US20050138204A1 - Virtual private network having automatic reachability updating - Google Patents

Abstract

A unified policy management system for an organization including a central policy server and remotely situated policy enforcers. A central database and policy enforcer databases storing policy settings are configured as LDAP databases adhering to a hierarchical object oriented structure. Such structure allows the policy settings to be defined in an intuitive and extensible fashion. Changes in the policy settings made at the central policy server are automatically transferred to the policy enforcers for updating their respective databases. Each policy enforcer collects and transmits health and status information in a predefined log format and transmits it to the policy server for efficient monitoring by the policy server. For further efficiencies, the policy enforcement functionalities of the policy enforcers are effectively partitioned so as to be readily implemented in hardware. The system also provides for dynamically routed VPNs where VPN membership lists are automatically created and shared with the member policy enforcers. Updates to such membership lists are also automatically transferred to remote VPN clients. The system further provides for fine grain access control of the traffic in the VPN by allowing definition of firewall rules within the VPN. In addition, policy server and policy enforcers may be configured for high availability by maintaining a backup unit in addition to a primary unit. The backup unit become active upon failure of the primary unit.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
• This application claims the benefit of U.S. provisional applications 60/138,849, 60/138,850, 60/139,033, 60/139,034 60/139,035, 60/139,036, 60/139,038, 60/139,042, 60/139,043, 60/139,044, 60/139,047, 60/139,048, 60/139,049, 60/139,052, 60/139,053, all filed on Jun. 10, 1999, and U.S. provisional application 60/139,076, filed on Jun. 11, 1999, the contents of all of which are incorporated herein by reference.
FIELD OF THE INVENTION
• The present invention relates to computer networks, and more particularly, to devices and methods for providing efficient configuration, management, and updating of virtual private networks extending over remote sites across the Internet.
BACKGROUND OF THE INVENTION
• The growth and proliferation of computers and computer networks allow businesses to efficiently communicate with their own components as well as with their business partners, customers, and suppliers. However, the flexibility and efficiencies provided by such computers and computer networks come with increasing risks, including security breaches from outside the corporation, accidental release of vital information from within it, and inappropriate use of the LAN, WAN, Internet, or extranet.
• In managing the growth of computer networks as well as addressing the various security issues, network managers often turn to network policy management services such as firewall protection, Network Address Translation, spam email filtering, DNS caching, Web caching, virtual private network (VPN) organization and security, and URL blocking for keeping network users from accessing certain Web sites through use of the organization's ISP. Each policy management service, however, generally requires a separate device that needs to be configured, managed, and monitored. Furthermore, as an organization grows and spreads across multiple locations, the devices maintained also multiplies, multiplying the associated expenditures and efforts to configure, manage, and monitor the devices.
• The solution to this problem is not as simple as just integrating multiple network policy management functions into a single device at each location and allowing each location to share its policy information with other locations. In fact, there are many obstacles and challenges in adopting such an approach. One of these challenges is devising a scheme for efficient configuration, management, and updating of VPNs extending over remote sites separated by the Internet. Typical Internet Protocol Security (IPSec) VPN tunnels are point-to-point entities with static reachability information, that is, information about which fellow VPN members they can reach for the networks behind each VPN gateway. Encrypting or otherwise tunneling traffic between many sites that have potentially different dynamic routing protocols over an IPSec tunnel can therefore be problematic. It may also be problematic to set up a fully meshed VPN where every site has full connectivity to every other site if there are a large number of sites. Furthermore, VPN definitions are typically an association of source and destination network addresses that allow unrestricted access between the networks in the VPN, and providing fine grained access control to such traffic may be difficult.
• Accordingly, there remains a need in the art for a network management solution that overcomes these and other obstacles of the prior art.
SUMMARY OF THE INVENTION
• The present invention is directed to a unified policy management system allowing the efficient configuration, management, and updating of VPNs extending over remote sites separated by the Internet. The system allows each endpoint in a VPN tunnel to aggregate and abstract out the reachability information of the networks associated with each endpoint. This information is then shared with all the other tunnel endpoints in the same VPN. Furthermore, the system provides a hierarchical organization of VPNs facilitating the creation of fully-meshed VPNs. In addition, access control rules may be defined for a VPN to allow users to have fine grain control over the traffic flowing through the VPN.
• According to one embodiment of the invention, a computer network includes a first edge device coupled to a first private network and a second edge device coupled to a second private network. The first and second edge devices preferably act as VPN tunnel endpoints allowing secure communication between the first and second private networks. In addition, the first edge device is configured to create a first table with information of member networks reachable through the first edge device, and the second edge device is configured to create a second table with information of member networks reachable through the second edge device. The first and edge devices share their membership information with each other, allowing the creation of VPNs whose member lists are dynamically compiled.
• In one particular aspect of the invention, the communication between the first and second private networks is managed according to a security policy associated with the member networks. The security policy is defined for a security policy group, referred to as a VPN cloud, providing hierarchical organization of the group. The VPN cloud includes member networks (hosts), users allowed to access the member networks, and a rule controlling access to the member networks. The hierarchical organization provided by the VPN clouds thus allows the network administrator to create fully meshed VPNs. The network administrator need no longer manually configure each possible connection in the VPN, but only need to create a VPN cloud and specify the sites, users, and rules to be associated with the VPN. Each connection is then configured based on the configuration specified for the VPN cloud. The hierarchical organization thus facilitates the setup of a VPN with a large number of sites.
• In another aspect of the invention, the rule in the VPN is a firewall rule providing access control of the traffic among the member networks. Such firewall rules allow the administrator to have fine grained access control over the traffic that flows through the VPN, all within the realm of the encrypted access provided by such VPN.
BRIEF DESCRIPTION OF THE DRAWINGS
• These and other features, aspects and advantages of the present invention will be more fully understood when considered with respect to the following detailed description, appended claims and accompanying drawings wherein:
• FIG. 1 is a schematic block diagram of an exemplary unified policy management system;
• FIG. 2 illustrates the hierarchical object-oriented structure of policies stored for an organization in accordance with the principles of the invention;
• FIG. 3 is a schematic block diagram of a policy server in the policy management system ofFIG. 1;
• FIG. 4 is a schematic diagram of a central management sub-module in the policy server ofFIG. 3;
• FIG. 5 is an exemplary flow diagram of a device registration process carried out by the central management sub-module ofFIG. 4;
• FIG. 6 is a screen illustration of an exemplary graphical user interface for registering a device;
• FIG. 7 is a screen illustration of an exemplary global monitor user interface presenting device health and status information;
• FIG. 8 is a screen illustration of an exemplary graphical user interface provided by a policy management sub-module in the policy server ofFIG. 3;
• FIG. 9 is a screen illustration of an exemplary graphical user interface for managing system devices;
• FIG. 10 is a screen illustration of an exemplary graphical user interface for managing system hosts;
• FIG. 11 is a screen illustration of an exemplary graphical user interface for managing system services;
• FIG. 12 is a screen illustration of an exemplary graphical user interface for managing time groups;
• FIG. 13 is a screen illustration of an exemplary graphical user interface displaying a plurality of VPN clouds;
• FIG. 14 is a screen illustration of an exemplary graphical user interface for adding a new firewall policy;
• FIG. 15 is a schematic functional block diagram of policy enforcers updating their respective VPN membership information;
• FIG. 16 is a block diagram of components in a self-extracting executable for downloading by a remote VPN client;
• FIG. 17 is a functional block diagram for downloading the self-extracting executable ofFIG. 16;
• FIG. 18 is a schematic block diagram of a policy enforcer in the policy management system ofFIG. 1;
• FIG. 19 is a more detailed schematic block diagram of a policy engine in the policy enforcer ofFIG. 18;
• FIG. 20 is a more detailed schematic block diagram of a protocol classification engine of the policy enforcer ofFIG. 18;
• FIG. 21 is a more detailed schematic block diagram of an Internet protocol security engine in the policy enforcer ofFIG. 18;
• FIG. 22 is a schematic layout diagram of a common log format according to one embodiment of the invention;
• FIG. 23 is a block diagram of an LDAP tree structure according to one embodiment of the invention;
• FIG. 24 is a more detailed block diagram of a branch of the LDAP tree ofFIG. 23;
• FIG. 25 is a flow diagram for logging and propagating LDAP changes to policy enforcers;
• FIG. 26 is a schematic block diagram of a high availability system including a primary unit and a backup unit;
• FIG. 27 is a flow diagram of an exemplary status discovery process conducted by a high availability unit;
• FIG. 28 is a flow diagram of a process for maintaining configuration information synchronized in the primary and backup units ofFIG. 26;
• FIG. 29 is an exemplary flow diagram of updating the primary and backup units ofFIG. 26 when they are both functional; and
• FIG. 30 is an exemplary flow diagram of updating the primary and backup unitsFIG. 26 when the primary is not functional.
DETAILED DESCRIPTION OF THE INVENTION
• I. Unified Policy Management System Architecture
• FIG. 1 is a schematic block diagram of an exemplary unified policy management system according to one embodiment of the invention. As illustrated inFIG. 1, privatelocal networks102,104, and106 are all coupled to a public network such as theInternet108 via respective routers (generally identified at110) and Internet Service Providers (ISPs) (not shown). Also coupled to thepublic Internet108 via the ISPs areweb surfers112, dial-upnetwork users114, servers providingunauthorized web sites116, email,spammers118 sending out unsolicited junk email, andremote VPN clients140 seeking access to the privatelocal networks102.
• According to one example,local network102 connects users and resources, such as workstations, servers, printers, and the like, at a first location of the organization, such as the organization's headquarters, andlocal network104 connects users and resources at a second location of the organization, such as a branch office. Furthermore,local network106 connects users and resources of a customer of the organization requiring special access to the organization's users and resources. Authorized dial-upnetwork users114 of the organization are respectively situated at remote locations from the first and second local networks, and also require special access to the organization's users and resources. Furthermore,web surfers112 communicate with the organization'sweb server120 over thepublic Internet108 and access the organization's web site.
• Local network102 includes apolicy server122 for defining and managing network services and policies for the organization. The network policies are a set of rules and instructions that determine the network's operation, Such as firewall, VPN, bandwidth, and administration policies. The firewall policies decide the network traffic that is to be allowed to flow from thepublic Internet108 into thelocal networks102,104, and the traffic that is to be blocked. The bandwidth policies determine the kind of bandwidth that is to be allocated to the traffic flowing through the local networks. The VPN policies determine the rules for implementing multiple site connectivity across the local networks. The administration policies decide the users that have access to administrative functions, the type of administrative functions allocated to these users, and thepolicy enforcers124,126 on which these users may exercise such administrative functions. The firewall, VPN, bandwidth, and administration policies for the entire organization are preferably stored in a policy-server database130 maintained by thepolicy server122.
• Eachlocal network102,104 also includes an edge device, referred to as apolicy enforcer124,126, for controlling access to the network. Eachpolicy enforcer124,126 manages the network policies and services for the users and resources of their respectivelocal networks102,104, as permitted by thepolicy server122. Respective portions of thepolicy server database130 are copied to thepolicy enforcer databases132,134 for allowing the policy enforcers to manage the network policies and services for thelocal networks102,104.
• According to one embodiment of the invention, thepolicy server122 andpolicy enforcers124,126 may be implemented in a similar fashion as the FORT KNOX series of policy routers made by Alcatel Internetworking, Inc., of Milpitas, Calif.
• II. Object Model for Network Policy Management
• According to one embodiment of the invention, thepolicy server database130 andpolicy enforcer databases132,134 are LDAP databases adhering to a unified hierarchical object oriented structure. The LDAP directory service model is based on entries where each entry is a collection of attributes referenced by a distinguished name (DN). Each of the attributes includes a type and one or more values. The type is typically a mnemonic string, such as “o” for organization, “c” for country, or “mail” for email address. The values depend on the type of attribute. For example, a “mail” attribute may contain the value “babs@umich.edu.” A “jpegPhoto” attribute may contain a photograph in binary JPEG/JFIF format. Additional details of the LDAP directory service model are defined in RFC 1777 “The Lightweight Directory Access Protocol” (W. Yeong, T. Howes, and Kille, Network Working Group, March 1995) and “LDAP Programming: Directory-enabled Applications with Lightweight Directory Access Protocol” (T. Howes, and M. Smith, Macmillan Technical Publishing, 1997), incorporated herein by reference.
• The entries in the LDAP database are preferably arranged in a hierarchical tree-like structure reflecting political, geographic, and/or organizational boundaries. Entries representing countries appear at the top of the tree. Below them are entries representing states or national organizations. Below the states or national organizations may be entries representing people, organization units, printers, documents, and the like.
• FIG. 2 is a schematic layout diagram of a unified hierarchical object oriented structure adhered by thepolicy server database130 according to one embodiment of the invention. Thepolicy enforcer databases132,134 adhere to a similar structure except for a few differences. For example, the policy enforcer databases preferably do not contain a policyserver domain object201 and related policy server objects, nor apolicy domain object240.
• As illustrated inFIG. 2, each object in the structure is preferably stored as an LDAP entry. At the top of the hierarchy is the policyserver domain object201 including various policy server resources and a plurality of policy domains objects (generally referenced at204). Eachpolicy domain object240 is a grouping of policy enforcers that share common policies. Eachpolicy domain object240 includes a resource root object200 and agroup root object202. All policy management functions are preferably implemented in terms of the resource objects which includedevices204,users206, hosts208,services210, andtime220. Thus, a firewall policy may be defined by simply assigning the particular devices, users, hosts, services, and time applicable to the policy. The devices, users, hosts, and services are preferably organized ingroups212,214,216, and218, respectively, having a group name, description, and member information for a more intuitive way of addressing and organizing the resources.
• Users206 are preferably associated with a user domain providing a secure and efficient means of authenticating the user. Each user domain has a single policy enforcer who is authorized to authenticate the user. Thus, user domains ensure that the authenticating agent is generally located in the same local network as the user. This helps eliminate the cost of network dependency or network latency during the user authentication process. It should be noted, however, that users may also constitute authorized dial-upusers114 and users from thecustomer network106. These users contact a remote authenticating agent which proxies the authentication back to the appropriate policy enforcer.
• Hosts208 are the various networks present in an organization. For instance, a particular LAN subnet may be specified as a host in the system.Hosts208 are preferably organized based on their physical locations within the organization. A host's physical location is identified by the device (policy enforcer)204 associated with the host.
• Services210 reflect the various services provided by thepolicy server122. Such services include, for example, multimedia streaming/conferencing, information retrieval, security and authentication, database applications, mail applications, routing applications, standard communication protocols, and the like. Attributes associated with each service preferably include a service name, description, type (e.g. HTTP, HTTPS, FTP, TELNET, SMTP, Real Networks, and the like), and group.
• Devices204 are thepolicy enforcers124,126 at the edge of a particular local network. Each device/policy enforcer preferably includesusers206 and a host/network208 that is managed by the policy enforcer.
• Time220 is another dimension in controlling access to the network resources. Various time objects covering a range of times may be created and used in creating the firewall policies.
• Similar to resources, network policies are also preferably defined in terms of objects for a more efficient and intuitive definition of the policies. Policies are defined by the administrators and implemented by thepolicy enforcers124,126 on the network traffic flowing between thepublic Internet108 and thelocal networks102 and104.
• According to one embodiment of the invention, apolicy object222 includes abandwidth policy224,firewall policy226, administration policy228, andVPN policy230. TheVPN policy230 defines a security policy for the member networks and includes one or more VPN clouds232. EachVPN cloud232 is an individual VPN or a group of VPNs defining a security policy group which includes a list ofsites234 andusers236 who can communicate with each other. A site is preferably a set of hosts/networks physically located behind one of thepolicy enforcers124,126. In other words, a site is a definition of a network which includes the policy enforcer that is associated with it. The policy enforcers for the sites act as VPN tunnel endpoints once the hosts under the sites start communicating. These communications are governed by a set ofrules238 configured for each VPN cloud. Therules238 may govern, among other things, VPN access permissions and security features such as the level of encryption and authentication used for the connectivity at the network layer.
• The object oriented structure ofFIG. 2 thus allows the network administrators to define policies in an intuitive and extensible fashion. Such policies may be defined by simply associating resources to the policies. This allows for a policy-centric management model where the administrator is given the impression that a single logical server provides the firewall, bandwidth management, and VPN services across the enterprise. The fact that the policy is enforced on individual policy enforcers in different locations is transparent to the administrator.
• III. Policy-Based Network Architecture
• FIG. 3 is a more detailed schematic block diagram of thepolicy server122 according to one embodiment of the invention. Thepolicy server122 preferably includes amanagement module302 that allows centralized control over thepolicy enforcers124,126 from a single console. Thepolicy server122 further includes a log collecting andarchiving module304 and a policyserver reports module316. The log collecting andarchiving module304 collects information about the status and usage of resources from thepolicy enforcers124,126 as well as from themanagement module302, and stores them in anarchive database318. The policyserver reports module316 uses the collected logs and archives to generate reports in an organized report format.
• Referring again to themanagement module302, themanagement module302 preferably includes four sub-modules aiding in the centralized control, namely, acentralized management sub-module306,policy management sub-module308, secure role-basedmanagement sub-module310, and multiple siteconnectivity management sub-module312.
• Thecentralized management sub-module306 enables a network administrator to install and manage individual policy enforcers from a central location. The network administrator preferably uses a web-based graphical user interface to define the policy enforcer's network configuration and monitor various aspects of the device, such as device health, device alarms, VPN connection status, and the like.
• Thepolicy management sub-module308 provides the network administrator with the ability to create policies that span multiple functional aspects of the policy enforcer (e.g. firewall, bandwidth management, and virtual private networks), multiple resources (e.g. users, hosts, services and time), and multiple policy enforcers.
• The secure role-basedmanagement sub-module310 provides role-based management to enable administrators to delegate administrative responsibilities to other administrators. This sub-module preferably provides for maximum security when it comes to accessing the management functions.
• The multiple siteconnectivity management sub-module312 allows the network administrator to set-up secure communication channels between two or more remote sites. In doing so, this sub-module leverages thecentralized management sub-module306,policy management sub-module308, dynamic routing capabilities of thepolicy enforcers124,126, and the management infrastructure to provide virtual private networks across the enterprise with fine grained access control.
• FIG. 4 is a more detailed schematic diagram of the centralpolicy management sub-module306 according to one embodiment of the invention. The sub-module includes a policyserver installation wizard404 providing an interactive user interface to aid the installation of thepolicy server122. In this regard, the network administrator has access to a personal computer connected to a LAN port of thepolicy server122 via a cross over cable, hub, or the like. The network administrator connects to thepolicy server122 by preferably typing-in a URL of thepolicy server122 into a standard Internet browser such as Microsoft Internet Explorer. The URL is preferably of the form of “http://<ipaddress>:88/index.html” where <ipaddress> is the IP address that is to be assigned to the policy server. The IP address is automatically assigned to the policy server when the browser attempts to contact the address. When the administrator's personal computer sends an address resolution protocol request for the IP address, the policy server detects that a packet directed to port88 is not claimed, and assumes the IP address.
• Once connected, the policyserver installation wizard404 invokes the interactive user interface to assist the administrator in setting up thepolicy server122. Among other things, the policyserver installation wizard404 prompts the administrator to specify a server name, server IP address, and router IP address. Furthermore, the policyserver installation wizard404 prompts the administrator to select one of various default policies for creating default firewall, VPN, bandwidth, and administrator policies. These policies are then replicated on each new policy enforcer registering with thepolicy server122.
• Thecentralized management sub-module306 further includes a policyenforcer installation wizard406 providing an interactive user interface to aid the installation of thepolicy enforcers124,126. As with the installation of thepolicy server122, the access to thewizard406 is preferably web-based using the network administrator's personal computer.
• Once connected, the policyenforcer installation wizard406 invokes the interactive user interface to assist the network administrator in setting up aparticular policy enforcer124,126. Among other things, the policy enforcer installation wizard464 prompts the administrator to specify the policy server IP address, policy enforcer IP address, and router IP address. The policy enforcer then registers with thepolicy server122 by invoking a URL on the policy server with basic bootstrap information of its own. The registration of the policy enforcer allows the initialization of the policy enforcer'sdatabase132,134 with the configuration information, as well as the monitoring of the policy enforcer's status and health by thepolicy server122.
• Prior to registering the policy enforcer with thepolicy server122, the network administrator preferably pre-registers the policy enforcer on the policy server. Such pre-registering allows the creation of a placeholder node on the policy server for the policy enforcer data for when the policy enforcer does in fact register. In this regard, thecentralized management sub-module306 includes aconfiguration interface410 allowing the pre-registration of a new policy enforcer.
• FIG. 5 is an exemplary flow diagram of a policy enforcer pre-registration and registration process according to one embodiment of the invention. Instep401, the policy enforcer is connected to the network and installed at its actual physical location using the above-described policyenforcer installation wizard406. The network administrator, possessing the new device's serial number, pre-registers the policy enforcer by adding the new policy enforcer to a device group instep403. In this regard, theconfiguration interface410 invokes an interactive graphical interface, such as the one illustrated inFIG. 6, allowing the network administrator to enter adevice name415, serial number417, and location information419, and further allowing the administrator to select adevice group421 to which the new policy enforcer is to belong. Actuation of an applybutton423 causes the new policy enforcer, instep405, to contact thepolicy server122 by preferably invoking a URL on the policy server. Once the policy server has been contacted, the new policy enforcer transmits its registration packet to the policy server. The registration packet includes at least a serial number of the new policy enforcer, as well as the IP addresses of the LAN, WAN, and DMS on the policy enforcer. Instep407, thecentralized management sub-module306 compares the serial number of the new policy enforcer with the list of policy enforcers pre-registered with thepolicy server122. If a match is found, thepolicy server122 proceeds with the registration process by packaging, instep409, the settings selected for the policy enforcer during its installation process, preferably into an LDAP Data Interchange Format (ldif) file. Instep411, the file is transmitted to the policy enforcer, preferably over an HTTPS channel, by invoking a common gateway interface (CGI) on the policy enforcer. The policy enforcer then uses the file to initialize its configuration database, such asdatabase132,134, instep413.
• Referring again toFIG. 4, thecentralized management sub-module306 also includes a globalmonitor user interface402 and adata collector program412, respectively displaying and collecting the health and status of all the policy enforcers managed by thepolicy server122. Thedata collector program412 receives health and status information from each of the up-and-running policy enforcers it manages, and passes the relevant information to the global monitor user interface. A health agent running as a daemon in each of the policy enforcers being monitored periodically collects data from the device and analyzes its health status. The collected data is then transferred to thepolicy server122 when requested by thedata collector program412.
• FIG. 7 is a screen illustration of an exemplary globalmonitor user interface402 presenting various types of health and status information. Such information may relate to the health of the device, such assystem load712 andnetwork usage information714. The information may also relate tocurrent alarms716 on the device including alarm name, type, description, and the like. The information may further relate tocurrent VPN connections718 including connection type, source/destination, duration, and VPN traffic volume.
• Referring again toFIG. 3, thepolicy management sub-module308 allows for policy management of thepolicy enforcers124,126. As discussed above, all policy management functions are implemented in terms of resource objects stored in thepolicy databases130,132,134 including users, devices, hosts, services, and time. Preferably, all resources are associated with default policy settings selected by the administrator during the installation process. The network administrator views, adds, and modifies the policies centrally via a graphical user interface provided by thepolicy management sub-module308. This allows for a policy-centric management model where the administrator is given the impression that a single logical server provides the firewall, bandwidth management, and VPN services across the enterprise. The fact that the policy is enforced on individual policy enforcers in different locations is transparent to the administrator.
• FIG. 8 is a screen illustration of an exemplary graphical user interface provided by thepolicy management sub-module308. The interface includes aresource palette718 including a list of resource tabs including ausers tab718a,devices tab718b, hoststab718c,services tab718d, andtime tab718e. The resource palette allows the administrator to add and modify resource definitions from a single console.
• Selection of theusers tab718acauses a display of theuser groups722 defined for the system. New users may be added to the group by selecting a particular group and defining various attributes of the user such as a login name, full name, policy enforcer to which the user belongs, authentication scheme, password, and the like.
• Selection of thedevices tab718bcauses a display of various device management icons for managing thepolicy server122 and thepolicy enforcers124,126 as is illustrated inFIG. 9. A policy serversystems settings icon750 allows the network administrator to view and modify system settings like LAN, WAN/DMS IP addresses of thepolicy server122. A policy serverarchive options icon752 allows specification of reporting and other database archive options at thepolicy server122. A globalURL blocking icon754 allows the administrator to specify a list ofunauthorized web sites116 to be blocked by all thepolicy enforcers124,126 of the system. Similarly, a globalspam list icon756 allows the administrator to specify a list of email addresses ofspammers118 to be blocked by all the policy enforcers.
• The administrator may view information on all thepolicy enforcers124,126 by selectingicon758. Information on a specific policy enforcer may be viewed by selecting aspecific policy enforcer760 under aparticular device group761. Such information includessystem settings information762,URL blocking information764,spam list information766, and the like, that is specific to the selected policy enforcer. For instance, selection of the policy enforcer'sURL blocking information764 icon causes a display ofvarious categories768 of URLs that the network administrator may select to block for the selected policy enforcer.
• Selection of thehosts tab718ccauses a display of various hosts (networks) of the system as is illustrated inFIG. 10. A host is organized based on its physical location and is further associated with aparticular policy enforcer124,126. Hosts are associated with various attributes including aunique name770, an IP address of thenetwork772, and asubnet mask774. In addition, the administrator may specify whether the host is anexternal host776 belonging to a network that is not administered by thepolicy server122. If the host is an external host, the administrator specifies anIP address778 of the external device to which the host belongs. Adevice field780 allows the administrator to enter the policy enforcer's name to which the host belongs. Each host is further associated with aparticular group782 assigned by the administrator.
• Selection of theservices tab718dcauses a display of various service groups supported by thepolicy server122 as is illustrated inFIG. 11. Such service groups include, for example, multimedia streaming/conferencing, information retrieval, security and authentication, mail applications, routing applications, database applications, standard communication protocols and the like. Users may also add new service groups as desired.
• Each service is associated with aname784,description786, and service type788 (e.g. HTTP, HTTPS, FTP, TELNET, SMTP, Real Networks, and the like) Furthermore, each service is associated with aservice group790. Based on the type of service, additional information may also be specified for the service. For instance, for an HTTP service, the administrator may specify whether URL blocking792 is to be enabled.
• Selection of thetime tab718ecauses a display of varioustime group icons794 covering a range of times to be used in the firewall policies as is illustrated inFIG. 12. For instance, selection of a work time group icon allows the network administrator to set the days and times which are to be set as working days and hours.
• Referring again toFIG. 8, the interface also includes apolicy canvas720 including a list of policies available to the system. A policy definition is preferably an association of a set of resources that may be dragged from theresource palette718 and dropped onto thepolicy canvas720.
• Selection of afirewall tab720acauses a display of all the firewall policies defined for a particular policy domain including one or more policy enforcers. The network administrator decides the domain to which a policy enforcer is to belong during pre-registration of the policy enforcer. The interface allows the network administrator to view, add, and modify the various policies from thepolicy server122 and effectuate the changes on thepolicy enforcers124,126 without the need to make such changes individually in each policy enforcer.
• According to one embodiment of the invention, each firewall policy includes a policy identifier (ID) attribute724 for identifying a particular policy rule in the list of policies. Anorder number attribute726 for the policy rule indicates the sequence in which the policy is to be applied. In this regard, thepolicy enforcer124,126 for the local network takes one rule at a time, in sequence, compares it against the network traffic, and preferably applies the first rule that matches the network traffic.
• Each firewall policy also includes adescription attribute728 for describing the firewall policy to be applied. For instance, the description may indicate that the policy allows spam blocking, URL blocking, VPN key management, and the like. Anaction flag attribute730 indicates whether traffic is to be allowed or denied for the indicated policy. Anactive flag attribute732 indicates whether the policy has been activated or de-activated. Thus, the network administrator may create a policy and activate it at a later time. A policy that has been de-activated preferably has no effect on the network traffic.
• Each firewall policy further includes auser attribute734,source attribute736,service attribute738, destination attribute (not shown), and time attribute (not shown). Each of these attributes is preferably represented by a group name or a resource name. The name acts as a pointer to an entry in thegroup root object202 or resource root object of theLDAP database130,132, or134.
• Preferably, theuser attribute734 indicates the user groups and users that are eligible for the policy. Thesource attribute736 indicates a point of origination of the network traffic associated with the user. The services attribute738 indicates the services to the allowed or denied by the policy. The destination attribute indicates a specific LAN, WAN, DMS segment or specific hosts where the specified services are to be allowed or denied. For example, to configure SMTP pop services on a mail server, the host may be the IP address where the mail server is running, and the services specified is SMTP. The time attribute indicates a time slot in which the policy is to be effective, In addition to the above, each firewall policy also includes an authentication attribute (not shown) indicating an authentication scheme for the policy (e.g. none, LDAP, SecurID, RADIUS, WinNT, or all).
• FIG. 14 is a screen illustration of an exemplary graphical user interface for adding a new firewall policy to the policy domain upon actuation of anadd button725. Existing firewall policies may also be modified or deleted by actuation of a modifybutton727 and adelete button729, respectively.
• As illustrated inFIG. 14, a new firewall policy may be defined by simply adding a description of the policy in adescription area728a, selecting an action to be applied to the matching network traffic in anaction box730a, and indicating in anactive area732awhether the policy is to be active or inactive. Furthermore, the network administrator specifies the user, source, services, destination, and time resources in auser area734a,source area736a,services area738a, destination area739a, andtime area741, respectively. The network administrator further selects an authentication scheme for the policy in an authentication area743. Upon actuation of anOK button745, appropriate entries of the policy server database's LDAP tree are suitably changed to reflect the addition of the new policy. The change is also transmitted to the respective policy enforcers as is described in further detail below.
• Referring again toFIG. 8, selection of thebandwidth tab720callows the display, addition, and modification of various bandwidth policies determining the kind of bandwidth to be allocated to a traffic flowing through a particular policy enforcer. Different bandwidths may be specified for different users, hosts, and services.
• Selection of theadministration tab720dallows the display, addition, and modification of various administrative policies allowing a head network administrator to delegate administrative responsibilities to other administrators. In this regard, the head network administrator specifies administration policies that determine which users have access to what functions, and for what devices. Preferably the administration policies include similar attributes as the firewall rules except for the specification of a role attribute. Extra administrative privileges may be afforded to certain users depending on their role.
• IV. Virtual Private Network Having Automatic Reachability Updating
• Referring again toFIG. 3, the multi-siteconnectivity management module312 allows the creation of dynamically routed VPNs where VPN membership lists are automatically created without statically configuring the membership information by the network administrator. Thus, once the administrator configures a VPN from one policy enforcer's LAN to another, routing protocols such as RIPv1 or RIPv2 running on the LAN interfaces learn about the networks reachable through their respective interfaces. These networks then become the VPN's members, and thepolicy enforcers124,126 on either side of the VPN create membership tables using the learned routes. The membership information is preferably exchanged between thepolicy enforcers124,126 through theLDAP databases132,134. Thus, the combined use of routing protocols and LDAP allows the creation of VPNs whose member lists are dynamically compiled.
• Referring again toFIG. 8, the network administrator configures VPN policies for multiple site connectivity using theresource palette718 andpolicy canvas720. Selection of theVPN tab720bin thepolicy canvas720 causes the display of a collection ofVPN clouds270 already configured for the system as is illustrated inFIG. 13. As described above, a VPN cloud is an individual VPN or a group of VPNs for which a security policy may be defined. Each VPN cloud includes a list of sites under asites node234 and users under ausers node236, who can communicate with each other. A site is a set of hosts that are physically behind one of thepolicy enforcers124,126. The policy enforcers for the sites preferably act as VPN tunnel endpoints once the hosts under the sites start communicating.
• The users in the VPN cloud are the users who may access the hosts associated with thesites234. The users access the hosts as VPN clients using VPN client software installed in each user's personal computer as is described in further detail below.
• EachVPN cloud270 further includes a firewall rulesnode276 including firewall rules to be applied all the connections in the cloud. The rules may govern, among other things, VPN access permissions, security features such as the level of encryption and authentication used for the connectivity at the network layer.
• The hierarchical organization provided by the VPN clouds thus allows the network administrator to create fully meshed VPNs where every site within a VPN cloud has full connectivity with every other site. The network administrator need no longer manually configure each possible connection in the VPN, but only need to create a VPN cloud and specify the sites, users, and rules to be associated with the VPN. Each connection is then configured based on the configuration specified for the VPN cloud. The hierarchical organization thus facilitates the setup of a VPN with a large number of sites.
• The network administrator preferably adds a new VPN cloud by actuating anadd button280. In response, thepolicy server122 automatically creates thesites node272,users node274, and rulesnode276 under the VPN cloud. The administrator then specifies the sites and users in the VPN.
• According to one embodiment of the invention, therules node276 initially includes adefault VPN rule278 corresponding to the policy settings selected by the network administrator during setup of thepolicy server122. Thedefault VPN rule278 allows unrestricted access between the hosts in the VPN.
• The administrator may implement the access control within the VPN cloud by deleting thedefault rule278 and adding specific firewall rules to the VPN. Such firewall rules allow the administrator to have fine grained access control over the traffic that flows through the VPN, all within the realm of the encrypted access provided by such VPN. The firewall rules are applied to the cleartext packet after it is decrypted or before it is encrypted.
• According to one embodiment of the invention, the administrator selects thedefault rule278 to effectuate such changes to the default rule. Selection of the default rule invokes a graphical user interface similar to the one illustrated inFIG. 8. The network administrator then fine tunes the access to the VPN by defining the firewall rules applicable to the VPN. The parameters in these firewall rules are preferably identical to the general firewall rules illustrated inFIG. 8.
• Once a VPN cloud is configured, VPN membership information is dynamically created by thepolicy enforcers124,126 in the VPN. In this regard, each VPN site includes a tag identifying the hosts included in the site. At runtime, thepolicy enforcers124,126 for the respective sites associate IP addresses to the tag identifying the hosts in each site. This allows the IP addresses to be dynamically discovered without requiring static configuration of the IP addresses.
• After the creation of the membership tables, any changes in the routing information is detected and notified to the member policy enforcers using a publish/subscribe process. The actual changes are retrieved by a policy enforcer by querying the LDAP database on the particular network that corresponds to the changed routing information.
• FIG. 15 is a schematic functional block diagram ofpolicy enforcers124,126 at opposite ends of a VPN tunnel updating their respective routing information. As illustrated inFIG. 15, eachpolicy enforcer124,126 includes agated module252,261 configured as a daemon to run one or more routing protocols for exchanging routes on the network. Such routing protocols may include RIPv1, RIPv2, OSPF, and the like.
• When a network administrator wishes to add a new route to the privatelocal network102 connected topolicy enforcer124, the administrator submits, instep241, the new route to agated module252 in thepolicy enforcer124. This is typically done by configuring a downstream of the policy enforcer to have an additional network. This information is then propagated by standard routing protocols to thegated module252 of thepolicy enforcer124. For example, thepolicy server122 may publish the new route to thepolicy enforcer124 with which the new route is to be associated. The route may be specified, for example, by an LDAP statement such as “LAN_Group@PR1,” which specifies a new route from a policy enforcer PR1 to a LAN named LAN_Group. Thegated module252, instep242, writes the new route to akernel253 of the policy enforcer including aVPN driver254 so that thepolicy enforcer124 can properly direct appropriate messages along the new route. Furthermore, thegated module252, instep243, writes the new route to itsLDAP database132.
• Thegated module252 also provides, instep244, the name of the new route to a distinguished name monitor (DNMonitor)daemon255 configured to listen for updates in theLDAP database132. The DNMonitor in turn notifies, insteps245a,245b, aVPN daemon256 and a policy deployment point (PDP)engine257 of the change in theLDAP database132. The PDP engine then updates the modules that enforce the policies, with the change.
• TheVPN daemon256, instep246, uses the route name to access theLDAP database132 to get the complete route information, a list of all VPNs to which the new route belongs, and a list of all other policy routers connected to those VPNs. Instep247, theVPN daemon256 proceeds to send the new route name to each of the other policy routers.
• Whenpolicy router126 receives a new route name frompolicy router124, itsnetwork daemon258, instep248, accesses theLDAP database132 in the sendingpolicy router124 to obtain the complete new route information. If the new route belongs to more than one VPN and has different parameters for the different VPNs, routers on the different VPNs retrieve different information corresponding to the individual VPNs.
• Instep249, thenetwork daemon258 writes the new route information obtained in itsown LDAP database134 and provides it to its own DNMonitor module. As in the sendingpolicy router124, theDNMonitor module259 in the receivingpolicy router126 provides the new route information to itsPDP engine260 for updating itskernel265 with the latest changes.
• AlthoughFIG. 15 has been described in connection with addition of a route to a policy enforcer and its associated VPNs, it should be readily apparent to those skilled in the art that essentially the same techniques may be applied to deletion of a route (for example, if a network component becomes inoperative or incommunicative), or change of a route (the policy router may recognize that a route already exists in a different form and simply overwrite it). In this way, the VPN system or systems can dynamically maintain routing information between its policy enforcers with minimal intervention by the system administrator.
• V. Virtual Private Network Having Automatic Updating of Client Reachability Information
• Remote users communicate over thepublic Internet108 with the other members of the VPN behindpolicy enforcers124,126, upon presenting appropriate credentials. These remote users access the private networks asVPN clients140 using a VPN client software. According to one embodiment of the invention, the system allows the remote user to download a self-extracting executable which, upon execution, installs both the VPN client software and VPN reachability information unique to the remote user in the user's remote terminal.
• Eachpolicy enforcer124,126 preferably maintains a copy of the self-extracting executable of the VPN client software including a setup program and VPN reachability configuration template. The setup program allows the VPN client software to be installed on theVPN client140. When downloading the self-extracting executable, the configuration template is replaced with the VPN reachability information that is specific to the downloading user.
• According to another embodiment of the invention, the system allows theVPN client140 to download a self-extracting executable which, upon execution, only installs the VPN reachability information that is unique to the user. According to this embodiment, the VPN client software is already installed on theVPN client140. In this scenario, the setup program allows the installation of the reachability information that is specific to the downloading user, on theVPN client140.
• According to a third embodiment of the invention, the system allows theVPN client140 to automatically download the VPN reachability information each time it connects to thepolicy enforcer124,126. Thus, VPN reachability information is kept up-to-date for eachVPN client140. Once a VPN session is established, the connection between theVPN client140 and the policy enforcer is assumed to already be secure. The VPN client preferably makes a common gateway interface (CGI) query to a web server running on the policy enforcer, and downloads the current VPN reachability information from the corresponding LDAP database.
• FIG. 16 is a block diagram of components in a self-extractingexecutable290 according to one embodiment of the invention. The self-extractingexecutable290 may be created using commercially available tools such as the INSTALLSHIELD EXEBUILDER of InstallShiled Software Corporation of Schaumburg, Ill.
• The self-extractingexecutable290 preferably includes anexecutable setup file292 for installing the VPN client software and/or the VPN configuration information. Thesetup file292 preferably forms astatic portion298 of the self-extracting executable since this information does not change based on the downloading VPN client. The self-extractingexecutable290 further includes VPN configuration file templates for theVPN reachability information294 and the VPN client's presharedkey information296. TheVPN reachability information294 and the VPN client's preshared key296 preferably form adynamic portion299 of the self-extractingexecutable290 since this information changes based on the downloading VPN client. The self-extractingexecutable290 is then saved as a template file in thepolicy enforcers124,126 and is ready to the downloaded by the remote users.
• FIG. 17 is a functional block diagram for downloading the self-extractingexecutable290 ofFIG. 16 according to one embodiment of the invention. Instep320, anew VPN client140 first establishes a secure communication session with thepolicy enforcer124,126 to download the self-extractingexecutable290. Preferably, this is accomplished via an HTTPS protocol session on the VPN client's web browser or the like. Insteps322 and324, the policy enforcer engages the VPN client in an authentication procedure where the policy enforcer requests, and the VPN client provides, his or her user name and password. Instep326, the policy enforcer compares the provided information with entries in itsVPN client database328. If the information is correct, the policy enforcer finds appropriate preshared keys for the user, and instep330, also determines the VPN reachability information of the client from aVPN configuration database332. TheVPN client database328 andVPN configuration database332 may reside as part of asingle LDAP database312,314 managed by thepolicy enforcer124,126, or may constitute separate LDAP databases.
• Instep334, the policy enforcer replaces thedynamic portion299 of the self-extracting executable290 with the VPN reachability information and preshared key that is unique to the VPN client. The newly generated self-extracting executable is then downloaded to theVPN client140 in step336. When the executable is run, it either installs the VPN client software and/or the VPN reachability information.
• Similar techniques may also be used for downloading a new and updated copy of the VPN configuration information to the VPN client each time the client connects to the policy enforcer and negotiates a session key. In addition, the user may obtain the latest configuration of the VPN network by expressly requesting the policy enforcer for such information. Thus, the VPN client need not be reinstalled and reconfigured each time updates are made to the VPN reachability information.
• VI. Integated Policy Enforcer
• According to one embodiment of the invention, the functionalities of thepolicy enforcer124,126 for policy enforcement are partitioned for effective hardware implementation. However, it should be apparent to one skilled in the art that some or all of the functionalities may be implemented in software, hardware, or various combinations thereof.
• FIG. 18 is a schematic block diagram of thepolicy enforcer124,126 illustrating the partitioning of the various functionalities according to one embodiment of the invention. The policy enforcer includes an Internet protocol security (IPSec)engine502 for performing security and authentication functions in implementing, for instance, virtual private networks. A stream table506 assembles the packets passing through the policy enforcer into streams. Aprotocol classification engine508 decodes the protocols used in forwarding the packets. Apolicy engine510 enforces policies for the packets based on the policy settings stored in thepolicy database132,134. Apacket forwarding module504 receives packets from the public Internet via therouter110 and buffers, forwards, or drops the packets based on the policies being enforced. Abandwidth management module514 provides bandwidth shaping services to the packets being forwarded based on the bandwidth settings stored in thepolicy database132,134.
• In practice, an incoming packet is matched against the stream table506 for determining if a matching entry already exists in the table. If not, a new entry is added. The stream table preferably includes enough portions of the packet to uniquely identify a stream. For example, in enforcing policies on IP layer three through layer four traffic, the stream table may store a source IP, destination IP, source port, destination port, and protocol number of the incoming packet.
• Theprotocol classification engine508 takes the new stream and obtains a detailed protocol decode for the stream. Thepolicy engine510 is then queried for the policy rules to be applied to the stream. Based on the policy rules returned by thepolicy engine510, thepacket forwarding module504,IPSec engine502, and/or thebandwidth management module514 process the streams accordingly. The processing may be recursive until the packets in the stream have had all the actions specified by the policy rule set applied to them.
• The policy enforcer also includes astatistics module512 for collecting statistics on the packets forwarded through the local network as well as other status and resource usage information, and provides the same in logs and archives for sending to thepolicy server122. According to one embodiment of the invention, thestatistics module512 keeps running byte counts of the packets passing through thenetwork102,104. These byte counts may be automatically sorted by classes, such as classes based on certain resources (e.g. users, hosts, services), as well as by bytes that are blocked by policies and exceptions, such as firewall policies. In this regard, thestatistics module512 maintains in a cache a state table including a list of resources involved for each connection allowed through the firewall. For every packet flowing through the connection, the statistics module increments the packet and byte count for each of the resources in the list. Thestatistics module512 then forwards the organized information to thepolicy server122 which enters the information directly into tables organized by classes and aged out periodically.
• FIG. 19 is a more detailed schematic block diagram of thepolicy engine510 according to one embodiment of the invention. Thepolicy engine510 includes a policy request table602 that acts as a queue for all the policy decision requests. In this regard, the portion of the packet matching the information stored in the stream table506 is presented to thepolicy engine510 in the form of a policy request. The policy request is then queued in the policy request table602.
• Aresource engine604 maintains an up-to-date mapping of resource group names to member mappings. A policy rulesdatabase buffer608 stores a current policy rule set to be applied by thepolicy engine510. The policy rules stored in thebuffer608 are preferably in the original group-based rule specification format. Thus, thebuffer608 stores a rule created for a group in its group-based form instead of instantiating a rule for each member of the group.
• Adecision engine606 includes logic to serve the incoming policy decision requests in the policy request table602 by matching it against the policy rule set in the policyrules database buffer608 based on the actual membership information obtained from theresource engine604. The relevant group-based rule matching the traffic is then identified and decision bits in the stream table set for enforcing the corresponding actions. The decision bits thus constitute the set of actions to be performed on the packets of the stream. All packets matching the streams are then processed based on these decision bits. The decision engine may also specify an access control list (ACL) including a set of rules that allow/deny traffic, a DiffServ standard for providing a quality of service level to the traffic, and/or VPN implementation information.
• FIG. 20 is a more detailed schematic block diagram of theprotocol classification engine508 according to one embodiment of the invention. As illustrated inFIG. 20, theprotocol classification engine508 includes astream data assembly702, a slidingstream data window704, an ASN.1block706, a protocolclassification state machine708, and a protocoldefinition signature database710. Thestream data assembly702 extracts and re-assembles the data portion of an input packet stream and stores it in the slidingstream data window704. Preferably, the sliding stream data window follows first-in-first-out protocols. The ASN.1 decoder further decodes the data stream, if needed, per conventional ASN.1 encoding/decoding standards. The protocolclassification state machine708 then matches the fully re-assembled and decoded data against the protocoldefinition signature database710. Thisdatabase710 preferably holds a mapping of protocol names to data patterns to be found in the data stream. The matched protocol is then returned to the stream table506.
• Thus, theprotocol classification engine508 provides extensive layer three through layer seven protocol decode and packet classification, including complete identification of dynamic streams using a dynamically updated signature database compiled from scripted protocol definitions. As new protocols are defined in the future and/or users create their own custom applications with custom protocols, a need may arise to add recognition of these protocols to the protocol classification engine. The described protocol classification engine architecture allows such additions by simply adding a new scripted definition of the new protocol to the protocol classification engine without having to change the design each time a new protocol is added. This allows for custom protocol support and future protocol extensibility.
• FIG. 21 is a more detailed schematic block diagram of theIPSec engine502 according to one embodiment of the invention. As illustrated inFIG. 21, theIPSec engine502 includes a Pseudo-Random Number Generator (PRNG) function802 for generating random numbers used for cryptographic key generation according to well known methods. ADiffie Hellman804 andRSA812 blocks implement the corresponding asymmetric public key encryption/decryption/signature algorithms which are also well known in the art. An IKE block806 communicates with an IPSec SA table808 for implementing standard ISAKMP/Oakley (IKE) key exchange protocols. A cryptographic transforms block814 implements standard symmetric encryption/decryption algorithms. An IPSec Encapsulation/Decapsulation block810 performs standard encapsulation/decapsulation functions. Accordingly, theIPSec engine502 provides mature, standards-based IKE/IPSec implementation with public key certificate support and necessary encryption/decryption functionality for packets passing through the privatelocal networks102,104.
• VII. Network Policy Logs and Statistics Aggregation
• Referring again toFIG. 3, the log collecting andarchiving module304 collects information about the status and usage of resources from thepolicy enforcers124,126 as well as from themanagement module302, and stores them in thearchive database318. The policyserver reports module316 then uses the collected logs and archives to generate reports in an organized report format.
• According to one embodiment of the invention, eachpolicy enforcer124,126 maintains a log file with information collected about the flow of traffic through the policy enforcer as well as the status and usage of resources associated with the policy enforcer. All the log files follow a predefined common log format, preferably designed to create compact logs.
• FIG. 22 is a schematic layout diagram of such a log format according to one embodiment of the invention. Each log entry includes atimestamp820 in the format yyyymmddhhmmss, indicative of the year, month, date, hours, minutes, and seconds in which the log entry was created. Aservice field822 indicates the type of service rendered by thepolicy enforcer124,126. Such services include VPN, FTP, Telnet, HTTP, packet filter, bandwidth, and the like. Each log entry further includes a source IP address andport824 indicating the source from where a packet was received, as well as a destination IP address andport826 indicating the destination to which the packet was forwarded.
• Auser ID field828 identifies the user transmitting the packet. The user ID may be mapped to an entry in theLDAP database130,132, or134 for obtaining additional details about the user.
• Astatus field830 indicates the status of an operation and may include a result code, error code, and the like. For example, for a packet filter service, the status field may include a result code “p” if the packet was passed or code “b” if the packet was blocked.
• Anoperation field832 indicates codes for a type of operation conducted by the service. For instance, operations for a VPN service may include sending packets and receiving packets.
• Operations for an FTP service may include GET and PUT operations. Operations for an HTTP service may include GET and POST operations.
• In addition to the above, each log entry includes an in-bytes field832 indicative of the number of bytes the policy enforcer received as a result of the activity, and an out-bytes field834 indicative of the number of bytes transferred from the policy enforcer. Furthermore, aduration field836 indicates the duration (e.g. in seconds) of the activity.
• Certain fields of a particular log entry may be left blank if not applicable to a particular service. For instance, for an FTP download. Where there is no outgoing traffic, the out-bytes field is left blank. Furthermore, additional fields may be added based on the type of service being logged. For instance, for an HTTP activity, the URL that is accessed is also logged in the log entry. The additional fields are preferably appended to the end of the standard log format.
• A person skilled in the art should recognize that additions, deletions, and other types of modifications may be made to the log format without departing from the spirit and the scope of the invention as long as the log format common to all the policy enforcers and is aimed in creating compact logs.
• The log files created by thepolicy enforcers124,126 are transferred to thepolicy server122 based on archive options set by the policy server. In this regard, the network administrator specifies a threshold size for the logs created by the policy enforcers upon selection of the policyserver archive option752 ofFIG. 9. When the log file exceeds the specified size, it is sent to thepolicy server122. Preferably, the logs are transferred to thepolicy server122 at least once a day even if the threshold size has not been exceeded. The logs may also be archived locally at the policy enforcer if so specified by the network administrator.
• Once thepolicy server122 receives the logs, it is stored in thearchive database318 preferably taking the form of an SQL database. The policyserver reports module316 queries this database to generate reports for eachpolicy enforcer124,126. In addition, the logs may be exported in a format that may be interpreted by commercially available products such as WEBTRENDS, manufactured by WebTrends Corporation of Portland, Oreg.
• The reports created by thereports module316 include summary usage reports for the various resources including policy enforcers, users, services, hosts, and VPNs. For instance, the reports may include VPN summary reports, bandwidth summary reports, packet filter reports, and the like, for each policy enforcer.
• The reports preferably show usage of each of the resources over a period time. The start and the end date for the report may be specified by the user. The user may further drill down on the time dimension and on the resource dimension for viewing specific times and specific resources. For instance, in creating the packet filter reports, the user may indicate a start and end time, source IP address, source port, destination IP address, and destination port. All packets meeting these criteria are then fetched from thearchive database318 and shown in a packet report.
• VIII. Method for Selective LDAP Database Synchronization
• According to one embodiment of the invention, thedatabases130,132,134 in the unified policy management system ofFIG. 1 are LDAP databases storing policy management information including policies for firewall, VPNs, bandwidth, administration, user records, network records, services, and the like. As described above, the LDAP directory service model is based on entries where each entry is a collection of attributes. Entries are arranged in a tree structure that follows a geographical and organizational distribution. Entries are named according to their position in the hierarchy by a distinguished name (DN).
• Thepolicy server122 preferably stores the policy management information for all the policy enforcers in thepolicy server database130. This information is organized in thedatabases130 as one or more DNs with corresponding attributes. Appropriate portions of the policy server database are then copied to thepolicy enforcer databases132,134.
• FIG. 23 is a block diagram of an LDAP tree structure including anLDAP root265 and a plurality ofbranches264,266,268,270. According to one example, thepolicy server122 maintains in thepolicy server database130branches264 and266 with policy management information for all thepolicy enforcers124,126. Each of thepolicy enforcers124,126 also maintain portions of thebranches264 and/or266 in their respectivepolicy enforcer databases132,134 as sub-trees of thepolicy server database130. The portions of the branches maintained by eachpolicy enforcer124,126 preferably relates to the configuration information for that policy enforcer as well as some additional information about the other policy enforcers. This additional information is used to communicate with the other policy enforcers.
• Thepolicy server122 may further maintainbranch268 storing information used only by the applications running on the server and not shared with any of thepolicy enforcers124,126. Likewise,policy enforcers124,126 may maintain a portion ofbranch268 containing information used only by the applications on each of the policy enforcers and not shared elsewhere. Typically, the data stored inbranch268 is dynamically generated and used by the applications running on the corresponding server or agent.
• Branch270 is preferably only included in the LDAP tree for thepolicy server database130 and stores logged policy management changes that may be propagated to thepolicy enforcers124,126. Such changes may include, for example, addition, deletion, or modifications of a user on a device, VPN cloud, bandwidth policy, or firewall policy made by the network administrator via the various graphical user interfaces described above. Such changes result in the updating of thepolicy database130 where the corresponding DN of the LDAP tree is added, deleted, or modified. Thepolicy server122 further creates a log of the changes and stores them inbranch270 for later distribution to thepolicy enforcers124,126.
• FIG. 24 is a more detailed block diagram ofbranch270 of the LDAP tree ofFIG. 23. TheLDAP root265 includes anApplyLog270aentry which in turn includes auser log entry270band adevice log entry270c. The user log entries include specific administrator log entries identified byspecific DNs270dfor reflecting the changes made by the particular administrators. Thedevice log entry270cincludes specific device log entries identified byspecific DNs270ereflecting the changes that are to be distributed to the particular policy enforces124,126. Preferably, the changes made by the administrators are propagated to thepolicy enforcers124,126 upon actuation of an apply button such as the apply button417 illustrated inFIG. 6.
• FIG. 25 is a flow diagram for logging and propagating LDAP changes to the policy enforcers according to one embodiment of the invention. Instep420, a particular network administrator makes a policy setting change. According to one example, the administrator is administrator “adm” working in the domain “domain1,” and the change is the addition of a new user on a device.
• Instep422, the change made the administrator is reflected in thepolicy server database130. In this regard,branches264 and266 of the LDAP tree are modified accordingly to reflect the change in the policy setting. Additionally, instep424, thepolicy server122 creates a log of the changes for the administrator for later processing and sending to the appropriate policy agent. Instep426, thepolicy server122 updates the administrator'slog DN270dto reflect the change. In the above example and as illustrated inFIG. 24, if the log created is named “A_L1,” thepolicy server122 updates theDN270dfor “adm” at “domain1” to create an attribute “apply”270fthat has the value “A_L1”270g. Other changes made by the administrator are reflected in separate logs (e.g. “A_L2,” “A_L3”) and appended to the existing value of the apply attribute in the administrator'slog DN270d.
• Instep428, thepolicy server122 checks whether the changes made by the administrator are to be propagated to theappropriate policy enforcers124,126. As discussed above, the changes are preferably propagated upon actuation of an apply button from the administrator's graphical user interface.
• If the apply button has been actuated, the policy server creates, instep430, a log for each policy enforcer to whom the change is to be transmitted. In this regard, thepolicy server122 collects all the changes made by the administrator as reflected in thevalues270g,270hof the applyattribute270fof the administrator'slog DN270d. These changes are processed for each policy enforcer belonging to the administrator's domain. Such processing preferably involves picking the relevant changes and suitably modifying the DNs for the policy enforcer's LDAP. Such suitable modifications may be necessary, for instance, due to the differences in the tree structures in thepolicy server database130 and thepolicy enforcer databases132,134. For instance, a change in the administrator's log may contain a DN that specifies the domain name of the policy enforcer. In applying this change to the policy enforcer, the domain name would not be specified in the DN since the policy enforcer's tree structure does not include a domain name.
• The changes suitably modified for each policy enforcer's LDAP are then stored in a device log. Each policy enforcer'slog DN270eis then modified to reflect the change to the transmitted to the particular policy enforcer. In the above example and as illustrated inFIG. 24, if the device log created is named “PE_L1,” thepolicy server122 updates theDN270efor the particular policy enforcer “PE1” at “domain1” to create an attribute “apply”270ithat has the value “PE_L1”270j.
• Instep432, the applyattribute270ffor the administrator'slog DN270dis then deleted from the LDAP tree. Instep434, the changes collected for each policy enforcer, as reflected in the values270j,270kof the applyattribute270iof the policy enforcer'slog DN270e, are transmitted to the policy enforcer for updating itsdatabase132,134. The changes are sent to the policy enforcers preferably over the HTTPS channel.
• Instep436, thepolicy server122 checks whether the updates have been successful. In this regard, thepolicy server122 waits to receive an acknowledgment from the policy enforcer that the updates have been successfully completed. Upon a positive response from the policy enforcer, thepolicy server122 deletes the applyattribute270efor the policy enforcer'slog DN270e. Otherwise, if the update was not successful (e.g. because the policy enforcer was down), the apply log is re-sent the next time another apply function is invoked. Alternatively, the failed policy enforcer transmits a request to thepolicy server122 of the log of non-applied changes when it rejoins the network (e.g. by rebooting).
• IX. State Transition Protocol for High Availability Units
• According to one embodiment of the invention, thepolicy server122,policy enforcers124,126, as well as other network devices may be configured for high availability by maintaining a backup unit in addition to a primary unit.
• FIG. 26 is a schematic block diagram of a high availability system including a primary unit902 and a backup unit904. The two units902,904 communicate with each other by exchanging heartbeats over parallel ports906a,906band a cable908. Such parallel ports906a,906band cable908 are conventional components that are commonly available in the art.
• The primary unit902 and the backup unit904 are each similarly connected to other components910,912,914 via ports920a,920b,922a,922b,924a,924b, respectively. These components910,912,914 may be hubs, switches, connectors, or the like. Because the primary unit902 and backup unit904 provide similar services and functions and may be used interchangeably, each unit is preferably connected to the same components910,912,914.
• The parallel port cable908 is preferably a conventional laplink cable designed to connect two parallel ports and allow communications between them. The primary unit902 and the backup unit904 preferably communicate with each other via TCP packets over the high-availability ports906a,906b. A point-to-point connection preferably exists between the primary unit902 and the backup unit904 over the high-availability ports906a,906b.
• The primary unit902 is preferably responsible for checking the status of its network ports for problems or failures. For example, if the primary unit902 detects that one of its network ports is inoperable, e.g. port922a, the primary unit902 then checks whether the corresponding port922bin the backup unit904 is operational. Upon determining that the corresponding port922bin the backup unit904 is operational, the primary unit902 sends a request to the backup unit904 to take over the system functions as the active unit. The primary unit902 then relinquishes its role as the active unit and shuts itself down, allowing the backup unit904 to take on the responsibilities of the primary unit902. When the primary unit902 restarts operation, the backup unit904 receives a request from the primary unit902 to relinquish its role as the active unit.
• When the primary unit902 is active and does not detect any defects in its ports, it continuously listens on the high-availability port906ato keep track of the status of the backup unit904. The primary unit902 continues to listen on the high-availability port906afor signals coming from the backup unit904. When the backup unit904 is up and running, it connects to the primary unit902. Once the connection is made, the backup unit904 begins sending heartbeats to the primary unit902. The backup unit904 continuously sends heartbeats to the primary unit902 in predetermined intervals. According to one embodiment of the invention, the backup unit904 sends a “Keep Alive” packet including a KEEP_ALIVE command to the primary unit902 every one second.
• The primary unit902 responds to the “Keep Alive” packet by changing the command field of the packet to a KEEP_ALIVE_RESP command and re-transmitting the packet to the sender. If the backup unit904 does not receive a response back from the primary unit902 for a predetermined period of time (e.g. one second) for one “Keep Alive” packet, the backup unit904 begins preparing to take over the active role. Preferably, the predetermined period should not be greater less than two consecutive “Keep Alive” packets.
• Upon taking the role of the active unit, the backup unit904 attempts to reestablish a connection with the primary unit902 at regular intervals to determine whether the problem or failure in the primary unit has been cured. If the problem or failure has been cured, the backup unit904 relinquishes its control to the primary unit902 after setting the IP addresses of all the network interface cards to the assigned value.
• In situations where the backup unit904 takes over the active role from the primary unit902, an alert/alarm is sent to the network administrator indicating such a change. In addition, if the primary unit902 does not receive heartbeats from the backup unit904, an alert/alarm is sent to the administrator indicating that the backup unit has failed.
• A situation may arise when both the primary unit902 and the backup unit904 are fully functional, and the backup unit904 desires to take over the active role. In this case, the backup unit904 transmits a shut-down command to the primary unit902 which then relinquishes control. The backup unit904 continues its role as the active unit until the primary unit902 transmits a request to the backup unit904 to relinquish its active role.
• According to one embodiment of the invention, the initial status determination protocol of each high availability unit as a primary, backup, or stand-alone unit relies on a self-discovery process.FIG. 27 is a flow diagram of an exemplary status discovery process according to one embodiment of the invention. Instep930, a first high availability unit (unit X) that has not yet definitively discovered its status as a primary or a backup unit boots up, and instep932 assumes the role of a backup unit. Instep934, unit X searches the network for a primary unit and inquires, instep936, whether a primary unit has been detected. If the answer is YES, unit X tries to connect to the primary unit. If it is successful, unit X initializes as the backup unit instep938. If, on the other hand, unit X does not detect the primary unit, unit X assumes the role of the primary unit instep940.
• Instep942, unit X searches the network for a backup unit. If the backup unit is detected, as inquired instep944, unit X connects to the backup unit and initializes as the primary unit instep946. If, on the other hand, unit X does not detect any other units in the network within a predetermined time, unit X initializes as a stand-alone unit instep948.
• Once the primary and secondary units have been initialized, configuration changes of the primary unit are also transferred to the backup unit in order to keep the two units synchronized. The configuration information is preferably stored in an LDAP database such as the centralpolicy server database130 orpolicy agent databases124,126.
• FIG. 28 is a flow diagram of a process for maintaining configuration information synchronized in the primary and backup units. Instep950, the primary unit boots up and instep952, detects the backup unit. In step954, the backup unit receives configuration change information from the primary unit if it is functional. Otherwise, the configuration changes are entered directly into the backup unit by the network administrator. If the configuration change is to be received from the primary unit, the primary unit notifies the backup unit when configuration changes occur in the primary unit. The changes are then transferred and applied to the backup unit. The backup unit in turn transmits the status of the transfer and the apply back to the primary unit.
• Instep956, the primary unit is checked to determine whether it is functional. If it is, the primary unit is likewise updated with the configuration change. Otherwise, if the primary unit is not functional, the backup unit takes on the active role and becomes the active unit instep958. The primary unit may become non-functional and thus, inactive, due failures in the CPU board, the network interface card, or power supply.
• Instep960, the backup unit tags the changes to transfer them to the primary once the primary becomes functional. Once the primary unit becomes functional, the primary unit is updated with the tagged changes maintained by the backup unit as is reflected instep962.
• According to one embodiment of the invention, software updates on the primary and backup units are also synchronized so as to update the primary and backup units serially in a single cycle without the need for multiple update cycles. Thus, the network administrator need not duplicate the efforts of updating the backup unit with the same information as the primary unit.
• FIG. 29 is an exemplary flow diagram of updating the primary and backup units when they are both functional. Instep970, an update, such as a software update not stored in the LDAP databases, is sent/transmitted to the primary unit from a management station accessible by the network administrator. The primary unit then updates itself instep972. Instep974, the primary unit automatically sends/transmits the update information to the backup unit. Instep976, the backup unit updates itself with the update information received from the primary unit.
• FIG. 30 is an exemplary flow diagram of updating the primary and backup units when the primary unit is not functional. Instep978, the primary unit becomes nonfunctional, and instep980, the network administrator sends/transmits an upgrade directly to the backup unit instead of the primary unit. Instep982, the backup unit updates itself with the information received from the management station and waits for the primary unit to become functional. Once the primary unit becomes functional, the update is automatically sent/transmitted to the primary unit for upgrading instep986. The primary unit then updates itself instep988.
• Although the present invention has been described in detail with reference to the preferred embodiments thereof, those skilled in the art will appreciate that various substitutions and modifications can be made to the examples described herein while remaining within the spirit and scope of the invention as defined in the appended claims.
• For example, the unified policy management system ofFIG. 1 should be viewed as illustrative rather than limiting. It should be apparent to those skilled in the art who are enlightened by the present invention that many alternative configurations are possible. For example, there may be additional networks with policy enforcers or no additional networks at all. Likewise, policy enforcers may not necessarily access the policy server through the Internet, but may be connected via other means such as a WAN, MAN, etc. In short, the number and type of users and resources within and without the organization can vary greatly while staying within the scope of the invention.

Claims (16)

1. A computer network comprising:

a first edge device coupled to a first private network, the first edge device configured to create a first table with information of member networks reachable through the first edge device, the first table being stored in a first database;

a second edge device coupled to a second private network, the second edge device configured to create a second table with information of member networks reachable through the second edge device, the second table being stored in a second database;

wherein, the first and second edge devices enable secure communication between the first and second private networks, and the first edge device shares the first table with the second edge device and the second edge device shares the second table with the first edge device.

2. The computer network ofclaim 1, wherein the first edge device includes logic for:

receiving a new route information;

storing the new route information in the first database; and

transmitting a portion of the new route information to the second edge device.

3. The computer network ofclaim 2, wherein the portion of the new route information is a route name.

4. The computer network ofclaim 2, wherein the second edge device includes logic for:

receiving the portion of the new route information;

accessing the first database based on the portion of the new route information;

retrieving the new route information from the first database; and

storing the retrieved route information in the second database.

5. The computer network ofclaim 1, wherein communication between the first and second networks is managed according to a security policy associated with the networks.

6. The computer network ofclaim 5, wherein the security policy is defined for a security group providing a hierarchical organization of the group, the group including member networks, users allowed to access the member networks, and a rule controlling access to the member networks.

7. The computer network ofclaim 6, wherein each member network has full connectivity with all other member networks and the security policy defined for the security policy group is automatically configured for each connection.

8. The computer network ofclaim 6, wherein the security policy provides encryption of traffic among the member networks and the rule is a firewall rule providing access control of the encrypted traffic among the member networks.

9. In a computer network including a first edge device coupled to a first private network and a second edge device coupled to a second private network, the first and second edge devices enabling secure communication between the first and second private networks, a method for gathering membership information comprising:

creating a first table with information of member networks reachable through the first edge device,

storing the first table in a first database;

creating a second table with information of member networks reachable through the second edge device;

storing the second table in a second database;

sharing the first table with the second edge device; and

sharing the second table with the first edge device.

10. The method ofclaim 9 further comprising:

receiving a new route information;

storing the new route information in the first database; and

transmitting a portion of the new route information to the second edge device.

11. The method ofclaim 10, wherein the portion of the new route information is a route name.

12. The method ofclaim 10 further comprising:

receiving the portion of the new route information;

accessing the first database based on the portion of the new route information;

retrieving the new route information from the first database; and

storing the retrieved route information in the second database.

13. The method ofclaim 9, wherein communication between the first and second networks is managed according to a security policy associated with the networks.

14. The method ofclaim 13 further comprising defining the security policy for a security policy group, the group providing a hierarchical organization of the group including member networks, users allowed to access the member networks, and a rule controlling access to the member networks.

15. The method ofclaim 14, wherein each member network has full connectivity with all other member networks and the security policy defined for the security policy group is automatically configured for each connection.

16. The method ofclaim 14, wherein the security policy provides encryption of traffic among the member networks and the rule is a firewall rule providing access control of the encrypted traffic among the member networks.

Images