Using the inter-networked system of devices known as the Internet as an example, typical connections to the Internet are made using Internet Protocol (IP) Addresses. The IP Addresses allow communication over the Internet to be directed from a specific source to an appropriate destination. Thus, in each packet of information sent over the Internet, you typically expect to find the IP address of both sender and destination. A full IP Address consists of the actual IP address location and a Port Number. The IP Address is in the format “nnn.nnn.nnn.nnn,” where n is between 0 and 255. There may be from one to three digits between each dot in the address, for example 203.77.8.99.55. Most Internet users are familiar with Domain Names, which are readable versions of IP addresses, such as “hamburger.com” or “answerit.net”. Port Numbers can be any number from 0 to 65535, with the first 1024 called “well known” Port Numbers, which define specific tasks (e.g. web browsing occurs on the “well known” port number 80; the file transfer protocol (FTP) uses port 20 and port 21; the simple mail transfer protocol (SMTP) uses port 25).
Again by way of example, a highly simplified breakdown is presented of the contents of a data packet that carries a request for access to a web page from one device on the inter-networked system to a server device also on the system. The packet contains various fields, not all of which are discussed herein. The packet includes a beginning field universally recognizable by devices on the network as the start of a packet, and an ending field recognizable as the end of the packet. One field indicates the source of the data packet, by network address of the device sending the request. This field may contain IP and/or Media Access Control (MAC) addressing information. Necessarily, the destination address field provides the destination network address of a network device that is to receive the packet, and may also contain IP and/or MAC layer addressing information. Also included in the packet is a data field used to transport the data or payload of the packet from the browser software on the requesting device to the web server software operating on the receiving device.
Typically the requesting device and the receiving device on the inter-networked system will be separated by one or more network devices known as routers, which function to facilitate communications on the Internet, to control access to various portions of the inter-networked system, or to control access to a proprietary Local Access Network connected to the Internet. Due to the constantly growing size of the Internet and the need to control access, there will typically be several routers between devices. In particular systems that perform access control, packet information is compared against database information available to the router device using an application programming interface that allows the router device to compare any selected packet field, such as addresses and port information, in all packets intended to pass through the router. The router device 100 can also detect TCP socket and/or session numbers or other unique identifiers within TCP/IP. The selection and ordering of unique identifiers used in comparing packets to the database is not uniform among routers on the network, inasmuch as various manufacturers use different strategies and different formats to create the control interfaces. Thus, the router devices are considered to be non-homogenous.
Router devices typically include a plurality of interfaces which define how the router controls the flow of packets arriving at or sent from the respective interface. The interfaces typically use an Access Control List (“ACL”). The formatting and selection of the fields or parameters used in each entry in the ACL is again not uniform across router devices, due to variations between manufacturers. ACLs filter packets and can prevent certain packets from entering or exiting a network or portion of a network. Essentially, each ACL is a list of information that a router device may use to determine whether packets arriving at or sent from a particular interface may be communicated across the router. For example, the ACL may comprise a list of IP addresses and the types of protocol allowed for each IP address. In another example, the ACL may comprise a list of IP addresses and port identifiers. In either example, a specific entry in the ACL may control permission or denial of communication based on one or more fields in a packet. The specific format of any particular ACL used in any router device may be ascertained from the manufacturer's data sheets or other information; however, the present invention is needed because of the non-homogenous nature of the infrastructure of the inter-networked system. That is to say, currently a router from one manufacturer may have an ACL which utilizes a number of fields to selectively filter packets, while another router from a different manufacturer will have an ACL in a different format utilizing a different set of fields to selectively filter packets. In the environment present today, an organization will likely have diverse locations on the inter-networked system using non-homogenous routers, so ACL filtering will not be uniform across the organization.
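As an added illustration of the problem described above (not code from the original document), the following Python maps two constructed, hypothetical vendor ACL syntaxes, one keyed on address plus protocol and one on address plus port, into a single vendor-neutral rule form and then reports the packets on which the two routers would reach different decisions. The vendor syntaxes, ACL entries and sample packets are all invented for the example; the dotted-quad and port-range validation follows the format rules stated earlier on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample ACLs in two hypothetical vendor syntaxes (not any real vendor's format).
# Vendor A entries: "<permit|deny> <source ip> <protocol>"   (address + protocol)
# Vendor B entries: "<source ip>,<dest port>,<allow|block>"  (address + port)
VENDOR_A_ACL = ["permit 203.77.8.99 tcp", "deny 10.0.0.5 any"]
VENDOR_B_ACL = ["203.77.8.99,80,allow", "10.0.0.5,25,block"]

@dataclass(frozen=True)
class Rule:
    """Vendor-neutral ACL entry: the common form both syntaxes are mapped into."""
    action: str                 # "permit" or "deny"
    src: str                    # source IPv4 address in nnn.nnn.nnn.nnn form
    proto: str = "any"          # "tcp", "udp" or "any"
    port: Optional[int] = None  # destination port; None means any port

def parse_vendor_a(line: str) -> Rule:
    action, ip, proto = line.split()
    ipaddress.IPv4Address(ip)   # raises ValueError unless four octets, each 0-255
    return Rule(action, ip, proto)

def parse_vendor_b(line: str) -> Rule:
    ip, port, action = line.split(",")
    ipaddress.IPv4Address(ip)
    if not 0 <= int(port) <= 65535:
        raise ValueError("port outside 0-65535: " + port)
    return Rule("permit" if action == "allow" else "deny", ip, "any", int(port))

Packet = Tuple[str, str, int]   # (source ip, protocol, destination port)

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; a packet matching no entry is denied."""
    src, proto, dport = pkt
    for r in rules:
        if r.src == src and r.proto in ("any", proto) and r.port in (None, dport):
            return r.action
    return "deny"

def policy_diff(rules_a: List[Rule], rules_b: List[Rule], packets: List[Packet]) -> List[Packet]:
    """Packets on which the two routers' ACLs reach different decisions."""
    return [p for p in packets if evaluate(rules_a, p) != evaluate(rules_b, p)]

if __name__ == "__main__":
    a = [parse_vendor_a(line) for line in VENDOR_A_ACL]
    b = [parse_vendor_b(line) for line in VENDOR_B_ACL]
    packets = [("203.77.8.99", "tcp", 80), ("203.77.8.99", "tcp", 443),   # constructed
               ("10.0.0.5", "tcp", 25), ("192.0.2.1", "udp", 53)]
    print(policy_diff(a, b, packets))   # [('203.77.8.99', 'tcp', 443)]
```

The disagreement on port 443 is the non-uniformity the text describes: the same host is fully permitted by the protocol-keyed ACL but only on port 80 by the port-keyed one, so the organization has no single effective policy until both are expressed in the common form and reconciled.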
In certain situations, access control across an organization needs to be uniform to ensure that each part of the organization is secure from outside intervention or attack by unauthorized entities. Accordingly, a need exists to provide uniform access security across non-homogenous networks.