1. Common Problems
The ability to connect information technology infrastructure reliably, cost-effectively and securely is of high importance for today's global enterprises. To communicate with customers, clients, business partners, employees, etc., the Internet has proven to be more appropriate compared to private communication networks.
However, communication via the Internet, which typically uses TCP/IP (Transmission Control Protocol/Internet Protocol), also increases the requirements for data security. Network firewalls are one of the many examples of solutions for network security.
Enterprise Web Application Services build an important foundation for such client, customer, and employee communication. A very common configuration for hosting such enterprise web Application Services is shown in FIG. 1.
As shown in FIG. 1, an enterprise can offer web Application Services to various clients and there are several possibilities for clients to connect to the servers depending on the location of the client relative to the servers' location. The servers which provide the Application Services are typically located in the enterprise's data center 1016 and are accessible, directly or indirectly, via World-Wide-Web (WWW) servers 1012. Sometimes enterprises provide access to the Application Services by making the application servers directly accessible by putting those application servers into a Demilitarized Zone (DMZ) 1011.
A client 1003 may connect via a Local Area Network (LAN) through the enterprise's intranet 1013. Another client 1004 may connect through a Wireless LAN (WLAN) to the intranet 1013. Yet another client 1005 may be located inside the enterprise's campus network 1015, which connects to the enterprise's intranet 1013. An enterprise may have zero or more campuses 1014 and 1015. Yet another client 1001 may connect through the Internet 1000, or a client 1002 may have a mobile connection to the Internet 1000. In any case to prevent illegitimate access to the enterprise's web Application Services, the “inside” of the enterprise's network, the intranet 1013, is protected by having a network perimeter 1010, which may comprise firewalls, associated network interconnect, and additional resources “within” the perimeter network configured so as to be broadly accessible to users on the “outside” of the enterprise.
Behind the perimeter 1010, access is granted to legitimate client requests only, while illegitimate access is rejected. The fundamentals in determining whether an access request is legitimate or not are based on the network reference model from the International Organization for Standardization (ISO). This ISO network reference model classifies Network Services into seven layers.
Traditionally, ISO Layer-4 to ISO Layer-7 services have been developed either as server-hardware and -software based single-function (or even multi-function) network appliances or as service modules on ISO Layer-2 to ISO Layer-3 packet switches. The latter approach, though welcomed initially, has not gained momentum in the market place due to the inherent cost and complexity of managing stream-oriented ISO Layer-4 to ISO Layer-7 services in the same product that was originally designed for packet-oriented ISO Layer-2 to ISO Layer-3 switching/routing. In reality, ISO Layer-4 to ISO Layer-7 service modules never became integral parts of the packet switching architecture, because the needs and tradeoffs are quite different. The network appliance approach has been very successful in introducing new innovative functions into the data center, such as Application Front Ends, Application Firewalls, and Wide Area Network (WAN) Optimizations, in a very short period of time, albeit at a lower performance and scalability. However, this approach has also led to the proliferation of multiple single-function network appliances in the enterprise network, particularly for multi-service deployments. Multiple network appliances functioning in the path of a client-server-connection introduce high latency due to multiple transport protocol termination, and involve high management and deployment complexity as the network needs to be carefully designed, taking all failure scenarios into consideration. Customers have begun to experience the negative impact of deploying multiple single-function network appliances and are looking for alternatives. Also, as enterprise data centers migrate to higher bandwidth Ethernet and to converged interconnect fabric, the existing ISO Layer-4 to ISO Layer-7 solutions become ineffective. With this as the background, there is a need for next generation architectures to securely, efficiently and reliably deliver ISO Layer-4 to ISO Layer-7 services.
Traditional security products generally assume the existence of a trusted intranet locations where enterprises control their own LANs, switches and routers—which can be organized into or placed within some type of security perimeter, to protect its resources from the un-trusted Internet. However, in today's business environment, enterprises no longer enjoy the same level of trust and control of their intranets, as enterprises increasingly rely on contractors, partners, consultants, vendors, and visitors on-site for daily operation. As a result, enterprises are exposing internal resources to this wide set of clients whose roles are also frequently changing. Thus, the network trust boundary, delineating inside and outside clients, is disappearing—a phenomenon referred to as “de-perimeterization”. In such an environment, protection of an enterprise's resources—such as its intellectual property, as well as mission-critical and operational systems—becomes of critical importance. Also, most security exploits easily traverse perimeter security, as enterprises typically let through email, web and any encrypted network traffic, such as Secure Sockets Layer (SSL), Simple Mail Transfer Protocol (SMTP) with Transport Layer Security (TLS), and authenticated Virtual Private Network (VPN) traffic, for example via IP Security (IPSec). Traditional perimeter security approaches, for example firewalls, intrusion detection systems and intrusion prevention systems have little or no benefit at the perimeter in providing access control functions to the resources. They have become more attack mitigation mechanisms than access control mechanisms. Enterprises are coming to terms with the fact that a hardened perimeter strategy is un-sustainable.
Traditional firewall or router access control lists cannot protect application resources from unauthorized access because network parameters such as Internet Protocol (IP) addresses and IP port numbers no longer deterministically identify resources, nor identify users, clients, or applications accessing these resources. Network firewall technology was invented when enterprises had a limited set of applications such as Telnet, File Transfer Protocol (FTP), and Email, and its primary functions were to limit access to specific applications from the outside and to limit access by systems within the enterprise to specific applications outside the firewall. Network layer parameters such as source, destination IP address and TCP or UDP port numbers were sufficient to identify the client and the operations the clients intended to perform on a particular resource. However, with the proliferation of mobile devices and tunneled applications, the network layer parameters are no longer useful to identify the client, the resource accessed, and the operation. Firewalls have evolved over the time, embracing functions such as deep packet inspection and intrusion detection/prevention, to handle application-level attacks, but the core access control function remains the same.
In effect, de-perimeterization demands that access control functions are positioned close to application resources and that a micro-perimeter is established in the heart of the data center by placing an identity-based policy enforcement point in front of any application resource. Enterprise business drivers for such an enforcement point are the need for rich and uniform protection of resources, business agility via attribute-based, policy-driven provisioning, and regulatory compliance. Traditional server-centric authorization solutions providing role-based authorization often require custom code development, extensive cross-vendor testing whenever there is a version change (of the underlying operating system, agent or application), and are costly and difficult to maintain because of their proprietary nature. Also, traditional server-based network appliances—primarily focused on low-bandwidth ISO Layer-4 to ISO Layer-7 perimeter services—are unsuitable for data center deployment, both in functional richness and in ISO Layer-7 performance.
The present inventions provide, among other innovations, novel identity- and resource-aware network appliance platforms that provide network-centric, application-agnostic secure authorization services based on Triangulated Authorization (as described below). Such Triangulated Authorization can be instantiated in an enterprise network, for example, at a common nexus among the client, the application server, and other essential enterprise services such as a single-sign-on (SSO) server, an Identity Management server, and an authorization Policy Server.
1.1 Architecture Scalability for Network Appliances
In a typical network system such as in FIG. 1, the front-end segment between the client 1001 or client 1002 and, for example, a WWW application server just behind Perimeter 1010 in WWW server farm 1012 has a high round-trip delay time, low throughput and varying speeds, while the back-end connection between the WWW application server and application server 1017 in Data center 1016 has a low round-trip delay time and high throughput. This proxy-like setup requires flow control for the original client-to-server connection.
Load balancing is an important option for scaling a network appliance to meet increased network bandwidth demands. Load balancing requires multi-sided communication for load monitoring—typically performed by fast processors at each side—which is difficult to do in practice and has implications on the scalability as well as the reliability. One aspect of the invention disclosed is a novel system and method for reliable, scalable, high-performance load-balancing.
1.2 Centralized Transport Protocol Termination for Multiple Services in a Data Center
Providing multiple ISO Layer-4 to ISO Layer-7 services (such as SSL acceleration, application acceleration, or application firewall, etc.) degrades the performance to a large extent because, in today's approaches, multiple transport protocol terminations happen at each of the cascaded Network Service points. These multiple TCP or multiple SSL terminations, for example, add-up to the overall latency and make the entire setup hard to administer. This problem exists regardless of whether multiple server-based network appliances are chained (each providing a different ISO Layer-4 to ISO Layer-7 service), or whether a single network appliance using a packet based switch architecture with multiple modules (one for each different ISO Layer-4 to ISO Layer-7 service) is used.
This problem is highlighted in FIG. 3 where several services are cascaded. The connection between a client 1081 and a server 1085 is terminated at each stage and forwarded multiple times: First for service 1082 (which, for example, could be TCP), then for service 1083 (which, for example, could be TLS), then for service 1084 (which, for example, could be SMTP), and so on.
1.3 High-Availability and Zero-Click Fail-Over
Network system reliability and availability is very important for enterprise networks. High-availability for network systems has two aspects, to minimize downtime of the network system, and to remain functional in spite of failures. High-availability is typically implemented by adding redundancy to a system. Two or more peers will perform the functionality together.
Traditionally a fault may cause the protocol stack processing to fail, which results in disconnecting the client. The resuming peer then reconnects the client, it determines which packets got lost and the lost data is then retransmitted. For many applications it is not acceptable to disconnect clients. Therefore, a so-called zero-click fail-over is important.
Architectures commonly used in other approaches to solving these problems have shown several difficulties: A system processor is involved in performing the data structure replication in creating and forwarding the data packet down and up the network stack during transmit and receive, which severely degrades the system throughput. The system processors may incur substantial overhead from copying data in memory as part of Input/Output (I/O) operations. Copying is necessary in order to align data, place data contiguously in memory, or place data in specific buffers supplied by the application. A reliable protocol must be implemented between the peers to prevent packet loss.
FIG. 4 shows this inefficiency as it exists in today's approaches: All communication via a network connection 1029 goes into a Network Interface Card (NIC) 1024 and then gets copied by TCP processing 1025 running in kernel space. The data is then stored in a TCP buffer 1023, which is in the system memory 1021. The processor 1026 is then needed to execute a process which copies the data from the TCP buffer 1023 into the application buffer 1022 to make the data available for processing by the application. This approach is highly inefficient because it occupies the processor 1026 with many memory copy operations and loads the processor 1026 heavily especially for high-bandwidth communication. This also makes it much more difficult to scale a system for higher network bandwidth demands.
FIG. 4 also shows how current systems use the available network protocol stack within each system to monitor peer health status, to detect peer failure, to share critical data structures with peers, to maintain states of each other and to share configuration data. The basic method is to periodically do checkpointing, provide this checkpoint information to one or more peers, which in case of a failure allows a peer to reconstruct the interrupted process and to resume the failed peer's task.
The drawbacks of approaches know in the art include that the system processor, for example processor 1026 or processor 1036, perform compute extensive data structure replication which comprises creating and forwarding data packets down and up the network stack during each send/receive operation. This causes substantial compute overhead from data copy Input/Output (1/0) because data needs to be aligned and placed into specific data buffers.
1.4 Converged Data Center Fabric
Data Centers generally consists of a number of different types of networks—an Ethernet LAN for connecting web and application servers, a fibre channel storage area network (SAN) for connecting storage arrays and sometimes an InfiniBand (TB) or proprietary interconnect based High-Performance Computing network for clustering servers. The proliferation of multiple, disparate, interconnect technologies drives up overall total cost of ownership in the enterprise data center. In order to increase operational efficiency and reduce overall cost, next generation data center networks are likely to migrate to a single converged multi-protocol fabric technology to carry all three types of traffic, Ethernet, storage and Inter-Process Communication. This converged fabric can, for example, without limitation, be based on IB or Data Center Ethernet (DCE)—an extension of today's Ethernet. When the back-end data center starts to converge onto a single fabric, a network junction gets created in the data center between classic Ethernet networks and converged fabric networks, in front of the data center architecture. Typically, a gateway for protocol translation is used at any network junction between two different technologies, for example a gateway between fibre channel and Ethernet or a gateway between Ethernet and IB. This gateway functionality involves termination of one protocol and translation into the other protocol.
2.1 Lossless Low-Latency High-Bandwidth Interconnect Fabrics
Remote Direct Memory Access (RDMA) has been used as a lossless, low-latency, high-bandwidth, interconnect fabric for example in High-Performance Compute Clusters and in storage area networks (SAN). IB, which supports RDMA transfers, has shown great promise for implementing such a lossless low-latency high-bandwidth interconnect. Other interconnect technology that support RDMA is Data Center Ethernet (DCE) and Internet Wide Area RDMA Protocol (iWARP).
While various other approaches successfully have applied D3 and RDMA to high-performance computing and to storage networks they fail to teach how this technology can be made to work as a Lossless Data Transport Fabric (LDTF) for a high-availability, scalable, application layer network system with Centralized Transport Protocol Termination.
2.2 Authorization, Authentication and Access Control
Authorization or access control typically determines the allowed set of actions by a legitimate client, possibly intercepting every access of the client to a resource in the system. Authentication is used in conjunction with authorization—authentication determines and verifies the basic identity of, for example, a user or a client process. Then, based on determining the user's or client's identity, an authorization decision can be appropriately made. Of course, if a client's or user's identity can not be verified, the authorization decision is quite simple—deny access or authority to perform any action.
Typically, authentication is performed once every session, unlike authorization, which is performed for every client action. Granular authorization is achieved by leveraging details of the identity such as attribute values, group membership, role assignment etc. Typically, Information Technology (IT) infrastructure implements access control in many places and at different levels. The following key concepts are used in the art (and defined by Organization for the Advancement of Structured Information Standards (OASIS)) to describe access control or authorization; these definitions are not intended to be limiting on the inventions described herein, but merely to provide context for the disclosures below:
Subject—An active entity, generally in the form of a person, process or device that causes information to flow among Objects; a subject can, for example, be a client such as client 1001, or client 1002, or client 1003, or client 1004 from FIG. 1.
Object—An entity that contains or receives information. Access to an Object potentially implies access to the information it contains. Examples are a web page, a file, a directory, a process, a program, as well as a server, for example, such as a WWW application server in region 1012 of an enterprise network, or an application server 1017 in Data center 1017.
Operation—Action initiated by the Subject. For example, the GET or the POST action in a HTTP transaction, or querying or updating a given database.
Permission—An authorization to perform certain action on the Object. Permission refers to the combination of Object and Operation. An Operation performed on two different Objects represents two different Permissions; similarly, two different Operations performed on a single Object represent two different Permissions.
Traditionally, authentication and authorization is done inside the application, however because of the long cycle of development and deployment in the process, not all applications have the same level of support. Many applications have a basic form of authentication using user name and a secret password. Certain vendor-specific applications support role-based authorization which is often vendor proprietary and does not interoperate well with implementations in another applications—it creates multiple silos of applications within an enterprise network infrastructure. Role provisioning is often challenging; without careful planning, enterprises often end up with the number of roles greater than the number of users, which eviscerates any potential management efficiency gains. As a result, a large number of applications are left behind with no protection and with no support for authentication or authorization. With de-perimeterization, enterprises are seeing a need to protect these applications uniformly with network-centric solutions that do not mandate modifying the application.
There are two types of authorization decisions that are typically done in applications: One that does not depend on dynamic information such as the application's state of execution, and a second that depends on the current state of execution and often involves derived data from multiple applications. The latter type of authorization decision is best done in applications, as it is hard to externalize the authorization without interaction with the application. However, the former type of authorization decision can be externalized efficiently and can be performed efficiently outside the applications, as it depends on attributes which are visible in the network. In today's enterprise networks a large number of applications (approximately 70% to 80%) fall into the former category, hence can be addressed with a network-centric solution. In general, an authorization architecture consists of the following key components as shown in FIG. 5:                A Policy Administration Point (PAP) 4702 is the central management console to provide central administration, management and monitoring of policies. Policy editing or definition will include support for subject attributes, objects and operations that are being protected, as well as network and environment attributes.        A Policy Information Point (PIP) 4705 is the information store for different attributes and policies. For example an enterprise directory (LDAP, AD) keeps information regarding users and its associated identity attributes.        Policy Decision Points (PDP) 4701 and 4703 can be distributed and provide evaluation of authorization policies. PDPs are the core policy engines that evaluate the authorization rules written using different attributes.        A Policy Enforcement Point (PEP) 4704 enforces the policy decision that is made by a PDP.        
Sometimes, depending on the enterprise application architecture, applications have their application-specific PDP and PEP embedded as described in FIG. 6. A subject 4711 requests access to a resource 4714 which resides in an application server 4710. By analyzing user attributes 4712, the PDP 4715 computes a decision, which the PEP 4713 uses to grant or reject subject 4711 access to the resource 4714. Both PDP 4715 and PEP 4713 are embedded in the application server where the request gets processed.
In some other case, which are shown in FIG. 7, the PDP 4725 runs inside another server 4726 and thus is external to the application server 4720. When a subject 4721 requests access to a resource 4724 which is hosted by the application server 4720, the PEP 4723, which also resides inside application server 4720 queries the PDP 4725. The PDP 4725 uses the user attributes 4722 to make the access decision based on policies, which is then used by PEP 4723. This approach may suffer from high latency due to a network call from PEP 4723 to PDP 4725 in the authorization path. This often leads to poor application performance. Also, this may require a plug-in/agent on the application server 4720 for PEP 4723.
In a common scenario for enterprise web Application Services, which is shown in FIG. 41 both PDP 4745 and PEP 4743 are processed by a dedicated policy server 4740 and thus are external from the application server 4710 which hosts the resource 4714. In this configuration no plug-in in the application server 4710 is needed, and also no high-latency PEP/PDP interaction occurs because both PDP 4745 and PEP 4743 are co-located on policy server 4740. Externalizing both PEP and PDP helps enterprises to protect application resources uniformly, sitting in front of applications in the network. Therefore, this arrangement is often called network-centric authorization. However, to make full use of this network-centric authorization, the dedicated policy server 4740 has to analyze the protocol and content attributes 4742, which requires a very compute-intensive analysis of ISO Layer-7 application data. No approach is yet known that can efficiently perform such ISO Layer-7 application data analysis in a network environment.
While certain aspects of the system described herein can be applied to either case of policy frameworks the most beneficial use of this system is in combination with network-centric authorization architectures. Due to the enhanced visibility in the network, policies can be much richer, for example policies can include network and environmental attributes such as location, network address etc, which are typically not visible inside the application.
2.3 Policy and Policy Languages
Policy definition is a key component in the system. This is typically done by using policy languages. A policy language must be flexible enough to accommodate the policy definition for multiple ISO Layer-4 to ISO Layer-7 applications. The following aspects need to be considered when selecting a policy language: The language should be generic so that one can define policies for multiple applications using the same language. Using the same policy language for different applications makes policy administration much easier. The policy language should be extensible so that new requirements imposed by the newer applications can easily be supported. The policy language should provide enough mechanism to define different actions that may need to be performed while enforcing the policy. The policy language should be standardized, because standards are robust and have been reviewed by a large community of experts. Each application has specific requirements for a policy language.
Specifically, for access control, several additional aspects need to be considered while selecting a policy language: The selected policy language should allow the definition a policy with expressions having any of the subjects, resources, actions and environment attributes. The selected policy language also should be able to define the policy using multiple sub-policies; instead of having one single monolithic policy, different people or groups can manage sub-pieces of policies as appropriate to reduce policy administration costs. There should be a way to combine the results from these different sub-policies into one decision. In general there are several possibilities for policy languages known in the art, however, these are mere examples and should not be considered limiting.
A standard descriptive language such as Extensible Markup Language (XML) is used for defining policies. For access control functionality, there is an emerging standard policy language called eXtensible Access Control Markup Language (XACML), which is being increasingly adopted by the enterprise customers. An effort can be made to extend XACML to accommodate all the applications. The advantage of this approach is that if customers already have XACML policies, it is easy to import them and process the policies. The disadvantage of XACML is that integrating different kinds of applications in XACML policy framework may be difficult.
Scripting languages, such as the Tool Command Language (TCL), are sometimes used to define a custom policy language. This is, for example, used in the art by commercial policy infrastructure. The disadvantage of this approach is that existing customer policies based on a standard language such as XACML need to be redefined using the custom language, which requires a custom translator from a standard policy language such as XACML to the proprietary policy language.
Another option known in the art is to support cascaded two-stage policy definition and execution which use a proprietary scripting language in a first pre-processing stage and then use a standard policy language such as XACML in a second stage. The obvious advantage of this approach is that existing customer policies based on XACML can be reused. However, the disadvantage with this approach is that it might be difficult to define clear cut policies on what needs to be done in the first stage and the second stage because the scripting language also has the capabilities to define the rules defined in the second stage.
2.4 XACML
XACML is an Organization for the Advancement of Structured Information Standards (OASIS) standard that describes both a policy language and an access control decision request/response language (both encoded in XML). The policy language is used to describe general access control requirements, and has standard extension points for defining new functions, data types, combining logic, etc. The request/response language allows one to form a query to ask whether or not a given action should be allowed, and to interpret the result. The response always includes an answer about whether the request should be allowed using one of four values, for example, permit, deny, indeterminate (an error occurred or some required value was missing, so a decision cannot be made) or not applicable (the request can't be answered by this service). The request/response language helps to define a standard distributed architecture wherein multiple disparate external PEPs communicate with a centralized PDP for determining an access control decision.
At the root of all XACML policies is a policy or a policy-set. A policy-set is a container that can hold other policies or policy-sets, as well as references to policies found in remote locations. A policy represents a single access control policy, expressed through a set of rules. Each XACML policy document contains exactly one policy or policy-set root XML tag. A policy is a combination of sub-components: target, rules, rule-combining algorithm and obligations. Each of these sub-components is explained in the following however, these are mere examples and should not be considered limiting.
Targets: Part of what a XACML PDP does is to find policies that apply to a given request. To do this, XACML provides another feature called a target. The target helps in determining whether the policy is relevant for the request. The policy's relevance to the request determines whether the policy is to be evaluated for the request. This is achieved by defining attributes of three categories in the target—subject, resource, and action—along with their values. It is not mandatory to have attributes for all the three categories in a target. The values of these attributes are compared with the values of the same attributes in the request; if they match, then the policy is considered relevant to the request and is evaluated. In addition to being a way to check applicability, target information also provides a way to index policies, which is useful if you need to store many policies and then quickly sift through them to find which ones apply. For instance, a policy might contain a target that only applies to requests on a specific service. When a request to access that service arrives, the PDP will know where to look for policies that might apply to this request, because the policies are indexed based on their target constraints. Note that a target may also specify that it is universal, and thus applies to any request.
Rules: A policy can have any number of rules, which contain the core logic of an XACML policy. Each rule is composed of a condition, an effect and a target. Conditions are statements (Boolean functions) about attributes that upon evaluation return true, false, or indeterminate. Effect is the intended consequence of the satisfied rule. It can either take the value permit or deny. Target, as in the case of a policy, helps in determining whether or not a rule is relevant for a request. The mechanism for achieving this is also similar to how it is done in the case of a target for a policy. The final outcome of the rule depends on the condition evaluation. If the condition evaluates to true, then the rule's effect (permit or deny) is returned. If the condition evaluates to false, the condition doesn't apply (not-applicable). Evaluation of a condition can also result in an error (indeterminate). Conditions can be quite complex, built from an arbitrary nesting of functions and attributes branching from the top-level Boolean function.
Rule/Policy Combining Algorithms: Because a policy or policy-set may contain multiple rules or policies, each of which may evaluate to different access control decisions, XACML needs some way of reconciling the decisions each rule or policy makes. This is done through a collection of combining algorithms. Each algorithm represents a different way of combining multiple decisions into a single decision. There are policy combining algorithms (used by policy-Set) and rule combining algorithms (used by policy). An example of these is the deny overrides algorithm, which says that no matter what, if any evaluation returns deny, or no evaluation permits, then the final result is also deny. These combining algorithms are used to build up increasingly complex policies, and they are what allow XACML policies to be distributed and decentralized. While there are several standard algorithms, one can build one's own combining algorithm to suit specific needs.
Obligations: One of the objectives of XACML is to provide much finer-level access control than mere permit and deny decisions. Obligations are the mechanism for achieving this. Obligations are the actions that shall be performed by the PEP in conjunction with the enforcement of an authorization decision. After a policy has been evaluated, specific obligations are sent to the PEP along with the authorization decision. In addition to enforcing the authorization decision, the PEP is responsible for executing the operations specified as obligations. One example of the obligation is to send a log message to a specified log server whenever a request is denied.
Attributes, Attribute Values, and Functions: The currency that XACML deals in is attributes. Attributes are named values of known types. Specifically, attributes are characteristics of the subject, resource, action, or environment in which the access request is made. For example, a user's name, their group membership, a file they want to access, and the time of day are all attribute values. When a request is sent from a PEP to a PDP, that request is formed almost exclusively of attributes, and they will be compared to attribute values in a policy to make the access decisions. A policy resolves attribute values from a request or from some other source through two mechanisms: the AttributeDesignator and the AttributeSelector. An AttributeDesignator lets the policy specify an attribute with a given name and type, and optionally an issuer as well. The PDP looks for that value in the request, and failing that, can look in any other location (like an LDAP service). There are four kinds of designators, one for each of the types of attributes in a request: subject, resource, action, and environment. Subject attributes can be broken into different categories to support the notion of multiple subjects making a request (for example, the user, the user's workstation, the user's network, etc.), so SubjectAttributeDesignators can also specify a category to look in. AttributeSelectors allow a policy to look for attribute values through an XML Path Language (XPath) query. A data type and an XPath expression are provided, and these can be used to resolve some set of values either in the request document or elsewhere (just as AttributeDesignators do).
Both the AttributeDesignator and the AttributeSelector can return multiple values (since there might be multiple matches in a request or elsewhere), so XACML provides a special attribute type called a bag. Bags are unordered collections that allow duplicates, and are always what designators and selectors return, even if only one value was matched. In the case that no matches were made, an empty bag is returned, although a designator or selector may set a flag that causes an error instead in this case. Bags are never encoded in XML or included in a policy or request/response. Once some bags of attribute values are retrieved, the values need to be compared to the expected values to make access decisions are available. The comparison and retrieval is done through a powerful system of functions. Functions can work on any combination of attribute values, and can return any kind of attribute value supported in the system. Functions can also be nested, so you can have functions that operate on the output of other functions, and this hierarchy can be arbitrarily complex. Custom functions can be written to provide an even richer language for expressing access conditions. One thing to note when building these hierarchies of functions is that most of the standard functions are defined to work on specific types (like strings or integers) while designators and selectors always return bags of values. To handle this mismatch, XACML defines a collection of standard functions of the form [type]-one-and-only, which accept a bag of values of the specified type and return the single value if there is exactly one item in the bag, or an error if there are zero or multiple values in the bag. These are among the most common functions used in a condition.
2.5 Common Network Platforms
There are many hardware and software based approaches known in the art that provide authorization services to applications: Server-centric approaches provide authorization services in the server, typically from within the application, where access control is tightly integrated. Network-centric approaches such as firewalls use network-layer constructs (for example, MAC address, IP address, ISO Layer-4 port information, etc.) for access control. Most network-centric approaches are implemented as network appliances and operate in a similar fashion to a network proxy and/or network gateway.
For such authorization systems to work with ISO Layer-4 to ISO Layer-7 applications, it is essential to understand the semantics of the many different protocols, for example, Hypertext Transfer Protocol (HTTP), Common Internet File System (CIFS), SQLNet, etc., because, depending on a configured policy it may be necessary to change the payload of an application message. Therefore, to understand the protocol semantics and perform the actions specified in the policy, a protocol proxy may need to be implemented.
FIG. 9 shows such a protocol proxy as it is currently used in the art: The proxy 4032 sits in between a connection from a client 4031 to a server 4033. The proxy 403 services requests of its client 4031 by forwarding requests to one or more other servers 4033. A client 4031 connects to the proxy 4032, requesting some service, such as a file, connection, web page, or other resource, available from a server 4033. The proxy 4032 provides the resource by connecting to the specified server 4033 and requesting the service on behalf of the client 4031. A proxy 4032 may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server, for example when the proxy has already cached a copy of the expected reply from server 4033.
Building a proxy for a standard protocol such as HTTP is a well known in the art. However, in practice there exist specific custom protocols written on top of TCP. Thus, mechanisms should be provided for understanding the semantics of these custom protocols. Depending on the application, a protocol proxy may need to analyze the request, analyze the response or analyze both request and response. For example, network-based authorization decision may need to be made to analyze the request to determine whether the given transaction shall be allowed or not.
2.6 Virtualization
Virtualization in computing refers to the abstraction of computing resources. It can be used to hide the physical characteristics of computing resources from the way in which other systems, applications, or end users interact with those resources. For example, the electronic system 1061 from FIG. 10 is hidden by the Electronic System View 1060.
Virtualization includes making a single physical resource (such as a server, an operating system, an application, or storage device) appear to function as multiple logical resources. This is sometimes called partitioning and is described in FIG. 11: The Electronic System 1050 provides several resources, so-called contexts such as Context A 1051, Context B 1052, Context C 1053, Context D 1054.
Virtualization can also cluster multiple physical resources (such as storage devices or servers) to make them appear as a single logical resource, which is described in FIG. 12: Several Electronic Systems, Electronic System A 1041, Electronic System B 1042, Electronic System C 1043 and Electronic System D 1044, are clustered to form one Electronic System Cluster 1040.
In enterprise networking, virtualization can be used to achieve high availability, for example by clustering redundant physical resources, or can reduce the total cost of ownership by sharing one partitioned resource among different business units.
2.7 Virtual Directory Infrastructure
Many enterprises end up deploying and maintaining a variety of user identity stores in their environment. Multiple identity stores emerge for a number of reasons: Existing deployments of applications may require their own, dedicated user identity repositories. Or, different identity repositories may be deployed to support distinct client communities, for example, intranet versus Internet clients, or clients in different divisions of the same company. Also, different identity stores may be deployed to support a distinct community of applications such as Enterprise Resource Planning (ERP) systems, remote network access, collaboration, etc. In addition, merged or acquired companies may bring their own user identity stores into the enterprise.
There are no standard ways in the art to store identity information. For example, it could be managed in any of the following ways: In external directories such as LDAP, AD; using external databases, or using application-specific custom formats, or in any other way known to or contemplated by one of skill in the art.
With multiple identity stores, it is difficult to enforce and monitor compliance and maintain consistent corporate security policies. Without a single application-level view of the identity information, deployment of enterprise access services such as authorization or single sign-on becomes very difficult. The entity providing the service should be capable of supporting the many different protocols required by different identity repositories. In addition, different sources store identity information in different formats, and access to the data requires different interfaces.
Virtual Directory Infrastructure (Virtual Directory Infrastructure) simplifies this task by providing an abstraction layer to communicate with different identity stores. Virtual Directory Infrastructure is commercially available in either hardware or software products.
2.8 Traditional Multiple-Server-Based Appliances
Architectures known in the art for enterprise multi-server based network appliances are typically either Ethernet packet-switch based architectures implemented in multiple modules or X86 server-based in a single network appliance. The fundamental drawbacks of such architectures found in other approaches is the overhead of running a reliable protocol when communication needs to happen between modules, and problems with multiple transport protocol termination for multiple services (or sometimes even for single service if the implementation of the single service is split across multiple modules). One problem of multiple transport protocol terminations for multiple services is outlined in FIG. 3: It is clear that multiple transport protocol terminations add to the overall latency in the client-to-server (or server-to-server) communication.
Other drawbacks of Ethernet packet-switch based architectures are that they support only very primitive flow control or no flow control at all, which makes it hard to scale these architectures with increasing network bandwidth demand. Nor is there any hardware retry of corrupted packets, or memory level visibility within different processing elements to build a reliable solution for high availability.