U.S. patent application number 14/544987 was filed with the patent office on 2016-09-15 for method for network security using statistical object identification.
The applicant listed for this patent is John W. Hayes. Invention is credited to John W. Hayes.
Application Number: 20160269421 14/544987
Family ID: 48428269
Filed Date: 2016-09-15

United States Patent Application 20160269421
Kind Code: A1
Hayes; John W.
September 15, 2016

Method for network security using statistical object identification
Abstract
Methods to enforce network policy based on identity authentication at a network endpoint device, by offloading the authentication to a network-attached authentication device, are disclosed. The authentication device may use Statistical Object Identification to perform the authentication. The present invention greatly reduces the resources needed by the network endpoint device to perform the authentication and eliminates the topological restrictions found in traditional network-appliance-based approaches.
Inventors: Hayes; John W. (Reno, NV)
Applicant:
Name | City | State | Country | Type
Hayes; John W. | Reno | NV | US |
Family ID: 48428269
Appl. No.: 14/544987
Filed: March 11, 2015
Current U.S. Class: 1/1
Current CPC Class: H04L 9/3263 20130101; H04L 63/06 20130101; H04L 9/3236 20130101; H04L 63/0823 20130101; H04L 63/08 20130101; H04L 63/126 20130101; G06F 2221/2151 20130101; G06F 21/64 20130101
International Class: H04L 29/06 20060101 H04L029/06
Claims
1. A method comprising the steps of: providing a network endpoint
device (10), a remote network device (11), an authentication device
(18) and a network (20); providing at least one network interface
(49) at said network endpoint device (10); receiving an IP packet
(12) from said remote network device (11) by said network endpoint
device (10) using said network interface (49); said IP packet (12)
including a TCP header (14); said TCP header (14) including a TCP
SYN bit (16); conveying said IP packet (12) to said authentication
device (18) via said network (20); determining the identity (22) of
said IP packet (12) at said authentication device (18); selecting a
policy rule (26); matching said identity (22) from a first table of
policy rules (27); applying said policy rule (26) to said IP packet
(12).
2. A method as recited in claim 1, in which conveying context
information to said authentication device (18) along with said IP
packet (12).
3. A method as recited in claim 1, in which conveying said network
interface (49) information to said authentication device (18) along
with said IP packet (12).
4. A method as recited in claim 1, in which said authentication
device (18) can be used by a plurality of said network endpoint
devices (10) concurrently.
5. A method as recited in claim 1, in which said network endpoint
device (10) does not save context information regarding said IP
packet (12).
6. A method as recited in claim 1, further comprising the steps of
providing an authenticated session table (30) and a TCP/IP protocol
stack (32) at said network endpoint device (10); conveying said IP
packet (12) from said authentication device (18) to said network
endpoint device (10) via said network (20); creating a session
descriptor (28) in said authenticated session table (30); and
conveying said IP packet (12) to said TCP/IP protocol stack
(32).
7. A method as recited in claim 6, further comprising the steps of:
conveying context information and said network interface (49)
information to said network endpoint device (10) by said
authentication device (18) with said IP packet (12); and storing
said context information and said network interface information
(49) in said session descriptor (28).
8. A method as recited in claim 6, further comprising the steps of:
conveying authentication processing information to said network
endpoint device (10) with said IP packet (12); and storing said
authentication processing information in said session descriptor
(28).
9. A method as recited in claim 1, further comprising the steps of
conveying a policy rule (26) to said network endpoint device (10)
from said authentication device (18) via said network (20); and
adding said policy rule (26) to a second table of policy rules (36)
by said network endpoint device (10).
10. A method as recited in claim 9, in which expiring said policy
rule (26) after a period of time.
11. A method as recited in claim 9, in which said step of adding
said policy rule (26) to said second table of policy rules (36) is
performed by a peer authentication management application (44).
12. A method as recited in claim 1, in which said authentication
device (18) uses transport access control to perform
authentication.
13. A method as recited in claim 1, in which said authentication
device (18) uses statistical object identification to perform
authentication.
14. A method as recited in claim 1, in which said authentication
device (18) does not share with said network endpoint device (10)
cryptographic keys necessary to perform said authentication.
15. A method as recited in claim 1, in which said step of receiving
of said IP packet (12) by said network endpoint device (10) further
includes the steps of: selecting a matching policy rule (26) that
matches some portion of said IP packet (12) from a second table of
policy rules (36); and applying said policy rule (26) to said IP
packet (12).
16. A method as recited in claim 1, in which said step of receiving
of said IP packet (12) by said network endpoint device (10) further
includes the steps of: selecting a policy rule (26) that matches
said network interface (49) information from a second table of
policy rules (36); and applying said policy rule (26) to said IP
packet (12).
17. A method as recited in claim 1, further including the steps of:
providing a logging device (42); conveying log information (50) to
said logging device (42) by said authentication device (18); and
including TCP/IP session information from said IP packet (12) and
said network interface (49) on which said IP packet was received in
said log information (50).
18. A method as recited in claim 1, further including the steps of:
providing a logging device (42); conveying log information (50) to
said logging device (42) by said authentication device (18); and
including said identity (22) from said IP packet (12) in said log
information (50).
19. A method as recited in claim 1, further comprising the steps
of: providing a logging device (42); conveying log information (50)
to said logging device (42) by said authentication device (18); and
including said policy rule (26) identity applied to said IP packet
(12) in said log information (50).
20. A method as recited in claim 1, in which said step of conveying
of said IP packet (12) to said authentication device (18) is
performed by a peer authentication management application (44).
21. A method as recited in claim 15, in which said network endpoint
device (10), upon receiving said IP packet (12) from said remote
network device (11), compares said IP packet (12) against entries
in a second table of policy rules (36); failing to select a
matching policy rule (26); and continuing with said determining of
the identity (22).
22. A method comprising the steps of: providing a TCP/IP protocol
stack (32) and an authenticated session table (30) at a network
endpoint device (10); receiving an IP packet (12) by said network
endpoint device (10); said IP packet (12) including a TCP header
(14); said TCP header (14) not including a TCP SYN bit (16);
matching said IP packet (12) to a session descriptor (28) in said
authenticated session table (30); and conveying said IP packet (12)
to said TCP/IP protocol stack (32).
23. A method as recited in claim 22, in which information in said
session descriptor (28) in said authenticated session table (30)
was created by an authentication device (18); and said
authentication device (18) using transport access control to
perform authentication.
24. A method as recited in claim 22, in which information in said
session descriptor (28) in said authenticated session table (30)
was created by an authentication device (18); and said
authentication device (18) using statistical object identification
to perform authentication.
25. A method as recited in claim 22, in which said step of
receiving of said IP packet (12) by said network endpoint device
(10) further includes the steps of: selecting a matching policy
rule (26) that matches some portion of said IP packet (12) from a
second table of policy rules (36); and applying said policy rule
(26) to said IP packet (12).
26. A method as recited in claim 22, in which said step of
receiving of said IP packet (12) by said network endpoint device
(10) further includes the steps of: selecting a policy rule (26)
that matches said network interface (49) information from a second
table of policy rules (36); and applying said policy rule (26) to
said IP packet (12).
27. A method comprising the steps of: providing a peer
authentication driver (46), a TCP/IP protocol stack (32), a network
device driver (48), a network interface (49) and an authenticated
session table (30) at a network endpoint device (10); said peer
authentication driver (46) receiving an IP packet (12) from a
TCP/IP protocol stack (32); locating a session descriptor (28)
corresponding to said IP packet (12) in said authenticated session
table (30); processing said IP packet (12) in accordance with said
session descriptor (28); sending said IP packet (12) to said
network device driver (48); and sending said IP packet (12) to said
network interface (49).
28. A method as recited in claim 27, in which said session
descriptor (28) in said authenticated session table (30) was
created by an authentication device (18); and said authentication
device (18) using transport access control to perform
authentication.
29. A method as recited in claim 27, in which said session
descriptor (28) in said authenticated session table (30) was
created by an authentication device (18); and said authentication
device (18) using statistical object identification to perform
authentication.
Description
CROSS-REFERENCE TO RELATED U.S. PATENT APPLICATIONS & CLAIMS
FOR PRIORITY
[0001] The Present Patent Application is a Continuation-in-Part
Application, and is related to Pending Parent Application U.S. Ser.
No. 13/987,747 filed on 27 Aug. 2013; and to U.S. Pat. Grant No.
8,572,697 filed 18 Nov. 2011. In accordance with the provisions of
Sections 119 &120 of Title 35 of the United States Code of
Laws, the Applicant hereby claims the benefit of priority for any
and all subject matter that is commonly disclosed in U.S. Ser. No.
13/987,747, U.S. Pat. No. 8,572,697, and in the Present
Application.
FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT
[0002] None.
FIELD OF THE INVENTION
[0003] The present invention pertains to methods for efficiently
and securely authenticating the Identity of network traffic in
arbitrary network topologies using statistical object
identification.
BACKGROUND OF THE INVENTION
[0004] Organizations that use computers and computer networks
continue to work on improving the security of both the networks and
the computers themselves. Some security technologies are most
effective when implemented directly on the computer. Historically,
some security functions have been deployed as network devices, to
allow a single device to provide security for multiple computers.
Each of these approaches has pros and cons.
[0005] For security technologies deployed directly on each
computer, called an "endpoint solution," the technology uses the
resources of the endpoint computer including CPU processor cycles,
memory and network bandwidth. For some security technologies, this
use of endpoint resources can be substantial. Additionally, some
security technologies require the distribution of cryptographic
keys to every participating entity. When keys are widely
distributed, the protection of those keys becomes more difficult to
maintain.
[0006] In large organizations, often with many independent
departments, networks and computer services may be added and grown
organically without centralized planning, leading to network
resources being deployed somewhat arbitrarily throughout the
network. These network resources may have multiple network
interfaces. When network security policies must be enforced, the
lack of planning often means there are no achievable policy
enforcement points that do not adversely impact network and
resource performance, short of a wholesale re-architecture of the
network and redeployment of the network resources. This can be
exceedingly costly, in both dollars and time.
[0007] For policy enforcement points and security technologies
deployed on a network appliance, the appliance may become a
bottleneck and impact the performance of traffic flowing through
it. Network security appliances also have a network topology
requirement that the traffic must pass through the appliance for it
to provide any security functions. For computers communicating with
one another on a single LAN or network subnet, this topology
requirement is often unachievable. When a computer has multiple
network interfaces, this further complicates the network topology
and complicates consistent implementation of security
functions.
[0008] An analogy to this in the physical world is a building with
a security guard at the entrance checking everyone's driver's
license, their identity, to ensure that they have business in the
building. If there are very few visitors to each building, then
each security guard may not be busy most of the time. Instead of
having a security guard at each building that is being protected,
some of the buildings may have a camera and a mechanism to remotely
unlock the door. A security guard, at a location remote from the
building being entered, sees the person wishing to enter the
building, can see their driver's license, and lets the person in
by sending a signal to the door unlock mechanism. This is analogous
to what the present invention does within a network of
computers.
[0009] A method to enable endpoint security that utilizes a
security appliance without requiring the appliance to be in the
network data path would constitute a major technological advance,
and would satisfy long-felt needs and aspirations in the cyber
security industry.
SUMMARY OF THE INVENTION
[0010] The present invention has two components: a peer
authentication driver and an authentication device. The peer
authentication driver, installed on a network endpoint device,
provides network identity authentication by monitoring incoming IP
packets for the TCP SYN bit and securely sending those IP packets
to an authentication device for authentication. The authentication
device performs the authentication and, if it succeeds, securely
sends the IP packet and additional authentication information back
to the peer authentication driver for delivery to the endpoint's
TCP/IP stack. The authentication device may use Statistical Object
Identification (SOI) or Transport Access Control (TAC) to perform
the authentication. All subsequent IP packets belonging to the same
TCP session are delivered directly to the endpoint's TCP/IP stack.
A BRIEF DESCRIPTION OF THE DRAWINGS
[0011] FIG. 1 is an illustration of three buildings and three
security officers.
[0012] FIG. 2 is an analogy of the present invention.
[0013] FIG. 3 is an analogy of the present invention.
[0014] FIG. 4 is an illustration of an IP packet.
[0015] FIG. 5 is an illustration of a TCP header.
[0016] FIG. 6 is Flowchart 1 of the present invention, which
describes the processing of an IP packet received from a remote
network device.
[0017] FIG. 7 is Flowchart 2 of the present invention, which
describes the processing of an IP packet by an authentication
device.
[0018] FIG. 8 is Flowchart 3 of the present invention, which
describes the processing of an IP packet from an authentication
device.
[0019] FIG. 9 is Flowchart 4 of the present invention, which
describes the processing of an IP packet received from the network
endpoint device's TCP/IP protocol stack.
[0020] FIG. 10 is Flowchart 5 of the present invention, which
describes the processing of a rule received from the authentication
device.
[0021] FIG. 11 is an architectural depiction of the present
invention in a network endpoint device.
[0022] FIG. 12 is an architectural depiction of the present
invention in a network endpoint device, showing the flow of an IP
packet with a TCP header containing TCP SYN bit coming from a
remote network device and being sent to an authentication
device.
[0023] FIG. 13 is an architectural depiction of the present
invention in a network endpoint device, showing an alternate flow
of an IP packet with a TCP header containing TCP SYN bit coming
from a remote network device and being sent to an authentication
device.
[0024] FIG. 14 is an architectural depiction of the present
invention in a network endpoint device, showing the flow of an IP
packet with a TCP header matching a session descriptor coming from
a remote network device and being delivered to the TCP/IP protocol
stack.
[0025] FIG. 15 is an architectural depiction of the present
invention in a network endpoint device, showing the flow of a rule
coming from an authentication device and being delivered to the
peer authentication driver.
[0026] FIG. 16 is an architectural depiction of the present
invention in a network endpoint device, showing an alternate flow
of a rule coming from an authentication device and being delivered
to the peer authentication driver.
[0027] FIG. 17 is an architectural depiction of the present
invention in a network endpoint device, showing the flow of an IP
packet coming from the TCP/IP protocol stack and being sent to a
remote network device.
[0028] FIG. 18 is a topological depiction of the present invention
in an operating context.
[0029] FIG. 19 is a topological depiction of the present invention
in an operating context, showing the flow of an IP packet with a
TCP header containing TCP SYN bit coming from a remote network
device.
[0030] FIG. 20 is a topological depiction of the present invention
in an operating context, showing the flow of an IP packet with a
TCP header containing TCP SYN bit being sent from a network
endpoint device to an authentication device.
[0031] FIG. 21 is a topological depiction of the present invention
in an operating context, showing the flow of an IP packet with a
TCP header containing TCP SYN bit being sent from an authentication
device back to a network endpoint device.
[0032] FIG. 22 is a topological depiction of the present invention
in an operating context, showing the flow of IP packets with their
TCP headers matching a session descriptor between a remote network
device and the network endpoint device.
[0033] FIG. 23 is a topological depiction of the present invention
in an operating context, showing the authentication device sending
log information to a logging device.
A DETAILED DESCRIPTION OF PREFERRED & ALTERNATIVE
EMBODIMENTS
I. Introduction to the Invention
[0034] An analogy of the present invention is a set of buildings 2
protected by a security officer 4, which is shown in FIG. 1. The
security officer's 4 job is to inspect the driver's license, the
identity, of each person that enters the building 2 and determine
if they have business in the building 2 before letting them
proceed. If the building 2 does not get many visitors, then the
security officer 4 will not be very busy. To get better use from
the security officer 4, security cameras 5 are placed at the
entrance of some of the buildings 2, as shown in FIG. 2. A security
officer 4 is no longer needed at the buildings 2 with the security
camera 5. The security officer 4 can see a person arriving at the
building 2 and the identity in the form of a driver's license as an
image 7 on a security monitor 6. Once the person has proven who
they are and the security officer 4 has determined that they have
business in the building 2, the security officer 4 sends a door
unlock signal 8 to open the door and let the person in, as shown in
FIG. 3. Although different in the identities used, the
authentication mechanisms employed and the resources protected,
this is analogous to the present invention.
II. Overview of the Invention
[0035] The present invention provides a mechanism to enforce
network policy based on identity authentication at a network
endpoint device 10 by offloading the authentication process to a
remote authentication device 18. An IP packet is shown in FIG. 4.
By only sending those IP packets 12 that may contain identity 22
information to the authentication device 18, the network traffic
flow between the remote network device 11 and the network endpoint
device 10 is maintained once the TCP session initiation has been
authenticated. This is particularly important when both the network
endpoint device 10 and the remote network device 11 are located on
the same LAN segment or network subnet, as two devices on the same
LAN or subnet often communicate directly with each other, their
traffic being processed by a local network switch. In this
environment, known as a peering environment, it is often not
possible to have a network appliance performing security functions
such as authentication in the traffic path. The present invention
allows the use of an authentication device 18 without requiring
that it be inserted directly into the network traffic path between
two peering devices, hence the name Peer Authentication.
[0036] When a network endpoint 10 receives an IP packet 12 with a
TCP header 14 with the TCP SYN bit set 16, this indicates that a
remote network device 11 is requesting the establishment of a TCP
session. A TCP header 14 is shown in FIG. 5. The sender, in this
case the remote network device 11, can be authenticated using a
process called Transport Access Control (TAC). When a large number
of identities 22 are in use, the TAC process may consume a large
number of compute and memory resources. To prevent the TAC process
from consuming a large number of compute and memory resources on
every network endpoint device 10, the TAC process can be offloaded
to an authentication device 18. This authentication device 18 can
process authorization requests from many network endpoint devices
10.
[0037] Other authentication mechanisms may employ statistical
object identification (SOI) to perform the authentication.
Similarly to TAC, when large numbers of identities 22 are in use,
the SOI process may consume a large number of compute and memory
resources. The SOI processes can be offloaded to an authentication
device 18 which performs authentication on behalf of many network
endpoint devices 10.
[0038] When a network endpoint 10 receives an IP packet 12
requesting the establishment of a TCP session, the request is sent
to an authentication device 18. After authenticating the IP packet
12, the authentication device 18 returns the IP packet 12 with any
additional information needed for processing, and the IP packet 12
is delivered to the TCP/IP protocol stack 32, establishing the TCP
session. Subsequent IP packets 12 that are part of the same TCP
session are delivered directly to the TCP/IP protocol stack 32.
[0039] In a preferred embodiment, which is illustrated in FIG. 6,
the peer authentication driver 46, which resides between the TCP/IP
protocol stack 32 and the network device driver 48, may be assisted
by a peer authentication management application 44. The peer
authentication management application 44 is an application that
establishes secured communications between the network endpoint
device 10, the authentication device 18, and the peer
authentication driver 46. The peer authentication management
application 44 conveys the network endpoint's Identity to the
authentication device. A preferred mechanism for conveying this
Identity is to establish a secure tunnel to the authentication
device 18, using the network endpoint's 10 X.509 certificate to
establish the secure tunnel. The peer authentication management
application 44 is responsible for communicating IP packets 12,
policy rules 26 and other information between these entities.
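The receive path that paragraphs [0036] to [0039] and claims 1, 5, 6, 15 and 22 describe can be modelled in a few dozen lines. The following is an added example, not code from the patent or its applicant: the class and field names (PeerAuthDriver, AuthDevice, Packet, SessionDescriptor) and the string verdicts are assumptions made for illustration, and the authentication device is a local stand-in rather than a device reached over a secure tunnel. What it shows is the three-way split the driver must make: a SYN goes to the authentication device with its context attached (so the driver keeps no per-packet state), a non-SYN packet is delivered only if it matches a session descriptor, and everything else is silently dropped.

```python
# Added example, not the patent's code: a minimal model of the peer
# authentication driver's receive path. Names are assumptions; a real
# driver sits between the TCP/IP stack and the network device driver and
# talks to the authentication device over a secured channel.
from dataclasses import dataclass

SYN = 0x02  # TCP flag bit for SYN
ACK = 0x10  # TCP flag bit for ACK


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    iface: str = "eth0"  # interface the packet arrived on (claim 3)


@dataclass
class SessionDescriptor:
    context: dict
    iface: str


class AuthDevice:
    """Stand-in for the authentication device (18). It resolves the sender's
    identity and, on success, returns the packet together with the context the
    driver sent, so the driver never keeps per-packet state (claim 5)."""

    def __init__(self, known_identities):
        self.known = known_identities  # constructed: source address -> identity

    def authenticate(self, pkt, context):
        identity = self.known.get(pkt.src)
        if identity is None:
            return None  # not authenticated: the packet is never returned
        return {"packet": pkt, "context": context, "identity": identity}


class PeerAuthDriver:
    def __init__(self, auth_device, local_rules=None):
        self.auth = auth_device
        self.sessions = {}  # authenticated session table (30)
        self.rules = dict(local_rules or {})  # second table of policy rules (36)
        self.delivered = []  # packets handed to the TCP/IP protocol stack (32)

    @staticmethod
    def flow_key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def receive(self, pkt):
        """Flowchart 1: an IP packet arrives from the network interface."""
        # Claim 15: a locally cached policy rule is consulted first.
        if self.rules.get(pkt.src) == "deny":
            return "dropped-by-rule"
        if pkt.flags & SYN:
            # Claim 1: session requests go to the authentication device.
            # The context travels with the packet instead of being stored.
            context = {"key": self.flow_key(pkt), "iface": pkt.iface}
            reply = self.auth.authenticate(pkt, context)
            if reply is None:
                return "black-holed"  # no reply and no RST: the request is dropped
            return self.from_auth_device(reply)
        # Claim 22: a non-SYN packet must match an authenticated session.
        if self.flow_key(pkt) in self.sessions:
            self.delivered.append(pkt)
            return "delivered"
        return "black-holed"

    def from_auth_device(self, reply):
        """Flowchart 3: the authenticated packet comes back with its context."""
        ctx = reply["context"]
        # Claims 6 and 7: create the session descriptor, then deliver the packet.
        self.sessions[ctx["key"]] = SessionDescriptor(context=ctx, iface=ctx["iface"])
        self.delivered.append(reply["packet"])
        return "delivered"


if __name__ == "__main__":
    drv = PeerAuthDriver(AuthDevice({"10.0.0.5": "alice"}), {"10.0.0.9": "deny"})
    print(drv.receive(Packet("10.0.0.5", "10.0.0.1", 40000, 443, SYN)))  # delivered
    print(drv.receive(Packet("10.0.0.7", "10.0.0.1", 40001, 443, ACK)))  # black-holed
```

The session table is keyed on the four-tuple, so a later packet from a different source port or address does not ride on an authenticated session; a production driver would also need to remove descriptors when the session closes or times out, which the patent leaves to the embodiment.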
III. Statistical Object Identification
[0040] Statistical Object Identity (SOI) is described in U.S. Pat.
No. 8,572,697, entitled Method for Statistical Object
Identification, and in U.S. Ser. No. 13/987,747, entitled Method
for Statistical Object Identification. The Applicants hereby
incorporate both of these documents by reference.
[0041] One limitation of current information networks is that it is
difficult to verify or approve a communication before the
communication has been allowed to penetrate a network. One reason
for this difficulty is that the means of verification, which is
called a "certificate," is too large to send to the network in the
initial set of digital information which initiates the
communication, and which ultimately leads to an authentication.
[0042] Statistical Object Identity (SOI) solves this problem by
reducing the information in the certificate which is used to
authenticate the communication before it is allowed to proceed by
converting the certificate to a much smaller "statistical object."
SOI allows the network to determine the identity of the initiator
of the communication before the communication is given access to
the network. This method provides a security feature that
substantially eliminates potentially detrimental and malicious
attacks that could be perpetrated on the network using conventional
technology.
[0043] SOI operates by using an identity certificate as an original
object and using a sender to communicate a stream of statistical
objects, based on the original object, to a communications
receiver. The communications receiver aggregates the received
statistical objects until an original object is unambiguously
determined and the calculated probability satisfies a trusted
probability threshold. If the communications receiver fails to
unambiguously determine the original object, or if the calculated
probability fails to satisfy the probability threshold, the
original object, the identity, is not recognized. An indication is
then made that communicates either the identity determined by SOI
or the lack of identity.
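The aggregation loop in paragraph [0043] has three exits: the identity is determined unambiguously with a probability above the threshold, no known object remains consistent with what was received, or the stream ends without a decision. The following is an added toy model of that loop, not the patent's code; the way it builds statistical objects (a salted one-byte hash sample of the certificate) and the names statistical_object, SOIReceiver and identify are assumptions made here, since the actual construction is in the incorporated patents rather than on this page. The false-match bound is a union bound over the other known certificates: with one byte per object and k other candidates, at most k * 2^(-8n) wrong candidates survive n objects.

```python
# Added example, not the patent's code: a toy model of the SOI receiver.
# The statistical-object construction and all names are assumptions.
import hashlib

SAMPLE_BITS = 8  # each statistical object carries one byte derived from the certificate


def statistical_object(cert: bytes, salt: int) -> tuple:
    """Sender side: one small object derived from the original object (the certificate)."""
    digest = hashlib.sha256(salt.to_bytes(4, "big") + cert).digest()
    return (salt, digest[0])


def sender_stream(cert: bytes, count: int) -> list:
    return [statistical_object(cert, salt) for salt in range(count)]


class SOIReceiver:
    """Receiver side: aggregates objects until exactly one known certificate is
    consistent with all of them and the false-match probability is below the
    trusted threshold."""

    def __init__(self, known_certs: dict, threshold: float):
        self.known = known_certs  # constructed corpus: name -> certificate bytes
        self.threshold = threshold
        self.candidates = set(known_certs)
        self.received = 0

    def false_match_probability(self) -> float:
        # Upper bound on the chance that some wrong certificate still matches
        # every sample seen so far (union bound over the other candidates).
        others = len(self.known) - 1
        return min(1.0, others * 2.0 ** (-SAMPLE_BITS * self.received))

    def absorb(self, obj):
        salt, sample = obj
        self.received += 1
        self.candidates = {
            name for name in self.candidates
            if statistical_object(self.known[name], salt)[1] == sample
        }
        if not self.candidates:
            return "no-identity"  # no known object is consistent: not recognized
        if len(self.candidates) == 1 and 1.0 - self.false_match_probability() >= self.threshold:
            return next(iter(self.candidates))  # unambiguous and above threshold
        return None  # keep aggregating


def identify(receiver: SOIReceiver, stream: list):
    """Drive the receiver over the stream; stop at the first decision."""
    for obj in stream:
        verdict = receiver.absorb(obj)
        if verdict is not None:
            return verdict
    return None  # stream exhausted without a decision: also not recognized


KNOWN = {  # constructed sample certificates
    "alice": b"-----BEGIN CERT----- alice -----END CERT-----",
    "bob": b"-----BEGIN CERT----- bob -----END CERT-----",
    "carol": b"-----BEGIN CERT----- carol -----END CERT-----",
}

if __name__ == "__main__":
    print(identify(SOIReceiver(KNOWN, 0.999), sender_stream(KNOWN["alice"], 16)))  # alice
```

With two other candidates and a threshold of 0.999, a single one-byte object can never decide (the bound is 2/256), so the receiver needs at least two objects even when the first already isolates one candidate; that is the "calculated probability satisfies a trusted probability threshold" condition doing its job separately from the "unambiguously determined" condition.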
IV. Transport Access Control
[0044] Transport Access Control (TAC) is described in U.S. Pat. No.
8,346,951, entitled Method for First Packet Authentication. The
Applicants hereby incorporate this document by reference.
[0045] TAC provides a mechanism to authenticate a network connected
device on the first packet of a TCP session request. TAC enables a
network connected device to authorize a received TCP connection
request without relying solely on an initiator's IP address. If the
authorization is successful, then the connection establishment
process is continued. If the authorization fails, the request is
"black-holed," even though there is an application associated with
the TCP port in the connection request. This protects against TCP
port scanning and network reconnaissance.
[0046] The authentication mechanism uses various fields in the IP
and TCP headers in the TCP connection request. All of these fields
have a primary function that is defined in the IP and TCP
specifications. The use of existing fields to pass an authorization
key is necessary because the TCP protocol specification does not
provide a mechanism to pass user data on a TCP connection
request.
[0047] The goal of TAC is to enable an authentication mechanism
that functions using only the fields in the IP and TCP headers that
are normally present in the TCP connection establishment request.
Within the IP and TCP headers there are fields that have strictly
defined meanings that do not allow any additional encoding because
this would alter the functionality of the IP and/or TCP protocols.
Examples of such fields are the Source Address, Destination
Address, Checksum, Source Port and Destination Port fields.
[0048] Within the TCP header, on a connection request (TCP-SYN),
the Sequence Number (SEQ) field specifies the starting sequence
number for which subsequent data octets are numbered. Additional
TCP specifications recommend that this number be randomly
generated.
[0049] A remote network device 11 (TCP session initiator) generates
an authorization key, now called an identity token. The initiator
then sends a TCP connection request, inserting the authorization
key in the SEQ field of the TCP header 14, to the desired network
connected device. The receiving device, upon receiving the
connection request, extracts the authorization key. The receiving
device then processes the authorization key to authenticate it.
[0050] TAC provides methods for concealing the existence of a
device connected to a computer network or concealing the existence
of certain applications running on a device connected to a computer
network. This concealment works by authorizing a TCP connection
request using an authorization key embedded within the TCP
connection request.
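Paragraphs [0048] and [0049] say only that the initiator places the identity token in the SEQ field and the receiver extracts and authenticates it; how the token is derived is not on this page. The following added example (not the patent's or its applicant's code) fills that step with one reasonable construction, flagged as an assumption: a 32-bit HMAC over the flow four-tuple and a 30-second time window, which fits the SEQ field and bounds how long a captured SYN stays valid. The names identity_token, build_syn, verify_syn and receive_syn, the window length and the clock-skew allowance are all assumptions. In the offloaded design of this patent the key lives on the authentication device (claim 14), so receive_syn is the check that device performs on the endpoint's behalf; a None result is the "black-holed" outcome of [0045].

```python
# Added example, not the patent's code. The token derivation, window and
# names are assumptions; the page does not specify how the key is built.
import hashlib
import hmac
import struct

WINDOW_SECONDS = 30  # assumed token lifetime; bounds replay of a captured SYN


def identity_token(key: bytes, src: str, sport: int, dst: str, dport: int, window: int) -> int:
    """32-bit token that fits the SEQ field, bound to the flow and a time window."""
    msg = f"{src}:{sport}->{dst}:{dport}|{window}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]


def build_syn(key: bytes, src: str, sport: int, dst: str, dport: int, now: int) -> dict:
    """Initiator: a TCP-SYN whose SEQ carries the identity token."""
    window = now // WINDOW_SECONDS
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": "SYN",
            "seq": identity_token(key, src, sport, dst, dport, window)}


def verify_syn(key: bytes, pkt: dict, now: int, skew_windows: int = 1) -> bool:
    """Receiver: recompute the token for the current window and its neighbours."""
    window = now // WINDOW_SECONDS
    presented = struct.pack(">I", pkt["seq"])
    for w in range(window - skew_windows, window + skew_windows + 1):
        expected = struct.pack(">I", identity_token(
            key, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], w))
        if hmac.compare_digest(presented, expected):  # constant-time compare
            return True
    return False


def receive_syn(keys_by_identity: dict, pkt: dict, now: int):
    """Return the identity whose key authenticates the SYN, or None.

    None means the request is black-holed: no SYN/ACK and no RST is sent,
    which is what keeps the listening port invisible to a scan ([0045])."""
    for identity, key in keys_by_identity.items():
        if verify_syn(key, pkt, now):
            return identity
    return None


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed for the example only
    now = 1_700_000_000
    syn = build_syn(key, "10.0.0.5", 40000, "10.0.0.1", 22, now)
    print(receive_syn({"alice": key}, syn, now))  # alice
    print(receive_syn({"alice": key}, syn, now + 120))  # None
```

Two properties of the field drive the design: the SEQ is only 32 bits, so a single guess succeeds with probability 2^-32 per window and the authentication device's logging (claims 17 to 19) remains the place to notice repeated failures; and because the token is an HMAC output it is still unpredictable to an observer, which is what the TCP specifications ask of the initial sequence number. The bidirectional token that [0054] describes for the SYN/ACK would be computed the same way by the responder with its own key.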
V. Definition of Terms
[0051] Arbitrary Network Topology--Without regard to the layout of
devices on a network.
[0052] Authentication--The process of verifying the authenticity of
a presented identity credential.
[0053] Authentication Device--A device that performs
authentication.
[0054] Authentication Processing Information--Information provided
by an authentication device to a second entity which enables the
second entity to complete the authentication process. In the case
of TAC, the authentication device provides a second Identity token
which is used for bidirectional authentication on the TCP SYN/ACK
transaction.
[0055] Authenticated Session Table--A table containing session
descriptors of TCP sessions that have been authenticated.
[0056] Authenticated Session Processing--Authenticated session
processing uses authentication processing information to properly
respond to authenticated sessions. In the case of TAC, the
authenticated session processing inserts a bidirectional identity
token into the TCP SYN/ACK transaction.
[0057] Bidirectional Authentication--Authentication that occurs
between two parties where each party is authenticated. This is in
contrast to unidirectional authentication where only one party is
authenticated.
[0058] Connection--A logical pairing of two devices that enable
them to communicate. A connection utilizes a series of packets to
accomplish this. A TCP connection is an example of a
connection.
[0059] Connection Request--A request by one device to another
device to create a connection.
[0060] Context Information--Information that allows the peer
authentication driver to process the response from the
authentication device without requiring the peer authentication
driver to save any state regarding the IP packet. Context
information will be returned by the authentication device with the
IP packet once the IP packet has been authenticated.
[0061] Device--A device is any object that is capable of being
attached or connected to and communicating on a network. Examples
of devices include computers, servers, clients, laptops, PDAs, cell
phones, smart phones, network appliances, storage systems, virtual
appliances, switches, routers, load balancers, caches, intrusion
detection systems, VPNs, authentication devices, intrusion
prevention systems, and firewalls.
[0062] Endpoint--Any network device that has an IP address and the
ability to perform TCP/IP protocol processing.
[0063] Endpoint Security--Security processing performed on an
endpoint. This may include identity credential authentication,
access authorization, policy enforcement, behavioral analysis,
logging and other security related actions and behaviors.
[0064] Hypervisor--In virtualization technology, a hypervisor is a
software program that manages multiple operating systems (or
multiple instances of the same operating system) on a single
computer system.
[0065] Identity--The fact of being who or what a person or thing
is.
[0066] Identity Credential--An object that is verified when
presented to the verifier in an authentication transaction.
Identity Credentials may be bound in some way to the individual or
device to whom they were issued.
[0067] IP--IP is the Internet Protocol. The Internet Protocol is a
data oriented protocol used by devices to communicate across a
packet switched network. IP information is carried by an IP header
in an IP packet. The IP header contains device address information,
protocol control information and user data information.
[0068] Logging Device--A device that receives and processes logs
from other devices, often for purposes of aggregation, storage,
display, data mining or analytics.
[0069] Network--A network is a collection of computers, servers,
clients, routers and devices that are connected together such that
they can communicate with each other. The Internet is an example of
a network.
[0070] Network Appliance--A fixed function device attached to a
network for the purpose of performing a set of functions such as
computational, storage, networking or security.
[0071] Network Device Driver--A software module that communicates
with a network interface. A network device driver is responsible
for customizing the interactions to and from a specific network
interface.
[0072] Network Interface--The physical or logical boundary between
a network and a device. A network interface is responsible for
formatting the network frames or packets as appropriate for the
network medium. Many devices have multiple network interfaces.
[0073] Network Policy--The rules governing network and network
connected device access. A network policy describes what network
devices can access other networks and network devices. Network
policy is often applied at policy enforcement points or at an
endpoint.
[0074] Network Topology--The physical or logical layout of devices
on a network. Every network has a topology, or the way that the
devices on a network are arranged and how they communicate.
[0075] Peer authentication driver--A software module that enables
the authentication of network traffic using an authentication
appliance.
[0076] Peering Environment--A network environment where two
endpoints communicate with each other without traversing a common
policy enforcement point.
[0077] Peer Authentication Management Application--A software
module that assists the peer authentication driver. The peer
authentication management application is usually instantiated as an
application and communicates with an authentication device on
behalf of the peer authentication driver. The peer authentication
management application provides management and communications
services for the peer authentication driver.
[0078] Physical Appliance--A network appliance where the appliance
functionality is rendered in physical hardware and software.
Compare against a virtual appliance where the appliance
functionality is rendered solely in software.
[0079] Policy Enforcement Point (PEP)--In networking, a chokepoint
where network policy is enforced.
[0080] Remote Network Device--One device of the pair of devices that
forms a connection. Connections involve pairs of devices; the
remote network device is the half of the connection pair that is
the remote device.
[0081] Session Descriptor--A data structure that describes the TCP
session (source IP address, source TCP port, destination IP
address, destination TCP port), context information and
authentication processing information.
[0082] SOI--Statistical Object Identification. A method of
communicating a statistical representation of an original
object.
[0083] SSL--Secure Sockets Layer. A security protocol defined by
the Internet Engineering Task Force (IETF).
[0084] TAC--Transport Access Control. A method of determining
identity on the first packet of a TCP session.
[0085] TAC Bidirectional Identity Token--A TAC Identity token that
is communicated during TCP SYN/ACK processing.
[0086] TCP--TCP is the Transmission Control Protocol. Using TCP,
networked devices can create connections to one another, over which
they can send data. The TCP protocol ensures that data sent by one
endpoint will be received in the same order by the other, and
without any pieces missing. The TCP protocol also distinguishes
data for different applications (such as a Web server and an email
server) on the same device.
[0087] TCP SYN/ACK Processing--The response by a TCP/IP protocol
stack upon receiving a TCP SYN to establish a TCP session. This is
performed in accordance with the TCP specification.
[0088] TCP SYN Bit--A control bit within the TCP header that
indicates a request for TCP session establishment.
[0089] TCP Session Initiation--The process of establishing a TCP
session. This is performed in accordance with the TCP protocol
specification.
[0090] TLS--Transport Layer Security. A security protocol defined
by the Internet Engineering Task Force (IETF).
[0091] Virtual Appliance--A network appliance where the appliance
functionality is rendered solely in software. Compare against a
physical appliance where the appliance functionality is rendered in
physical hardware and software.
VI. Preferred and Alternative Embodiments
[0092] FIGS. 1, 2 and 3 depict prior art which is used as an
analogy to help explain the present invention.
[0093] FIG. 1 is an illustration of three buildings 2, each
protected by a security officer 4.
[0094] FIG. 2 is an analogy of the present invention, showing two
buildings 2 with security cameras 5, and a building 2 with a
security officer 4 and a security monitor 6. An image 7 from the
security camera 5 is shown on the security monitor 6.
[0095] FIG. 3 is an analogy of the present invention, showing two
buildings 2 with security cameras 5, and a building 2 with a
security officer 4 and a security monitor 6. The security officer 4
is sending a door unlock signal 8 to one of the buildings 2.
[0096] FIG. 4 is an illustration of an IP packet 12, including a
TCP header 14.
[0097] FIG. 5 is an illustration of a TCP header 14 and shows the
location of the TCP SYN bit 16.
[0098] FIG. 6 is a flowchart of the present invention which
describes processing of an IP packet 12 by a peer authentication
driver 46.
[0099] FIG. 7 is a flowchart of the present invention which
describes processing of an IP packet 12 by an authentication device
18.
[0100] FIG. 8 is a flowchart of the present invention which
describes processing of an authenticated IP packet 12 containing
TCP SYN bit 16 by a peer authentication driver 46.
[0101] FIG. 9 is a flowchart of the present invention which
describes processing of an IP packet 12 received from a TCP/IP
protocol stack 32 by a peer authentication driver 46.
[0102] FIG. 10 is a flowchart of the present invention which
describes processing of a policy rule 26 received from an
authentication device 18 by a peer authentication driver 46.
[0103] FIG. 11 is an architectural depiction of the present
invention in a network endpoint device 10. A network interface 49
conveys packets between a network (not shown) and the network
device driver 48. The network device driver 48 processes packets
and conveys packets and information between the network interface
49 and the peer authentication driver 46. The peer authentication
driver 46 performs authentication or causes authentication to be
performed. The peer authentication driver 46 conveys packets and
information between the network device driver 48, the TCP/IP
protocol stack 32 and the Peer Authentication Management
Application 44. The TCP/IP protocol stack 32 performs TCP/IP
processing and conveys packets and information between the peer
authentication driver 46, the Peer Authentication Management
Application 44 and other applications. The Peer Authentication
Management Application 44 provides management and communications
services for the peer authentication driver 46. The Peer
Authentication Management Application 44 conveys packets and
information between the peer authentication driver 46 and the
TCP/IP protocol stack 32.
[0104] FIG. 12 is an architectural depiction of the present
invention in a network endpoint device 10, showing the flow of an
IP packet 12 with a TCP header 14 containing TCP SYN bit 16 being
received by a network interface 49, being conveyed to a network
device driver 48 and being subsequently conveyed to a peer
authentication driver 46. The peer authentication driver 46 sends
the IP packet 12 to an authentication device 18 (not shown) by
conveying the IP packet 12 to the network device driver 48 which
subsequently conveys the IP packet 12 to the network interface
49.
[0105] FIG. 13 is an architectural depiction of the present
invention in a network endpoint device 10, showing an alternate
flow of an IP packet 12 with a TCP header 14 containing TCP SYN bit
16 being received by a network interface 49, being conveyed to a
network device driver 48 and being subsequently conveyed to a peer
authentication driver 46. The peer authentication driver 46 sends
the IP packet 12 to an authentication device 18 (not shown) by
conveying the IP packet 12 to a Peer Authentication Management
Application 44 which subsequently conveys the IP packet 12 via an
established TCP session to the TCP/IP protocol stack 32. The TCP/IP
protocol stack conveys the IP packet 12 to the peer authentication
driver 46 which subsequently conveys the IP packet 12 to the
network device driver 48 which subsequently conveys the IP packet
12 to the network interface 49.
[0106] FIG. 14 is an architectural depiction of the present
invention in a network endpoint device 10, showing the flow of an
IP packet 12 with a TCP header 14 being received by a network
interface 49, being conveyed to a network device driver 48 and
being subsequently conveyed to a peer authentication driver 46. The
peer authentication driver 46 upon locating a matching session
descriptor 28 conveys the IP packet 12 to the TCP/IP protocol stack
32 for processing.
[0107] FIG. 15 is an architectural depiction of the present
invention in a network endpoint device 10, showing the flow of a
policy rule 26 being received by a network interface 49, being
conveyed to a network device driver 48 and being subsequently
conveyed to a peer authentication driver 46 for processing.
[0108] FIG. 16 is an architectural depiction of the present
invention in a network endpoint device 10, showing an alternate
flow of a policy rule 26 being transported within a previously
established TCP session. An IP packet 12 containing a TCP header
14 and the policy rule 26 is received by a network interface 49,
being conveyed to a network device driver 48 and being subsequently
conveyed to a peer authentication driver 46. The peer
authentication driver 46 upon locating a matching session
descriptor 28 conveys the IP packet 12 to the TCP/IP protocol stack
32 for processing. The TCP/IP protocol stack 32 performs the
protocol processing and conveys the policy rule 26 to the Peer
Authentication Management Application 44. The Peer Authentication
Management Application 44 conveys the policy rule 26 to the peer
authentication driver 46.
[0109] FIG. 17 is an architectural depiction of the present
invention in a network endpoint device 10, showing the flow of an
IP packet 12 being generated from the TCP/IP protocol stack 32 and
being conveyed to the peer authentication driver 46. The peer
authentication driver 46 performs authentication processing and
conveys the IP packet 12 to the network device driver 48 which
subsequently conveys the IP packet 12 to the network interface 49
to send to its destination.
[0110] FIG. 18 is a topological depiction of the present invention
in an operating context. Two remote network devices 11 are
connected to a network 20. Also connected to the network 20 are two
network endpoint devices 10, a logging device 42 and an
authentication device 18.
[0111] FIG. 19 is a topological depiction of the present invention
in an operating context, showing a remote network device 11
conveying an IP packet 12 with a TCP header 14 containing TCP SYN
bit 16 via a network 20 to a network endpoint device 10.
[0112] FIG. 20 is a topological depiction of the present invention
in an operating context, showing a network endpoint device 10
conveying an IP packet 12 with a TCP header 14 containing TCP SYN
bit 16 via a network 20 to an authentication device 18 performing
authentication.
[0113] FIG. 21 is a topological depiction of the present invention
in an operating context, showing an authentication device 18
conveying an IP packet with a TCP header 14 containing TCP SYN bit
16 after being authenticated to a network endpoint device 10 via a
network 20.
[0114] FIG. 22 is a topological depiction of the present invention
in an operating context, showing the flow of IP packets 12 with TCP
headers 14 not containing TCP SYN bit 16 and matching a session
descriptor 28 between a remote network device 11 and the network
endpoint device 10 via a network 20.
[0115] FIG. 23 is a topological depiction of the present invention
in an operating context, showing the authentication device 18
sending log information 50 to a logging device 42 via a network
20.
VII. Methods of Operation for Peer Authentication
[0116] There are two components in endpoint peering: the peer
authentication driver 46 and the authentication device 18. The peer
authentication driver 46 is installed in a network endpoint device
10, logically inserted between the network device driver 48 and the
TCP/IP protocol stack 32. When an IP packet 12 containing a TCP
header 14 is received by a network interface 49 it is conveyed to a
network device driver 48 which subsequently conveys it to the peer
authentication driver 46. At 100, the IP packet 12 is received by
the peer authentication driver 46. At 102 the IP packet 12 is
compared against a second table of policy rules 36.
[0117] The second table of policy rules 36 allows the
authentication device 18 to define policy rules that are
implemented by the peer authentication driver 46. An example of a
policy rule 26 in the second table of policy rules 36 is a source IP
address that is being blocked, so that IP packets 12 matching the
source IP address will be discarded. A second example of a policy
rule 26 in the second table of policy rules 36 is a destination IP
address for which identity is not being authenticated, so that IP
packets 12 matching the destination IP address will be forwarded
without requiring authentication by the authentication device 18. A
network interface 49 can also be specified in a policy rule 26.
This allows different policies to be enforced depending upon which
network interface 49 an IP packet 12 is received on. An example
second table of policy rules 36 is shown below:
TABLE-US-00001
Source IP    Source  Dest IP      Dest  Network
Address      Port    Address      Port  Interface  Protocol  VLAN  Rule
17.23.21.2   any     any          any   any        any       any   drop
any          any     21.44.2.11   any   eth0       TCP       any   allow
any          any     21.44.2.45   any   eth2       TCP       100   redirect to 21.4.2.47
121.32.4.2   any     any          any   any        any       any   drop
[0118] After any policy rules have been enforced at 110, the TCP
header 14 of the IP packet 12 is checked for TCP SYN bit 16 at 104.
If TCP SYN bit 16 is set, then the IP packet 12 is sent to the
authentication device 18 at 112 for authentication.
[0119] The IP packet 12 being sent to the authentication device 18
may be sent directly by the peer authentication driver 46, or in an
alternate embodiment, the IP packet 12 may be sent to a peer
authentication management application 44. The peer authentication
management application 44 maintains pre-established TCP/IP sessions
with one or more authentication devices 18. The TCP/IP sessions
maintained by the peer authentication management application 44
should be protected by using the SSL, TLS or other cryptographic
security protection to protect information conveyed between the
peer authentication management application 44 and the
authentication device 18.
[0120] At 112, in addition to sending the IP packet 12 to the
authentication device 18, context information may be included with
the IP packet 12. Context information is information that allows
the peer authentication driver 46 to process the response from the
authentication device 18 without requiring the peer authentication
driver 46 to save any state regarding the IP packet 12. This
context information will be returned by the authentication device
18 with the IP packet 12 once the IP packet 12 has been
authenticated.
[0121] At 112, in addition to sending the IP packet 12 to the
authentication device 18, information about the network interface
49 may be included with the IP packet 12.
[0122] At 104, if TCP SYN bit 16 is not set in the TCP header 14 of
the IP packet 12, the IP packet 12 is then compared against an
authenticated session table 30 at 106. The authenticated session
table 30 contains session descriptors 28. Each session descriptor
28 contains session information for each active TCP session. Each
session descriptor 28 also contains the identity 22 that was
authenticated to establish the TCP session. The session descriptor
28 also contains authentication processing information that enables
the peer authentication driver 46 to properly respond to
authenticated sessions. In one embodiment, the authentication
processing information includes the TAC bidirectional identity
token used to communicate bidirectional authentication. The TAC
bidirectional identity token is provided to the peer authentication
driver 46 by the authentication device 18. If a session descriptor
28 matching the TCP session in the IP packet 12 is found, at 114,
the IP packet is sent to the TCP/IP protocol stack 32.
[0123] If a session descriptor 28 matching the TCP session in the
IP packet 12 is not found, at 108, the IP packet is discarded.
[0124] When an authentication device 18 receives an IP packet 12
from a peer authentication driver 46, at 116, it determines, at
118, the identity 22 of the sender of the IP packet 12. A preferred
embodiment of determining the identity of the sender on the first
packet of a TCP session is by using Transport Access Control (TAC).
A second preferred embodiment of determining the identity of the
sender on the first packet of a TCP session is by using statistical
object identification (SOI). Once the identity 22 has been
determined, a policy rule 26 in a first table of policy rules 27 is
located that matches the identity 22.
[0125] The first table of policy rules 27 allows the authentication
device 18 to define and maintain policy rules 26 based on identity
22. An example of a policy rule 26 in the first table of policy
rules 27 is an identity 22 that is allowed to access a specified
destination IP address. A second example of a policy rule 26 in the
first table of policy rules 27 is an identity 22 matching a
specified destination IP address that will be redirected to an
alternate IP address. A third example of a policy rule 26 in the
first table of policy rules 27 is a wildcard rule that matches any
identity 22 and instructs that an IP packet 12 will be discarded.
An example first table of policy rules 27 is shown below:
TABLE-US-00002
Identity  Dest IP Address  Dest Port  Protocol  Group  Rule
John      121.34.22.15     any        any       eng    allow
Mark      121.34.21.100    any        any       corp   redirect to 121.34.21.200
any       121.34.22.120    any        any       any    drop
none      any              any        any       none   drop
[0126] Once the identity 22 and the matched policy rule 26 have been
determined, the policy rule 26 is enforced at 120. For example, if
the policy rule 26 is "Allow", then the IP packet 12, at 128, is
sent back to the peer authentication driver 46.
[0127] In addition to sending back the IP packet 12 to the peer
authentication driver 46, if context information was received with
the IP packet 12, then context information should be returned with
the IP packet 12. Additionally, if the peer authentication driver
46 requires additional information to complete the authentication
processing, then authentication processing information should also
be sent to the peer authentication driver 46.
[0128] At 120, if the policy is "Discard", then the IP packet 12 is
discarded, at 122. The identity 22, the lack of identity and the
associated policy may also be recorded in log information 50 that
is sent to a logging device 42.
[0129] A logging device 42 can be any device used for the purpose
of collecting, aggregating, processing, analyzing and storing log
records. Commonly a logging device 42 is a network connected device
with a large storage capacity and the ability to perform advanced
analytics, such as a HADOOP cluster. Less sophisticated logging
devices 42 can simply aggregate and store logs sent to them across
the network. Splunk is a common software package that runs on a
logging device 42.
[0130] At 118, as part of determining identity 22, the receipt of
the IP packet 12 in conjunction with the identity determination
process may produce policy rules 26 that must be communicated to
the peer authentication driver 46. For example, if during SOI
processing, an attack threshold is reached, the authentication
device 18 may want to block all IP packets 12 originating from a
certain source IP address for a period of time. Sending a policy
rule 26 to the peer authentication driver 46, at 130, allows this
to happen without requiring that the authentication device 18
discard all of the corresponding IP packets 12 directly. The policy
rule 26 should include an expiration so that it will expire
automatically and not require additional coordination or management
from the authentication device 18. If no new rules are generated,
then no additional processing occurs at 126.
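The following is an added illustration of the authentication device side described in [0124] through [0130], written for this edition and not code from the patent or its applicant. It keeps the first table of policy rules 27 exactly as TABLE-US-00002 lists it, matches on identity, destination, protocol and group with "any" and "none" wildcards, echoes the context information back unchanged, records log information 50, and pushes an expiring drop rule once an assumed attack threshold of unidentified SYNs from one source is reached. The identity determination step (TAC or SOI in the patent) is replaced by a constructed directory lookup, because the page does not specify that algorithm; the attack threshold, the block lifetime, the fail-closed default when no rule matches, and the returned bi-token value are likewise assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Identity = Optional[Tuple[str, str]]  # (identity 22, group) or None when it cannot be determined


@dataclass
class AuthRequest:
    """What the peer authentication driver forwards at step 112: session fields plus context."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    context: int  # opaque to the device and echoed back unchanged


@dataclass
class IdentityRule:
    """One row of the first table of policy rules 27 (TABLE-US-00002 columns)."""
    identity: str
    dst_ip: str
    dst_port: str
    protocol: str
    group: str
    rule: str


FIRST_TABLE = [  # TABLE-US-00002 as given on the page
    IdentityRule("John", "121.34.22.15", "any", "any", "eng", "allow"),
    IdentityRule("Mark", "121.34.21.100", "any", "any", "corp", "redirect to 121.34.21.200"),
    IdentityRule("any", "121.34.22.120", "any", "any", "any", "drop"),
    IdentityRule("none", "any", "any", "any", "none", "drop"),
]

# Constructed stand-in for TAC/SOI identity determination (not specified on the page):
# a fixed map from source address to (identity, group).
DIRECTORY: Dict[str, Tuple[str, str]] = {"17.20.3.22": ("John", "eng"), "11.17.2.34": ("Mark", "corp")}


def _match(want: str, have: Optional[str]) -> bool:
    """'any' matches everything; 'none' matches only an undetermined identity or group."""
    if want == "any":
        return True
    if want == "none":
        return have is None
    return want == have


@dataclass
class AuthDevice:
    table: List[IdentityRule]
    identify: Callable[[AuthRequest], Identity]
    attack_threshold: int = 3  # assumed: unidentified SYNs from one source before it is blocked
    block_seconds: float = 300.0  # assumed lifetime of the pushed rule
    failures: Dict[str, int] = field(default_factory=dict)
    log: List[dict] = field(default_factory=list)  # log information 50 destined for logging device 42

    def find_rule(self, ident: Identity, req: AuthRequest) -> Optional[IdentityRule]:
        name, group = ident if ident else (None, None)
        for r in self.table:  # first match wins, so order the table from specific to general
            if (_match(r.identity, name) and _match(r.dst_ip, req.dst_ip)
                    and _match(r.dst_port, str(req.dst_port))
                    and _match(r.protocol, req.protocol) and _match(r.group, group)):
                return r
        return None

    def process(self, req: AuthRequest, now: float) -> dict:
        """Steps 116-130: decide, echo the context, attach processing info, log, emit rules."""
        ident = self.identify(req)  # step 118 (TAC or SOI in the patent)
        rule = self.find_rule(ident, req)
        action = rule.rule if rule else "drop"  # assumed: no matching rule fails closed
        result = {"action": action.split(" ")[0], "redirect_to": None, "context": req.context,
                  "auth_info": None, "new_rules": []}
        if action.startswith("redirect to "):
            result["redirect_to"] = action[len("redirect to "):]
        if result["action"] != "drop":  # step 128: packet goes back with processing info
            result["auth_info"] = {"identity": ident[0] if ident else None,
                                   "bi_token": "0x" + secrets.token_hex(4)}
        self.log.append({"time": now, "src": req.src_ip, "dst": req.dst_ip,
                         "identity": ident[0] if ident else None, "rule": action})
        if ident is None:  # step 130: after the threshold, push an expiring block to the driver
            n = self.failures[req.src_ip] = self.failures.get(req.src_ip, 0) + 1
            if n >= self.attack_threshold:
                result["new_rules"].append({"source_ip": req.src_ip, "rule": "drop",
                                            "expires": now + self.block_seconds})
                self.failures[req.src_ip] = 0
        return result
```

The device is driven as AuthDevice(list(FIRST_TABLE), identify=lambda r: DIRECTORY.get(r.src_ip)) and fed one AuthRequest per forwarded SYN. Two design points worth noting: the "none" row at the bottom of the table is what gives unidentified senders a deterministic drop, and every pushed rule carries an absolute expiration so the peer authentication driver can age it out without a second message from the device.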
[0131] When the peer authentication driver 46 receives an
authenticated IP packet 12 from the authentication device 18 at
132, it creates a session descriptor 28 at 134. A session
descriptor 28 contains session information from the TCP header 14
in the IP packet 12. A session descriptor 28 also contains the
identity 22 that was authenticated. The session descriptor 28 also
contains authentication processing information that enables the
peer authentication driver 46 to properly respond to authenticated
sessions. The session descriptor 28 may also contain context
information and information about the network interface 49 on which
the IP packet 12 was originally received.
[0132] At 136, the peer authentication driver adds the session
descriptor 28 to an authenticated session table 30 and then sends
the IP packet 12 to the TCP/IP protocol stack 32 at 138. An example
authenticated session table 30 containing session descriptors 28 is
shown below:
TABLE-US-00003
Source            Destination       Protocol  Network    Identity  Context  Auth Processing
                                              Interface            Info     Info
17.20.3.22:34566  46.18.2.201:443   TCP       eth0       Mike      0x1243   bi-token = 0xd54a2113
11.17.2.34:16775  46.18.2.201:443   TCP       eth1       John      0xcd1a   bi-token = 0x5bc32a14
17.20.3.22:34576  46.18.2.220:80    TCP       eth0       Mike      0xdc32   bi-token = 0x12cba435
11.17.2.66:23241  46.18.2.100:443   TCP       eth0       Dave      0xbba3   bi-token = 0xcb34ad56
[0133] When the TCP/IP protocol stack 32 sends an IP packet 12, it
is received by the peer authentication driver 46 at 140. At 142,
the IP packet 12 is compared against an authenticated session table
30.
[0134] If a session descriptor 28 matching the TCP session in the
IP packet 12 is found, at 144, authenticated session processing is
performed at 148. Authenticated session processing uses
authentication processing information in the session descriptor 28
to properly respond to authenticated sessions. In one embodiment,
the authentication processing information includes the TAC
bidirectional identity token used to communicate bidirectional
authentication. The TAC bidirectional identity token is provided to
the peer authentication driver 46 by the authentication device 18.
After authenticated session processing has been performed, the IP
packet 12 is sent to the network device driver 48 at 146.
[0135] If a session descriptor 28 matching the TCP session in the
IP packet 12 is not found, at 144, the IP packet 12 is sent to the
network device driver 48 at 146.
[0136] When an authentication device 18 sends a policy rule 26 to
the peer authentication driver 46, it is received by the peer
authentication driver 46 at 150. The peer authentication driver 46
then inserts the policy rule 26 into the second table of policy
rules 36 at 152.
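The following is an added illustration of the peer authentication driver 46 flows described in [0116] through [0123] and [0131] through [0136] (FIGS. 6, 8, 9 and 10), written for this edition and not code from the patent or its applicant. It parses the IPv4 and TCP headers of a raw packet to find the session 4-tuple and TCP SYN bit 16, checks the second table of policy rules 36 (loaded exactly as TABLE-US-00001 lists it, with an added expiration field for rules pushed per [0130]), hands a SYN off for authentication with context information, builds a session descriptor 28 when the authenticated packet returns, and looks up the TAC bidirectional identity token for an outbound reply. The context value here is simply the index of the receiving interface, so the driver recovers the interface from the echoed context rather than from saved state; that encoding, the interface names, the disposition strings and the packet builder are assumptions of this example.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TCP_SYN = 0x02  # TCP SYN bit 16 lives in the flags byte at TCP header offset 13
Key = Tuple[str, int, str, int]  # (source IP, source port, destination IP, destination port)
IFACE_INDEX = {"eth0": 0, "eth1": 1, "eth2": 2}  # constructed: context info encodes the interface


def parse_ipv4_tcp(pkt: bytes) -> Tuple[Key, bool]:
    """Return the TCP 4-tuple of an IPv4/TCP packet and whether its SYN bit is set."""
    ihl = (pkt[0] & 0x0F) * 4
    if (pkt[0] >> 4) != 4 or pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not an IPv4 packet carrying a TCP header")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return (src, sport, dst, dport), bool(pkt[ihl + 13] & TCP_SYN)


def build_packet(src: str, sport: int, dst: str, dport: int, syn: bool) -> bytes:
    """Constructed IPv4 + TCP headers (checksums left zero) so the example runs offline."""
    a, b = (bytes(int(o) for o in ip.split(".")) for ip in (src, dst))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, a, b)
    return ip_hdr + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4,
                                TCP_SYN if syn else 0x10, 65535, 0, 0)


@dataclass
class PolicyRule:
    """One row of the second table of policy rules 36 (TABLE-US-00001 columns)."""
    src_ip: str = "any"
    src_port: str = "any"
    dst_ip: str = "any"
    dst_port: str = "any"
    interface: str = "any"
    protocol: str = "any"
    vlan: str = "any"
    rule: str = "drop"
    expires: Optional[float] = None  # absolute time after which the rule is ignored

    def matches(self, key: Key, iface: str, vlan: Optional[int], now: float) -> bool:
        if self.expires is not None and now >= self.expires:
            return False  # an expired rule stops applying with no further coordination
        src, sport, dst, dport = key
        pairs = [(self.src_ip, src), (self.src_port, str(sport)), (self.dst_ip, dst),
                 (self.dst_port, str(dport)), (self.interface, iface), (self.protocol, "TCP"),
                 (self.vlan, "any" if vlan is None else str(vlan))]
        return all(want == "any" or want == have for want, have in pairs)


@dataclass
class SessionDescriptor:
    """Entry of the authenticated session table 30."""
    key: Key
    identity: str
    context: int
    interface: str
    bi_token: Optional[str]  # TAC bidirectional identity token, if the device supplied one


@dataclass
class PeerAuthDriver:
    policy: List[PolicyRule] = field(default_factory=list)  # second table of policy rules 36
    sessions: Dict[Key, SessionDescriptor] = field(default_factory=dict)  # session table 30

    def inbound(self, pkt: bytes, iface: str, now: float, vlan: Optional[int] = None) -> Tuple[str, Optional[dict]]:
        """FIG. 6: returns ('drop' | 'stack' | 'redirect:<ip>' | 'auth', offload message)."""
        key, syn = parse_ipv4_tcp(pkt)
        for r in self.policy:  # steps 102/110: the second table of policy rules is checked first
            if r.matches(key, iface, vlan, now):
                if r.rule.startswith("redirect to "):
                    return "redirect:" + r.rule[len("redirect to "):], None
                return ("stack" if r.rule == "allow" else "drop"), None
        if syn:  # steps 104/112: the first packet of a session is authenticated off-box
            return "auth", {"key": key, "context": IFACE_INDEX[iface], "packet": pkt}
        # steps 106/114/108: any other packet must belong to an authenticated session
        return ("stack" if key in self.sessions else "drop"), None

    def authenticated(self, key: Key, identity: str, context: int, bi_token: Optional[str]) -> str:
        """FIG. 8 (134-138): the echoed context, not saved state, tells us the ingress interface."""
        iface = next(name for name, idx in IFACE_INDEX.items() if idx == context)
        self.sessions[key] = SessionDescriptor(key, identity, context, iface, bi_token)
        return "stack"

    def outbound(self, pkt: bytes) -> Tuple[str, Optional[str]]:
        """FIG. 9 (142-148): bi-token to insert into the SYN/ACK of an authenticated session."""
        src, sport, dst, dport = parse_ipv4_tcp(pkt)[0]
        desc = self.sessions.get((dst, dport, src, sport))  # a reply reverses the inbound tuple
        return "wire", (desc.bi_token if desc else None)

    def add_rule(self, rule: PolicyRule) -> None:  # FIG. 10 (150/152): rule pushed by the device
        self.policy.append(rule)


EXAMPLE_RULES = [  # the second table of policy rules 36 exactly as TABLE-US-00001 lists it
    PolicyRule(src_ip="17.23.21.2", rule="drop"),
    PolicyRule(dst_ip="21.44.2.11", interface="eth0", protocol="TCP", rule="allow"),
    PolicyRule(dst_ip="21.44.2.45", interface="eth2", protocol="TCP", vlan="100",
               rule="redirect to 21.4.2.47"),
    PolicyRule(src_ip="121.32.4.2", rule="drop"),
]
```

A driver built as PeerAuthDriver(list(EXAMPLE_RULES)) drops a non-SYN packet until the device has returned the session's SYN and a descriptor exists, which is the property that makes the SYN the single authentication point; a rule added with an expiration simply stops matching once the clock passes it.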
VIII. Apparatus for Peer Authentication
[0137] The apparatus that performs peer authentication is varied
and diverse. The peer authentication driver 46 is usually
implemented as a software module that is loaded or linked into an
operating system. The peer authentication driver 46 may be created
using software or firmware and may also be offloaded to a separate
processing module where the functionality is provided by software,
firmware, hardware or a combination of these. The peer
authentication driver 46 may also reside within a hypervisor,
providing authentication services to multiple operating system
instances. The hypervisor functionality may also be implemented as
software or firmware and may also be implemented as a separate
processing module where the functionality of the hypervisor and
the peer authentication driver 46 is provided by software,
firmware, hardware or a combination of these.
[0138] The authentication device 18 is a network connected device
that may be created as a physically separate physical appliance.
The authentication device 18 may also be created as a virtual
appliance that operates within a hypervisor environment. Both the
physical appliance and the virtual appliance may be constructed
using software, firmware or hardware or a combination of these. In
the case of a virtual appliance and hardware offload, some
functions provided by the authentication device 18 may be
offloaded to hardware offload devices available within the virtual
environment.
[0139] The apparatus that performs peer authentication may be used
in communications devices, security devices, network routing
devices, application routing devices, service delivery devices and
other devices that are enabled by the addition of the efficient
authentication of identity 22 and the application of network policy
based on that identity 22.
CONCLUSION
[0140] Although the present invention has been described in detail
with reference to one or more preferred embodiments, persons
possessing ordinary skill in the art to which this invention
pertains will appreciate that various modifications and
enhancements may be made without departing from the spirit and
scope of the claims that follow. The various alternatives for
providing an efficient means for peer authentication that have been
disclosed above are intended to educate the reader about preferred
embodiments of the invention, and are not intended to constrain the
limits of the invention or the scope of Claims. The List of
Reference Characters which follows is intended to provide the
reader with a convenient means of identifying elements of the
invention in the Specification and Drawings. This list is not
intended to delineate or narrow the scope of the Claims.
LIST OF REFERENCE CHARACTERS
[0141] 2 Building
[0142] 4 Security Officer
[0143] 5 Security Camera
[0144] 6 Security Monitor
[0145] 7 Image
[0146] 8 Door Unlock Signal
[0147] 10 Network endpoint device
[0148] 11 Remote network device
[0149] 12 IP packet
[0150] 14 TCP header
[0151] 16 TCP SYN bit
[0152] 18 Authentication device
[0153] 20 Network
[0154] 22 Identity
[0155] 26 Policy rule
[0156] 27 First table of policy rules
[0157] 28 Session descriptor
[0158] 30 Authenticated session table
[0159] 32 TCP/IP protocol stack
[0160] 36 Second table of policy rules
[0161] 42 Logging device
[0162] 44 Peer authentication management application
[0163] 46 Peer authentication driver
[0164] 48 Network device driver
[0165] 49 Network interface
[0166] 50 Log information
[0167] 100 Flowchart 1, Step 1
[0168] 102 Flowchart 1, Step 2
[0169] 104 Flowchart 1, Step 3
[0170] 106 Flowchart 1, Step 4
[0171] 108 Flowchart 1, Step 5
[0172] 110 Flowchart 1, Step 2a
[0173] 112 Flowchart 1, Step 3a
[0174] 114 Flowchart 1, Step 4a
[0175] 116 Flowchart 2, Step 1
[0176] 118 Flowchart 2, Step 2
[0177] 120 Flowchart 2, Step 3
[0178] 122 Flowchart 2, Step 4
[0179] 124 Flowchart 2, Step 5
[0180] 126 Flowchart 2, Step 6
[0181] 128 Flowchart 2, Step 3a
[0182] 130 Flowchart 2, Step 5a
[0183] 132 Flowchart 3, Step 1
[0184] 134 Flowchart 3, Step 2
[0185] 136 Flowchart 3, Step 3
[0186] 138 Flowchart 3, Step 4
[0187] 140 Flowchart 4, Step 1
[0188] 142 Flowchart 4, Step 2
[0189] 144 Flowchart 4, Step 3
[0190] 146 Flowchart 4, Step 4
[0191] 148 Flowchart 4, Step 3a
[0192] 150 Flowchart 5, Step 1
[0193] 152 Flowchart 5, Step 2
* * * * *