Field
Embodiments of the present invention generally relate to the field of network security. More particularly, embodiments of the present invention relate to systems and methods for facilitating accurate implementation of device-oriented policy actions by a layer 3 network device by relaying information contained in Dynamic Host Configuration Protocol (DHCP) leases to the layer 3 network device.
Description of the Related Art
Conventional communication systems connect thousands of personal computers (PCs) and other network devices adapted to communicate using the open system interconnection (OSI) model. Often, a smaller number of computers are linked to form a local area network (LAN) or a wide area network (WAN). LANs, WANs, and other networks are generally referred to as sub-networks. One larger communication network is the Internet, which interconnects millions of computers, LANs, WANs and other sub-networks.
In a computer network, devices such as firewalls, switches and routers operating at layer 3 of the OSI model play an essential role in filtering/routing data packets to the right hosts/destination devices. For example, a firewall protects computing devices residing behind the firewall from suspicious network activities and analyzes/controls traffic flows when the computing devices that are protected by the firewall attempt to communicate with devices external to the protected network. Typically, one or more firewalls are placed at the gateway of a local area network (LAN), through which all traffic originating external to the protected network must flow before reaching the internal computing devices. Firewalls are placed to protect individual computing devices, servers, data centers, etc., of a private network or LAN from malicious content and/or network attacks when these protected devices within the private network connect to the Internet. A router, another example of a layer-3 device, is also typically placed between networks. Routers serve as intermediate destinations for network traffic. They receive and evaluate incoming packets to identify the source and destination addresses and then forward the packets onto an appropriate interface based on their routing tables to ensure the packets reach their intended destination.
Conventional layer-3 devices analyze, filter and/or route data traffic based on predefined policy rules, which are largely based on layer-3 information (e.g., Internet Protocol (IP) addresses of the source and/or destination devices). Such IP addresses are read by the layer-3 devices from received data packets without affecting the integrity of the packets, and based on them one or more policy rules may be applied to block/allow and/or route the data packets toward the destination IP address. Most such decisions are therefore made by the devices based on layer-3 information that they can retrieve from the data packets. However, IP address based decisions may not always work for persistent controls intended to be applied to a specific endpoint, as the IP address assigned to a particular endpoint may change over time as a result of normal DHCP operation.
In a private network or LAN, a DHCP server automatically and dynamically assigns IP addresses to computing devices and maintains a database of the IP addresses assigned to different computing devices. Every computing device has its own physical address, called the Media Access Control (MAC) address, that is assigned to the computing device at the time of manufacturing in order to uniquely identify it. The DHCP server maintains a database of IP addresses and the corresponding MAC addresses of the computing devices to which it has dynamically assigned IP addresses. At different times, a given IP address may be assigned to different computing devices using the DHCP protocol, and therefore it is not possible to permanently refer to and uniquely identify a specific computing device based on its currently assigned IP address.
Existing network devices have limited layer-2 visibility into the host devices that they protect and filter content for, especially in larger, routed environments. This results in an inability of the network devices to adequately implement persistent controls on behalf of a specific endpoint protected by the devices. Controls that benefit from layer-2 visibility include network access control (NAC), quarantining of hosts violating policies, and operating system and device type visibility in logging and reporting tools.
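As an added illustration (not part of the original application), the following Python resolves the MAC address behind an observed source IP from DHCP lease records and applies a MAC-keyed quarantine policy, showing how a control keyed on IP alone breaks when an address is reused while a MAC-keyed control follows the endpoint. The lease text, the MAC-to-action table and the parse_time/mac_for/policy_action helpers are constructed for this example; the lease syntax mimics an ISC dhcpd.leases file.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample in ISC dhcpd.leases syntax (not a real capture). 10.0.0.20 is
# reused: first by endpoint ...01, later by ...02, while ...01 moves to 10.0.0.21.
LEASES_TEXT = """
lease 10.0.0.20 { starts 1 2024/01/01 08:00:00; ends 1 2024/01/01 10:00:00; hardware ethernet aa:bb:cc:dd:ee:01; }
lease 10.0.0.20 { starts 1 2024/01/01 12:00:00; ends 1 2024/01/01 14:00:00; hardware ethernet aa:bb:cc:dd:ee:02; }
lease 10.0.0.21 { starts 1 2024/01/01 12:00:00; ends 1 2024/01/01 14:00:00; hardware ethernet aa:bb:cc:dd:ee:01; }
"""

Lease = namedtuple("Lease", "ip mac starts ends")
LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)

def parse_time(s):
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S")

def _field(body, pattern):
    m = re.search(pattern, body)
    return m.group(1) if m else None

def parse_leases(text):
    """Extract (ip, mac, validity window) from each lease block; skip incomplete ones."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac = _field(body, r"hardware ethernet\s+([0-9a-fA-F:]{17});")
        starts = _field(body, r"starts\s+\d\s+([\d/]+ [\d:]+);")
        ends = _field(body, r"ends\s+\d\s+([\d/]+ [\d:]+);")
        if mac and starts and ends:
            leases.append(Lease(m.group("ip"), mac.lower(), parse_time(starts), parse_time(ends)))
    return leases

def mac_for(leases, ip, at):
    """MAC that held `ip` at time `at`, or None when no lease covers that instant."""
    for lease in leases:
        if lease.ip == ip and lease.starts <= at < lease.ends:
            return lease.mac
    return None

# Hypothetical endpoint policy keyed by MAC rather than IP (constructed table).
MAC_POLICY = {"aa:bb:cc:dd:ee:01": "quarantine"}

def policy_action(leases, ip, at):
    """Action for a packet from `ip` observed at `at`; IPs with no lease are dropped."""
    mac = mac_for(leases, ip, at)
    return "drop" if mac is None else MAC_POLICY.get(mac, "allow")
```

Evaluated at 09:00 and again at 13:00, packets from 10.0.0.20 map to different endpoints and get different actions, while the quarantined endpoint is still caught at its new address 10.0.0.21.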
There is therefore a need for methods and systems that enable a layer-3 network device to have increased layer-2 visibility.