1. Field of the Invention
The present invention relates to systems and methods for responding to conditions of network operation when connection to a policy server is lost. More particularly, the present invention relates to systems and methods for configuring one or more network devices to activate policy enforcement rules locally when such contact is lost.
2. Description of the Prior Art
Interconnected computing systems having some sort of commonality form the basis of a network. A network permits communication or signal exchange among computing systems of a common group in some selectable way. The interconnection of those computing systems, together with the devices that regulate and facilitate the exchange among the systems, represents a network. Further, networks may be interconnected to establish internetworks. For purposes of the description of the present invention, the devices and functions that establish the interconnection represent the network infrastructure. The users, computing devices and the like that use that network infrastructure to communicate are referred to herein as attached functions and will be further defined. The combination of the attached functions and the network infrastructure will be referred to as a network system.
Presently, access to applications, files, databases, programs, and other capabilities associated with the entirety of a discrete network is restricted primarily based on the identity of the user and/or the network attached function. For the purpose of the description of the present invention, a “user” is a human being who interfaces via a computing device with the services associated with a network. For further purposes of clarity, a “network attached function” or an “attached function” may be a user connected to the network through a computing device and a network interface device, an attached device connected to the network, a function using the services of or providing services to the network, or an application associated with an attached device. Upon authentication or other form of confirmation of the offered attached function identity, the attached function may access network services at the level permitted for that identification. For purposes of the present description, “network services” include, but are not limited to, access, Quality of Service (QoS), bandwidth, priority, computer programs, applications, databases, files, and network and server control systems that attached functions may use or manipulate for the purpose of conducting the business of the enterprise employing the network as an enterprise asset.
A network administrator grants particular permissions to particular attached functions by establishing policies which are enforced at various points in the network. A policy is an action (or nonaction) to be undertaken based on the existence or occurrence of a defined condition or event, referred to herein as a trigger. Policies are generally directed to administration, management, and/or control of access to or usage of network services. A policy may also be a policy abstraction, that is, the translation of one or more policies to a different level of abstraction. For example, multiple policies may be bundled into a higher-level abstract policy for ease of handling and naming; a policy set is simply a policy composed of one or more policies. A policy enforcement rule (PER) is a set of instructions or steps to be performed to implement the specified action defined by a policy. Particular PERs are dependent upon the particular network infrastructure device and its programming. The policy terminology and policy information model used here are set out in Internet Engineering Task Force (IETF) Request For Comments (RFC) 3198 (Terminology for Policy-Based Management) and RFC 3060 (Policy Core Information Model).
A network session is the establishment of an association between an attached function and one or more network services through the network infrastructure. It is to be understood, however, that a network system may be embodied in the combination or interrelation between one or more attached functions and one or more network infrastructure devices. In the prior art, policies and PERs are generally established prior to the creation of a network session but are not specifically implemented in advance on a network device. At the outset of a network session, often in relation to the authentication of the entity requesting the session, an association is created between the session and one or more network services, constrained by one or more policies enforced based on PERs carried out by one or more devices of the network infrastructure. Any later adjustment tends to be made manually, in an effort to respond to an intrusion event or other activity of some type.
Under RFC 3198, a network entity that “enforces” policies is called a Policy Enforcement Point (PEP). The PEP evaluates rule conditions and subsequently applies rule actions. For example, an email policy may contain rules to constrain the bandwidth (the amount of traffic forwarded within a given timeframe); the PEP enforces the rule by recognizing email traffic (i.e., evaluating the rule condition) and limiting the amount of traffic forwarded within the specified timeframe (i.e., executing the rule action).
Further under RFC 3198, policies are distributed to network entities by a Policy Decision Point (PDP), which utilizes administrator-defined rules to “decide” which policies should be distributed to which entities. The decision may be made to pre-configure policies in a PEP prior to processing events; this is called “provisioned policy.” The decision may instead be made dynamically in response to some network event, where the PEP detects the event and sends a “policy request” to the PDP to determine which policy should be applied; this is referred to as “outsourced policy.” Policies may be distributed to a PEP before the start of any network session, when a network session is started, or during a network session in response to various conditions, such as a change in business policy that leads to changes in network policies. Policies may be altered dynamically, prior to distribution, based on certain parameters, such as the IP address of an attached function or the authenticated identity of a user. It is to be understood that while reference is made herein to specific aspects of IETF RFC descriptions and definitions, the present invention encompasses such policy provisioning means as well as other means for regulating and protecting network functions. The terms PDP and PEP may be employed herein; however, generic reference to policy provisioning and enforcement may also be made and is to be understood to include PDP and PEP functions. The PDP is generally embodied in a policy server device of the network system.
Events and activities do occur that may be harmful to the network system. For purposes of this description, harm to the network system includes, for example, denying access to the network, denying access to a service once access to the network has been permitted, intentionally tying up network computing resources, intentionally reducing available bandwidth, and restricting, denying or modifying network-related information. Intrusion Detection Systems (IDSs) are used to monitor the traffic associated with network sessions in an effort to detect harmful activity. However, an IDS function normally only monitors traffic; it does not act on the information gathered, nor does it generate or enforce PERs. An IDS with additional embedded functions may offer limited PER-related services. IDSs are designed to observe packets, the state of those packets, and the patterns of usage of packets entering or within the network infrastructure, looking for harmful behavior. However, until recently, with the availability of the Distributed Intrusion Response System by Enterasys Networks of Andover, Mass., common owner of the invention described herein, available IDSs did not prevent packet entry into the network infrastructure. Further, for the most part, they only alert a network administrator to the existence of potentially harmful behavior and do not provide an automated response to the detected occurrence. Where some limited capability to respond automatically to a detected intrusion exists, it is static in nature: the response capability is ordinarily restricted to a limited set of network infrastructure devices, and the response is pre-defined by the network administrator for implementation on specified devices. Once the harm has occurred, the IDS is of no help other than to provide information for subsequent forensic investigation; that is, it cannot prevent the harm.
For the most part, existing IDSs report possible intrusions to a centralized application for further analysis. That is, all detected potentially harmful occurrences are transferred to a central processing function for analysis and, if applicable, alarm reporting. Upon receipt of an alarm, the network administrator can either do nothing or implement a response by adjusting the operation of one or more network infrastructure devices. That adjustment is made based upon the analysis output, with the PDP then forwarding to the affected devices either instructions to carry out designated PERs or the PERs themselves. Unfortunately, if contact between the PDP and the network infrastructure device tasked as the PEP is lost, the desired policy changes may not be implemented and the network harm would remain. Therefore, what is needed is a function that enables one or more network infrastructure devices to provide policy enforcement functionality locally. That is, what is needed is a function that enables a local network infrastructure device to make necessary policy enforcement changes upon loss of contact with a PDP such as a policy server, with those changes preferably activated by the change in the contact condition itself.
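The PEP/PDP division of labor described above (provisioned policy pushed in advance, outsourced policy requested per event, the email bandwidth rule as the worked PER) and the locally activated fallback that this section says is needed can be sketched in a small simulation. The following is an added example written for this page; it is not code from the patent or from Enterasys. The class names, the rule names, the heartbeat timeout, the fail-closed default verdict and the sample traffic are all assumptions chosen for illustration.

```python
"""Toy policy enforcement point (PEP) holding a local fallback policy set.

Added example, not code from the patent or from Enterasys. It models the
RFC 3198 vocabulary used above (PEP, PDP, provisioned and outsourced policy)
and a device that activates its own policy enforcement rules when contact
with the policy server is lost, then retires them when contact returns.
Class names, rule names, timeout and sample traffic are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    ts: float       # arrival time in seconds
    src_ip: str
    dst_port: int
    size: int       # bytes


@dataclass
class Policy:
    """trigger = rule condition, action = rule action (the PER)."""
    name: str
    trigger: Callable[[Packet], bool]
    action: Callable[[PEP, Packet], str]    # returns a verdict string


def email_traffic(p: Packet) -> bool:
    return p.dst_port in (25, 587)


def rate_limit(limit_bytes: int, window_s: float) -> Callable[[PEP, Packet], str]:
    """PER for the email example: forward at most limit_bytes per window_s."""
    def act(pep: PEP, p: Packet) -> str:
        win = pep.state.setdefault("email_window", [])
        win[:] = [(t, s) for t, s in win if p.ts - t < window_s]   # expire old entries
        if sum(s for _, s in win) + p.size > limit_bytes:
            return "drop:rate-limit"
        win.append((p.ts, p.size))
        return "forward"
    return act


class PDP:
    """Stand-in policy server; reachable=False simulates lost contact."""
    def __init__(self, decisions: dict[str, str]) -> None:
        self.reachable = True
        self.decisions = decisions      # src_ip -> verdict for outsourced requests

    def ping(self) -> bool:
        return self.reachable

    def decide(self, p: Packet) -> Optional[str]:
        return self.decisions.get(p.src_ip, "forward") if self.reachable else None


class PEP:
    def __init__(self, pdp: PDP, provisioned: list[Policy], local_fallback: list[Policy],
                 heartbeat_timeout: float, fallback_default: str = "drop:pdp-unreachable") -> None:
        self.pdp = pdp
        self.provisioned = list(provisioned)        # pushed by the PDP in advance
        self.local_fallback = list(local_fallback)  # stored locally, inactive until needed
        self.timeout = heartbeat_timeout
        self.fallback_default = fallback_default    # fail closed when no fallback rule matches
        self.last_contact = 0.0
        self.fallback_active = False
        self.state: dict = {}
        self.transitions: list[str] = []

    def check_contact(self, now: float) -> None:
        """Keepalive path: activate the fallback set after `timeout` seconds of silence."""
        if self.pdp.ping():
            self.last_contact = now
            if self.fallback_active:
                self.fallback_active = False
                self.transitions.append(f"fallback deactivated at {now}")
        elif not self.fallback_active and now - self.last_contact > self.timeout:
            self._activate_fallback(now)

    def _activate_fallback(self, now: float) -> None:
        self.fallback_active = True
        self.transitions.append(f"fallback activated at {now}")

    def _match(self, policies: list[Policy], p: Packet) -> Optional[str]:
        for pol in policies:
            if pol.trigger(p):
                return pol.action(self, p)
        return None

    def _outsource(self, p: Packet) -> str:
        if not self.fallback_active:
            decision = self.pdp.decide(p)
            if decision is not None:
                self.last_contact = p.ts
                return decision
            self._activate_fallback(p.ts)   # failed policy request counts as lost contact
        return self._match(self.local_fallback, p) or self.fallback_default

    def handle(self, p: Packet) -> str:
        self.check_contact(p.ts)
        verdict = self._match(self.provisioned, p)  # provisioned policy first
        return verdict if verdict is not None else self._outsource(p)


KNOWN_SOURCES = {"10.0.0.1"}   # assumed: hosts the PEP admitted before contact was lost


def build_pep() -> PEP:
    pdp = PDP(decisions={"10.0.0.9": "drop:pdp-blocked"})
    provisioned = [Policy("email-bandwidth", email_traffic, rate_limit(1000, 10.0))]
    fallback = [
        Policy("no-pdp-block-unknown", lambda p: p.src_ip not in KNOWN_SOURCES,
               lambda pep, p: "drop:unknown-source-no-pdp"),
        Policy("no-pdp-allow-known", lambda p: p.src_ip in KNOWN_SOURCES,
               lambda pep, p: "forward"),
    ]
    return PEP(pdp, provisioned, fallback, heartbeat_timeout=5.0)


def run_scenario() -> tuple[list[str], list[str]]:
    """Constructed traffic: PDP reachable, then unreachable, then back."""
    pep = build_pep()
    traffic = [
        (Packet(0.0, "10.0.0.1", 25, 600), True),
        (Packet(1.0, "10.0.0.1", 25, 600), True),    # exceeds 1000 B per 10 s
        (Packet(2.0, "10.0.0.9", 443, 100), True),   # outsourced; PDP says block
        (Packet(3.0, "10.0.0.5", 443, 100), True),   # outsourced; PDP says forward
        (Packet(5.0, "10.0.0.5", 443, 100), False),  # request fails; fallback activates
        (Packet(6.0, "10.0.0.1", 443, 100), False),  # known source still served
        (Packet(12.0, "10.0.0.1", 25, 600), False),  # provisioned PER still enforced
        (Packet(13.0, "10.0.0.5", 443, 100), True),  # contact back; fallback retired
    ]
    verdicts = []
    for p, reachable in traffic:
        pep.pdp.reachable = reachable
        verdicts.append(pep.handle(p))
    return verdicts, pep.transitions


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Two things in this sketch are worth noting. Loss of contact is detected on either path a real device has available: a policy request that gets no answer, or a keepalive that has been silent longer than the timeout; either one activates the local set, and a successful keepalive retires it. The provisioned rules keep running throughout, since they were pushed before the outage; only the decisions that would otherwise have been outsourced fall back to the local rules, and anything the local rules do not cover gets the fail-closed default rather than being silently forwarded.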