Enterprise data networks are vulnerable to numerous network attacks. Network firewalls or similar approaches are deployed as a common business practice to mitigate the risk of such attacks. Typically these security measures allow for unrestricted connectivity within the company or among a known collection of host devices, but they restrict access from public networks and other organizations or unknown devices. For example, the company may allow employees to access any web site on the public Internet, but prohibit access to confidential internal web sites by unknown users from public networks.
One commonly known device that performs network firewall functions is a router, which is a device that determines the next network point to which a packet of information is to be delivered. Before the packet is forwarded to another device, the router may use an access list that provides conditions or rules to determine whether the packet is permitted to reach the particular destination. In addition, these devices may provide functions such as user authentication. Also, application proxies, e.g., SOCKS and caching web proxies, allow specific applications to be executed for network security and might also employ user authentication. Companies typically have network security policies that describe the type of access that should be permitted through firewall devices. Such a policy is achieved through the application of a combination of the network firewall devices described above.
Applicants' U.S. Patent Applications U.S. 2001/0042213, U.S. 2002/0099823, U.S. 2002/0066030 and U.S. 2001/0037384, the contents of which are herein incorporated in their entirety by reference, describe various aspects of a partitioned network in which a security policy may be implemented by configuration of a plurality of network control points using replicated or at least matched sets of access control lists to provide a highly configurable set of security domains. This type of network will be referred to herein as implementing a Network Bubble Architecture.
In many of the embodiments envisaged by these patent applications, source and destination IP addresses are used to allow or restrict traffic passing through the network control points. Each bubble partition includes access lists describing inbound rules and outbound rules for hosts within it. A bubble registry manages the content and distribution of the network control point access lists to the network control points.
Whilst this approach is generally satisfactory, its implementation in existing networks having a pre-existing IP addressing plan can in practice lead to large access control list sizes because the bubble partitions may be defined by a set of disjoint IP address sub-ranges which each have to be separately specified in the access control lists. On the other hand, modifying the IP address plan so that contiguous address ranges map to the bubble partitions in a simpler manner may be an expensive exercise.
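To make the access-list growth concrete, the following added example (not taken from the patent applications, which describe no particular code) aggregates a bubble partition's address sub-ranges into CIDR prefixes and counts the source/destination rules a network control point would need for a constructed pair of bubbles, first with a fragmented pre-existing plan and then after renumbering into one contiguous block. All addresses and bubble names are constructed for illustration.

```python
import ipaddress
from itertools import product

def aggregate(prefixes):
    """Collapse a bubble's address sub-ranges into the fewest CIDR prefixes.

    Adjacent, aligned sub-ranges merge (two /24s -> one /23); disjoint ones
    inherited from a pre-existing address plan each survive as a prefix.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def acl_lines(src_prefixes, dst_prefixes, action="permit"):
    """Source/destination-based rules: one line per (src, dst) prefix pair."""
    return [f"{action} ip {s} {d}"
            for s, d in product(aggregate(src_prefixes), aggregate(dst_prefixes))]

def bubble_acl_size(bubble, peer):
    """Inbound (peer -> bubble) plus outbound (bubble -> peer) line count."""
    return len(acl_lines(peer, bubble)) + len(acl_lines(bubble, peer))

# Constructed: eight /24s for bubble A scattered across a pre-existing plan ...
FRAGMENTED_A = ["10.1.3.0/24", "10.1.8.0/24", "10.1.9.0/24", "10.2.16.0/24",
                "10.2.17.0/24", "10.2.18.0/24", "10.2.19.0/24", "10.5.200.0/24"]
# ... versus the same 2048 addresses renumbered into one contiguous block.
CONTIGUOUS_A = [f"10.8.{i}.0/24" for i in range(8)]
# Constructed peer bubble B that hosts in A are permitted to exchange traffic with.
BUBBLE_B = ["10.3.40.0/24", "10.3.44.0/24"]

if __name__ == "__main__":
    for label, bubble in (("fragmented", FRAGMENTED_A), ("contiguous", CONTIGUOUS_A)):
        print(f"{label}: {len(aggregate(bubble))} prefixes, "
              f"{bubble_acl_size(bubble, BUBBLE_B)} ACL lines at one control point")
        for line in acl_lines(BUBBLE_B, bubble):
            print("  inbound:", line)
```

Because every control point carries a replicated or matched copy of the lists, the per-bubble difference (16 lines versus 4 here) is multiplied by the number of control points and by the number of peer bubbles each partition is allowed to reach.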
This invention is directed to mitigating the above drawbacks associated with the heretofore proposed approaches to implementing the Network Bubble Architecture and to facilitating its implementation in infrastructures having a pre-existing IP address plan.