U.S. Patent May 17, 2011 Sheet 2 of 3 US 7,945,945 B2

Information                        | Change triggers                   | Policies
-----------------------------------+-----------------------------------+-------------------------------------------
Address Block                      | Change in address                 | Admin preset
User ID                            | Time Outs                         | Internet Access Only
Device type                        | Link Changes, up/down, speed      | IEEE 802.1X Authentication Required
Device Location                    | User Changes                      | Disable Unused Ports
Access Location                    | Device Additions                  | Specific Application Access Only
Port Type and Speed                | Network Service Changes           | Priority Access
Users Per Port                     | Access Device Changes             | Application Bandwidth Limits
Time Of Access                     | Application Access Request        | Multi-step authentication
Application Priority               | Protocol Change                   | Log All Traffic
Port Security                      | Additional Wireless User          | Set Group Characteristic Rules
Ethernet Protocol                  | Bandwidth Changes                 | Flow Logging
Level of Trust                     | Routing Link Cost Changes         | Limit Port Setting (speed, priority, ACL)
Virus Scan level                   | RMON or Other Monitored Events    | Phone Access Only
Operating System Type and Version  | Dynamic Policy Changes (local)    | Time-of-Day Based Access (any policy)
[OTHERS]                           | [OTHERS]                          | [OTHERS]

FIG. 3

SYSTEM AND METHOD FOR ADDRESS BLOCK ENHANCED DYNAMIC NETWORK POLICY MANAGEMENT

RELATED APPLICATIONS

This application claims the priority of U.S. Provisional Application Ser. No. 60/599,626, entitled “System and Method for Address Block Enhanced Dynamic Network Policy Management”, and filed 6 Aug. 2004; which is herein incorporated by reference.

This application is a continuation-in-part of U.S. patent application Ser. No. 11/066,622, filed 25 Feb. 2005, and entitled “DYNAMIC NETWORK DETECTION SYSTEM AND METHOD”; which is herein incorporated by reference.

TECHNICAL FIELD

The present embodiment relates to comprehensive and continuous control of usage of network services. More particularly, the present embodiment relates to static and dynamic policy allocation for network service provisioning based on address block techniques. Specifically, it relates to the use of the IEEE 802 Organization Unique Identifiers (OUI) and Individual Address Block (IAB) assignments of the MAC addresses, provided by the IEEE 802 organization or by local address administration, as an input into the decision process in policy, authorization, network admission and network service attribute assignment.

BACKGROUND

Computing systems are useful tools for the exchange of information among individuals. The information may include, but is not limited to, data, voice, graphics, and video. The exchange is established through interconnections linking the computing systems together in a way that permits the transfer of electronic signals that represent the information. The interconnections may be either cable or wireless. Cable connections include, for example, metal and optical fiber elements. Wireless connections include, for example, infrared, acoustic, and radio wave transmissions.

Interconnected computing systems having some sort of commonality are represented as a network. For example, individuals associated with a college campus may each have a computing device. In addition, there may be shared printers and remotely located application servers distributed throughout the campus. There is commonality among the individuals in that they all are associated with the college in some way. The same can be said for individuals and their computing arrangements in other environments including, for example, healthcare facilities, manufacturing sites and Internet access users. A network permits communication or signal exchange among the various computing systems of the common group in some selectable way. The interconnection of those computing systems, as well as the devices that regulate and facilitate the exchange among the systems, represent a network. Further, networks may be interconnected together to establish internetworks. For purposes of the description of the present embodiment, the devices and functions that establish the interconnection represent the network infrastructure. The users, computing devices and the like that use that network infrastructure to communicate are referred to herein as attached functions and will be further defined. The combination of the attached functions and the network infrastructure will be referred to as a network system.


The process by which the various computing systems of a network or internetwork communicate is generally regulated by agreed-upon signal exchange standards and protocols embodied in network interface cards or circuitry and software, firmware and microcoded algorithms. Such standards and protocols were borne out of the need and desire to provide interoperability among the array of computing systems available from a plurality of suppliers. Two organizations that have been responsible for signal exchange standardization are the Institute of Electrical and Electronic Engineers (IEEE) and the Internet Engineering Task Force (IETF). In particular, the IEEE standards for internetwork operability have been established, or are in the process of being established, under the purview of the IEEE 802 committee on Local Area Networks (LANs) and Metropolitan Area Networks (MANs). The IEEE 802 also provides a service in the assignment of OUI and IAB values to define unique address space which may be assigned to individual organizations.

The identified organizations generally focus on the mechanics of network and internetwork operation, less so on rules and restrictions on access to, and the provisioning of services associated with, the network. Presently, access to applications, files, databases, programs, and other capabilities associated with the entirety of a discrete network is restricted primarily based on the identity of the user and/or the network attached function. For the purpose of the description of the present embodiment, a “user” is a human being who interfaces via a computing device with the services associated with a network. For further purposes of clarity, a “network attached function” or an “attached function” may be a user connected to the network through a computing device and a network interface device, an attached device connected to the network, a function using the services of or providing services to the network, or an application associated with an attached device. Upon authentication of the offered attached function identity, that attached function may access network services at the level permitted for that identification. For purposes of the present description, “network services” include, but are not limited to, access, Quality of Service (QoS), bandwidth, priority, computer programs, applications, databases, files, and network and server control systems that attached functions may use or manipulate for the purpose of conducting the business of the enterprise employing the network as an enterprise asset. The basis upon which the network administrator grants particular permissions to particular attached functions in combination with the permissions is an established network usage policy. For example, one policy may be that any user (one type of attached function) with an employee identification number is granted access to the enterprise’s electronic mail system at a specified bandwidth and QoS level.

Presently, the network administrator establishes policies. The policies are defined in and regulated through a policy server controlled by the administrator. The established policies are transmitted to the network interface devices of the network infrastructure at the connection point or port. As part of the authentication process, a particular set of policies are established by the administrator for that attached function. That is, the port at which that attached function is attached to the network infrastructure is configured to effect those policies. For example, QoS, bandwidth, and priority levels may be set at certain values for one identified attached function and at different levels for another attached function. Once that set of policies has been established for that attached function, there is typically no coordinated mechanism to revise the set of policies during network connection based on a change of circumstances.


Unfortunately, events and activities do occur that may be harmful to the network system. For purposes of this description, harm to the network system includes, for example, access denial, intentionally tying up network computing resources, intentionally forcing bandwidth availability reduction, and restricting, denying or modifying network-related information. There are currently two generally available forms of network protection designed to minimize such types of network harm. Firewalls are designed to prevent the passage of packets to the network based on certain limited specific conditions associated with the packets. Firewalls do not enable assigned policy modifications. Intrusion Detection Systems (IDS) are designed to observe packets, the state of packets, and patterns of usage of packets entering or within the network infrastructure for harmful behavior. However, the available IDS only report the existence of potentially harmful anomalies and do not enable responsive policy modification. Any adjustment to the state of permitted attached function network usage typically occurs manually after evaluation of the detected anomalies. There is presently little comprehensive capability available for continuous network system monitoring and network-forced adjustment or change of assigned network usage permissions based upon the detection of one or more conditions that would trigger such a change.

In certain limited instances, network usage (meaning first entry to the network system for the purpose of accessing the network services and the subsequent use of such services) may be restricted for reasons other than user authentication. For example, an attached function seeking usage of a discrete network system through dial-up or virtual private networking may be isolated from certain network services simply because private network entry is made through a public portal, i.e., the internet. It is also understood that in certain academic settings offering wireless connectivity, network usage may be limited upon detection of attached function attempts to seek unauthorized access to specified restricted network services. Further, the use of dynamic policy assignment has been defined and extended in co-pending U.S. patent application Ser. No. 10/629,331 entitled “System and Method for Dynamic Network Policy Management” of John Roese et al. and assigned to a common assignee. Even this work, however, leaves cases of insufficient information available to make proper Acceptable Use Policy (AUP) assignments or other dynamic policy decisions. Thus the network system is unable to provide proper services and unable to limit the traffic to and from an attached device sufficiently to: (a) protect the network from an unknown device; and (b) protect the device from attack by the network or from devices/attackers through the network infrastructure. This failure or inability to protect devices such as process or manufacturing control devices from attack by or through the network interface is the exact reason so few such systems may be networked beyond locked doors and well-controlled physical access. Despite the benefit of data collection, software updates, and closed loop operation capabilities, the fear and reality of device vulnerabilities limit the network extent and scale granted to these devices. Often these and other devices lack the security or software features to interact in a secure network environment. Authentication capabilities may be non-existent; no human user may ever be associated with the device, or the device may have no interface for authentication, such as WiFi phones.

SUMMARY OF THE DISCLOSURE

According to one implementation, a method includes acquiring address block information for an attached function that initiates network access on a distributed computing network. Additional policy information is acquired concerning the attached function. One or more access policies are set based, at least in part, on the address block information and the additional policy information.

One or more of the following features may also be included. The address block information may be obtained from an OUI field of a MAC address. Acquiring additional policy information may include obtaining stored policy information, or querying the attached function for policy information. The additional policy information may include one or more of: attached function location information; attached function configuration information; attached function operating system information; attached function security features information; user location information; and network entry port information. Network operations of the distributed computing network may be monitored to detect when the attached function initiates network access. The attached function may be authenticated in response to the attached function initiating network access.

According to another implementation, a computer program product residing on a computer readable medium has a plurality of instructions stored on it. When the instructions are executed by a processor, the instructions cause the processor to acquire address block information for an attached function that initiates network access on a distributed computing network. Additional policy information is acquired concerning the attached function. One or more access policies are set based, at least in part, on the address block information and the additional policy information.

One or more of the following features may also be included. The address block information may be obtained from an OUI field of a MAC address. Acquiring additional policy information may include obtaining stored policy information, or querying the attached function for policy information. The additional policy information may include one or more of: attached function location information; attached function configuration information; attached function operating system information; attached function security features information; user location information; and network entry port information. Network operations of the distributed computing network may be monitored to detect when the attached function initiates network access. The attached function may be authenticated in response to the attached function initiating network access.

According to another implementation, a system is configured for acquiring address block information for an attached function that initiates network access on a distributed computing network. Additional policy information is acquired concerning the attached function. One or more access policies are set based, at least in part, on the address block information and the additional policy information.

One or more of the following features may also be included. The address block information may be obtained from an OUI field of a MAC address. Acquiring additional policy information may include obtaining stored policy information, or querying the attached function for policy information. The additional policy information may include one or more of: attached function location information; attached function configuration information; attached function operating system information; attached function security features information; user location information; and network entry port information. Network operations of the distributed computing network may be monitored to detect when the attached function initiates network access. The attached function may be authenticated in response to the attached function initiating network access.


The details of one or more implementations are set forth in the accompanying drawings and the description below. Other features and advantages will become apparent from the description, the drawings, and the claims.

DESCRIPTION OF DRAWINGS

FIG. 1 is a simplified diagrammatic block representation of an example network system with integrated comprehensive access control of the present embodiment;

FIG. 2 is a flow diagram of an illustrative preliminary network access and policy process of the present embodiment; and

FIG. 3 is a table listing example event information, network occurrences and static and dynamic policies for purposes of controlling network system access and usage through the policying system and method of the present embodiment.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

In a general aspect, the embodiment adds another element to a dynamic policying system. The use of the OUI field within the MAC address of the IEEE 802 assigned Ethernet address provides another useful data point for dynamic policy and AUP assignment. The OUI is often referred to as the company code and is assigned to a company by the IEEE 802 for use in providing a unique address block to the company for use in their products. IEEE 802 network devices, with the exception of the traditional PC and Laptops, are often becoming specialized commodity items with many dedicated devices emerging. Often the dedicated devices are receiving dedicated OUI identifiers based on the company of origin. Cell phones are a new class of mobile device with this property, for which rapid setup, high QOS and guest service will be required on the enterprise data infrastructure. Additionally, the IEEE address assignment authority has a further refinement of the addressing structure called an Individual Assignment Block (IAB). This block is only 4096 addresses and allows even the smallest business or organization to have unique address groups for their LAN products. In addition to these well defined address blocks, another mechanism exists to provide further meaning and information to an IEEE 802 addressing structure. Local address administration is another technique, whereby the administrators’ addresses may be assigned. In a structured approach, these locally administered addresses are generally assigned in groups, blocks, or some organized or hierarchical manner. Local address assignment allows for even stronger association between address and functional capability, network AUP and service requirements, including being the sole definitive, determining factor. These assignment types and techniques of adding grouping and classification to the addressing structure shall be defined herein to be Address Blocks.
It should be recognized that the block size may be as large as the addressing capability, or as small as a single address. Additionally, other structure may be added or impressed by assignment or interpretation to the addressing, such as groups within groups or hierarchical mapping. Address blocks may provide at least a strong hint or even a definitive requirement to the network use, capabilities, limitations and needs of the devices using these addresses. Dynamic policy systems may further refine the AUP, ingress and egress policy assignment based on additional data and event information. However, the address block information provides an extremely strong starting point in that process. This address block based starting point for the static or dynamic policy based system may vastly decrease the effort and time to place the device in the “best” policy assigned states. Here, “best” is defined as the most restrictive policies in terms of packets egressing to the device (protect the device from harm by the network) and full coverage of all required ingress capabilities including all features, bandwidth and forwarding QOS metrics, while further limiting its ingress as completely as possible to ONLY the required ingress capabilities (tightly controlled AUP assignment).

The address block can simply be considered another finer grained event in the trigger based system of dynamic policy. A trigger is any detected or observed event, activity, occurrence, information or characteristic identified in a network system by the network administrator as being of interest for the purpose of making a modification to an assigned set of policies. The types of triggers that define usage restrictions may be of any type of interest to the network administrator, including those associated with user authentication as traditionally understood. Examples of relevant triggers will be provided herein. The system configuration can vary and can include any type of data network, including LANs, MANs, Wide Area Networks (WANs), Personal Area Networks (PANs), Virtual Private Networks (VPNs), and Home Networks. The system may be used in any of a variety of ways to improve network usage, configuration accuracy, allocation of network resources, control, and security.
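The following Python model is an added example, not the patent's code, illustrating the address-block decision described in the Detailed Description above: extracting the OUI, IAB-sized and locally administered blocks from a MAC address with longest-prefix (group within group) matching, using the block as the starting point for a "best" policy set (minimal egress, required ingress only), refining it with additional policy information, and re-evaluating it when a FIG. 3 style trigger such as a change in address or a link-down event is observed. Only the MAC-48 bit layout (I/G bit, U/L bit, 24-bit OUI, 36-bit IAB prefix leaving 4096 addresses) is IEEE 802 fact; the registry prefixes, block labels, policy contents and trigger names are constructed for the example and do not correspond to any real vendor assignment.

```python
"""Address-block enhanced policy assignment (added illustrative model, not the patent's code).

IEEE 802 facts used: first-octet bit 0 = I/G, bit 1 = U/L, OUI = leading 24 bits,
IAB = leading 36 bits (4096 addresses). Everything else here is constructed.
"""
from dataclasses import dataclass, replace
import re


def parse_mac(text: str) -> int:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455; return a 48-bit int."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def is_locally_administered(mac: int) -> bool:
    return bool((mac >> 40) & 0x02)  # U/L bit of the first octet


def is_group_address(mac: int) -> bool:
    return bool((mac >> 40) & 0x01)  # I/G bit of the first octet


@dataclass(frozen=True)
class AddressBlock:
    """The leading `bits` bits of an address: 24 = OUI, 36 = IAB, 48 = a single address."""
    prefix: int
    bits: int
    label: str

    def contains(self, mac: int) -> bool:
        return (mac >> (48 - self.bits)) == self.prefix


def block(prefix_hex: str, bits: int, label: str) -> AddressBlock:
    """Build a block from its leading hex digits; `bits` may be fewer than the digits cover."""
    return AddressBlock(int(prefix_hex, 16) >> (4 * len(prefix_hex) - bits), bits, label)


# Constructed registry (placeholder prefixes, not real vendor OUIs), hierarchical down to one address.
REGISTRY = [
    block("AC1F2E", 24, "voip-phone"),         # a whole OUI
    block("0050C2ABC", 36, "plc-controller"),  # an IAB-sized block of 4096 addresses
    block("06AA1", 20, "lab-sensor"),          # locally administered group (U/L bit set)
    block("06AA1FFFFFFF", 48, "lab-gateway"),  # a single address inside the lab group
    block("00D0F9", 24, "workstation"),
]


def classify(mac: int):
    """Longest-prefix match, so a group within a group takes precedence over its parent."""
    matches = [b for b in REGISTRY if b.contains(mac)]
    return max(matches, key=lambda b: b.bits) if matches else None


@dataclass(frozen=True)
class PolicySet:
    ingress: frozenset  # traffic the device may send into the network
    egress: frozenset   # traffic the network may deliver to the device
    require_8021x: bool = False
    log_all_traffic: bool = False


# Unknown device: the most restrictive workable state, protecting network and device alike.
QUARANTINE = PolicySet(frozenset({"dhcp", "dns"}), frozenset({"dhcp", "dns"}), log_all_traffic=True)

# Constructed per-block starting points: required ingress only, minimal egress.
BLOCK_POLICY = {
    "voip-phone": PolicySet(frozenset({"dhcp", "dns", "sip", "rtp"}), frozenset({"dhcp", "dns", "sip", "rtp"})),
    "plc-controller": PolicySet(frozenset({"modbus"}), frozenset({"modbus"})),
    "lab-sensor": PolicySet(frozenset({"dhcp", "mqtt"}), frozenset({"dhcp"})),
    "lab-gateway": PolicySet(frozenset({"dhcp", "mqtt", "https"}), frozenset({"dhcp", "https"})),
    "workstation": PolicySet(frozenset({"any"}), frozenset({"any"}), require_8021x=True),
}


def assign_policy(mac_text: str, info: dict) -> tuple:
    """Acquire the address block, then the additional policy information, then set the policy."""
    mac = parse_mac(mac_text)
    if is_group_address(mac):
        raise ValueError("a group (multicast) address cannot identify an attached function")
    found = classify(mac)
    if found is None:
        return "unknown", QUARANTINE
    policy = BLOCK_POLICY[found.label]
    # Additional policy information refines the address-block starting point.
    if policy.require_8021x and not info.get("authenticated_8021x", False):
        return found.label, QUARANTINE  # hold in quarantine until 802.1X succeeds
    if info.get("security_features") == "none":
        policy = replace(policy, log_all_traffic=True)
    return found.label, policy


def on_trigger(event: str, label: str, policy: PolicySet, info: dict) -> tuple:
    """Revise an assigned policy when a FIG. 3 style trigger is observed on the port."""
    if event == "change_in_address":  # re-run the whole decision for the new address
        return assign_policy(info["mac"], info)
    if event == "link_down":          # disable the port until the next network entry
        return label, PolicySet(frozenset(), frozenset())
    if event == "rmon_event":         # monitored anomaly: keep service, log everything
        return label, replace(policy, log_all_traffic=True)
    return label, policy              # a trigger of no interest for this block
```

The registry is deliberately ordered by nothing; `classify` picks the match with the most prefix bits, which is what makes a single-address entry override the 20-bit locally administered group it sits inside. A real deployment would source the block table from the IEEE registry and the local address administration rather than from literals.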

The present embodiment is a system and related method for provisioning policies to attached functions in a dynamic manner using address block information as an input. Referring to FIG. 1, a network system 100 incorporating the capability of the address block policying system of the present embodiment operates and provides network services to attached functions according to policies assigned to the attached functions. Network system 100 includes a network infrastructure 101 and one or more attached functions connected to or connectable to the network infrastructure 101. The network infrastructure 101 includes multiple switching devices, routing devices, access points, MANs, WANs, VPNs, and internet connectivity interconnected and connectable to by way of connection points (e.g., 102a-k). The policying system of the embodiment employs both hardware and software (e.g., a function embodied in an application executing on policy server 103) to establish network usage control throughout the entire network system 100 at all times as described below. An attached function is external to infrastructure 101 and forms part of network system 100. Examples of attached functions 104a-104d are represented in FIG. 1, and may be any of the types of attached functions previously identified. Network infrastructure entry devices 105a-b of infrastructure 101 provide the means by which the attached functions connect or attach to the infrastructure 101. A network entry device can include and/or be associated with a wireless access point 150. For wireless connection of an attached function to the infrastructure 101, the wireless access point 150 can be an individual device external or internal to the network entry device 104b. A central switching device 106 enables the interconnection of a plurality of network entry devices as well as access to network services, such as policy server 103 or an application server 107. The central switching device 106 further enables the interconnection of the network infrastructure 101 to attached functions that include VPNs (represented by VPN gateway device 120) and WANs (represented by internet cloud 130).

One or more of the devices of the infrastructure 101 include a dynamic policy function module 108 (e.g., modules 108a, 108b, 108c, 108d). The dynamic policy function module 108 includes the sub-functions of monitoring the network for triggers, including address block information, decision mak
