The present invention relates generally to information processing on a computer network and, more particularly, to methods and systems for detecting and enforcing compliance with restricted subnet access requirements in a corporate wide area network.
In computer network communications, geographic and other limitations result in a need to create smaller networks called subnets to facilitate communications between locations. In a network containing many Microsoft Windows computing platforms, Active Directory is a network-based object store and directory service that locates and manages resources, and makes resources available to authorized users and groups. Each object has certain attributes and its own security access control list (ACL). Active Directory catalogs file objects with their attributes in a hierarchical arrangement and utilizes name resolution services such as the Domain Name System (DNS). Active Directory has an important role in identifying security policies across the network.
The physical network structure of Active Directory is based on a unit known as a site. A site includes one or more Internet Protocol (IP) subnets. Many subnets can belong to a single site, but a single subnet cannot span multiple sites. A site can have multiple domains, and a domain can have a number of sites. Sites and domains do not need to maintain the same namespace. On Windows Server systems, a domain controller is the server that responds to security authentication requests within the Windows Server domain. A domain controller contains a copy of the Active Directory. All domain controllers are peers and maintain replicated versions of Active Directory for their domains.
A large enterprise will typically have a wide area network (WAN) with many thousands of workstations that are connected to various servers in the network. To protect data within departments, restrictions will need to be in place to secure and manage sometimes critical information. For example, in the electrical power industry, under certain Federal guidelines it is important to prevent certain parts of an electrical power company from communicating with other parts of the same company. This restricted access also includes being able to bring a computer up on certain segments of the network identified as subnets. Thus, there is a need for a system that provides the ability to discover and control subnet compliance breaches as mandated by new Federal Regulatory Commission (FERC) requirements for gas and electric utilities which prohibit communications between specific parts of the utilities. There is also a need for a system that can audit restricted subnet access.
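An added example, not part of this patent's disclosure: a Python audit that models the site-to-subnet mapping described above (rejecting any subnet assigned to more than one site) and flags recorded flows between sites that a restriction policy prohibits. The site names, subnets, policy and flow records are constructed for illustration.

```python
import ipaddress

# Constructed sample data: Active Directory sites and their IP subnets.
# A site may hold many subnets, but one subnet belongs to exactly one site.
SITE_SUBNETS = {
    "Corporate": ["10.1.0.0/16"],
    "Generation": ["10.20.0.0/24", "10.20.1.0/24"],
    "Transmission": ["10.30.0.0/24"],
}
# Constructed policy: unordered pairs of sites that must not communicate.
RESTRICTED_PAIRS = {frozenset({"Generation", "Transmission"})}

def build_subnet_map(site_subnets):
    """Return {network: site}, rejecting any subnet assigned to two sites."""
    subnet_map = {}
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if subnet_map.get(net, site) != site:
                raise ValueError(f"subnet {net} spans sites {subnet_map[net]} and {site}")
            subnet_map[net] = site
    return subnet_map

def site_of(ip, subnet_map):
    """Longest-prefix lookup of the site holding an address (None if unmapped)."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in subnet_map if addr in net]
    return subnet_map[max(matches, key=lambda n: n.prefixlen)] if matches else None

def audit_flows(flows, site_subnets, restricted_pairs):
    """Return (src, dst, sites) for flows between sites prohibited from communicating."""
    subnet_map = build_subnet_map(site_subnets)
    violations = []
    for src, dst in flows:
        pair = frozenset({site_of(src, subnet_map), site_of(dst, subnet_map)})
        if pair in restricted_pairs:
            violations.append((src, dst, tuple(sorted(pair))))
    return violations

# Constructed flow records (source, destination) as a firewall export might list them.
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.30.0.7"),   # Generation -> Transmission: breach
    ("10.20.1.3", "10.1.4.4"),     # Generation -> Corporate: allowed
    ("10.30.0.9", "10.20.1.50"),   # Transmission -> Generation: breach
    ("192.168.5.5", "10.30.0.7"),  # unmapped source: not matched
]
if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS, SITE_SUBNETS, RESTRICTED_PAIRS):
        print("restricted subnet access:", v)
```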