1. Field of the Invention
Embodiments of the present invention generally relate to the field of network security, and more particularly, to detecting and tracking the presence of end host machines in a layer 2 Ethernet network.
2. Description of the Related Art
One goal of network security is to prevent network access by unauthorized end host machines. To meet this goal, network access devices (NADs)—such as switches, routers, and wireless access points—dynamically grant access privileges to end user hosts upon request and revoke those access rights almost immediately should the hosts become disconnected or inactive. This security measure helps to prevent a malicious host from reusing the access privileges granted to an authorized host that is no longer connected to the network.
In order to monitor the existence of authorized hosts on a regular basis during their session lifetime, some type of host tracking mechanism is required that can be used by security applications operating on the NADs. However, switches and other layer 2 devices according to the Open Systems Interconnection Reference Model (OSI Model) are somewhat limited in their ability to track all types of hosts. For instance, one idea for switches has been to have this type of NAD constantly monitor the switched data traffic from the connected hosts. Because the data traffic is switched in hardware, and may therefore never be seen by the control plane processor on which the admission control security applications reside and operate, this idea is not feasible in all cases.
A second idea has been to have the authorized end hosts periodically send keep-alive messages to the NAD, using a dedicated software application operating at layers 4 through 7 on the supplicants, to assert their continued connection. This type of communication may require layer 3 Internet Protocol (IP) connectivity between the end hosts and the NAD, which is generally not available on a pure layer 2 NAD. Furthermore, it may not be feasible from an administrative point of view to install and configure such application-specific client software on all of the end hosts in a large-scale network. Besides the sheer size of the network, the end host devices may range from managed IP hosts (which an administrator may easily configure) to unmanaged IP hosts, guest personal computers (PCs), IP phones, and printers (where installing client-specific application software may not be desirable, practical, or even possible on a given device). In addition, conventional supplicant application software oftentimes has reassessment/re-authentication timeouts configured to such a large value that they are rendered useless for tracking host liveness.
Accordingly, what is needed is a platform-independent method by which a layer 2 network access device can detect the presence of any type of connected IP endpoint host and use this knowledge to enforce and revoke admission control privileges at layer 2.