This invention relates to network security and in particular to methods for determining access for dynamic servers, as herein understood, in network data communication. More particularly, this invention relates to end-to-end network modeling extended to incorporate and properly model the capabilities for template-based generation of virtual servers in networked equipment. As herein used, “template-based provisioning” refers to identification by means of meta-data associated with a dynamically provisioned endpoint of a network, beyond the conventional networking concept of a static endpoint address for a node.
By this application, the concept of identifying users at dynamic endpoints by associating users with user devices has been extended to dynamically provisioned virtual servers. Known Information Technology (IT) networks use Internet Protocol (IP) addressing to enable communication. Multiple devices make decisions about IP packet headers (and sometimes message content), including devices such as routers and firewalls. These devices interact in complex ways, making it difficult for IT staff to correctly predict or understand end-to-end effects. As an example, when access is blocked between two locations, the immediate issue is: Why is it blocked? Is it a deliberate decision of a security device (which is configured to prevent this access and others), or is it an unintentional failure of the intervening equipment? Alternatively, if access is allowed, why is it allowed—what path does it follow? These issues may appear to be simple, but networks are explosively complex. Similar to the game of chess, the number of rules is modest, but the number of possible combinations is extremely large, which presents a formidable barrier to understanding.
Modern endpoint provisioning technologies, including cloud, private, and hybrid virtualized data centers, add significant additional complexity to the existing issues in understanding network access and control. This also presents a barrier to understanding. Neither the added technology nor the existing technologies need to be particularly complex in themselves. By way of analogy, consider adding one more rule to chess. Since the game is already complex to play with a simple rule set, adding even a simple rule can make the game even more difficult to analyze.
In response to such increases in complexity, technologies have been developed to model complex networks in order to answer key questions for network designers, builders and operators. These technologies model the individual rules of multiple devices to see how they interact as an end-to-end system. Key to these products is the modeling of interaction. This modeling is not just how one rule or one device operates, but it is aimed at determining how a whole system behaves in aggregate. The chess analogy applies: It is easy to analyze the rules for how one chess piece is allowed to move, but it is difficult to analyze a whole chess match. Likewise, the subject techniques do not deal merely with individual devices, but rather with complex, interacting sets of devices. Herein, these products are referred to as “end-to-end network modeling” technologies. Examples of techniques of this category have been incorporated into commercial products offered by the assignee of the present invention, and they are marketed under the names Network Advisor and Vulnerability Advisor, but examples also include the products offered by Skybox Security, Athena Security, FireMon, and others. This active market space focuses particularly on security questions in “end-to-end modeling.” There are other, related spaces for technologies focused on green-field design, or on operational availability questions. Examples of vendors of such products include OpNet Technologies, Netsys Technologies, and the Wide Area Network Design Laboratory.
One of the challenges in the field of end-to-end network modeling is the rapid pace of technological change in the network components. Many new network capabilities are evolutions of existing methods, but others represent a concept shift in how end-to-end connectivity is created or controlled. One area of recent innovation (and which is not prior art to the present invention) has been the incorporation of “template-based provisioning,” as herein defined, for the purpose of dynamic provisioning of network endpoints (often, but not exclusively, servers residing in virtualized data centers). For example, administrators may be provided with tools to specify that “new web servers in class X should use template Y,” meaning that any future servers dynamically added to the network at a given endpoint will inherit properties from template Y. This template Y can in turn specify diverse properties of the server, including (but not limited to) network access policies permitting or denying network flows. Of particular note here is that security rules—key to the end-to-end network modeling systems underlying this invention—are not associated with a pre-defined, known network endpoint. Rather, the template describes rules which will be associated later with one or many actual endpoints, as servers are added or removed using the template. Modeling this dynamic variation of the endpoints actually associated with the rules is the subject of the current invention.
The core behavior of an end-to-end network modeling technology is the computing of access between two endpoints across the network. However, the core challenge with “template-based provisioning” technologies, as herein defined, is that they do not deal in fixed network endpoints: in the course of a day, for example, a single template may be used to configure multiple different network endpoints, and so the set of endpoints associated with a template can fluctuate. Rules are allocated to the template relatively statically, but their effect on the network itself is highly dynamic, as the currently active set of servers using a given template changes.
Networking equipment products that deal with provisioning of endpoints from templates generally work in a specific local area. In other words, the products enforce policy locally, often endpoint by endpoint, including dynamic state that relates the relatively static templates to one or more endpoints. This mapping of a template to an endpoint or session is ephemeral: it is generally held as dynamic state in the controller of the virtualized instances. That is, there are associations of two main sorts: a first association of currently active network endpoints to templates, and a second association of security rules to those template groups. The first form of association, mapping endpoints to groups, generally occurs on the virtual server control point. The second association, tying the group to a behavior or set of access rules, is typically configured on the server control point and is much less dynamic. Product literature and published art often refer to “dynamic policies” in this context, but the dynamism is in the first class of association—the mapping of endpoints to templates. The behavior for the group is typically more static, in that it is held in configured rules that are changed occasionally by operations staff.
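A minimal model of the two associations just described, written as an added example and not code from the patent or the assignee's products: the template-to-rules mapping is the static part, the endpoint-to-template binding is the ephemeral part, and template_access answers the access question for a class of servers without knowing which servers are live at that instant. Template names, addresses, the first-match rule order and the implicit-deny default are all assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    action: str     # "permit" or "deny"
    src: str        # source CIDR the rule matches
    dst_port: int   # destination port the rule matches


@dataclass
class Template:
    name: str
    rules: list     # ordered; the first matching Rule wins (assumption)


class NetworkModel:
    """Static state: templates and their rules. Dynamic state: endpoint -> template."""

    def __init__(self, templates):
        self.templates = {t.name: t for t in templates}
        self.bindings = {}  # endpoint IP -> template name (ephemeral controller state)

    def provision(self, ip, template_name):
        self.bindings[ip] = template_name      # a server instantiated from a template

    def deprovision(self, ip):
        self.bindings.pop(ip, None)            # the server is torn down again

    def template_access(self, src_ip, template_name, port):
        """Evaluate a template's rules directly; needs no knowledge of live endpoints."""
        for r in self.templates[template_name].rules:
            if ip_address(src_ip) in ip_network(r.src) and r.dst_port == port:
                return r.action
        return "deny"  # assumption: implicit deny after the last rule

    def access(self, src_ip, dst_ip, port):
        """Conventional endpoint-to-endpoint query, resolved through the current binding."""
        template_name = self.bindings.get(dst_ip)
        if template_name is None:
            return "unknown"  # endpoint not (yet) in the model: nothing to evaluate
        return self.template_access(src_ip, template_name, port)

    def reachable_from(self, src_ip, port):
        """Endpoints currently permitting src_ip on port; shifts as servers come and go."""
        return sorted(ip for ip in self.bindings
                      if self.access(src_ip, ip, port) == "permit")
```

The template_access result stays constant while reachable_from changes on every provision or deprovision call, which is the distinction between the static and the dynamic association.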
Collecting live data on the current endpoints in a dynamic template-based provisioned environment involves substantial practical challenges and operational burdens, while the static rules are generally available to existing protocols and tools that are already capable of gathering non-template-based rules from similar equipment.
In previous end-to-end network modeling (that is not prior art to this invention), typical analysis results include the response to queries regarding what access is possible between one endpoint and another endpoint, or regarding the access means permitted across the network. This involves understanding the various interacting technologies between the two endpoints. This is a complicated technical process in itself, but it depends fundamentally on having an endpoint or a set of endpoints in the model. Modern devices controlled by template-based provisioning systems, such as virtualized data centers, are extremely fast-moving, making it technically difficult and expensive to gather instant-by-instant telemetry on every endpoint as it is added to or removed from the network, frustrating the ability of operations staff to benefit from the end-to-end modeling capabilities.
What is needed is a mechanism to increase the accuracy of identification as herein defined in such dynamic environments.