This invention relates to network security and in particular to methods for determining identity, as herein understood, in network data communication. More particularly this invention relates to end-to-end network modeling extended to incorporate and properly model the identity capabilities in network equipment. As herein used, “identity” refers to the identification associated with meta-data about the user of a network, beyond the conventional networking concept of an endpoint address for a node.
Known Information Technology (IT) networks use Internet Protocol (IP) addressing to enable communication. Multiple devices make decisions about IP packet headers (and sometimes message content), including devices such as routers and firewalls. These devices interact in complex ways, making it difficult for IT staff to correctly predict or understand end-to-end effects. As an example, when access is blocked between two locations, the immediate issue is: Why is it blocked? Is it a deliberate decision of a security device (which is configured to prevent this access and others), or is it an unintentional failure of the intervening equipment? Alternately, if access is allowed, why is it allowed—what path does it follow? These issues may appear to be simple, but networks are explosively complex. Similar to the game of chess, the number of rules is modest, but the number of possible combinations is extremely large, which presents a formidable barrier to understanding.
In-line network technologies also grow more complex over time, allowing or denying access according to an ever larger set of criteria. This too presents a barrier to understanding. Neither the newly added technology nor the technologies already in place need be particularly complex in isolation. By way of analogy, consider adding one more rule to chess. Since the game is already complex to play with a simple rule set, adding even a simple rule can make it still more difficult to analyze.
In response to such increases in complexity, technologies have been developed to model complex networks in order to answer key questions for network designers, builders and operators. These technologies model the individual rules of multiple devices to see how they interact as an end-to-end system. Key to these products is the modeling of interaction. This modeling is not concerned merely with how one rule or one device operates, but is aimed at determining how a whole system behaves in aggregate. The chess analogy applies: it is easy to analyze the rules for how one chess piece is allowed to move, but it is difficult to analyze a whole chess match. Likewise, the subject techniques do not deal merely with individual devices, but rather with complex, interacting sets of devices. Herein, these products are referred to as “end-to-end network modeling” technologies. Examples of techniques of this category have been incorporated into commercial products offered by the assignee of the present invention, marketed under the names Network Advisor and Vulnerability Advisor, but examples also include the products offered by Skybox Security, Athena Security, FireMon, and others. This active market space focuses particularly on security questions in end-to-end modeling. There are other, related spaces for technologies focused on green-field design or on operational availability questions. Examples of vendors of such products include OpNet Technologies, Netsys Technologies, and the Wide Area Network Design Laboratory.
One of the challenges in the field of end-to-end network modeling is the rapid pace of technological change in the network components. Many new network capabilities are evolutions of existing methods, but others represent a conceptual shift in how end-to-end connectivity is created or controlled. One recent area of innovation has been the incorporation of “identity,” as herein defined, into some classes of network devices. For example, users may be required to log in to some authentication scheme before being allowed access to certain network assets. The technologies that correlate network flows with notions of “identity” coming from “above” the network layer have been developing in recent years. Examples of this technology include various Network Access Control (NAC) products, including offerings from Cisco Systems, Juniper Networks, and others. These techniques broadly deal with the connection of the endpoint to the network, close to where the device in question physically connects. Other approaches include various devices primarily associated with mobile devices, an approach generally known as “Bring Your Own Device” (BYOD), in reference to employees purchasing network endpoints and to the additional security and infrastructure requirements needed to allow personal devices to operate safely and correctly in a corporate environment. Another related technology deals with mid-path “identity controls,” most often as a feature of a firewall or other mid-path device, which can enforce rules about low-level network flows based on correlation with higher-level models of end-user identity. (This is distinct from conventional firewalling, which enforces policies written in terms of the endpoint addressing or protocols in use; such policies do not always correlate well with user identities.)
The core behavior of an end-to-end network modeling technology is the computation of access between two endpoints across the network. The core challenge with “identity” technologies, as herein defined, is that they do not operate in terms of endpoints: in the course of a day, for example, a single user may log in from a variety of devices in different locations, or may be active on more than one device, each with a different endpoint address, at the same time. Identity is relatively static in its allocation (an identity generally belongs to a single network user) but highly dynamic on the network itself, as the user moves between devices and locations.
Networking equipment products that deal with identity generally work locally. In other words, the products enforce policy locally or for a zone, using dynamic state that relates an identity to an endpoint or session. This mapping of a user identity to an endpoint or session is ephemeral: it is generally held as dynamic state in the memory of the network control point. Beyond this dynamic state, there are rules of two main sorts: a first rule that allocates users to groups, and a second rule that enforces policies on those groups. The first form of rule, mapping users to groups, may reside on the network control point or elsewhere. (For example, the users may be represented in a separate user identity store, such as Microsoft's Active Directory or a competing directory, and the mapping to groups may occur in that separate system.) The second rule, tying a group to a behavior or set of access rules, is typically configured on the network control point and is much less dynamic. Product literature and published art often refer to “dynamic policies” in this context, but the dynamism lies in the first class of rule, the mapping of identities to groups. The behavior for the group is typically more static, in that it is held in configured rules that are changed only occasionally by operations staff.
Collecting live data on dynamic users involves substantial practical challenges and operational burdens, whereas the static rules can generally be gathered by the existing protocols and tools that already collect non-identity rules from similar equipment.
There is a distinction between endpoint controllers and session controllers. This distinction, as later explained, is material to the details of the invention.
In previous end-to-end network modeling, typical analysis results include the response to queries regarding what access is possible between one endpoint and another, or regarding the means of access permitted across the network. Answering such queries requires understanding the various interacting technologies between the two endpoints. This is a complicated technical process in itself, but it depends fundamentally on having an endpoint or a set of endpoints in the model. Modern mobile devices are extremely fast-moving, making it technically difficult and expensive to gather instant-by-instant telemetry on every endpoint as it moves around, which frustrates the ability of operations staff to benefit from end-to-end modeling capabilities.
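The two classes of rule described above (a dynamic user-to-group mapping held in an identity store, and static group-to-behavior rules configured on the control point), together with the ephemeral endpoint-to-user session state, can be made concrete in a small model. The following is an added illustration written for this page; it is not code from the patent or from any product named here. The identity store, session table, rule set, addresses and group names are all constructed for the example. It contrasts a conventional endpoint-to-endpoint access query, whose answer depends on live session state, with a group-centric query that is answered from the static rules alone.

```python
"""Toy end-to-end access model with identity-aware firewall rules.

Added example, not code from the patent or any product named on the page.
All names, prefixes, sessions and rules are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Rule class 1: user -> groups. Dynamic, and may live in a separate identity
# store (an Active Directory-style directory) rather than on the control point.
IDENTITY_STORE = {
    "alice": {"engineering", "vpn-users"},
    "bob": {"finance"},
}

# Ephemeral state: endpoint address -> logged-in user, as held in the memory of
# an identity-aware control point. Constructed; this is the data that is costly
# to collect live and that changes as users move between devices and locations.
SESSIONS = {
    "10.0.5.17": "alice",
    "192.168.9.4": "alice",   # same user, second device, different location
    "10.0.5.20": "bob",
}


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source prefix (CIDR)
    dst: str                      # destination prefix (CIDR)
    port: Optional[int]           # None matches any port
    group: Optional[str] = None   # None: conventional address-only rule


# Rule class 2: group -> behavior. Static, configured on the control point,
# and collectable with the same tooling used for ordinary firewall rules.
RULES = [
    Rule("allow", "0.0.0.0/0", "10.1.0.0/16", 22, group="engineering"),
    Rule("allow", "0.0.0.0/0", "10.2.0.0/16", 443, group="finance"),
    Rule("allow", "10.0.5.0/24", "10.3.0.0/16", 80),        # address-only rule
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),           # default deny
]


def evaluate(rules, src_ip, dst_ip, port, groups):
    """First-match evaluation of an ordered rule set for one flow.

    `groups` is the set of identity groups attributed to the source; an
    identity rule matches only when its group is in that set.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if src not in ip_network(r.src) or dst not in ip_network(r.dst):
            continue
        if r.port is not None and r.port != port:
            continue
        if r.group is not None and r.group not in groups:
            continue
        return r.action
    return "deny"   # implicit deny when nothing matches


def groups_for_endpoint(src_ip, sessions):
    """Resolve endpoint -> user -> groups through the ephemeral session table."""
    user = sessions.get(src_ip)
    return IDENTITY_STORE.get(user, set()) if user else set()


def endpoint_access(src_ip, dst_ip, port, sessions=SESSIONS):
    """Conventional endpoint-to-endpoint query; its answer depends on live
    session state and goes stale as soon as the user on src_ip changes."""
    return evaluate(RULES, src_ip, dst_ip, port, groups_for_endpoint(src_ip, sessions))


def group_access(group, dst_ip, port, src_ip="0.0.0.0"):
    """Identity-centric query answered from the static rules only.

    Asks whether a member of `group`, arriving from `src_ip` (by default an
    address outside every internal prefix, i.e. an unknown device), may reach
    dst:port. No session table is consulted, so the answer holds regardless of
    which device or location the user happens to be on.
    """
    return evaluate(RULES, src_ip, dst_ip, port, {group})


if __name__ == "__main__":
    print(endpoint_access("10.0.5.17", "10.1.4.2", 22))     # allow: alice is engineering
    print(endpoint_access("192.168.9.4", "10.1.4.2", 22))   # allow: same identity, new device
    print(endpoint_access("192.168.9.4", "10.3.1.1", 80))   # deny: address rule, wrong prefix
    print(group_access("engineering", "10.1.4.2", 22))      # allow, no session state needed
    print(group_access("finance", "10.1.4.2", 22))          # deny
```

The endpoint query gives a different answer for the same destination the moment a different user logs in on the same address (pass a modified session table to `endpoint_access` to see this), while the group query is stable because its inputs are exactly the rules that ordinary configuration-collection tooling already retrieves.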
What is needed is a mechanism to increase the accuracy of identification as herein defined in such dynamic environments.