The present invention relates to a method and system for network security and, more particularly, to a physical, virtual or containerized computer network or a host machine that provides network communication to applications, wherein network communication is provided only after authentication and authorization for the specific application has occurred, while ensuring authorized communication is not malicious.
As organizations increase remote access to corporate computing applications due to increased work from home/remote business models and the increased need to enable offsite vendor and contractor access to such applications, traditional remote access solutions have introduced significant security risks. Furthermore, corporate computing environments have embraced BYOD (bring your own device) and more and more personal computing devices (iPhones, Android, tablets, PCs) are being brought into the corporate infrastructure that may be infected with malware that can spread laterally or breach corporate information.
Traditional solutions that enable remote access to networks that ultimately lead to remote access to applications have typically included technologies that fall into the historic, Virtual Private Network category (IPSEC, SSL VPN, L2TP, etc.). The challenge with these legacy technologies is that they have provided device to network access first vs. user to application access first. The fundamental problem with this approach is in the device to network access first model. With this model, once a user is on the network, that use can move laterally within the network to other applications that the user may or may not be authorized to communicate with. This model now puts the burden of authentication onto the applications to allow access. One might think that this approach is just fine, however history has proven that applications often have unknown vulnerabilities and by allowing even unauthenticated network communication to those applications, opens up the possibility for a malicious actor to exploit weaknesses within them. These same problems that exist with remote access also exist with local access, especially when users bring in unmanaged devices into the infrastructure.
These well-known problems have caused the cybersecurity industry to react and build solutions that promise to provide authentication & authorization first before allowing any sort of communication to said applications. This new model prevents unauthorized users from sending even a single packet to an application, that could take advantage of a vulnerability. The industry is now calling these solutions, “ZTNA” or Zero Trust Network Access, “SDP” or Software Defined Perimeter and they are beginning to show promise. The challenges with these ZTNA/SDP solutions, are that a significant amount of friction exists in the migration away from existing, legacy VPN architectures to modern day ZTNA/SDP architectures. Organizations want to achieve the benefits of ZTNA/SDP without having to replace existing or new investments in VPN solutions or undergo the burden of reconfiguring the networking environment.
According to the present invention there is provided a method for isolating applications on a network, the method including: denying network traffic access to applications sitting behind an Access Gateway Engine; receiving a username of a user that logs onto the network; extracting a source address associated with the username; retrieving a list of applications with which the username is permitted to communicate; extracting application destination information for each application of the list of applications; generating an access control policy for the username, the access control policy allowing the username having the source address to communicate with the list of application each of which having respective the destination information; the Access Gateway Engine allowing or denying the network traffic, originating from the username source address, access to the applications, according to the access control policy for the user.
According to further features in preferred embodiments of the invention described below the method further includes effecting security-related tasks on the network traffic passing through the Access Gateway Engine.
According to still further features in the described preferred embodiments the method includes detecting suspicious or malicious data packets or behavior from the network traffic; and associating the suspicious or malicious data packets or behavior with the username from which the network traffic originated. According to still further features the method further includes removing the access control policy from the access gateway engine.
According to still further features the step of removing the access control policy includes: receiving the username of the user when the user logs off the network, re-extracting the source address associated with the username, re-retrieving the list of applications with which the username is permitted to communicate, re-extracting the application destination information for each of the list of applications, regenerating the access control policy for the username, searching the access gateway engine for the access control policy, and removing the access control policy from the access gateway engine.
According to still further features the username and source address are extracted by an application programming interface (API). According to still further features the username and network address are extracted by parsing an authentication log received from a native authentication service of the network.
According to another embodiment there is provided an Application Isolation System installed on a network, the system including: an access gateway engine (AGE) interposed between a user and an application, the AGE configured to allow or deny the user network access to the application based on an access control policy; and an Access Controller in network communication with a native authentication service and a native authorization database, the Access Controller configured to generate the access control policy based on user authentication logs from the native authentication service and an authorization policy from the native authorization service, wherein the AGE provides zero trust network access controls to the network.
According to further features, the Access Controller includes: a User to Network Address Extraction & Correlation (UNA E&C) Engine configured to extract a username and associated source network address for the user; and an Authorization Engine configured to extract from the authorization policy, a list of applications and corresponding, respective destination information for each application of the list of applications.
According to still further features the UNA E&C engine polls the native authentication service. According to still further features the UNA E&C engine is configured to receive and parse the user authentication logs to extract the username and associated source network address.
According to still further features the destination information for each the application, includes at least one of: a network destination address, a destination port and a protocol type.
According to still further features the system further includes an Authentication Portal adapted to facilitate a user logon from outside the network.
According to still further features the AGE includes a micro component engine configured to provide content inspection and additional security-related tasks on data packets allowed by the AGE.
Various embodiments are herein described, by way of example only, with reference to the accompanying drawings, wherein:
Preferred embodiments of the invention include a method and system for providing isolation for a plurality of applications operating on a physical, virtual or containerized network or host machine. A plurality of applications is defined on said networks or host machines and are interconnected via the network infrastructure. Applications communicate across the switching infrastructure via network communication protocols such as but not limited to, UDP, TCP/IP, IPX/SPX, NetBIOS and the like. Each application will have uniqueness within the network addressing schema such as, but not limited to, a unique TCP port number, IP address or combination of the like. An example of an application could be a web server, database, IOT device, HRIS system, CRM system, SaaS applications, that a user may need to access to perform computing related tasks.
According to the instant innovation, applications are isolated from the totality of the network by placing one or more isolation gateways between users and applications and, optionally, between different applications on the same network. The purpose of isolating applications is so that the totality of the network, which includes users and other devices, are by default, unable to communicate with applications until properly authenticated and authorized. The instant method and system effectively create a “Zero Trust Dark Network”, in which the behavior of the network changes from the prior default behavior of allowing communication to all, to a new behavior of denying communication to all, until properly authenticated and authorized. The user may be authenticated by any method that exists within the environment and the instant security solution will capture authentication events and perform the authorization of access to the application.
The instant system helps organizations extend the usefulness of their existing VPN solution, while, over time, design a plan and roadmap to implement SDP solutions. The instant system and method also enable a more robust level of security that provides secure communication laterally (East to West) and remotely (North to South). The aforementioned network security is achieved through the deployment of the instant system, which is referred throughout the remainder of this document as an Application Isolation System 10.
The principles and operation of an Application Isolation System according to the present invention may be better understood with reference to the drawings and the accompanying description.
Referring now to the drawings,
The five major components are: (1) Access Gateway Engine (AGE) 100, (2) User to Network Address Extraction & Correlation Engine (UNA E&C engine) 210, (3) Authentication Portal 220, (4) Authorization Engine 230, and (5) Micro Component Engine 110. It is made clear that the chosen names of the components are merely exemplarily and not intended to be limiting in any way. Furthermore, specific components are described below as performing specific tasks. This is not to be viewed as limiting. That is to say that when one component has been described as performing a function, yet it is possible or optional for a different component to perform that same function, then it is to be understood that the description is not intended to necessarily be limiting but merely exemplary. Accordingly, performance of the specified function is not limited to being performed by the specified component.
The Application Isolation System 10 can be seen as including two broad types of components: ‘brains’ and ‘brawn’ (muscle). The ‘brains’ of the system fall under the umbrella component called the Access Controller 200 which includes at least the UNA E&C Engine 210 and the Authorization Engine 230. By default, the Authentication portal 220 is also inside the Access Controller but can actually be located anywhere in the system or on the network.
The ‘muscle’ of the system is the Access Gateway Engine (AGE) 100 that actually, physically, secures the network from malicious attacks. Preferably, the AGE 100 includes the Micro Component Engine 110 which provides additional security features. Each of the components are described hereafter.
The Access Gateway Engine (AGE) 100 is an OSI layer 2-7 ethernet switch that can operate within a physical, virtual or containerized network or host machine. The AGE 100 can be deployed inline and transparently between users and applications without any changes to network routing topologies (like an L2 switch) or can be deployed to further isolate network subnets (like an L3 router). The primary purpose of the access gateway engine is, by default, to deny all traffic to applications that sit behind it. Only when instructed by the Authorization Engine 230, does the AGE open up access to a specific application for a specific user.
The access gateway can also perform content inspection functions for the purpose of security and access control. This is achieved by the Access Gateway Engine 100 optionally communicating with the Micro Component Engine 110. For example, the Micro Component Engine 110, has the ability to do deep packet inspection, acting as a “network sensor”, to match packets to known bad network behavior, much like a traditional Intrusion Detection and Prevention System (IDS/IPS).
Another example of the Access Gateway Engine's communication with the Micro Component Engine, is its ability to instruct the Micro Component Engine to perform packet metadata extraction for the purpose of Artificial Intelligence (AI) and Machine Learning (ML) to identify anomalous, unknown behavior. The Access Gateway's use of the Micro Component Engine is limitless.
The User to Network Address Extraction & Correlation (UNA E&C) Engine 210 is a component in the Access Controller 200. The UNA E&C engine 210 identifies the users that have been authenticated on the network, prior to identifying which applications they are authorized to access. The UNA E&C engine can extract this information from any service within the network that authenticates users, such as, but not limited to: (1) Firewall/VPN Devices, (2) Authentication Directory (such as LDAP, Kerberos, Active Directory, Active Directory Federation Services/ADFS), and (3) Isolation System's Authentication Portal.
The way UNA E&C engine 210 extracts the username and its associated address, fixed or temporary, is by communicating with authentication services within the network. Dedicated devices on a LAN have a fixed network address. As such, someone logging onto the network from their regular station will have the same network address every time they log on. However, a roving user, connecting to the network from random stations each time, will have a different network address each time they log on from a different station. A user logging on remotely may have a different network address each time they log on. In at least the latter two cases, and in any case where there is not a direct and permanent correlation between a username and a network address, knowing the IP address does not translate into knowing the username. The UNA E&C engine connects the username to the current IP address assigned to that user, for every session that the user logs onto the network. Innovatively, when suspicious or malicious data traffic is traced back to an IP address, the system now knows, thanks to the UNA EC&C engine, which username is the source of the problematic data traffic.
The UNA E&C Engine 210 can either actively poll for this information or can passively receive the information directly from the native authentication services, depending on the configuration of the network and the capabilities of the components. The engine can perform the polling via service application programming interfaces (APIs). Polling is a less-preferred method due to the fact that polling with lengthy intervals between each query to the authentication service means that a user could potentially wait the duration of the interval before being allowed onto the network. Polling at short intervals means that the system send many queries to the authentication service of the network over a short time, wasting computing and bandwidth resources.
The second option is for the engine to receive authentication log data which is automatically and immediately send from the authentication service when a user logs on. When the engine receives the authentication log data, the engine parses the log to pull out the username, associated address and other relevant information.
Regardless of the manner in which the Engine 210 receives the log data, once received, the username and network address are extracted and submitted to the authorization engine 230. The username is used by the authorization engine to map which applications the specific user is allowed to communicate with. The system also allows the user to log in from multiple devices at the same time and still be allowed to access applications from any device.
The Authentication Portal 220 is a web application that allows a user to login directly to the Isolation Platform and is typically used when there is no Authentication Directory within the infrastructure and the user is not connecting via a Firewall/VPN device nor is the user simply on the local area network (LAN). The Authentication Portal 210 can also be applied to users who may be temporary workers and may not be listed in the organization Authentication Directory. Once a user logs into this portal, a lookup occurs to see if a user has been provisioned within the portal. If the user does exist, the username and network address of the user are captured and sent over to the Authorization Engine 230 just like the other methods of capturing user identity. The Authentication Portal 220 may support multi factor authentication and may also be used to add multi factor authentication to environments that have single authentication methods.
The Authorization Engine 230, upon receiving information from the User to Network Address Extraction & Correlation Engine 210, identifies (by performing a lookup task) the application(s) the user is permitted to communicate with. Once the engine has found the application(s), it pulls out the application destination information for each application. Application destination information can come in many forms such as, but not limited to, the destination IP address and/or the port number of the application.
The system, usually via the Access Controller 200, then begins to construct an access control policy that includes the source address(es) of the user, as well as the destination address, destination port number and protocol of each of the application(s). An example of the newly constructed access control policy could like the following: SRCIP: SRC: 10.1.2.1-DST: 10.1.2.2-DST PORT: 80-PROTOCOL: TCP or a domain name such as SALESFORCE.com. This policy then gets dynamically added to the access gateway Engine, where enforcement of the policies on the network traffic can now begin to take place.
Another example of a policy could be the same information stated in the policy above, but where the policy also includes other policy controls, such as the amount of bandwidth the user is allowed to consume (a quality-of-service policy) or how much time the user is allowed to stay connected to the application before being required to re-authenticate. Another policy may relate to geolocation (based on the user's public IP), such as disallowing connections to the network from certain countries. Another policy may be related to a time restriction. For example, all or specific user may not be allowed to connect to the network over the weekend. Therefore, a hacker trying to log onto the network on a Saturday or Sunday will not be allowed to access the network application.
The Authorization engine not only can allow users to connect to applications, upon authorization, but can also allow applications to communicate with other applications if authorized.
The Authorization Engine 230 not only waits to receive information when a user logs in, but also when a user logs off. If a log off event is captured, the Authorization Engine will retrace the steps performed when the user logged on in order to gather the same information that was used to build the access control policy in the first place. Now, the system searches for the policy associated with the username and removes that access control policy from the access gateway engine.
The Micro Component Engine 110 is an engine that works in conjunction with the Access Gateway Engine 100 to add on other features to the solution. The MCE passes network traffic to these additional add-on components to perform additional network security-related tasks. Examples of these additional components could be an Intrusion Detection and Prevention System (IDS/IPS), a Gateway Antivirus (AV), Sandboxing, Network Traffic Sensor, Web Proxy, a component that can provide application firewalling and more.
Exemplarily, a user logs onto the network from a remote location via the Internet. The user authenticates to the VPN/firewall. The Application Isolation System 10 captures the authentication event from the VPN/firewall. In this step, the AIS extracts the username, source IP address, etc. In the next step the AIS looks up the authorization policy in the system database, labeled Authorization Database. The AIS constructs a policy according to the authorization policy from the database. In the next step the AIS installs the policy on the gateway (AGE), so now the previously closed system has a policy according to which it opens the door. Now the user can access the applications, but only the application(s) for which the user is authorized. When the user disconnects from the network, the AIS removes the access control policy (closing the system once again).
On the right-hand side of
Legacy ZTNA systems replace the VPN/Firewall block with their own network access block, which would be a ZTNA block. The instant system, by contrast, can be easily employed on an existing network without making changes to the network. The VPN/Firewall is not removed, rather the ZTNA functionality is added. The instant system installs an additional piece of hardware and companion software (and in some cases, firmware) on the existing network. The VPN/Firewall is reconfigured/instructed to forward the log messages to the AIS which then extracts the necessary information as discussed above. In summary, the instant system leverages the telemetry of the existing VPN/Firewall to bring ZTNA controls to the environment.
The applications in the exemplary architecture of
Another possible configuration is shown in
It is noted that the AGE 100 is preferably embodied as a physical device located between the user and the network object that the AIS 10 is protecting. The network object may be an application (e.g., embodied on an application server) or a network device (e.g., a printer or telephone).
When a user logs onto the network using at least a username and password, the AIS 10 receives, at step 604, the username. As mentioned, the UNA E&C engine 210 can either poll the native authentication service or the service can automatically send the username to the engine. At step 606 the UNA E&C engine 210 extracts the source address associated with the username. The user may have a public IP address and a private IP address inside the network. For example, a user working remotely from home will have the public IP address of his home computer, but once he enters the network, he is assigned a private IP address within the internal network. See for example
At step 608, the Authorization Engine 230, upon receiving the aforementioned information from the User to Network Address Extraction & Correlation Engine 210, identifies the list of at least one application that the user is permitted to communicate with. This information can be extracted from a database that has the list of the user's permissions stored on it (see for example
In step 610, the Authorization Engine 230 extracts the destination address of the application or applications that the user is permitted to communicate with. In the example depicted in
In step 614, the AGE begins to enforce the new policy. Data packets coming from the IP address assigned to user/username John will be allowed or denied based on the policy. Therefore, if, for example, John requests access to or use of the SAP server, that network traffic, i.e., those data packets will be allowed to pass through the AGE 100 and reach the SAP server. However, any other data packets with a different destination will be denied at that AGE. It is noted that user John, in the example, is not even able to ‘see’ the other applications on the network. As such, a malicious user with certain permissions will not be able to see or communicate with other applications on the network for which s/he does not have permissions. Also, a hacker using a stolen or hijacked username will not be able to see, let alone access, any application for which the username does not have a permission for.
As an additional security measure, the access control policy is removed from the AGE when the user logs off the system.
In step 716, the user logs off the network and the AIS 10 removes the access control policy for that user from the AGE 100. In order to remove the policy, it is necessary to recreate the policy, search the AGE for the existing policy that matches the recreated policy and then delete the policy from the AGE 100. It is necessary to remove a policy that is no longer in use because otherwise a new user would inherit the permissions of the policy. To clarify, as detailed above, exemplarily, the policy includes a source IP (of the user/username), a destination IP of the application, a destination port and a protocol. When the current user logs off, the dynamic, private IP address that was assigned to the user will be reassigned. The new user that is assigned the old user's IP address will in essence inherit all of the policies for that IP address. Accordingly, it is important for the system to remove the policy once it is no longer in use.
Once the policy has been recreated, the Access Controller 200, in step 814, searches the AGE for the policy by comparing the regenerated access control policy with the list of policies in the AGE 100. In step 816 the access control policy is removed from the AGE 100.
The processes escribed up to here prevent users or usernames from communicating with applications that they do not have permissions for. However, a hacker or malicious user can gain access to applications for which the hijacked or real user is allowed. Therefore, it is necessary to have additional security features to examine data packets that are permitted to pass through the AGE, in order to ensure that these data packets are not malicious or harmful in any way.
Prior to being forwarded, in step 910, the data packets are inspected for suspicious and/or malicious content and/or behavior. In step 910 one or more security-related tasks are performed on the data packets. A partial list of such tasks is detailed above in relation to the micro component engine 110 which is tasked with inspection of the network traffic and/or effecting other security-related tasks on the network traffic passing through the AGE. In step 912 the user logs off the network and in step 914 the access control policy or policies for that user are removed from the AGE.
While the invention has been described with respect to a limited number of embodiments, it will be appreciated that many variations, modifications and other applications of the invention may be made. Therefore, the claimed invention as recited in the claims that follow is not limited to the embodiments described herein.
This patent application claims priority from, and the benefit of, U.S. Provisional Patent Application No. 63/005,365, filed Apr. 3, 2020, which is incorporated in its entirety as if fully set forth herein.
Number | Date | Country | |
---|---|---|---|
63005365 | Apr 2020 | US |