The notion of a “directory” in computer science can be conceptualized as a mapping between names and values, where the values can be looked up by name. In some situations, a directory can associate a particular name with multiple different values (i.e., pieces of information). These values may comprise many different types of data as is appropriate for a particular directory. Some examples of directories include a telephone directory in which a person's name is associated with values indicative of one or more telephone numbers, and a Domain Name System (“DNS”) in which domain names are stored in association with IP addresses.
The computer science concept of directory services is also well-known. Pursuant to such directory services, a computer software system is provided that stores, organizes, and provides access to information in a computer operating system's directory. In known computer systems, directory services provide access to a database linking names with values indicative of computer operating system resources. Thus, a directory service in a DNS context is software that manages the database of relationships between domain names and IP addresses, and enables other resources to search for IP addresses associated with a particular domain name.
One particular, well-known directory service is known as Active Directory (“AD”). AD was developed by Microsoft® for use in its Windows® environment, and was included with Microsoft's Windows Server® operating system for use by developers of applications running in that environment. AD performs many tasks in this environment, including assigning and enforcing security policies for all computers and installing or updating software on Windows Server® computers. For example, when a user logs in to a computer in a Windows® domain, the AD service is responsible for checking the user's password and determining the user's level of access (e.g., whether the user is an administrator).
AD is a combination of a database of directories and a set of executable code for servicing requests. Objects in the database correspond to either resources such as printers or security principals such as user accounts. The database is organized into partitions holding specific object types. For example, a “Domain” partition holds all objects associated with a particular domain. The use of AD to provide for certain security principals is thus known in the art.
Kerberos is a well-known computer network authentication protocol. It operates on the concept of “tickets,” whereby tickets are provided to nodes in a computer network to enable them to prove their identity to one another securely. One of the key concepts of the Kerberos protocol is the use of a “ticket-granting ticket” or TGT. TGTs are time stamped at a server node, contain the user's password, and are encrypted and provided to the workstation for storage. TGTs are provided relatively infrequently and may, for example, be renewed only when a user logs in again. TGTs are used to facilitate communications between a client and a node in the network. At a high level, when a client wishes to access a node on the network, its TGT is sent to a ticket-granting service (TGS), which is a device remote from the client. The TGS verifies that the TGT is valid and that the user is permitted to access the requested service. If authorized, the TGS sends a ticket for service at the requested node, and the client can use the node as requested.
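The TGT/TGS exchange described above, worked through as an added Go example that is not part of this disclosure: a KDC issues a time-stamped TGT sealed under the ticket-granting service's key, the TGS opens it, checks that it is valid and that the principal is permitted to use the requested service, and only then issues a service ticket sealed under the target node's own key, which that node alone can open. The model is simplified: the ticket body carries the principal, the target service and timestamps (the password field the text describes is not modelled, and the login-time password check is assumed to have already happened), tickets are encrypted with AES-256-GCM from the Go standard library, and the names (alice, fileserver, payroll) and the authorization table are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Ticket is the plaintext sealed inside a TGT or service ticket; Service "krbtgt" marks a TGT.
type Ticket struct {
	Principal string `json:"principal"`
	Service   string `json:"service"`
	IssuedAt  int64  `json:"issued_at"` // timestamp set by the issuing node
	ExpiresAt int64  `json:"expires_at"`
}

// KDC models the ticket-granting service: AES-GCM ciphers for its own long-term key and
// for each service it vouches for, plus an authorization table (constructed sample data).
type KDC struct {
	tgs      cipher.AEAD
	services map[string]cipher.AEAD
	allowed  map[string]map[string]bool // principal -> service -> permitted
}

// newKey generates a fresh 256-bit key and wraps it in AES-GCM; crypto/rand.Read is
// documented never to fail, and neither constructor can fail for a 32-byte AES key.
func newKey() cipher.AEAD {
	key := make([]byte, 32)
	rand.Read(key)
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// NewKDC builds a KDC with constructed keys and policy: alice may use fileserver; nobody may use payroll.
func NewKDC() *KDC {
	return &KDC{
		tgs:      newKey(),
		services: map[string]cipher.AEAD{"fileserver": newKey(), "payroll": newKey()},
		allowed:  map[string]map[string]bool{"alice": {"fileserver": true}},
	}
}

// seal encrypts and authenticates a ticket under g; the random nonce is prepended.
func seal(g cipher.AEAD, t Ticket) []byte {
	plain, _ := json.Marshal(t) // Ticket has only marshalable fields
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plain, nil)
}

// open verifies the GCM tag, decrypts, and checks that the ticket names the expected
// service and is unexpired; a wrong key or any tampering fails at the tag check.
func open(g cipher.AEAD, blob []byte, service string, now time.Time) (t Ticket, err error) {
	n := g.NonceSize()
	if len(blob) < n {
		return t, errors.New("ticket too short")
	}
	plain, err := g.Open(nil, blob[:n], blob[n:], nil)
	switch {
	case err != nil:
		return t, fmt.Errorf("ticket rejected: %w", err)
	case json.Unmarshal(plain, &t) != nil || t.Service != service:
		return Ticket{}, fmt.Errorf("ticket is malformed or not for %q", service)
	case now.Unix() >= t.ExpiresAt:
		return Ticket{}, errors.New("ticket has expired")
	}
	return t, nil
}

// IssueTGT is the login step: once the KDC has authenticated the user (password check not
// modelled) it returns a time-stamped TGT only the TGS key can open; the client stores it opaquely.
func (k *KDC) IssueTGT(principal string, now time.Time, lifetime time.Duration) []byte {
	return seal(k.tgs, Ticket{principal, "krbtgt", now.Unix(), now.Add(lifetime).Unix()})
}

// RequestServiceTicket is the TGS step: validate the TGT, check that the principal may use
// the service, then issue a one-hour ticket sealed under that service's key.
func (k *KDC) RequestServiceTicket(tgt []byte, service string, now time.Time) ([]byte, error) {
	t, err := open(k.tgs, tgt, "krbtgt", now)
	if err != nil {
		return nil, fmt.Errorf("TGT rejected, the user must log in again: %w", err)
	}
	svc, known := k.services[service]
	if !known || !k.allowed[t.Principal][service] {
		return nil, fmt.Errorf("%q is not authorized for service %q", t.Principal, service)
	}
	return seal(svc, Ticket{t.Principal, service, now.Unix(), now.Add(time.Hour).Unix()}), nil
}

// AcceptServiceTicket runs on the target node, which holds only its own key; it returns the
// authenticated principal, or "" and the reason the ticket was refused.
func AcceptServiceTicket(svc cipher.AEAD, ticket []byte, service string, now time.Time) (string, error) {
	t, err := open(svc, ticket, service, now)
	return t.Principal, err
}
```

The call sequence is `NewKDC`, then `IssueTGT` at login, `RequestServiceTicket` each time the client wants a new node, and `AcceptServiceTicket` on that node. Every check the text attributes to the TGS (tag verification, ticket type, expiry, authorization) runs before any ticket is issued, and because each ticket is sealed under a different long-term key, a service ticket presented back to the TGS, or to a different service, fails at the tag check rather than at a policy lookup.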
Despite the existence of these known services and protocols, a pressing need exists in the industry to provide security against unwanted or malicious access to computer resources on a network. The Kerberos protocol is helpful, but insufficient, for detecting and preventing unwanted access to network resources. Prior attempts to remedy these deficiencies have involved placing firewalls either in-line with computer network elements (i.e., all network traffic passes through the firewall) or in a “sniffer” arrangement with them (i.e., network traffic does not pass through the firewall, but certain traffic is analyzed passively). However, these efforts are also insufficient, as they do not contain appropriate logic for determining when traffic is malicious or unwanted and reacting accordingly.
What is needed is a firewall solution that can operate in-line or in a sniffer arrangement that is capable of detecting malicious or unwanted network traffic with more reliability, and taking appropriate remedial action based on that traffic. The instant disclosure provides such a firewall solution and is referred to as an “Identity Centric Firewall” or “ICF”.