1. Technical Field
The present invention relates to security zone maintenance and, more particularly, to systems and methods for automatically discovering security zone information in enterprise networks.
2. Description of the Related Art
A security zone is a defined area encompassed by boundary firewalls. Each security zone belongs to a classification. A classification is associated with security requirements. Security requirements may include, e.g., permitted communications of hosts residing in a zone with a particular classification, requirements on secure storage, etc. The requirements for all classifications are typically defined in enterprise security policy, which varies from enterprise to enterprise.
A common classification consists of three network environments:
Intranet: The intranet is a trusted network environment for storing confidential data and for hosting systems and services internal to the enterprise.
Extranet: The extranet is a buffer zone between systems and services internal to the enterprise and those that are external to the enterprise.
Opennet: The opennet is an untrusted network environment (e.g., the Internet) that includes all systems external to the enterprise.
While most enterprises only have a handful of classifications, there may be a large number of security zones for each classification. The reason is that security zones are not created solely for security purposes. Organizational, geographical, and functional factors also drive the creation of security zones. Geographically distinct areas are usually placed in different security zones. Even within the same location, different organizational divisions may create and govern their own security zones. Within the same division, different business applications may be placed within their own zones. Further, the development version of a business application and the production version would be placed in separate zones. As a result, many enterprises have a sprawl of security zones.
Obtaining an inventory of security zones in an enterprise involves obtaining information about what security zones exist in the network, what their classification is, and which hosts belong to them. Such an inventory is needed in many situations. E.g., in server consolidation and virtualization activities, servers have to be migrated from a source environment to a target environment, and communication controls between servers belonging to different zones have to be reproduced in the target environment.
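The inventory described above (which zones exist, their classification, and which hosts belong to them) can be modeled as a small data structure that a migration or consolidation tool queries before reproducing communication controls. The following Python is an added illustration, not code from the patent or any product it describes; the three classifications are those named in the text, while the permitted classification pairs, zone names, and host names are constructed assumptions standing in for an enterprise's own policy and inventory.

```python
from dataclasses import dataclass, field

# The three classifications named in the text.
INTRANET, EXTRANET, OPENNET = "intranet", "extranet", "opennet"
CLASSIFICATIONS = {INTRANET, EXTRANET, OPENNET}

# Constructed example policy (assumption, not an enterprise's actual policy):
# the extranet mediates between intranet and opennet, and opennet hosts never
# reach the intranet directly. Pairs are ordered (source, destination).
PERMITTED_PAIRS = {
    (INTRANET, INTRANET), (INTRANET, EXTRANET),
    (EXTRANET, INTRANET), (EXTRANET, EXTRANET), (EXTRANET, OPENNET),
    (OPENNET, EXTRANET), (OPENNET, OPENNET),
}


@dataclass
class SecurityZone:
    name: str
    classification: str
    hosts: set = field(default_factory=set)


class ZoneInventory:
    """Maps zone name -> zone and host -> zone name; a host may belong to one zone only."""

    def __init__(self):
        self.zones = {}
        self.host_to_zone = {}

    def add_zone(self, zone):
        if zone.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification {zone.classification!r}")
        if zone.name in self.zones:
            raise ValueError(f"duplicate zone {zone.name!r}")
        for host in zone.hosts:
            if host in self.host_to_zone:
                raise ValueError(f"host {host!r} already belongs to {self.host_to_zone[host]!r}")
        self.zones[zone.name] = zone
        for host in zone.hosts:
            self.host_to_zone[host] = zone.name

    def zone_of(self, host):
        name = self.host_to_zone.get(host)
        return self.zones[name] if name is not None else None

    def classify_flow(self, src_host, dst_host):
        """Return 'unknown-host', 'intra-zone', 'inter-zone' or 'violation' for one flow."""
        src, dst = self.zone_of(src_host), self.zone_of(dst_host)
        if src is None or dst is None:
            return "unknown-host"   # fail closed: nothing can be decided without inventory data
        if src.name == dst.name:
            return "intra-zone"     # no boundary firewall is involved
        if (src.classification, dst.classification) in PERMITTED_PAIRS:
            return "inter-zone"     # crosses a boundary; a firewall rule must be reproduced
        return "violation"          # the policy does not permit this classification pair

    def migration_plan(self, flows):
        """Group observed (src, dst) flows by what the target environment must provide."""
        plan = {"intra-zone": [], "inter-zone": [], "violation": [], "unknown-host": []}
        for src, dst in flows:
            plan[self.classify_flow(src, dst)].append((src, dst))
        return plan


def build_sample_inventory():
    # Constructed sample zones and hosts (assumption), including a development
    # and a production zone of the same application as the text describes.
    inv = ZoneInventory()
    inv.add_zone(SecurityZone("hr-prod", INTRANET, {"hr-db-01", "hr-app-01"}))
    inv.add_zone(SecurityZone("hr-dev", INTRANET, {"hr-dev-01"}))
    inv.add_zone(SecurityZone("dmz-web", EXTRANET, {"web-01"}))
    inv.add_zone(SecurityZone("internet", OPENNET, {"203.0.113.7"}))
    return inv


if __name__ == "__main__":
    inventory = build_sample_inventory()
    observed = [("hr-app-01", "hr-db-01"), ("hr-dev-01", "hr-db-01"),
                ("203.0.113.7", "web-01"), ("203.0.113.7", "hr-db-01"), ("ghost", "web-01")]
    for category, flow_list in inventory.migration_plan(observed).items():
        print(f"{category:13s} {flow_list}")
```

The `unknown-host` category is the practical reason the text calls for an automated, up-to-date inventory: a flow whose endpoints cannot be placed in any zone can be neither approved nor reproduced, so the tool reports it rather than guessing a classification.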
When migrating a storage system from a development zone to a production zone, information about security zones is needed to estimate costs involving firewall reconfiguration. Storage systems in the same security zone classification can be consolidated without extra effort in security configuration. The network infrastructure of an enterprise may need to be rearranged to optimize performance or reduce maintenance costs. During this process, an inventory of security zones is needed to avoid disruption of security compliance of the whole system. Information about security zones is also needed to analyze the end-to-end data flow across the enterprise network, to determine whether the right controls and filters are in place, and for compliance and audit purposes.
An inventory is simply absent in many enterprises, let alone an up-to-date one. Typically, when there is a need for such information, it is obtained by contacting the network administrators who are in charge of maintaining individual zones and network devices. This way of collecting information is very unreliable, and the obtained information is often outdated. It is not uncommon that for some zones no one has this information (e.g., the original administrator may have moved on to a different role or to a different company). Hence, there is a clear need to obtain up-to-date security zone information in an automated way.