The use of telecommunications networks has increased dramatically over the past 20 years. The entire world is increasingly reliant on network accessibility for voice, data and video communication, now integral to personal, government, business, education, health and safety communications. Network security concerns regarding the security of personal and confidential information transmitted over communication networks are now foremost in the minds of network service customers, network administrators and network service providers.
Network security consists of the provisions made in an underlying computer network infrastructure, policies employed by the network administrator to protect the network and the network-accessible resources from unauthorized access, and consistent and continuous monitoring and measurement of the actual network performance.
A challenge occurs when interconnected networks, such as those of the Internet, have different levels of network security. For the purposes of description herein, the point where networks interface will be referred to as a Boundary Interface (BI), with the element of the interface, typically hardware, software or some combination of hardware and software, characterized as a Boundary Interface Element (BIE). It is at network BIEs where network security policies are enforced.
At a BIE, one network may wish to only transmit or receive information from another network without allowing the other network direct, two-way access to sensitive networks, sub-networks or network access devices on the network. Safeguards placed within sensitive networks can be used to provide a security boundary that prevents outside access to internal networks, and maintains a zone of integrity, where all information is known to be secure, sanitized and authentic. Such zones of integrity are sometimes referred to as demilitarized zones (DMZs).
In communication networks, information is typically transmitted in the form of data packets. Information present at a network or Website may be accessed by or transmitted to another network or Website by a command originated by either network. Therefore, confidential information needs appropriate safeguards against unauthorized access and/or transmission. Packet filtering is typically implemented by a network component known as a “firewall.” FIG. 1 is an exemplary prior art block diagram 100 of a network utilizing a firewall. A plurality of Network Access Devices (NADs) shown as NAD1 102, NAD2 104 and NAD3 106 communicate through a firewall 110 with a router 120, which is coupled to a network 130. The firewall's function is to inspect and filter data packets as specified by the policies specified by the network administrator. As is well known, those packets that pass the policy inspection are allowed to pass through the firewall, while those packets that fail the policy inspection are not allowed to pass through the firewall.
A service customer network administrator typically permits broad access on one side of the firewall, but blocks transmissions in the opposite direction that are not part of an active network session. For example, “inside” company employees could be permitted to have unrestricted access through the firewall to an “outside” network such as the Internet, but access from the Internet is blocked unless it has been specifically authorized. An example of this type of control is a firewall capable of “stateful inspection” of traffic flows. In addition to such a firewall at a corporate boundary or BI of a network, such as the Internet, firewalls can be utilized between networks, and can also be used within a network to protect sub-networks. In each case, security policies developed, implemented and enforced by the network administrator and appropriate hardware/software such as a firewall are typically involved.
At every boundary, interface, or border, the scenarios of (1) Provider and Customer interfaces, (2) Business to Business (B2B) interfaces between companies, and (3) Peer to peer and interfaces, there is typically an unbalanced level of authorized control over devices connected to both sides. Balanced control typically requires back-to-back firewalls, each protecting its interface and controlling access from the other. FIG. 2 is an exemplary prior art block diagram 200 of networks utilizing back-to-back firewalls. Network A 210 utilizes security policies implemented by a network administrator for network A that are enforced by its firewall A 220. Likewise, network B 240 utilizes security policies implemented by a network administrator for network B that are enforced by its firewall B 230. The networks interact and implement their respective network security policies at the coupling 250 of the respective BEs (Firewalls 220 and 230). With this configuration, each network administrator retains full and exclusive administrator control over their connection. Each network administrator has neither revealed their interface configuration, nor can see the interface configuration of the interface for the other network. Misaligned policies require both sets firewalls and network administrators to be available simultaneously to resolve a problem. This conventional solution, therefore, is expensive to implement and maintain, and can leave networks vulnerable to a security attack if not actively managed.
As customer's network security policies evolve, the network administrator or corporate Chief Security Officer responsible for a network should refuse to have vendors (e.g. WAN service providers, or other network-related service vendors) be given limitless access to their entire network without positive enforcement of their access. Such access may well come increasingly under scrutiny and could be interpreted as unauthorized access to the customer's network, particularly when managed devices are in many places within the service customer's network.
The challenge for service providers is that service customers are no longer satisfied to let a WAN service provider take the responsibility of making the network connections work, keep them private (not mix with networks that are not authorized to join or access their network), and watch for errors and performance. Not only are service customers getting more technically savvy, but they are coming under increasing regulatory pressures (Federal, state, and industry)—Sarbanes Oxley (SoX), Gramm-Leach-Bliley (GLBA), HIPAA, Payment Card Industry (PCI-DSS), and others, to validate that their financial and other systems are indeed protected and the security, integrity, and confidentiality of their financial and other sensitive data are actively under enforcement methods known to their end users. Service customers, as a result, require more and more access to devices owned and “managed” by the service provider, which reduces the level of control and reduces the confidentiality of the configuration and other security information about those devices. Some extreme interpretations have led service customers to request illogical and unsupportable arrangements such as “co-management”, where both service provider and service customer have administrative access to all the BEs and their interfaces. Dispersed authority as allowed under “co-management,” where more than one party can alter configurations, similarly disperses responsibility for proper configuration, and as a result reduces the overall security for all parties involved.
Service level agreements become quite untenable when both parties, service providers and service customers, have access to make changes affecting both parties, where either party may execute such a change prior to first seeking agreement and consent of the other party or just executing without telling the other party. This problem is resolved by implementing Independent Role Based Authorization (IRBA) in the boundary interface between the service provider and the service customer.
The challenge for service customers of services, such as WAN services, has been that historically the service provider has been trusted to provide “managed” WAN service. This has typically been comprised of “leased line” commercial communications services where there was no chance of “leakage” or “contamination” of the communications services, so the risk of unauthorized access to managed devices was low. Today, however, high performance and feature-rich communications in a “converged IP” environment may in a single service include private intranet, voice, video, internet, and business partner services. Managed multiprotocol label switching (MPLS) services provide Class Of Service (COS) with Service Level Agreements (SLA's) defining such things as availability (% up-time) and available bandwidth backed up by financial penalties. As a result of this, a service customer network which has outsource management of their WAN and “converged IP” services, has also given up control of BIEs and therefore network security. Although network service providers are (in the US and other countries) required by law to avoid observation of customer data entrusted to the service provider without intervention by law enforcement such as a court order, there is no technical enforcement of the access by associates who are employees of the service provider. Any service provider associate with authorization to log on to a service customer premises router could establish network connections inside the service customer's network. The risk of external access to the service customer's network remains even if the WAN services are down (not available) as an out of band management tool, such as a modem, may have been installed and is likely still active, even as the WAN is down. In this situation, the modem can still be used by an attacker to connect through the service customer's router, and obtain access to the service customer's network without the service provider's knowledge. Passwords and other authentication do have to be known to the attacker to do this, but these data are routinely known to the responsible technicians who work for the service provider.
Service customers should take every reasonable step to protect both their company data and the data of their end users (their customers) confidential. This should extend to equipment and services provided by vendors—including everything done by those vendors. This may be acceptable to the service provider if the service were an extension of the customer's network, but if the service provider's management servers are used to support many customers, it is not appropriate to yield control of the “managed devices.” Any device that is not “fully managed,”—i.e. with exclusive device administrative control by the service provider, is potentially at risk of attack and compromise by the service customer or anyone with access to the service customer's network, including visitors, business partners, vendors, outsource workers, consultants, etc. Each party, both service provider and service customer, need to be explicitly clear on what part of the system belongs to them, and to fully accept their responsibility to actively manage those BIEs.
It would therefore be desirable to develop a system, device and method to improve network security while providing network administrators with better visibility, control and auditing capability of network operations by establishing Independent Role Based Authorization (IRBA) of network Boundary Interface Elements (BIEs). To the inventors' knowledge, no such system or method currently exists.