The marketplace for many companies has expanded from a national to a world marketplace. Large international companies have expanded into global companies and smaller companies have become international competitors. This market expansion has been driven by technology that has made both voice and data communication easier.
Technological advances in recent years have allowed computer users to maintain access to their corporate or home informational networks, regardless of where they work or where they travel, through "remote offices", "mobile computing", and "telecommuting." Remote offices refers to parts of a company organization than are geographically spaced from the main or base office, and may include foreign manufacturing plants, regional sales offices, or vendor organizations. Mobile computing refers to the use of transportable self-contained computers, such as a laptop computer, including means for establishing a telecommunications link to a server or network of other computers. Telecommuting refers to the use of a telecommunications link, particularly through a computer, to enable a working individual to conduct his or her business from any desired location, rather than having to physically travel to a particular place of work.
FIG. 1, generally at 50, shows a prior art system that a remote user currently may use to communicate with a home network. The system 50 has remote users 52 and 54 that communicate through a wide-area network (WAN) to a company or home network 60. WAN 58 may include dedicated or non-dedicated network links. A typical dedicated network would include a frame relay network elements and a typical non-dedicated network would include a TCP/IP network elements.
Remote users can communicate with WAN 58 in a number of different ways. As shown in FIG. 1, user 52 connects to the WAN 58 through a modem 62, a public switched telephone network (PSTN) 64, and a server 66. User 52 can be a mobile or a stationary user. User 54, shown as a stationary user with a desktop computer, connects to WAN 58 through a router 56 and a dedicated local loop 59. Local loop 59 connections normally are provided by a local exchange carrier (LEC) such as Southwestern Bell or Bell Atlantic. WAN 58 could be a private company network of leased lines or frame relay connections, or it could be a public network, such as the Internet.
Home network 60 has a destination server 80 and firewall 82, and as shown in FIG. 1, a Local Area Network (LAN) 84 with a LAN server 86 and a number of workstations 88. There can be many LANs, servers, and other resources in the company or home network, including fax servers, printers, file servers, and database servers.
Firewall 82 is either a device or an application that controls the access between internal LAN 84 and external public entrusted networks such as the Internet or a PSTN. Firewall 82 tracks and controls communication, deciding where to pass, reject, encrypt, or log communications, and requires that these communications adhere to a defined security policy. Firewall 82 normally functions in four areas: access control; authentication; optional encryption/decryption; and routing. Firewalls manufactured by Check Point Software Technologies Ltd. and Raptor Systems, Inc. each have these capabilities.
Access control is the firewall mechanism to grant access to a class of users or to a class of users that use specific protocols, such as HTTP (the Internet access protocol). Access control is established by setting up user definitions, server and gateway definitions, and establishing protocols. Access control in a firewall is rule-based in that a security rule defines the relationship between the definitions.
Authentication is a mechanism to verify the authenticity of both the sender and the message. Broadly, authentication may encompass three types of technology: (1) password based; (2) token based; and (3) biometric. Authentication grants access privileges to specific users to access specific network resources and/or specific network applications.
Encryption/decryption is an optional mechanism to transform a message so that the encrypted message can only be read with the aid of same additional information (a key) known to the sender and the intended recipient alone. In secret key encryption, the same key is used to encrypt a message and then to decrypt it. In public key encryption, two mathematically related keys are used, one to encrypt the message and the other to decrypt the message.
Routing is a firewall mechanism to determine which network resource(s) should receive the message. In a typical firewall, a user, or user groups, can be routed to one or more destinations on the basis of certain rules. Because these rules require set-up and maintenance, the routing is typically controlled with broad rules for large groups of people systems.
Firewalls are installed to address the threats of hostile external network intrusion but have limited abilities to reduce or eliminate internal network vulnerabilities or social engineering attacks as discussed below. Firewalls are generally rules based products where a typical rule may be "Marketing users can get to the Internet Server only with HTTP".
Network Management
An enterprise network is a network for an enterprise, including multiple LANs, routers and servers, typically geographically separated. The networks of the Enterprise network can be connected together over a wide area network. Enterprise network management that has evolved from the mainframe environment is still centered mainly on the operating systems and is mostly manual and resource intensive. Numerous tools have been developed to aid in network management. Routers are normally configured and managed with a Telnet tool. Telnet also is used for remote control of routers, firewalls, and servers.
Simple Network Management Protocol (SNMP) is used to manage network nodes and to monitor operation. Servers are generally manually configured with users manually coded into a user control program. Other tools include capacity planning, fault management, network monitoring, and performance measurement.
A router or routing/switching device is used in enterprise networks to route user messages and files to and from internal LAN 60 and an external WAN 58. The routing device can recognize that the user workstation 86 has issued a destination address not located on LAN 60 for a message or for a file transfer and, therefore, that the message or file needs to be forwarded to external WAN 58. Similarly, the routing device can recognize a destination address on WAN 58 for a resources on its internal LAN 60, and therefore the device will forward that WAN 58 message or file to the internal network served by the router.
An analogy to this data network routing is the operation of the PSTN (Public Switched Telephone Network). When a seven-digit number is dialed, if the first three digits are a valid local exchange, the call will remain in the local exchange. Similarly, when the NetID of destination IP address is the same as the NetID of the local network the data packets will remain on the LAN. If a ten-digit number is dialed, if the first three digits are for a valid area code, the call will be routed to the long distance network. Similarly, when the NetID of a destination IP address is different from the NetID of the local network, the data packets will be forwarded to the WAN.
Routing devices generally use one or more methods for obtaining routing instructions. First, routers have static routing instructions that are manually coded into the routing instructions. This manual coding may be by user interaction with a router operating system, such as Cisco lOS, or by downloading the coding over the network through Telnet or SNMP. Second, the router may learn routing instructions through routing protocols such as RIP or IGRP. These protocols communicate with other routers on the network and share routing information.
Servers
Computers with network interfaces and special multi-user software are used as LAN and WAN servers. A LAN server 84 may often be called a file server. Examples of network servers are WINS (Windows Internet Naming Server), DNS (Domain Name Server) and DHCP (Dynamic Host Control Protocol) server, Internet server, and Intranet server.
Security
As enterprise-wide data networks have expanded, the need for network security has increased. Firewall and encryption technologies, as described in the prior art, have been developed to address some of the network security needs. However, the majority of network security problems is not being addressed by current technological solutions.
The largest reported losses in network security come from internal theft and sabotage. Internal networks are normally open so that many users have root level control, which allows operators to do everything on servers including copying files, planting viruses, and erasing all information. Disgruntled employees can take advantage of such an open network to perform illegal acts.
The next largest reported loss is referred to as "social engineering." Social engineering uses social interaction with inside employees to obtain network access information. Covert social engineering actives are typically undertaken when significant theft or espionage is planned, so it normally results in substantial losses.
The other area of reported losses is hostile external network intrusion. A firewall is useful for protecting a network in this area.
Directory Services
Directory services products are generally focused on either LAN or WAN environments. The largest installed base of directory services is Novell's NDS (Netware Directory Services) with over 10 million units installed. NDS is a product focused primarily at the LAN level and used to provide computer workstations 86 with access to shared resources such as files servers or printers in a LAN 60. The Novell product and other similar directory products, are proprietary from product manufacturers and are not under the management of any open standards body.
One enterprise level directory technology (X.500) has been used to integrate phone directory information, e-mail, and fax addressing across an enterprise. A directory is a standard database providing distributed, scalable, client/server-based repositories of data that are read much more frequently than modified (for example, user definitions, user profiles, and network resource definitions). Users applications can access these directories through directory access protocols (DAPs). In network environments, exemplary DAPs includes X.500 directory access protocols and Lightweight Directory Access Protocol (LDAP).
X.500 is a directory service defined by a set of international standards published jointly by the International Standards organization (ISO) and the International Telecommunications Union (ITC, formerly CCITT) standards bodies. Originally developed in 1988 to be a general e-mail directory, the standards have developed to envision a general global information service. Directory services have been applied, as the name implies, to provide users with a directory of available services.
Architectural View of Directories
FIG. 2 is a prior functional diagram showing the relationship between the X.500 directory services and the ISO network layers. The top ISO networking layer is an application, such as word processing, fax or e-mail. The bottom layer of the ISO model is the physical layer, such as a twisted-pair of wire or fiber optic cable. The current X.500 directory services is an application program that works to manage other application layer programs such as e-mail, phone directories and faxing.
FIG. 3 is a functional block diagram showing the protocol application at the ISO network layers. The protocol developed for the X.500 application to communicate with other applications, like e-mail, was DAP. Recently the LDAP protocol was defined at the network layer to allow communication between routers, firewalls and other network level devices.
For an application to have a unique operation at the lower layers, such as the network layer level, another application program is required to add the specific functionality at the lower layers. For example, to encrypt e-mail, one needs to obtain a product, such as ArmorMail from LJL Enterprises, Inc. of Huntsville, Ala. E-mail is an Application layer program and encryption occurs directly before the Link layer. The ArmorMail product creates the bridge between that e-mail application and the Link layer.
FIG. 2 shows the OSI (open system interconnect) reference model that describes a communications in the seven hierarchical layers that are shown. Each of these layers provides services to the layer above and invokes services from the layer below. Typically, end users of the communications system interconnect to the application layer, which may be referred to as a distributed operating system because it supports the interconnection and communication between end users that are distributor. The OSI model allows the hiding of the difference between locally connected and remotely connected end users, so the application layer appears as a global operating system. Normally, in a distributed operating system, the global supervisory control for all of the layers resides in the application layer.
Each of the layers contributes value to the communications system. The application layer uses the presentation layer, and is concerned with the differences that exist in the various processors and operating systems in which each of the distributed communications systems is implemented. The presentation service layer uses the session layer, and manages the dialogue between two communicating partners. The session layer assures that the information exchange conforms to the rules necessary to satisfy the end user needs. The session layer uses the transport layer, and creates a logical pipe between the session layer of its system and that of the other system. The transport layer uses the network layer to create a logical path between two systems. The transport layer is responsible for selecting the appropriate lower layer network to meet the service requirement of the session layer entities. This connection is generally though of as a point-to-point connection. The network layer uses the data link layer, and establishes a connection between the entities and this is based on a protocol for the connection. The data link layer uses the physical layer. The data link layer is responsible for building a point-to-point connection between two system nodes that share a common communication system. The data link layer is only aware of the neighboring nodes on a shared channel. Each new circuit connection requires a new link control. The physical layer is responsible for transporting the information frame into a form suitable for transmission onto a medium.