1. Field of the Invention
The present invention relates generally to systems and methods for providing host and network security and, more particularly, to systems and methods for implementing a bubble policy to achieve host and network security.
2. Description of the Related Art
Company networks are vulnerable to numerous network attacks. Network firewalls or similar approaches are typically utilized by companies to mitigate the risk of such attacks. Several types of devices have been developed that perform network firewall functions. One commonly known device is a router, which is a device that determines the next network point to which a packet of information is to be delivered. Before the packet is forwarded to another device, the router may use an access list that provides conditions or rules to determine whether the packet has access to the particular destination. For most network firewalls, the rules typically consist of test criteria and an action. The network firewall determines whether the test criteria match and then the corresponding action is performed, whether it is a permit or a deny. In addition, these devices may provide functions such as user authentication. Also, application proxies, e.g., SOCKS and caching web proxies, allow specific applications to be executed for network security and might also employ user authentication.
Constructing an access list is a complex task. There are specific access control rules that are associated with an address range and other protocol fields and session states. It is also common for the rules to follow an order of precedence. A common order of precedence is that the action performed will be the one specified by the first rule that matches the packet. Therefore, the ordering of access list rules must be performed carefully.
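The following is an added illustration (not part of the patent text) of the first-match precedence just described: a small access list evaluator plus a check for rules that can never fire because an earlier rule already covers them. The rule fields and the sample rules are constructed for this example.

```python
"""First-match access list evaluation with shadowed-rule detection (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source prefix in CIDR notation
    dst: str              # destination prefix in CIDR notation
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None means any port

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(rules, src, dst, proto, dport, default="deny"):
    """The first rule that matches the packet decides; otherwise the default applies."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return default


def _covers(broad, narrow):
    """True if every packet matching `narrow` would already match `broad`."""
    return (ip_network(narrow.src).subnet_of(ip_network(broad.src))
            and ip_network(narrow.dst).subnet_of(ip_network(broad.dst))
            and broad.proto in ("any", narrow.proto)
            and broad.dport in (None, narrow.dport))


def shadowed(rules):
    """Indices of rules that can never take effect because an earlier rule covers them."""
    return [i for i, r in enumerate(rules)
            if any(_covers(rules[j], r) for j in range(i))]


# Constructed sample: the deny for 10.1.0.0/16 is placed AFTER a permit covering all of
# 10.0.0.0/8, so it is shadowed and the hosts it was meant to protect stay reachable.
RULES_WRONG = [
    Rule("permit", "0.0.0.0/0", "10.0.0.0/8", "tcp", 80),
    Rule("deny", "0.0.0.0/0", "10.1.0.0/16", "tcp", 80),
]
RULES_RIGHT = [RULES_WRONG[1], RULES_WRONG[0]]  # same rules, corrected order
```

Running `shadowed(RULES_WRONG)` reports the unreachable deny rule, which is the kind of ordering mistake the text warns about.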
Companies typically have a network security policy that describes the type of access that should be permitted through firewall devices. This policy is achieved through the application of a combination of the network firewall devices described above. One common network security model implemented by many companies is the concept of dividing the networks into three categories: internal, external, and De-Militarized Zone (DMZ). This type of network security policy is defined by the access permitted between these network categories. That is, the network firewall is made up of devices that provide the interconnections between these network categories. The network firewall is located at a network control point, which is located between the internal network and the external network, e.g., the public Internet, and at any direct links to other companies. End-user hosts and internal servers are part of the internal network. The public Internet and other company networks are part of the external network. Web servers, email servers and other application servers that require general connectivity with the external network are part of the DMZ.
A common network security policy may be that internal systems are permitted to create connections to the external networks, but connections from the external network to the internal network are not permitted, unless they are accompanied by user authentication. In addition, the DMZ hosts are permitted to have connectivity to the external networks and the internal networks independently, but are not permitted to have “pass-through” connectivity from the external networks to the internal networks. An exception to the common network security policy might be configured into the network firewall when, for example, a DMZ or external network may have a particular user or host that must be permitted access to a particular host in the internal network.
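As an added example (not from the patent), the common internal/external/DMZ policy of the two paragraphs above expressed as code, including the authentication requirement for external-to-internal connections, the "pass-through" prohibition, and an explicit exception for one host pair. Host names, zone assignments and the exception are constructed for illustration.

```python
"""Internal/external/DMZ zone policy with pass-through check (added example)."""
INTERNAL, DMZ, EXTERNAL = "internal", "dmz", "external"

# Constructed sample: every host belongs to exactly one network category.
ZONES = {
    "desktop1": INTERNAL, "fileserver": INTERNAL,
    "www": DMZ, "mail": DMZ,
    "partner-host": EXTERNAL, "attacker": EXTERNAL,
}

# Constructed exception: a particular external host permitted to one internal host.
EXCEPTIONS = {("partner-host", "fileserver")}


def zone_policy(src_zone, dst_zone, authenticated):
    """Base policy on zone pairs, following the common policy described above."""
    if src_zone == INTERNAL:
        return True              # internal systems may connect outward to anything
    if src_zone == DMZ:
        return True              # DMZ reaches internal and external independently
    # src_zone == EXTERNAL
    if dst_zone == INTERNAL:
        return authenticated     # external to internal only with user authentication
    return True                  # external to DMZ is permitted; external to external is not ours


def decide(src, dst, authenticated=False, origin=None):
    """Return "permit" or "deny" for a connection from host src to host dst.

    origin names the host whose session a DMZ host is relaying, if any. A DMZ host
    relaying an external origin into the internal network is the forbidden
    pass-through case and is denied before the base policy is consulted.
    """
    if (src, dst) in EXCEPTIONS:
        return "permit"
    s, d = ZONES[src], ZONES[dst]
    if s == DMZ and d == INTERNAL and origin is not None and ZONES[origin] == EXTERNAL:
        return "deny"
    return "permit" if zone_policy(s, d, authenticated) else "deny"
```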
Protecting information resources involves a complex array of technologies such as application security, host security, network security, physical security, data network transport path security, data confidentiality rating and user classification groups. In large companies, the effort to protect information resources is uncoordinated, resulting in many employees independently working on different security technologies. For example, there are two categories of hosts that are most aware of network security. First, a bastion host has one interface facing the external networks and one interface facing the internal networks. A bastion host does not require any network protection on the external interface, so it does not rely on the company network firewall. Second, a DMZ host, which resides in the DMZ, has a greater risk of attacks and therefore also does not rely on the company network firewall. For example, a DMZ host may have insufficient host security and may allow attacks on other hosts in the same network. These attacks may be allowed because the enterprise network firewall assumes that a stronger level of host security exists on all DMZ hosts.
Another drawback of trying to balance host security and network security is that it is an all-or-nothing approach. This is because hosts are either internal or external to the network. If the hosts are external to the network, the cost of providing external servers increases because host administration must be maintained. In addition, the security risks increase because the external hosts are often not well managed. If the hosts are internal to the network, the internal hosts assume that they are protected by the network firewall even though they are still susceptible to internal attacks. Some internal hosts, on the other hand, have rigorous administrative processes but are commonly restricted by the network firewall, despite having strong host security.
Configuring information security policies is also difficult using these systems. For example, if a security policy is changed, all the design and implementations that were made for the previous applications and hosts of the enterprise network are invalidated and must be reconfigured. Also, if a new company is acquired by the enterprise, significant security policy changes must be implemented before the new applications and hosts can be brought into the internal network.
The internal, external, and DMZ architecture has many additional drawbacks. For example, if the company network has multiple external connections to the public Internet that are in different geographic locations, wide-area asymmetric routing to the public Internet is likely. That is, inbound and outbound data for a given connection will not pass through the same firewall device and therefore firewall policies that rely on inspection of the protocol state will fail, because the protocol state will reside in two different firewall devices. In Internet Protocol (IP) networks, technologies such as Network Address Translation (NAT) may be used to work around this problem, but these technologies do not address the underlying issue and often introduce problems in large or complex networks. Currently, no technology is generally available for synchronizing the protocol state between firewall devices in separate geographic locations.
In addition, this architecture is limited to having only one internal network, which exposes the company to great risks if an unauthorized user gains access to the internal network. This architecture also does not allow the company the option of segmenting risk. Hence, a risk taken by one host in the internal network is a risk taken indirectly by all the other hosts in the internal network. This becomes apparent when considering the above exception to the common network security policy. The risk to all the internal hosts is greatly increased for every host in the external network that is permitted access to the internal network via the network firewall or DMZ.
This architecture is further limited due to its difficulty in maintaining a uniform firewall policy for firewall devices that are across geographic locations and company units. Each firewall device has a combination of a number of diverse and complex rules that reflect the overall security policy and the specific exception cases required at that specific network control point. Each of these network control points represents a risk to the entire company. If there is a simple misconfiguration on any firewall device, the entire internal network is exposed to an unintended security breach or unwanted behavior. As the number of network control points increases, the likelihood of security exposure increases dramatically.
These limitations described above for the various network security architectures apply to networks of any size, but become more severe when considering large or highly distributed networks. A Network Service Provider (NSP), Internet Service Provider (ISP), Application Service Provider (ASP), E-Service Provider (ESP), or a large enterprise may have over 100 network control points around the world where a network security policy must be administered. Using the network architectures described above, it is almost impossible to ensure that the policies are consistent and error-free at each of the network control points.
Another drawback for large enterprises or service providers with firewalls at the network control points is that the network security policy governing any given host must be configured consistently at all the O(n) firewalls, where n is the number of network control points for the enterprise. This creates a lot of redundant work and greatly increases the likelihood of error in configuration. Also, this can lead to a lack of direct accountability for the network security policy. To determine the network security policy for any given host, the network security policy must be examined at every network control point across the enterprise. The network security policy implemented at network control points that are topologically distant from the host has an equal role in determining the enterprise network security policy for that host.
Therefore, it should be appreciated that there is a need for systems and methods that overcome the above drawbacks and limitations. The present invention fulfills this need as well as others.