Patent Application
20250184723
This disclosure relates generally to network security. In particular, this disclosure relates to systems and methods for providing a micro-tunneling solution for network security.
Typical communication and computing networks need security measures and policies to reduce the network attack surface, ensure no implicit trust, and help prevent damaging lateral movements. A fundamental aspect of security solution is tunneling data between two network elements over public network. Many standard solutions exist for tunneling such as Layer 2 (e.g., “L2” or data link layer) and Layer 3 (e.g., “L3” or network layer) tunneling solutions (e.g., IPsec, secure socket shell, Virtual extensible Local Area Network, L2 tunneling protocol, etc.) exist to address these needs. However, most of these existing solutions fall short of addressing the scaling needs of many networks (e.g., mobile broadband, WWAN, and the like) which can contain a multitude of physical/virtual sites, clients, and gateways. Similarly, existing solutions lack link bandwidth efficiency and increase overhead.
Other drawbacks, inefficiencies, and inconveniences also exist with current systems and methods.
Accordingly, disclosed embodiments address the above and other drawbacks, inefficiencies, and inconveniences that exist with current systems and methods. For example, Cradlepoint, of Boise, Idaho, provides Netcloud Exchange (NCX) as a network based on modern zero trust principles that significantly reduce the network attack surface, ensure no implicit trust, and help prevent damaging lateral movements. Additionally, the herein disclosed micro tunnel solutions provide link bandwidth efficiency and improve system scalability via on demand tunneling. One aspect of an NCX network is the ability to tunnel data between various components in an NCX network like physical/virtual sites, clients, and gateways.
Disclosed embodiments include Cradlepoint's NCX micro-tunneling solution that addresses not only tunneling, but also the ability to carry metadata to support zero trust principles in an NCX network. In some embodiments of micro-tunnel solutions, the life cycle of micro-tunnels in an NCX network are managed by a control plane component that has visibility across every component in the NCX network.
Disclosed embodiments include a network for secure communications using micro-tunneling, the network having a site including a router in communication with a device over a control plane and wherein the router includes program instructions for assigning a signed identity to the site, and a gateway node in communication with the router over the control plane and wherein the gateway node includes program instructions for verifying the signed identity received from the site, and wherein the device initiating a transport flow inserts the signed identity for the site in a metadata field of a packet in the transport flow and the gateway node verifies the signed identity before allowing the transport flow.
In some embodiments the signed identity comprises a token. In further embodiments the token comprises a JavaScript Object Notation (JSON) web token.
In some embodiments the signed identity is assigned using security assertion markup language (SAML).
In some embodiments the gateway node verifies the signed identity using a key. In further embodiments the key comprises a public key.
In some embodiments the metadata field of the packet in the transport flow is encrypted.
In some embodiments the signed identity can be revoked by a network administrator.
Also disclosed is a method for secure communications over a network using micro-tunneling, the method including assigning a signed identity to a site, the site having a router in communication with a device over a control plane, and verifying the signed identity received from the site at a gateway node in communication with the router over the control plane, wherein the device initiating a transport flow inserts the signed identity for the site in a metadata field of a packet in the transport flow and the gateway node verifies the signed identity before allowing the transport flow.
Other embodiments also exist.
While the disclosure is susceptible to various modifications and alternative forms, specific embodiments have been shown by way of example in the drawings and will be described in detail herein. However, it should be understood that the disclosure is not intended to be limited to the particular forms disclosed. Rather, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope of the invention as defined by the appended claims.
Each site 104 will typically include one or more devices 106 such as, but not limited to, point-of-sale devices, cameras, GPS units, HVAC systems, barcode scanners, smartphones, laptop computers, desktop computers, tablets, televisions, smart-speakers, internet-of-things (IoT) devices, appliances, and the like, for communicating data and information over the NCX network 100. Enterprises can establish secure connections across distributed sites 104 and the users 110 and IoT devices within them using site-based access policies 120. As also indicated schematically, users 110 and devices 106 at the various sites 104 may communicate over NCX network 100 using a variety of routers, modems, switches, hubs, and the like, (collectively, “routers” or “router” 108).
As also indicated schematically, an identity provider 112, which may be unique to each enterprise, may be implemented to bring increased visibility and control to the NCX network 100 by verifying and authenticating users 110 before they can access the NCX network 100. In this manner, NCX network 100 can extend secure, isolated user-to-resource access to users 110 accessing the NCX network 100 from anywhere through a client 114. As used herein client 114 also comprises another type of site 104D for remote workers or the like. As indicated, access to remote users 110 may be through a router 108.
Embodiments of NCX network 100 also provide a variety of applications 116 which may be cloud-based (e.g., Microsoft Azure, AWS IoT Greengrass, etc.). As also indicated schematically, NCX network 100 administrators 118 may apply policies 120 over the NCX network 100. In some embodiments, rather than authenticating users 110 to NCX network 100, users 110 are authenticated directly to specific resources. This increases security and prevents lateral movement. Other features and advantages also exist.
An important aspect of embodiments of the disclosed zero trust, micro tunnel solution is that a NCX gateway node 102 allows traffic exclusively from trusted endpoints. Disclosed embodiments address this is as follows. Control plane 206 ensures that network end points (104, 114, etc.) are provisioned with unique signed identity 210 (e.g., user token, certificate, etc.) via various mechanisms (e.g., security assertion markup language (SAML) or the like). Control plane 206 also configures each NCX gateway node 102 with a key to verify the above identity.
In some embodiments control plane 206 ensures that the identity 210 is rotated and can be revoked by an administrator 118. The NCX device 106 (or 104, 114, etc.) initiating transport flow 200 adds its identity 210 in metadata field 202 of first packet in flow 200. As described herein, this section of metadata 202 is encrypted to prevent eavesdropping. The other side of the micro tunnel 208 (e.g., service gateway 102) will verify the identity 210 before allowing the flow 200.
As many of NCX network 100 components (e.g., site 104, client 114, gateway 102, etc.) are part of a public network, the herein disclosed systems and methods allow these components to talk to each other over an encrypted and authenticated tunnel 208. Sensitive fields in metadata 202 are encrypted and replay protection is also supported.
As an exemplary embodiment also illustrated in
As those of ordinary skill in the art having the benefit of this disclosure will understand, disclosed embodiments enable methods for stateless policy evaluation per flow 200. For example, an enterprise typically deploys security solutions (like Cradlepoint NCX) to monitor traffic and apply access control and security policies (e.g., policies 120). In an NCX gateway node 102, every new transport flow 200 is matched to a set of configured policies 120, and flow 200 is accepted only if policy 120 allows it. Such a mechanism to enforce policies 120 in gateway 102 is an important aspect of the disclosed security solution.
A typical rule in many policies 120 consists of a set of criteria (like user attribute, device profile, source/destination site, source/destination fqdn/ip, application/web category, etc.). To match a rule, flow 200 attributes should match all the criteria of the rule.
The disclosed zero trust, micro tunnel approach simplifies policy 120 evaluation in gateway 102. Certain flow 200 attributes are added in the packet metadata 202. This is typically in first packet metadata 202 but can also be in metadata of subsequent packet. Advantages include that because end points (104, 114, etc.) originating flow 200 embed attributes needed for policy 120 evaluation in flow 200 itself, there is no need of a side channel mechanism to distribute these attributes to gateways 102.
Additionally, policy 120 rule evaluation in gateway 102 is much faster as it does not need additional lookups to find flow 200 attributes. Likewise, the micro tunnel 208 control plane component 206 is responsible to identify and provision attributes that end points (104, 114, etc.) include in metadata 202 section. This includes, but is not limited to, user 110 attributes (e.g., username, department, role, etc.) identified by authenticating NCX network 100 users 110 and attributes of a device 106 (e.g., virus scan result, corporate certificate presence, etc.) being used by user 110.
Although various embodiments have been shown and described, the present disclosure is not so limited and will be understood to include all such modifications and variations would be apparent to one skilled in the art.
