way function result.
  • the facility uses the private key of the subscriber to decrypt the email distribution 2500 to obtain block 2504 .
  • the facility decrypts the encrypted one-way function result 2502 using the public key of the network security information service to obtain the one-way function result 2501 .
  • the facility recomputes the one-way function on the contents of the distribution 2503 .
  • step 2605 if the one-way function result generated in step 2604 matches the one-way function result 2501 contained in the email, then the facility continues in step 2606 to process the distribution, else the facility continues in step 2601 to receive the next email.
  • step 2606 the facility alerts the user to the route of the distribution.
  • the facility may display a visual alert, output an audible word, or both.
  • step 2607 the facility receives user input to display information about the current distribution.
  • step 2608 if the distribution is activatable, then the facility continues in step 2609 , else the facility continues in step 2610 .
  • step 2609 the facility displays information about the distribution with controls for activating and dismissing the distribution.
  • step 2610 the facility displays information about the distribution with the control for dismissing the distribution.
  • step 2611 the facility displays information about the distribution with the control for dismissing the distribution.
  • step 2611 the facility continues in step 2611 .
  • step 2611 if an activation control is selected, the facility continues in step 2612 to activate the distribution, else the dismiss control is selected and the facility continues in step 2601 to receive the next email.
  • certain sensitive types of distribution contents are not enclosed directly in emailed distributions, but rather are enclosed by reference.
  • the emailed distribution contains a secure http link to a secure http server from which the sensitive contents may be retrieved.
  • the facility in step 2612 dereferences the secure http reference in order to retrieve the sensitive contents via a secure http from the secure http server.
  • step 2601 receive the next emailed distribution.

Abstract

The present invention is directed to a facility for distributing network security information. The facility receives network security information and recipient selection information specifying a characteristic of perspective recipients to be used in selecting recipients for the security information. The facility then compares the received recipient selection information to each of a plurality of perspective recipient profiles. Each perspective recipient profile corresponds to one or more perspective recipients and indicates one or more characteristics of the perspective recipients relating to the receipt of network security information. Based upon this comparison, the facility selects at least a portion of the plurality of perspective recipients as recipients of the network security information, and addresses the network security information to each of the selected recipients.

Description

    TECHNICAL FIELD
  • The present invention is directed to the field of computer networking, and more particularly, to the fields of network security and information delivery.
    • BACKGROUND OF THE INVENTION
  • As computer systems become more ubiquitous, it becomes increasingly common for computer systems to be connected together in computer networks, such as the Internet. Such increased connectivity between computer systems provides significant benefits by enabling the exchange of useful information between users of connected computer systems.
  • Unfortunately, increased connectivity between computer systems also creates significant hazards. Malicious or careless users can often negatively affect target computer systems to which their computer systems are connected by, for example: misappropriating, deleting, or modifying important and/or valuable data; misappropriating valuable services; or temporarily or permanently impairing the operation of the computer system. While the hardware and software comprising a computer system is generally designed to prevent these sorts of “attacks,” it is nonetheless often possible for outsiders to discover and exploit vulnerabilities in particular hardware, software, or both.
  • In order to secure their computer systems against such hazards, users and system administrators often seek one-on-one assistance from network security experts. Unfortunately, the scarcity of such experts and the significant costs of retaining them make them inaccessible to many users and system administrators. This is exacerbated by the ongoing discovery of new target computer system vulnerabilities and the development of increasingly sophisticated forms of attacks.
  • In view of the need by many users and system administrators for prompt and ongoing assistance in securing their computer systems, an automated system for securely distributing security-related information from network security experts to a substantial number of recipients automatically selected from a list of subscribers based upon their security characteristics would have significant utility.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a network diagram showing the connection of computer systems involved in the delivery of distributions by the facility.
  • FIG. 2 is a network diagram showing a typical secured network operated by a subscriber.
  • FIG. 3 is a high-level block diagram of the addressing computer system.
  • FIG. 4 is a high-level block diagram of a typical delivery computer system.
  • FIG. 5 is a high-level block diagram of a typical network security management workstation operated by a subscriber.
  • FIG. 6 is a flow diagram showing the steps preferably performed by the facility in the subscriber registration program.
  • FIG. 7 is a display diagram showing a web page for soliciting information about a new subscriber.
  • FIGS. 8A-8B are data structure diagrams showing typical contents of the subscriber information database.
  • FIG. 9 is a flow diagram showing the steps preferably performed by the facility in the addressing program.
  • FIG. 10 is a data structure diagram showing a distribution containing information.
  • FIG. 11 is a data structure diagram showing a distribution containing code.
  • FIG. 12 is a data structure diagram showing a distribution containing network security data.
  • FIG. 13 is a data structure diagram showing typical contents of the addressed distribution database.
  • FIG. 14 is a flow diagram showing the steps preferably performed by the facility in the subscriber request processing program.
  • FIG. 15 is a data structure diagram showing the contents of a polling request sent from the client at a subscriber to a delivery computer system.
  • FIG. 16 is a data structure diagram showing a response to a client request transmitted from the delivery computer system receiving the client request to the client transmitting the client request.
  • FIG. 17 is a flow diagram showing the steps preferably performed by the facility in the client program.
  • FIG. 18 is a display diagram showing the display of a visual alert.
  • FIG. 19 is a display diagram showing the display of a distribution containing information.
  • FIG. 20 is a display diagram showing the display of a software update distribution containing code.
  • FIGS. 21-23 are display diagrams showing the display of a threat response distribution.
  • FIG. 24 is a flow diagram showing the steps preferably performed by the facility in a secure subscriber email program preferably executing on an encrypted mail server among the distribution computer systems.
  • FIG. 25 is a data structure diagram showing an email distribution transmitted from the encrypted email server computer system to a network security management workstation at a client.
  • FIG. 26 is a flow diagram showing the steps preferably performed by the facility in an encrypted email version of the client program.
    • DETAILED DESCRIPTION OF THE INVENTION
  • The present invention provides a software facility for the secure and differentiated delivery of network security information (“the facility”) to support a network security information service. In a preferred embodiment, the facility selects addressees for a particular instance of network security information (a network security information “distribution”) based on security characteristics of subscribers to which the distribution relates, securely and reliably delivers the distribution to each selected addressee, and enables a user at the subscriber to promptly and conveniently review and act on the distribution.
  • Distributions are preferably prepared by a team of network security experts. A distribution may contain information, such as textual information, for review by a network security administrator. For example, the distribution could contain information describing a newly-discovered form of network attack, and explain how network security equipment or software already being used by the subscriber protects the subscriber from such attacks. A distribution may also contain software. Such software can include both software designed to execute once to ensure that the subscriber's network is protected from a certain type of attack, or new or updated network security software that executes continuously to ensure the security of the subscriber's network. A distribution may also contain data used for network security purposes. For example, where a subscriber uses a particular network security device that operates based upon a set of security rules, a distribution to the subscriber may contain additional rules to be added to the set used by the network security device.
  • Because some distributions are only useful to subscribers having certain security characteristics, such as those having a particular network security device, the facility preferably selects addressees for each distribution from the subscribers registered with the network security information service. In this regard, the facility preferably uses a subscriber information database that stores information about each subscriber registered with the network security information service. For example, the subscriber database may contain, for each subscriber, an indication of the types of network security equipment, network security software, and applications used by the subscriber. When the facility receives a new distribution, it preferably receives with it an addressing query designed to select addressees for the distribution. The facility performs the addressing query against the subscriber information database to select addressees of the distribution. By selecting addressees for a distribution (or “addressing” the distribution), the facility maximizes the extent to which each registered subscriber receives the distributions that relate to it, and minimizes the extent to which each registered subscriber receives distributions that do not relate to it. Also, by directly controlling the set of addressees, the facility ensures that distributions are not delivered to parties other than subscribers.
  • After the distribution is addressed to addressees among the registered subscribers, the facility attempts to deliver the distribution to each of the addressees to which the distribution is addressed. The facility may preferably deliver distributions either by secure email sent from the network security information service to the addressees, or using a client polling procedure in which a client program at each subscriber periodically polls a server maintained by the network security information service for new distributions addressed to its subscriber. In order to implement the client polling procedure, in certain embodiments, the facility utilizes BackWeb Foundation software, available from BackWeb Technologies of San Jose, Calif. For emailed distributions, a verified email address for the subscriber is preferably used. For distributions delivered by the client polling procedure, polling requests from the client preferably include a secret unique identifier issued to the subscriber, encrypted using public key encryption. These measures help ensure that the distribution is delivered only to the subscribers to which it is addressed.
  • During delivery, each distribution is preferably encrypted to prevent anyone intercepting the distribution from discerning its content. Each distribution is preferably also signed in way that reliably indicates both (1) the source of the distribution, and (2) the contents of the distribution when the distribution left its source. This signature is preferably used by a component of the facility executing at each subscriber to ascertain whether each distribution (1) is from the network security information service or another trusted source and (2) has not been altered since it left that source. The subscriber component of the facility preferably only allows the subscriber to make use of distributions meeting both of these conditions.
  • The client program of the facility preferably also alerts a user at the subscriber as soon as a distribution is received, displays information about the distribution, and facilitates the application of the distribution to enhance the level of security of the subscriber's network.
  • FIG. 1 is a network diagram showing the connection of computer systems involved in the delivery of distributions by the facility. Distributions are initially received in a network security information addressing computer system (“addressing computer system”) 110 operated by the network security information service. For each distribution, the addressing computer system 110 determines a list of addressees for the distribution, and forwards this list of addressees along with the distribution to a number of network security information delivery computer systems (“delivery computer systems”) operated by the network security information service, such as delivery computer systems 121-123. The addressing computer system is preferably connected to the delivery computer systems by a secure network 111, such as a physically secure network or a virtual private network. The delivery computer systems are connected via the Internet 130 to a number of subscriber network security management workstations at subscriber sites, such as subscriber network security management workstations 141-144. Using one of the approaches described below, the delivery computer systems deliver the distribution to each of the subscriber computer systems to which the distribution is addressed. The delivery computer systems are preferably distributed geographically in accordance with the geographic distribution of subscribers.
  • FIG. 2 is a network diagram showing a typical secured network operated by a subscriber. A secured network 260 is connected to the Internet 230 by a network security device 250, such as a WatchGuard Firebox II network security device available from WatchGuard Technologies, Inc. of Seattle, Wash. The network security device 250 protects computer systems of the subscriber by controlling the traffic that can flow between the Internet 230 and protected computer systems of the subscriber, such as protected computer systems 241, 261, 262, and 263. Among the protected computer systems is a network security management workstation computer system 241. The network security management workstation computer system 241 is designated to receive distributions delivered by the facility. The network security device 250 also preferably provides partial protection to partially protected computer systems of the subscriber, such as computer systems 271 or 272 in a partially secured network 270. Typically, partially protected computer systems provide a service such as web serving that requires a less restricted connection to the Internet.
  • FIG. 3 is a high-level block diagram of the addressing computer system. The addressing computer system 300 contains one or more central processing units (CPUs) 310, input/output devices 320, and a volatile computer memory/persistent storage device (memory) 330. Among the input/output devices is a network connection 321, through which the addressing computer system 300 may communicate with other connected computer systems; and a computer-readable media drive 322, which can be used to install software products, including portions of the facility, which are provided on a computer-readable medium, such as a CD-ROM. The memory 330 preferably contains a subscriber information database 331 containing information about each registered subscriber. As is discussed further below, this information includes security characteristics of the subscriber that are used to determine whether to deliver particular distributions to the subscriber. The memory 330 preferably further contains a portion of the facility called the “addressing program” 332, which receives distributions and uses the subscriber information database 331 to address the distributions to subscribers. It will be recognized by those skilled in the art that portions of the contents shown in memory 330 may be maintained in the volatile memory device, on a persistent storage device, or both, depending upon the state of the addressing computer system at any given time.
  • FIG. 4 is a high-level block diagram of a typical delivery computer system. The delivery computer system 400 has CPUs 410 and input/output devices 420 similar to the addressing computer system. The memory 430 of the delivery computer system contains a portion of the facility called the “subscriber registration program” 433, which registers new subscribers with the network security information service. The memory 430 further contains a database 434 of addressed distributions or use in delivering distributions. The memory 430 also contains a portion of the facility called the “subscriber request processing program” 435 which delivers distributions addressed to a particular subscriber when a polling request is received from that subscriber.
  • FIG. 5 is a high-level block diagram of a typical network security management workstation operated by a subscriber. The CPUs 510 of the network security management workstation 500 are similar to those of the addressing computer system. The input/output devices 520 of the network security management workstation, in addition to a network connection 521 and a computer-readable media drive 522, include a display device 523 for displaying visual information, such as a video monitor; a pointing device 524 for selecting positions within displayed information, such as a mouse; and an audio output device 525 for outputting audio information, such as a speaker. The memory 530 of the network security management workstation includes a portion of the facility called the “client program” 536, which polls for, receives, and processes distributions. The memory 530 also contains a network security management program 537 that manages the security of the subscriber's network, preferably in conjunction with the network security device. The memory 530 preferably further contains network security management data 538, such as network security rules, used by the network security management program 537.
  • While the facility is preferably implemented on computer systems configured as described above in conjunction with FIGS. 1-5, those skilled in the art will recognize that it may also be implemented on computer systems having different configurations. Those skilled in the art will further recognize that various functionalities of the facility may be distributed across multiple computer systems in a manner different from that described above in conjunction with FIGS. 1-5.
  • FIG. 6 is a flow diagram showing the steps preferably performed by the facility in the subscriber registration program. The subscriber registration program is preferably executed on each of the delivery computer systems. In step 601, the facility serves a web page to the network security management workstation of a new subscriber that solicits information about the subscriber. FIG. 7 is a display diagram showing such a web page. The web page 710, which is displayed in a web browser window 700, contains fields 720 that can be used by a user at the subscriber to provide information about the subscriber.
  • Returning to FIG. 6, in step 603, the facility downloads to the network security management workstation the latest version of the client program. In step 604, the facility forwards the subscriber information to the addressing computer system for storage in the subscriber information data base. After step 604, these steps conclude.
  • FIGS. 8A and 8B are data structure diagrams showing typical contents of the subscriber information database. The contents of the subscriber information database are used by the facility to address distributions to the appropriate subset of subscribers.
  • FIG. 8A shows a primary subscriber information database table in which subscriber information is stored. The primary subscriber information database table 800 contains a number of rows, such as rows 811-813, each representing a different subscriber. Each row is divided into columns relating to different types of information, such as column 801 containing a subscriber identifier uniquely identifying the subscriber, column 802 containing an indication of the type of primary network security device used by the subscriber, column 803 containing an indication of the version of the network security software used by the subscriber, column 804 indicating the contract type of the subscriber indicating the level of service to be provided to the subscriber, and column 805 contain the maximum permissible level of encryption that can be provided to the subscriber.
  • FIG. 8B shows a secondary subscriber information database table in which additional subscriber information is stored. In particular, the secondary subscriber information database table includes subscriber information relating to supplemental attributes not represented in the primary subscriber information database table. The secondary subscriber information database table 850 contains a number of rows, such as rows 861, 862, 863, and 871, each representing a different subscriber attribute. Each row of the secondary subscriber information database table is divided into the following columns: a subscriber identifier 851 of a subscriber having a supplemental attribute; a subscriber attribute column 852 containing an indication of the supplemental attribute of the subscriber to which the row relates; and an attribute value column 853 containing the value of that attribute. For example, row 861 indicates that the subscriber having subscriber identifier 1516 has the value “MS Exchange” for the supplemental attribute “application,” or that this subscriber uses the MS Exchange application. While the subscriber information database is shown in this form in order to facilitate an appreciation for its contents, those skilled in the art will recognize that the subscriber information database may be organized in other, more efficient ways. Those skilled in the art will also recognize that additional types of information about each subscriber may be stored in the subscriber information database and used to address distributions.
  • FIG. 9 is a flow diagram showing the steps preferably performed by the facility in the addressing program. The addressing program preferably executes on each of the addressing computer systems. In step 901, the facility receives a distribution, also known as an “instance of network security information.” With the distribution, the facility receives an addressing query reflecting the subset of subscribers to which the distribution is to be addressed.
  • FIGS. 10-12 are data structure diagrams showing sample distribution contents. FIG. 10 is a data structure diagram showing a distribution 1000 containing information, such as textual information, informing subscribers of the distribution about network security issues. Such a distribution is called an “information alert” distribution. FIG. 11 is a data structure diagram showing a distribution 1100 containing code that may be executed by the subscriber to provide enhanced network security. The code may be designed to be executed once upon receipt in order to test and/or modify the state of the security management work station and/or the network security device. Alternatively, the code may be designed for continuous execution on one or both of those computer systems. Such a distribution is called a “threat response” distribution if it addresses a particular newly-identified threat to network security. On the other hand, such a distribution is called a “software update” distribution if it replaces software that regularly executes on the security management workstation or network security device with a newer version. FIG. 12 is a data structure diagram showing a distribution 1200 containing network security data. In general, such distributions generally address particular threats, and therefore constitute a threat response.
  • Returning to FIG. 9, in step 902, the facility performs the addressing query against the subscriber information database to produce a list of a subscriber identifiers of subscribers whose subscriber information matches the addressing query. These subscribers are called “addressees” of the distribution. In step 903, the facility forwards to the delivery computer systems both the distribution and the list of subscriber identifiers produced in step 902 for storage in the addressed distribution database maintained by each delivery computer system. Where a portion of the subscribers identified by the produced subscriber identifiers have requested to receive distributions via encrypted email, the contents of the distribution and the subscriber identifiers of these subscribers are preferably instead transmitted to an encrypted mail server computer system among the delivery computer systems. After step 903, these steps conclude.
  • FIG. 13 is a data structure diagram showing typical contents of the addressed distribution database. The addressed distribution database is preferably stored on each delivery computer system. In the addressed distribution database 1300, the major rows, such as major rows 1310, 1320, and 1330, each correspond to a different distribution. A major row contains the contents of a distribution, and one or more minor rows each corresponding to a different addressee of the distribution. For example, major row 1310 includes minor rows such as minor rows 1311-1313. Each minor row contains the subscriber identifier of one addressee of the distribution indication of the date and time at which the distribution was delivered to the addressee if the distribution has been delivered to the addressee. The addressed distribution database is used by each delivery computer system to determine whether any distributions have been addressed to subscribers that have not yet been delivered. For example, if a delivery computer system received a polling request from the subscriber having subscriber identifier 2497, the facility would use the address distribution database to determine that the distributions represented by major rows 1320 and 1330 have not yet been delivered to this subscriber, as minor rows 1321 and 1331 do not contain a delivery date.
  • While the addressed distribution database is shown in this form in order to facilitate an appreciation for its contents, those skilled in the art will recognize that the addressed distribution database may be organized in other, more efficient ways. For example, rather than directly containing the distribution contents, the addressed distribution database may contain references to the distribution contents stored in another location. Further, the addressed distribution database may be indexed by subscriber identifier to facilitate reference into the addressed distribution database for a particular subscriber. Additionally, the addressed distribution database could be organized in accordance with each subscriber identifier rather than in accordance with each distribution.
  • FIG. 14 is a flow diagram showing the steps preferably performed by the facility in the subscriber request processing program. In step 1401, the facility receives a polling request from the program executing on the network security management workstation client at a subscriber. The request contains the subscriber identifier of the subscriber and a new session encryption key generated by the client. The subscriber identifier and the session key are preferably encrypted with the public key of the network security information service.
  • FIG. 15 is a data structure diagram showing the contents of a polling request sent from the client at a subscriber to a delivery computer system. The client request 1500 contains the target address of the request—that is, the address of the delivery computer system. The client request 1500 further contains a source address 1502 for the request—that is, the address of the network security management workstation upon which the client is executing. The client request 1500 further contains a section 1505 in which the subscriber identifier 1503 of the subscriber and the session key 1504 generated by the client are encrypted with the public key of the network security information service.
  • Returning to FIG. 14, in step 1402, the facility decrypts the subscriber identifier and session key using the private key of the network security information service. In step 1403, the facility uses the addressed distribution database to identify distributions addressed to the subscriber but not yet delivered to the subscriber. In steps 1404-1410, the facility loops through each distribution identified in step 1403. In step 1405, the facility computes a one-way function on the contents of the distribution. The result of this one-way function is a characterization of the contents of the distribution. In general, the one-way function produces different results for distributions having different contents. In step 1406, the facility encrypts the result of the one-way function with the private key of the network security information service. In step 1407, the facility attaches the encrypted result of step 1406 to the contents of the distribution. Then, in step 1408, the facility encrypts the distribution and encrypted one-way function result with the session key received from the client. In step 1409, the facility transmits the encrypted distribution contents and one-way function result to the client.
  • FIG. 16 is a data structure diagram showing a response to a client request transmitted from the delivery computer system receiving the client request to the client transmitting the client request. The response 1600 contains a target address 1601—that is, the address of the network security management workstation on which the requesting client is executing. The response 1600 further contains a source address 1602—that is, the address of the delivery computer system. The response 1600 also contains a portion 1607, in which block 1606 is encrypted with the session key received from the client. Block 1606 in turn contains the contents of a distribution addressed to the subscriber as well as encrypted block 1604. In encrypted block 1604, the one-way function result 1603 is encrypted with the private key of the network security information service. Returning to FIG. 14, in step 1410, if additional identified distributions remain to be processed, then the facility loops back to step 1404 to process the next identified distribution. After step 1410, the steps conclude.
  • FIG. 17 is a flow diagram showing the steps preferably performed by the facility in the client program. The client program is preferably executed in the network security management workstation at each subscriber. The facility preferably loops through steps 1701-1719 at regular intervals, such as every fifteen minutes. In step 1702, the facility generates a new session key to use in communicating with the delivery computer system to which is it assigned. In step 1703, the facility encrypts the subscriber identifier of the subscriber and the session key generated in step 1702 with the public key of the network security information service. In step 1704, the facility transmits to the delivery computer system a polling request for new distributions addressed to the subscriber. The request contains the encrypted subscriber identifier and session key generated in step 1703. In step 1705, the facility receives zero or more responses from the delivery computer system. Each received response constitutes the delivery of one distribution.
  • In steps 1706-1718, the facility loops through each received response. If no response is received, the facility continues in step 1719. In step 1707, the facility decrypts the response using the session key generated in step 1702. In step 1708, the facility uses the public key of the network security information service to decrypt the one-way function result contained in the response. In step 1709, the facility recomputes the one-way function on the distribution contents contained in the response. In step 1710, if the one-way function result generated in step 1709 matches the one-way function result contained in the response, then the facility continues in step 1711 to process the distribution, else the facility continues in step 1718. In step 1711, the facility alerts the user to the arrival of the distribution. In step 1711, the facility may display a visual alert, output an audible alert, or both. FIG. 18 is a display diagram showing the display of a visual alert. Visual alert 1800 is displayed when a valid distribution is received. In response, the user may press button 1801 to review the distribution, or may press button 1802 to dismiss the visual alert.
  • Returning to FIG. 17, in step 1712, the facility receives user input to display information about the current distribution. FIG. 19 is a display diagram showing the display of a distribution containing information. Window 1900 shows the contents of an information alert distribution. The information alert distribution has textual contents 1901 discussing a network security issue. Window 1900 further contains button 1909, which can be selected to close window 1900.
  • FIG. 20 is a display diagram showing the display of a software update distribution containing code. Window 2000 contains information 2001 about updated network security code that is to be installed on the network security management workstation computer system and/or the network security device. Window 2010 contains the code 2011 that is to be installed, as well as a file 2012 containing additional information about the code. In a further preferred embodiment, Window 2000 directly contains a visual control that may be selected by the user to install the software update.
  • FIGS. 21-23 are display diagrams showing the display of a threat response distribution. The client displays Window 2100, which contains essential information 2101, 2202, 2303 about the threat and a proposed response. Client also displays Window 2110 containing new network security rules 2111 and additional information 2113 to be used in responding to the threat. In a further preferred embodiment, Window 2100 contains a visual control that may be selected by the user in order to activate the distribution.
  • Returning to FIG. 17, in step 1713, if the distribution is activatable, then the facility continues in step 1714, else the facility continues in step 1715. In step 1714, the facility displays information about the distribution with controls for activating and dismissing the distribution. After step 1714, the facility continues in step 1716. In step 1715, the facility displays information about the distribution with a control for dismissing the distribution. After step 1715, the facility continues in step 1716. In step 1716, if an activation control is selected, then the facility continues in step 1717 to activate the distribution, else the dismiss control is selected and the facility continues in step 1718. For distributions containing network security data, step 1717 preferably involves storing the security data in a particular manner on the network security management workstation and/or on the network security device. For distributions containing code, step 1717 preferably involves executing and/or installing the code on the network security workstation and/or on the network security device. In step 1718, the facility loops back to step 1706 to process the next received response. In step 1719, the facility waits until the next interval expires, then loops back to step 1701 in order to generate a new polling request. In a further preferred embodiment, in response to a user command, the facility loops back to step 1701 to generate a new polling request before the expiration of the next interval.
  • FIGS. 24-26 illustrate the delivery of distributions via encrypted email. FIG. 24 is a flow diagram showing the steps preferably performed by the facility in a secure subscriber email program preferably executing on an encrypted mail server among the distribution computer systems. In step 2401, the facility receives from the addressing computer system the contents of a distribution and a list of subscriber identifiers for subscribers that are to receive the distribution via encrypted email. In step 2402, the facility computers a one-way function on the contents of the distribution. In step 2403, the facility encrypts the result of the one-way function with the private key of the network security information service. In step 2404, the facility attaches the encrypted result of step 2403 to the contents of the distribution. In steps 2405-2408, the facility loops through each email addressee in the received list of email addressees. In step 2406, the facility encrypts the results of step 2404 using the public key of the current email addressee. In step 2407, the facility transmits an email to the current addressee containing the result of step 2406. In step 2408, if additional email addressees remain, then the facility loops back to step 2405 to process the next email addressee. After step 2408, these steps conclude.
  • FIG. 25 is a data structure diagram showing an email distribution transmitted from the encrypted email server computer system to a network security management workstation at a client. The email distribution is preferably generated in accordance with steps 2402, 2403, 2404, and 2406 discussed above. The email distribution 2500 contains a one-way function result 2501, which is encrypted with the private key of the network security information service to form encrypted block 2502. Encrypted block 2502 and the distribution 2503 are aggregated together in block 2504. Block 2504 is in turn encrypted with the public key of the addressee subscriber to constitute email distribution 2500.
  • FIG. 26 is a flow diagram showing the steps preferably performed by the facility in an encrypted email version of the client program. The encrypted email version of the client program preferably executes on a network management workstation at a subscriber. In step 2601, the facility receives an encrypted email containing a new distribution plus an encrypted one-way function result. In step 2602, the facility uses the private key of the subscriber to decrypt the email distribution 2500 to obtain block 2504. In step 2603, the facility decrypts the encrypted one-way function result 2502 using the public key of the network security information service to obtain the one-way function result 2501. In step 2604, the facility recomputes the one-way function on the contents of the distribution 2503. In step 2605, if the one-way function result generated in step 2604 matches the one-way function result 2501 contained in the email, then the facility continues in step 2606 to process the distribution, else the facility continues in step 2601 to receive the next email. In step 2606, the facility alerts the user to the route of the distribution. In step 2606, the facility may display a visual alert, output an audible word, or both. In step 2607, the facility receives user input to display information about the current distribution. In step 2608, if the distribution is activatable, then the facility continues in step 2609, else the facility continues in step 2610. In step 2609, the facility displays information about the distribution with controls for activating and dismissing the distribution. After step 2609, the facility continues in step 2611. In step 2610, the facility displays information about the distribution with the control for dismissing the distribution. After step 2610, the facility continues in step 2611. In step 2611, if an activation control is selected, the facility continues in step 2612 to activate the distribution, else the dismiss control is selected and the facility continues in step 2601 to receive the next email. In some embodiments, certain sensitive types of distribution contents are not enclosed directly in emailed distributions, but rather are enclosed by reference. In particular, the emailed distribution contains a secure http link to a secure http server from which the sensitive contents may be retrieved. In such cases, the facility in step 2612 dereferences the secure http reference in order to retrieve the sensitive contents via a secure http from the secure http server. After step 2612, the facility continues in step 2601 to receive the next emailed distribution.
  • While this invention has been shown and described with reference to preferred embodiments, it will be understood by those skilled in the art that various changes or modifications in form and detail may be made without departing from the scope of the invention. For example, the facility may be implemented across arrangements of computer systems different than those discussed, and may use other types of encryption and certification than those discussed. Also, the facility could be used to distribute other types of related information.

Claims (48)

1. A method in a computer system for distributing network security information, comprising:
attaching to the network security information a signature that both reliably identifies the origin of the network security information and characterizes the contents of the network security information, the attached signature enabling recipients of the network security information to identify the origin of the network security information and determine whether the network security information has been altered since the signature was attached;
receiving a query identifying characteristics of potential network security information recipients that should receive the network security information;
from among the multiplicity of potential recipients, selecting a plurality of recipients for the network security information by performing the query against a recipient profiling data store containing information relating to characteristics of each of a multiplicity of potential network security information recipients; and
transmitting the signed network security information to each of the plurality of selected recipients.
2. The method of claim 1 wherein the network security information is transmitted to a recipient computer system, further comprising, in the recipient computer system:
receiving the signed network security information;
using the signature to identify the origin of the network security information;
using the signature to determine whether the network security information has been altered since the signature was attached; and
only if the origin of the network security information is an acceptable origin and it is determined that the network security information has not been altered since the signature was attached, utilizing the network security information.
3. The method of claim 2 wherein the network security information is utilized by displaying the network security information.
4. The method of claim 2 wherein the network security information contains a computer program, and wherein the network security information is utilized by executing the computer program contained by the network security information.
5. The method of claim 2 wherein the network security information contains data, and wherein the network security information is utilized by storing the data contained by the network security information in a local data structure.
6. The method of claim 2, further comprising, when the network security information is received, displaying an indication that the network security information has been received.
7. A computer-readable medium whose contents cause a computer system to distribute network security information by:
attaching to the network security information a signature that both reliably identifies the origin of the network security information and characterizes the contents of the network security information, the attached signature enabling recipients of the network security information to identify the origin of the network security information and determine whether the network security information has been altered since the signature was attached;
receiving a query identifying characteristics of potential network security information recipients that should receive the network security information;
from among the multiplicity of potential recipients, selecting a plurality of recipients for the network security information by performing the query against a recipient profiling data store containing information relating to characteristics of each of a multiplicity of potential network security information recipients; and p1 transmitting the signed network security information to each of the plurality of selected recipients.
8. A method in one or more computer systems for distributing network security information, comprising:
receiving network security information;
receiving recipient selection information specifying a characteristic of prospective recipients to be used in selecting recipients for the received network security information;
comparing the received recipient selection information to each of a plurality of prospective recipient profiles, each prospective recipient profile corresponding to one or more prospective recipients and indicating one or more characteristics of the prospective recipients relating to the receipt of network security information;
based upon the comparison, selecting at least a portion of the plurality of prospective recipients as recipients of the network security information; and
addressing the received network security information to each of the selected recipients.
9. The method of claim 8, further comprising delivering the network security information to one of the selected recipients to which it is addressed.
10. The method of claim 9 wherein the delivery is performed directly in response to addressing the network security information to the selected recipient.
11. The method of claim 9 wherein the delivery is performed directly in response to an inquiry from the selected recipient occurring at a time after the network security information is addressed to the selected recipient.
12. The method of claim 11 wherein the inquiry from the selected recipient includes information reliably identifying the selected recipient, and wherein the delivery is only performed if the selected recipient is determined to be among the selected recipients.
13. The method of claim 11 wherein the inquiry is one of a plurality of inquiries issued by the selected recipient at regular intervals.
14. The method of claim 9, further comprising, before the delivery of the network security information, attaching to the network security information a reliable indication of the origin of the network security information.
15. The method of claim 9, further comprising, before the delivery of the network security information, encrypting the network security information.
16. The method of claim 8 wherein the network security information and recipient selection information are received from one or more specialists engaged in analyzing network security threats.
17. The method of claim 8 wherein the network security information is addressed for delivery to a management computer system associated with each selected recipient.
18. The method of claim 8 wherein the network security information is addressed for delivery to a network security device associated with each selected recipient.
19. The method of claim 8 wherein the network security information contains a reference to related network security information on a secure web server.
20. The method of claim 8 wherein the network security information is a notification of a new network security issue.
21. The method of claim 8 wherein the network security information is usable by at least one of the selected recipients to modify the behavior of a network security device associated with the selected recipient.
22. The method of claim 21 wherein the network security information specifies the modification of software executing on the network security device associated with each selected recipient to provide network security services.
23. The method of claim 21 wherein the network security information specifies the modification of data used by the network security device associated with each selected recipient to provide network security services.
24. The method of claim 8 wherein the network security information is usable by at least one of the selected recipients to modify the behavior of a network security device associated with the selected recipient to better protect the selected recipients against a newly identified network security threat.
25-27. (canceled)
28. The method of claim 8, further comprising, in a recipient computer system:
receiving the network security information; and
directly in response to receiving the network security information, notifying a user of the recipient computer system of the receipt of the network security information.
29. The method of claim 28 wherein the user is notified by displaying a visual indication that network security information has been received.
30. The method of claim 28 wherein the user is notified by outputting an audible indication that network security information has been received.
31. A computer-readable medium whose contents cause one or more computer systems to distribute network security information by:
receiving network security information;
receiving recipient selection information specifying a characteristic of prospective recipients to be used in selecting recipients for the received network security information;
comparing the received recipient selection information to each of a plurality of prospective recipient profiles, each prospective recipient profile corresponding to one or more prospective recipients and indicating one or more characteristics of the prospective recipients relating to the receipt of network security information;
based upon the comparison, selecting at least a portion of the plurality of prospective recipients as recipients of the network security information; and
addressing the received network security information to each of the selected recipients.
32. The computer-readable medium of claim 31 wherein the contents of the computer-readable medium further cause the computer systems to deliver the network security information to one of the selected recipients to which it is addressed.
33. The computer-readable medium of claim 32 wherein the delivery is performed directly in response to addressing the network security information to the selected recipient.
34. The computer-readable medium of claim 32 wherein the delivery is performed directly in response to an inquiry from the selected recipient occurring at a time after the network security information is addressed to the selected recipient.
35. The computer-readable medium of claim 34 wherein the inquiry from the selected recipient includes information reliably identifying the selected recipient, and wherein the delivery is only performed if the selected recipient is determined to be among the selected recipients.
36. The computer-readable medium of claim 32 wherein the contents of the computer-readable medium further cause the computer systems to, before the delivery of the network security information, attach to the network security information a reliable indication of the origin of the network security information.
37. The computer-readable medium of claim 32 wherein the contents of the computer-readable medium further cause the computer systems to, before the delivery of the network security information, encrypt the network security information.
38. The computer-readable medium of claim 31 wherein the network security information contains a reference to related network security information on a secure web server.
39. The computer-readable medium of claim 31 wherein the network security information is a notification of a new network security issue.
40. The computer-readable medium of claim 31 wherein the network security information is usable by at least one of the selected recipients to modify the behavior of a network security device associated with the selected recipient.
41. The computer-readable medium of claim 40 wherein the network security information specifies the modification of software executing on the network security device associated with each selected recipient to provide network security services.
42. The computer-readable medium of claim 40 wherein the network security information specifies the modification of data used by the network security device associated with each selected recipient to provide network security services.
43. The computer-readable medium of claim 31 wherein the network security information is usable by at least one of the selected recipients to modify the behavior of a network security device associated with the selected recipient to better protect the selected recipients against a newly identified network security threat.
44. An apparatus for distributing network security information, comprising:
a receiver component adapted to receive network security information and recipient selection information specifying a characteristic of prospective recipients to be used in selecting recipients for the received network security information;
a recipient selection component adapted to compare the recipient selection information received by the receiver component to each of a plurality of prospective recipient profiles, each prospective recipient profile corresponding to one or more prospective recipients and indicating one or more characteristics of the prospective recipients relating to the receipt of network security information, and, based upon the comparison, select at least a portion of the plurality of prospective recipients as recipients of the network security information received by the receiver component; and
an addressing component adapted to address the received network security information to each of the recipients selected by the recipient selection component.
45. A method in a computer system for receiving network security information, comprising:
periodically transmitting a request to a network security information provider computer system for new network security information, the request containing a reliable identification of the computer system;
receiving from a network security information provider computer system a response to a transmitted request, the response containing network security information, the response further having a signature that both reliably identifies the source of the network security information and characterizes the contents of the network security information when the network security information left the source of the network security information;
using the signature to determine whether the source of the network security information is a trusted source;
using the signature to determine whether the network security information has been altered since the network security information left the source of the network security information; and
only if it is determined both (1) that the source of the network security information is a trusted source and (2) that the network security information has not been altered since the network security information left the source of the network security information, using the network security information in the computer system.
46. A computer-readable medium whose contents cause a computer system to receive network security information by:
periodically transmitting a request to a network security information provider computer system for new network security information, the request containing a reliable identification of the computer system;
receiving from a network security information provider computer system a response to a transmitted request, the response containing network security information, the response further having a signature that both reliably identifies the source of the network security information and characterizes the contents of the network security information when the network security information left the source of the network security information;
using the signature to determine whether the source of the network security information is a trusted source;
using the signature to determine whether the network security information has been altered since the network security information left the source of the network security information; and
only if it is determined both (1) that the source of the network security information is a trusted source and (2that the network security information has not been altered since the network security information left the source of the network security information, using the network security information in the computer system.
47. A computer system for receiving network security information, comprising:
a request transmitter adapted to periodically transmit a request to a network security information provider computer system for new network security information, the request containing a reliable identification of the computer system;
a receiver adapted to receive from a network security information provider computer system a response to a request transmitted by the request transmitter, the response containing network security information, the response further having a signature that both reliably identifies the source of the network security information and characterizes the contents of the network security information when the network security information left the source of the network security information;
an analyzer adapted to use the signature contained in the response received by the receiver to determine both (1) whether the source of the network security information is a trusted source and (2) whether the network security information has been altered since the network security information left the source of the network security information; and
a network security subsystem adapted to use the network security information in the computer system only if it is determined by the analyzer both (1) that the source of the network security information is a trusted source and (2) that the network security information has not been altered since the network security information left the source of the network security information.
48. A computer memory containing a network security information addressing data structure, comprising:
for each of a plurality of addressee candidates,
a unique identification of the addressee candidate; and
information about the addressee candidate relating to criteria for distributing network security information,
such that, for an instance of network security information specifying distribution criteria, the information about the addressee candidates relating to criteria for distributing network security information contained by the data structure may be used to identify addressee candidates having the distribution criteria specified for the instance of network security information, and such that the unique identifications of the addressee candidates contained by the data structure may be used to indicate the identification of each of the identified addressee candidates.
49. A computer memory containing a network security information data structure, comprising:
network security information usable to automatically modify the behavior of a network security device, the network security information having a source; and
a signature reliably indicating both the source of the network security information and the contents of the network security information when the network security information left the source,
such that the signature contained by the data structure may be used to determine whether to use the network security information contained by the data structure to automatically modify the behavior of a network security device.
50. A generated data signal conveying a network security information data structure, comprising:
network security information usable to modify the behavior of a network security device, the network security information having a source; and
a signature reliably indicating both the source of the network security information and the contents of the network security information when the network security information left the source,
such that the signature contained by the data structure may be used to determine whether to use the network security information contained by the data structure to modify the behavior of a network security device.
US10/876,257 1999-07-06 2004-06-23 Secure and differentiated delivery of network security information Abandoned US20050132199A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/876,257 US20050132199A1 (en) 1999-07-06 2004-06-23 Secure and differentiated delivery of network security information

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/347,387 US6834350B1 (en) 1999-07-06 1999-07-06 Secure and differentiated delivery of network security information
US10/876,257 US20050132199A1 (en) 1999-07-06 2004-06-23 Secure and differentiated delivery of network security information

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US09/347,387 Continuation US6834350B1 (en) 1999-07-06 1999-07-06 Secure and differentiated delivery of network security information

Publications (1)

Publication Number Publication Date
US20050132199A1 true US20050132199A1 (en) 2005-06-16

Family

ID=33510252

Family Applications (2)

Application Number Title Priority Date Filing Date
US09/347,387 Expired - Lifetime US6834350B1 (en) 1999-07-06 1999-07-06 Secure and differentiated delivery of network security information
US10/876,257 Abandoned US20050132199A1 (en) 1999-07-06 2004-06-23 Secure and differentiated delivery of network security information

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US09/347,387 Expired - Lifetime US6834350B1 (en) 1999-07-06 1999-07-06 Secure and differentiated delivery of network security information

Country Status (1)

Country Link
US (2) US6834350B1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060075504A1 (en) * 2004-09-22 2006-04-06 Bing Liu Threat protection network
US20100332593A1 (en) * 2009-06-29 2010-12-30 Igor Barash Systems and methods for operating an anti-malware network on a cloud computing platform

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7315801B1 (en) * 2000-01-14 2008-01-01 Secure Computing Corporation Network security modeling system and method
GB2366640B (en) * 2000-03-30 2004-12-29 Ibm Distribution of activation information
US6968458B1 (en) * 2000-04-28 2005-11-22 Ian Ruddle Apparatus and method for providing secure communication on a network
US20020095572A1 (en) * 2001-01-12 2002-07-18 Frank Mitchell R. System and method for providing security profile information to a user of a computer system
US20050204032A1 (en) * 2003-07-17 2005-09-15 Attaullah Mirza-Baig Remote device management of software only solution
US8090698B2 (en) 2004-05-07 2012-01-03 Ebay Inc. Method and system to facilitate a search of an information resource
CN100364280C (en) * 2005-12-15 2008-01-23 杭州华三通信技术有限公司 Method for sending safety strategy
US8977746B2 (en) * 2013-03-20 2015-03-10 Watchguard Technologies, Inc. Systems and methods for scalable network monitoring

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5511122A (en) * 1994-06-03 1996-04-23 The United States Of America As Represented By The Secretary Of The Navy Intermediate network authentication
US5680461A (en) * 1995-10-26 1997-10-21 Sun Microsystems, Inc. Secure network protocol system and method
US5944794A (en) * 1994-09-30 1999-08-31 Kabushiki Kaisha Toshiba User identification data management scheme for networking computer systems using wide area network
US5991877A (en) * 1997-04-03 1999-11-23 Lockheed Martin Corporation Object-oriented trusted application framework
US6073242A (en) * 1998-03-19 2000-06-06 Agorics, Inc. Electronic authority server
US6415385B1 (en) * 1998-07-29 2002-07-02 Unisys Corporation Digital signaturing method and system for packaging specialized native files for open network transport and for burning onto CD-ROM
US6480963B1 (en) * 1998-06-17 2002-11-12 Fujitsu Limited Network system for transporting security-protected data

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5511122A (en) * 1994-06-03 1996-04-23 The United States Of America As Represented By The Secretary Of The Navy Intermediate network authentication
US5944794A (en) * 1994-09-30 1999-08-31 Kabushiki Kaisha Toshiba User identification data management scheme for networking computer systems using wide area network
US5680461A (en) * 1995-10-26 1997-10-21 Sun Microsystems, Inc. Secure network protocol system and method
US5991877A (en) * 1997-04-03 1999-11-23 Lockheed Martin Corporation Object-oriented trusted application framework
US6073242A (en) * 1998-03-19 2000-06-06 Agorics, Inc. Electronic authority server
US6480963B1 (en) * 1998-06-17 2002-11-12 Fujitsu Limited Network system for transporting security-protected data
US6415385B1 (en) * 1998-07-29 2002-07-02 Unisys Corporation Digital signaturing method and system for packaging specialized native files for open network transport and for burning onto CD-ROM

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060075504A1 (en) * 2004-09-22 2006-04-06 Bing Liu Threat protection network
US7836506B2 (en) 2004-09-22 2010-11-16 Cyberdefender Corporation Threat protection network
US20110078795A1 (en) * 2004-09-22 2011-03-31 Bing Liu Threat protection network
US20100332593A1 (en) * 2009-06-29 2010-12-30 Igor Barash Systems and methods for operating an anti-malware network on a cloud computing platform

Also Published As

Publication number Publication date
US6834350B1 (en) 2004-12-21

Similar Documents

Publication Publication Date Title
US8572734B2 (en) Geographical intrusion response prioritization mapping through authentication and flight data correlation
US7841007B2 (en) Method and apparatus for real-time security verification of on-line services
US7310736B2 (en) Method and system for sharing storage space on a computer
US7698445B2 (en) Client agents for obtaining attributes from unavailable clients
US8631493B2 (en) Geographical intrusion mapping system using telecommunication billing and inventory systems
US10142291B2 (en) System for providing DNS-based policies for devices
US20040003081A1 (en) System and method for providing program credentials
US20030188194A1 (en) Method and apparatus for real-time security verification of on-line services
CN109729080B (en) Access attack protection method and system based on block chain domain name system
US20030084280A1 (en) Secure file transfer and secure file transfer protocol
US20080215667A1 (en) Method and system for sharing storage space on a computer
US20130138960A1 (en) Systems and Methods for Secure Communication Using a Communication Encryption Bios based Upon a Message Specific Identifier
WO2004031898A2 (en) Vulnerability management and tracking system (vmts)
US20090006592A1 (en) Network evaluation grid techniques
US6834350B1 (en) Secure and differentiated delivery of network security information
WO2017084456A1 (en) Wifi hotspot processing method, device and system
US8589974B2 (en) Electronic advertising using distributed demographics
US20050021950A1 (en) Method and system for sharing storage space on a computer
US8522031B2 (en) Method and apparatus for establishing a trusted and secure relationship between two parties connected to a network
US8091130B1 (en) Geographical intrusion response prioritization mapping system
US10586034B2 (en) Network communication method and network communication system
WO2020251587A1 (en) Modifying data items
US20080004805A1 (en) Method and systems for locating source of computer-originated attack based on GPS equipped computing device
US20040117656A1 (en) Enterprise access configuration
US7404108B2 (en) Notification method and apparatus in a data processing system

Legal Events

Date Code Title Description
AS Assignment

Owner name: SILICON VALLEY BANK, CALIFORNIA

Free format text: SECURITY AGREEMENT;ASSIGNORS:WATCHGUARD TECHNOLOGIES, INC.;GLADIATOR CORPORATION;REEL/FRAME:023098/0771

Effective date: 20090730

Owner name: SILICON VALLEY BANK,CALIFORNIA

Free format text: SECURITY AGREEMENT;ASSIGNORS:WATCHGUARD TECHNOLOGIES, INC.;GLADIATOR CORPORATION;REEL/FRAME:023098/0771

Effective date: 20090730

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

AS Assignment

Owner name: GLADIATOR CORPORATION, WASHINGTON

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:SILICON VALLEY BANK;REEL/FRAME:028477/0268

Effective date: 20120628

Owner name: WATCHGUARD TECHNOLOGIES, INC., WASHINGTON

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:SILICON VALLEY BANK;REEL/FRAME:028477/0268

Effective date: 20120628