US20160269421A1 - Method for network security using statistical object identification - Google Patents
- Publication number: US20160269421A1 (application US14/544,987)
- Authority: US (United States)
- Prior art keywords: packet, authentication, network, recited, tcp
- Legal status: Abandoned (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC)
- H04L63/126: Applying verification of the source of the received data (H04L63/00 network security; H04L63/12 verification of the received information)
- G06F21/64: Protecting data integrity, e.g. using checksums, certificates or signatures (G06F21/00 security arrangements; G06F21/60 protecting data)
- H04L63/06: Network security protocols supporting key management in a packet data network
- H04L63/08: Network security protocols for authentication of entities
- H04L63/0823: Authentication of entities using certificates
- H04L9/3236: Message authentication or identity verification using cryptographic hash functions (H04L9/32)
- H04L9/3263: Message authentication or identity verification involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (H04L9/32)
- G06F2221/2151: Time stamp (G06F2221/21 indexing scheme relating to G06F21/00)
Definitions
- the present invention pertains to methods for efficiently and securely authenticating the Identity of network traffic in arbitrary network topologies using statistical object identification.
- For security technologies deployed directly on each computer, called an “endpoint solution,” the technology uses the resources of the endpoint computer including CPU processor cycles, memory and network bandwidth. For some security technologies, this use of endpoint resources can be substantial. Additionally, some security technologies require the distribution of cryptographic keys to every participating entity. When keys are widely distributed, the protection of those keys becomes more difficult to maintain.
- networks and computer services may be added and organically grown without centralized planning, leading to network resources being deployed somewhat arbitrarily throughout the network. These network resources may have multiple network interfaces.
- the lack of planning often leads to a lack of achievable policy enforcement points that do not adversely impact network and resource performance without the wholesale re-architecture of the network and the redeployment of the network resources. This can be exceedingly costly, in both dollars and time.
- For policy enforcement points and security technologies deployed on a network security appliance, the appliance may become a bottleneck and impact the performance of traffic flowing through it.
- Network security appliances also have a network topology requirement that the traffic must pass through the appliance for it to provide any security functions. For computers communicating with one another on a single LAN or network subnet, this topology requirement is often unachievable. When a computer has multiple network interfaces, this further complicates the network topology and complicates consistent implementation of security functions.
- An analogy to this in the physical world is a building with a security guard at the entrance checking everyone's driver's license, their identity, to ensure that they have business in the building. If there are very few visitors to each building, then each security guard may not be busy most of the time. Instead of having a security guard at each building that is being protected, some of the buildings may have a camera and a mechanism to remotely unlock the door. A security guard, at a location remote from the building being entered, sees the person wishing to enter the building, can see their driver's license, and lets the person in by sending a signal to the door unlock mechanism. This is analogous to what the present invention does within a network of computers.
- a method to enable endpoint security that utilizes a security appliance that does not require the appliance to be in the network data path would constitute a major technological advance, and would satisfy long felt needs and aspirations in the cyber security industry.
- the present invention has two components: a peer authentication driver and an authentication device.
- the peer authentication driver installed on a network endpoint device provides network identity authentication by monitoring incoming IP packets for the TCP SYN bit and securely sending those IP packets to an authentication device for authentication.
- the authentication device performs authentication and, if successfully authenticated, securely sends the IP packet and additional authentication information back to the peer authentication driver for delivery to the endpoint's TCP/IP stack.
- the authentication device may use Statistical Object Identification (SOI) or Transport Access Control (TAC) to perform the authentication. All subsequent IP packets belonging to the same TCP session are delivered directly to the endpoint's TCP/IP stack.
- SOI Statistical Object Identification
- TAC Transport Access Control
- FIG. 1 is an illustration of three buildings and three security officers.
- FIG. 2 is an analogy of the present invention.
- FIG. 3 is an analogy of the present invention.
- FIG. 4 is an illustration of an IP packet.
- FIG. 5 is an illustration of a TCP header.
- FIG. 6 is Flowchart 1 of the present invention, which describes the processing of an IP packet received from a remote network device.
- FIG. 7 is Flowchart 2 of the present invention, which describes the processing of an IP packet by an authentication device.
- FIG. 8 is Flowchart 3 of the present invention, which describes the processing of an IP packet from an authentication device.
- FIG. 9 is Flowchart 4 of the present invention, which describes the processing of an IP packet received from the network endpoint device's TCP/IP protocol stack.
- FIG. 10 is Flowchart 5 of the present invention, which describes the processing of a rule received from the authentication device.
- FIG. 11 is an architectural depiction of the present invention in a network endpoint device.
- FIG. 12 is an architectural depiction of the present invention in a network endpoint device, showing the flow of an IP packet with a TCP header containing TCP SYN bit coming from a remote network device and being sent to an authentication device.
- FIG. 13 is an architectural depiction of the present invention in a network endpoint device, showing an alternate flow of an IP packet with a TCP header containing TCP SYN bit coming from a remote network device and being sent to an authentication device.
- FIG. 14 is an architectural depiction of the present invention in a network endpoint device, showing the flow of an IP packet with a TCP header matching a session descriptor coming from a remote network device and being delivered to the TCP/IP protocol stack.
- FIG. 15 is an architectural depiction of the present invention in a network endpoint device, showing the flow of a rule coming from an authentication device and being delivered to the peer authentication driver.
- FIG. 16 is an architectural depiction of the present invention in a network endpoint device, showing an alternate flow of a rule coming from an authentication device and being delivered to the peer authentication driver.
- FIG. 17 is an architectural depiction of the present invention in a network endpoint device, showing the flow of an IP packet coming from the TCP/IP protocol stack and being sent to a remote network device.
- FIG. 18 is a topological depiction of the present invention in an operating context.
- FIG. 19 is a topological depiction of the present invention in an operating context, showing the flow of an IP packet with a TCP header containing TCP SYN bit coming from a remote network device.
- FIG. 20 is a topological depiction of the present invention in an operating context, showing the flow of an IP packet with a TCP header containing TCP SYN bit being sent from a network endpoint device to an authentication device.
- FIG. 21 is a topological depiction of the present invention in an operating context, showing the flow of an IP packet with a TCP header containing TCP SYN bit being sent from an authentication device back to a network endpoint device.
- FIG. 22 is a topological depiction of the present invention in an operating context, showing the flow of IP packets with their TCP headers matching a session descriptor between a remote network device and the network endpoint device.
- FIG. 23 is a topological depiction of the present invention in an operating context, showing the authentication device sending log information to a logging device.
- An analogy of the present invention is a set of buildings 2 protected by a security officer 4, which is shown in FIG. 1.
- the security officer's 4 job is to inspect the driver's license, the identity, of each person that enters the building 2 and determine if they have business in the building 2 before letting them proceed. If the building 2 does not get many visitors, then the security officer 4 will not be very busy.
- security cameras 5 are placed at the entrance of some of the buildings 2, as shown in FIG. 2.
- a security officer 4 is no longer needed at the buildings 2 with the security camera.
- the security officer 4 can see a person arriving at the building 4 and the identity in the form of a driver's license as an image 7 on a security monitor 6 .
- the security officer 4 sends a door unlock signal 8 to open the door and let the person in, as shown in FIG. 3 .
- a door unlock signal 8 is analogous to the present invention.
- the present invention provides a mechanism to enforce network policy based on identity authentication at a network endpoint device 10 by offloading the authentication process to a remote authentication device 18 .
- An IP packet is shown in FIG. 4 .
- the network traffic flow between the remote network device 11 and the network endpoint device 10 is maintained once the TCP session initiation has been authenticated. This is particularly important when both the network endpoint device 10 and the remote network device 11 are located on the same LAN segment or network subnet, as two devices on the same LAN or subnet often communicate directly with each other, with their traffic switched by a local network switch.
- the present invention allows the use of an authentication device 18 without requiring that it is inserted directly into the network traffic path between two peering devices, hence the name of Peer Authentication.
- When a network endpoint 10 receives an IP packet 12 with a TCP header 14 with the TCP SYN bit set 16, this indicates that a remote network device 11 is requesting the establishment of a TCP session.
- a TCP header 14 is shown in FIG. 5 .
- the sender, in this case the remote network device 11, can be authenticated using a process called Transport Access Control (TAC).
- the TAC process may consume a large number of compute and memory resources.
- the TAC process can be offloaded to an authentication device 18 . This authentication device 18 can process authorization requests from many network endpoint devices 10 .
- When a network endpoint 10 receives an IP packet 12 requesting the establishment of a TCP session, the request is sent to an authentication device 18. After authenticating the IP packet 12, the authentication device 18 returns the IP packet with any additional information needed for processing, and the IP packet 12 is delivered to the TCP/IP protocol stack 32, establishing the TCP session. Subsequent IP packets 12 that are part of the same TCP session are delivered directly to the TCP/IP protocol stack 32.
- the peer authentication driver 46, which resides between the TCP/IP protocol stack 32 and the network device driver 48, may be assisted by a peer authentication management application 44.
- the peer authentication management application 44 is an application that establishes secured communications between the network endpoint device 10 , the authentication device 18 , and the peer authentication driver 46 .
- the peer authentication management application 44 conveys the network endpoint's Identity to the authentication device.
- a preferred mechanism for conveying this Identity is to establish a secure tunnel to the authentication device 18, using the network endpoint's 10 X.509 certificate to establish the secure tunnel.
- the peer authentication management application 44 is responsible for communicating IP packets 12 , policy rules 26 and other information between these entities.
- SOI Statistical Object Identity
- SOI operates by using an identity certificate as an original object and using a sender to communicate a stream of statistical objects, based on the original object, to a communications receiver.
- the communications receiver aggregates the received statistical objects until an original object is unambiguously determined and the calculated probability satisfies a trusted probability threshold. If the communications receiver fails to unambiguously determine the original object or if the calculated probability fails to satisfy the probability threshold, the original object, the identity, is not recognized.
- An indication is made to communicate the identity determined by SOI, or an indication is made to communicate the lack of identity.
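The receiver-side aggregation rule just described, as an added toy model that is not the patent's SOI mechanism: it assumes that the statistical objects are (offset, byte) samples of a SHA-256 fingerprint of the identity certificate, that the receiver holds the candidate certificates, and that the calculated probability is 1 - 256^-n after n distinct sampled offsets. Both conditions (exactly one candidate still consistent with every sample, and the probability at or above the trusted threshold) must hold before an identity is reported; otherwise the identity is not recognized.

```python
import hashlib

# Constructed model of the receiver-side rule only. The patent does not define how
# statistical objects are derived, so this block assumes: the original object is an
# identity certificate, the receiver holds the candidate certificates, and each
# statistical object is one (offset, byte) sample of the SHA-256 fingerprint of the
# original. Confidence is the chance that a party without the object could not have
# guessed every sample so far: 1 - 256^-n after n distinct sampled offsets.


def fingerprint(cert):
    return hashlib.sha256(cert).digest()


def sender_stream(cert, offsets):
    """Sender side: emit statistical objects derived from the original object."""
    fp = fingerprint(cert)
    return [(off, fp[off]) for off in offsets]


class SoiReceiver:
    def __init__(self, candidates, threshold=0.999999):
        self.fps = {name: fingerprint(cert) for name, cert in candidates.items()}
        self.threshold = threshold
        self.consistent = set(self.fps)  # candidates not yet contradicted by a sample
        self.samples = {}

    def aggregate(self, offset, value):
        """Fold in one statistical object; return (identity or None, confidence, decided)."""
        if self.samples.get(offset, value) != value:
            self.consistent.clear()  # the sender contradicted itself: no object can match
        self.samples[offset] = value
        self.consistent = {n for n in self.consistent if self.fps[n][offset] == value}
        confidence = 1.0 - 256.0 ** -len(self.samples)
        if not self.consistent:
            return None, confidence, True  # original object cannot be determined
        if len(self.consistent) == 1 and confidence >= self.threshold:
            return next(iter(self.consistent)), confidence, True
        return None, confidence, False  # still ambiguous or below the trusted threshold


def identify(candidates, stream, threshold=0.999999):
    """Run the receiver over a stream; an identity of None means not recognized."""
    receiver = SoiReceiver(candidates, threshold)
    confidence = 0.0
    for offset, value in stream:
        identity, confidence, decided = receiver.aggregate(offset, value)
        if decided:
            return identity, confidence
    return None, confidence  # stream ended while still ambiguous or below threshold
```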
- Transport Access Control (TAC) is described in U.S. Pat. No. 8,346,951, entitled Method for First Packet Authentication. The Applicants hereby incorporate this document by reference.
- TAC provides a mechanism to authenticate a network connected device on the first packet of a TCP session request.
- TAC enables a network connected device to authorize a received TCP connection request without relying solely on an initiator's IP address. If the authorization is successful, then the connection establishment process is continued. If the authorization fails, the request is “black-holed,” even though there is an application associated with the TCP port in the connection request. This protects against TCP port scanning and network reconnaissance.
- the authentication mechanism uses various fields in the IP and TCP headers in the TCP connection request. All of these fields have a primary function that is defined in the IP and TCP specifications. The use of existing fields to pass an authorization key is necessary because the TCP protocol specification does not provide a mechanism to pass user data on a TCP connection request.
- The goal of TAC is to enable an authentication mechanism that functions using only the fields in the IP and TCP headers that are normally present in the TCP connection establishment request.
- In the IP and TCP headers there are fields that have strictly defined meanings that do not allow any additional encoding, because this would alter the functionality of the IP and/or TCP protocols. Examples of such fields are the Source Address, Destination Address, Checksum, Source Port and Destination Port fields.
- the Sequence Number (SEQ) field specifies the starting sequence number for which subsequent data octets are numbered. Additional TCP specifications recommend that this number be randomly generated.
- a remote network device 11 (TCP session initiator) generates an authorization key, now called an identity token.
- the initiator then sends a TCP connection request, inserting the authorization key in the SEQ field of the TCP header 14 , to the desired network connected device.
- the receiving device upon receiving the connection request, extracts the authorization key.
- the receiving device then processes the authorization key to authenticate it.
- TAC provides methods for concealing the existence of a device connected to a computer network or concealing the existence of certain applications running on a device connected to a computer network. This concealment works by authorizing a TCP connection request using an authorization key embedded within the TCP connection request.
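The driver/authentication-device split described above (a SYN carrying an identity token in the SEQ field is handed to the off-path device, the returned session descriptor and authentication processing information go into the authenticated session table, later packets of that session go straight to the stack, and the bidirectional token is stamped into the SYN/ACK), as an added simulation that is not the patent's code. The token scheme is an assumption, since the page leaves it to the incorporated TAC patent: the first 32 bits of an HMAC-SHA256 over the initiator's identity and the target socket, keyed with a secret shared by the initiator and the authentication device; the class and function names and all addresses are the example's own.

```python
import hashlib
import hmac
import struct

# Constructed simulation of the driver / authentication-device split. The token scheme
# is an assumption, not the patent's: the first 32 bits of an HMAC-SHA256 over the
# initiator's identity and the target socket, keyed with a secret shared by the
# initiator and the authentication device.
TCP_FLAG_SYN, TCP_FLAG_ACK = 0x02, 0x10


def identity_token(key, identity, ip, port, direction=b"syn"):
    """32-bit token sized for the TCP SEQ field; b'synack' derives the bidirectional one."""
    msg = direction + identity + ip.encode() + struct.pack("!H", port)
    return struct.unpack("!I", hmac.new(key, msg, hashlib.sha256).digest()[:4])[0]


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, seq, flags):
    """Minimal IPv4 + TCP header pair (checksums left zero; only the headers matter here)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return ip + tcp


def parse(pkt):
    """Return the session descriptor (src ip, src port, dst ip, dst port), TCP flags and SEQ."""
    ihl = (pkt[0] & 0x0F) * 4
    src_ip = ".".join(str(b) for b in pkt[12:16])
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    src_port, dst_port, seq = struct.unpack_from("!HHI", pkt, ihl)
    return (src_ip, src_port, dst_ip, dst_port), pkt[ihl + 13], seq


class AuthenticationDevice:
    """Off-path device holding the shared key and the identity bound to each source address."""

    def __init__(self, key, bindings):
        self.key, self.bindings = key, bindings  # bindings: source IP -> identity

    def authenticate(self, pkt, context):
        desc, _, seq = parse(pkt)
        src_ip, _, dst_ip, dst_port = desc
        identity = self.bindings.get(src_ip)
        if identity is None:
            return None
        expected = struct.pack("!I", identity_token(self.key, identity, dst_ip, dst_port))
        if not hmac.compare_digest(expected, struct.pack("!I", seq)):
            return None
        # Hand back the packet, the driver's context and the authentication processing
        # information: here the bidirectional token for the SYN/ACK.
        synack = identity_token(self.key, identity, src_ip, dst_port, b"synack")
        return pkt, context, {"identity": identity, "synack_token": synack}


class PeerAuthenticationDriver:
    TO_STACK, BLACK_HOLE, UNMATCHED = "deliver_to_stack", "black_hole", "unmatched"

    def __init__(self, auth_device):
        self.auth_device = auth_device
        self.sessions = {}  # authenticated session table: descriptor -> processing info

    def on_packet_from_network(self, pkt):
        desc, flags, _ = parse(pkt)
        if flags & TCP_FLAG_SYN and not flags & TCP_FLAG_ACK:
            # Context rides along with the packet, so no per-packet state is kept here.
            reply = self.auth_device.authenticate(pkt, context={"descriptor": desc})
            return self.on_packet_from_auth_device(reply)
        if desc in self.sessions:
            return self.TO_STACK  # rest of an authenticated session bypasses the device
        return self.UNMATCHED  # not specified in this section of the patent; policy decides

    def on_packet_from_auth_device(self, reply):
        if reply is None:
            return self.BLACK_HOLE  # TAC: a failed request is black-holed, not reset
        pkt, context, info = reply
        self.sessions[context["descriptor"]] = info
        return self.TO_STACK

    def on_packet_from_stack(self, pkt):
        """Outbound SYN/ACK of an authenticated session carries the bidirectional token as SEQ."""
        (src_ip, src_port, dst_ip, dst_port), flags, _ = parse(pkt)
        info = self.sessions.get((dst_ip, dst_port, src_ip, src_port))
        if info and flags & TCP_FLAG_SYN and flags & TCP_FLAG_ACK:
            ihl = (pkt[0] & 0x0F) * 4
            pkt = pkt[:ihl + 4] + struct.pack("!I", info["synack_token"]) + pkt[ihl + 8:]
        return pkt


def demo():
    """Constructed traffic: one authorised SYN, its SYN/ACK, a follow-up packet, one stranger."""
    key, ident = b"constructed-shared-secret", b"CN=client-a"
    driver = PeerAuthenticationDriver(AuthenticationDevice(key, {"10.0.0.5": ident}))
    token = identity_token(key, ident, "10.0.0.9", 443)
    syn = build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 443, token, TCP_FLAG_SYN)
    first = driver.on_packet_from_network(syn)
    synack = build_ipv4_tcp("10.0.0.9", "10.0.0.5", 443, 40000, 7, TCP_FLAG_SYN | TCP_FLAG_ACK)
    synack_seq = parse(driver.on_packet_from_stack(synack))[2]
    data = build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 443, (token + 1) & 0xFFFFFFFF, TCP_FLAG_ACK)
    stranger = build_ipv4_tcp("10.0.0.7", "10.0.0.9", 40001, 443, 12345, TCP_FLAG_SYN)
    return {"syn": first,
            "synack_stamped": synack_seq == identity_token(key, ident, "10.0.0.5", 443, b"synack"),
            "data": driver.on_packet_from_network(data),
            "stranger": driver.on_packet_from_network(stranger)}
```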
- Authentication The process of verifying the authenticity of a presented identity credential.
- Authentication Device A device that performs authentication.
- Authentication Processing Information Information provided by an authentication device to a second entity which enables the second entity to complete the authentication process.
- the authentication device provides a second Identity token which is used for bidirectional authentication on the TCP SYN/ACK transaction.
- Authenticated Session Table A table containing session descriptors of TCP sessions that have been authenticated.
- Authenticated Session Processing uses authentication processing information to properly respond to authenticated sessions.
- the authenticated session processing inserts a bidirectional identity token into the TCP SYN/ACK transaction.
- Bidirectional Authentication Authentication that occurs between two parties where each party is authenticated. This is in contrast to unidirectional authentication where only one party is authenticated.
- Connection A logical pairing of two devices that enable them to communicate.
- a connection utilizes a series of packets to accomplish this.
- a TCP connection is an example of a connection.
- Connection Request A request by one device to another device to create a connection.
- Context Information Information that allows the peer authentication driver to process the response from the authentication device without requiring the peer authentication driver to save any state regarding the IP packet. Context information will be returned by the authentication device with the IP packet once the IP packet has been authenticated.
- a device is any object that is capable of being attached or connected to and communicating on a network. Examples of devices include computers, servers, clients, laptops, PDAs, cell phones, smart phones, network appliances, storage systems, virtual appliances, switches, routers, load balancers, caches, intrusion detection systems, VPNs, authentication devices, intrusion prevention systems, and firewalls.
- Endpoint Any network device that has an IP address and the ability to perform TCP/IP protocol processing.
- Endpoint Security Security processing performed on an endpoint. This may include identity credential authentication, access authorization, policy enforcement, behavioral analysis, logging and other security related actions and behaviors.
- Hypervisor In virtualization technology, a hypervisor is a software program that manages multiple operating systems (or multiple instances of the same operating system) on a single computer system.
- Identity Credential An object that is verified when presented to the verifier in an authentication transaction. Identity Credentials may be bound in some way to the individual or device to whom they were issued.
- IP—IP is the Internet Protocol.
- the Internet Protocol is a data oriented protocol used by devices to communicate across a packet switched network.
- IP information is carried by an IP header in an IP packet.
- the IP header contains device address information, protocol control information and user data information.
- Logging Device A device that receives and processes logs from other devices, often for purposes of aggregation, storage, display, data mining or analytics.
- Network A network is a collection of computers, servers, clients, routers and devices that are connected together such that they can communicate with each other.
- the Internet is an example of a network.
- Network Appliance A fixed function device attached to a network for the purpose of performing a set of functions such as computation, storage, networking or security.
- Network Device Driver A software module that communicates with a network interface.
- a network device driver is responsible for customizing the interactions to and from a specific network interface.
- Network Interface The physical or logical boundary between a network and a device.
- a network interface is responsible for formatting the network frames or packets as appropriate for the network medium.
- Many devices have multiple network interfaces.
- Network Policy The rules governing network and network connected device access.
- a network policy describes what network devices can access other networks and network devices.
- Network policy is often applied at policy enforcement points or at an endpoint.
- Network Topology The physical or logical layout of devices on a network. Every network has a topology, or the way that the devices on a network are arranged and how they communicate.
- Peer authentication driver A software module that enables the authentication of network traffic using an authentication appliance.
- Peering Environment A network environment where two endpoints communicate with each other without traversing a common policy enforcement point.
- Peer Authentication Management Application A software module that assists the peer authentication driver.
- the peer authentication management application is usually instantiated as an application and communicates with an authentication device on behalf of the peer authentication driver.
- the peer authentication management application provides management and communications services for the peer authentication driver.
- Physical Appliance A network appliance where the appliance functionality is rendered in physical hardware and software. Compare against a virtual appliance where the appliance functionality is rendered solely in software.
- PEP Policy Enforcement Point
- Remote Network Device One of the pair of devices that forms a connection. Connections involve pairs of devices; the remote network device is the half of the connection pair that is remote from the endpoint.
- Session Descriptor A data structure that describes the TCP session (source IP address, source TCP port, destination IP address, destination TCP port), context information and authentication processing information.
- SOI Statistical Object Identification. A method of communicating a statistical representation of an original object.
- SSL Secure Sockets Layer. A security protocol defined by the Internet Engineering Task Force (IETF).
- TAC Transport Access Control. A method of determining identity on the first packet of a TCP session.
- TAC Bidirectional Identity Token A TAC Identity token that is communicated during TCP SYN/ACK processing.
- TCP Transmission Control Protocol
- networked devices can create connections to one another, over which they can send data.
- the TCP protocol ensures that data sent by one endpoint will be received in the same order by the other, and without any pieces missing.
- the TCP protocol also distinguishes data for different applications (such as a Web server and an email server) on the same device.
- TCP SYN/ACK Processing The response by a TCP/IP protocol stack upon receiving a TCP SYN to establish a TCP session. This is performed in accordance with the TCP specification.
- TCP SYN Bit A control bit within the TCP header that indicates a request for TCP session establishment.
- TCP Session Initiation The process of establishing a TCP session. This is performed in accordance with the TCP protocol specification.
- TLS Transport Layer Security. A security protocol defined by the Internet Engineering Task Force (IETF).
- Virtual Appliance A network appliance where the appliance functionality is rendered solely in software. Compare against a physical appliance where the appliance functionality is rendered in physical hardware and software.
- FIGS. 1, 2 and 3 depict prior art which is used as an analogy to help explain the present invention.
- FIG. 1 is an illustration of three buildings 2 , each protected by a security officer 4 .
- FIG. 2 is an analogy of the present invention, showing two buildings 2 with security cameras 5 , and a building 2 with a security officer 4 and a security monitor 6 . An image 7 from the security camera 5 is shown on the security monitor 6 .
- FIG. 3 is an analogy of the present invention, showing two buildings 2 with security cameras 5 , and a building 2 with a security officer 4 and a security monitor 6 .
- the security officer 4 is sending a door unlock signal 8 to one of the buildings 2 .
- FIG. 1 is an illustration of an IP packet 12 , including a TCP header 14 .
- FIG. 4 is an illustration of an IP packet 12 , including a TCP header 14 .
- FIG. 5 is an illustration of a TCP header 14 and shows the location of the TCP SYN bit 16 .
- FIG. 6 is a flowchart of the present invention which describes processing of an IP packet 12 by a peer authentication driver 46 .
- FIG. 7 is a flowchart of the present invention which describes processing of an IP packet 12 by an authentication device 18 .
- FIG. 8 is a flowchart of the present invention which describes processing of an authenticated IP packet 12 containing TCP SYN bit 16 by a peer authentication driver 46 .
- FIG. 9 is a flowchart of the present invention which describes processing of an IP packet 12 received from a TCP/IP protocol stack 32 by a peer authentication driver 46 .
- FIG. 10 is a flowchart of the present invention which describes processing of a policy rule 26 received from an authentication device 18 by a peer authentication driver 46 .
- FIG. 11 is an architectural depiction of the present invention in a network endpoint device 10 .
- In FIG. 11, a network interface 49 conveys packets between a network (not shown) and the network device driver 48.
- The network device driver 48 processes packets and conveys packets and information between the network interface 49 and the peer authentication driver 46.
- The peer authentication driver 46 performs authentication or causes authentication to be performed.
- The peer authentication driver 46 conveys packets and information between the network device driver 48, the TCP/IP protocol stack 32 and the Peer Authentication Management Application 44.
- The TCP/IP protocol stack 32 performs TCP/IP processing and conveys packets and information between the peer authentication driver 46, the Peer Authentication Management Application 44 and other applications.
- The Peer Authentication Management Application 44 provides management and communications services for the peer authentication driver 46.
- The Peer Authentication Management Application 44 conveys packets and information between the peer authentication driver 46 and the TCP/IP protocol stack 32.
- FIG. 12 is an architectural depiction of the present invention in a network endpoint device 10 , showing the flow of an IP packet 12 with a TCP header 14 containing TCP SYN bit 16 being received by a network interface 49 , being conveyed to a network device driver 48 and being subsequently conveyed to a peer authentication driver 46 .
- The peer authentication driver 46 sends the IP packet 12 to an authentication device 18 (not shown) by conveying it to the network device driver 48, which in turn conveys it to the network interface 49.
- FIG. 13 is an architectural depiction of the present invention in a network endpoint device 10 , showing an alternate flow of an IP packet 12 with a TCP header 14 containing TCP SYN bit 16 being received by a network interface 49 , being conveyed to a network device driver 48 and being subsequently conveyed to a peer authentication driver 46 .
- The peer authentication driver 46 sends the IP packet 12 to an authentication device 18 (not shown) by conveying it to a Peer Authentication Management Application 44, which in turn conveys it via an established TCP session to the TCP/IP protocol stack 32.
- The TCP/IP protocol stack 32 conveys the IP packet 12 to the peer authentication driver 46, which conveys it to the network device driver 48, which in turn conveys it to the network interface 49.
- FIG. 14 is an architectural depiction of the present invention in a network endpoint device 10 , showing the flow of an IP packet 12 with a TCP header 14 being received by a network interface 49 , being conveyed to a network device driver 48 and being subsequently conveyed to a peer authentication driver 46 .
- Upon locating a matching session descriptor 28, the peer authentication driver 46 conveys the IP packet 12 to the TCP/IP protocol stack 32 for processing.
- FIG. 15 is an architectural depiction of the present invention in a network endpoint device 10 , showing the flow of a policy rule 26 being received by a network interface 49 , being conveyed to a network device driver 48 and being subsequently conveyed to a peer authentication driver 46 for processing.
- FIG. 16 is an architectural depiction of the present invention in a network endpoint device 10 , showing an alternate flow of a policy rule 26 being transported within a previously established TCP session.
- An IP packet 12 containing a TCP header 14 and the policy rule 26 is received by a network interface 49, conveyed to a network device driver 48 and subsequently conveyed to a peer authentication driver 46.
- Upon locating a matching session descriptor 28, the peer authentication driver 46 conveys the IP packet 12 to the TCP/IP protocol stack 32 for processing.
- The TCP/IP protocol stack 32 performs the protocol processing and conveys the policy rule 26 to the Peer Authentication Management Application 44.
- The Peer Authentication Management Application 44 conveys the policy rule 26 to the peer authentication driver 46.
- FIG. 17 is an architectural depiction of the present invention in a network endpoint device 10 , showing the flow of an IP packet 12 being generated from the TCP/IP protocol stack 32 and being conveyed to the peer authentication driver 46 .
- The peer authentication driver 46 performs authentication processing and conveys the IP packet 12 to the network device driver 48, which in turn conveys it to the network interface 49 to be sent to its destination.
- FIG. 18 is a topological depiction of the present invention in an operating context.
- Two remote network devices 11 are connected to a network 20 .
- Also connected to the network 20 are two network endpoint devices 10 , a logging device 42 and an authentication device 18 .
- FIG. 19 is a topological depiction of the present invention in an operating context, showing a remote network device 11 conveying an IP packet 12 with a TCP header 14 containing TCP SYN bit 16 via a network 20 to a network endpoint device 10 .
- FIG. 20 is a topological depiction of the present invention in an operating context, showing a network endpoint device 10 conveying an IP packet 12 with a TCP header 14 containing TCP SYN bit 16 via a network 20 to an authentication device 18 performing authentication.
- FIG. 21 is a topological depiction of the present invention in an operating context, showing an authentication device 18 conveying an IP packet with a TCP header 14 containing TCP SYN bit 16 after being authenticated to a network endpoint device 10 via a network 20 .
- FIG. 22 is a topological depiction of the present invention in an operating context, showing the flow of IP packets 12 with TCP headers 14 not containing TCP SYN bit 16 and matching a session descriptor 28 between a remote network device 11 and the network endpoint device 10 via a network 20 .
- FIG. 23 is a topological depiction of the present invention in an operating context, showing the authentication device 18 sending log information 50 to a logging device 42 via a network 20 .
- the peer authentication driver 46 is installed in a network endpoint device 10 , logically inserted between the network device driver 48 and the TCP/IP protocol stack 32 .
- When an IP packet 12 containing a TCP header 14 is received by a network interface 49, it is conveyed to a network device driver 48, which subsequently conveys it to the peer authentication driver 46.
- The IP packet 12 is received by the peer authentication driver 46 and compared against a second table of policy rules 36.
- The second table of policy rules 36 allows the authentication device 18 to define policy rules that are implemented by the peer authentication driver 46.
- An example of a policy rule 26 in the second table of policy rules 36 is a source IP address that is being blocked; IP packets 12 matching that source IP address are discarded.
- A second example of a policy rule 26 in the second table of policy rules 36 is a destination IP address for which identity is not being authenticated; IP packets 12 matching that destination IP address are forwarded without requiring authentication by the authentication device 18.
- A network interface 49 can also be specified in a policy rule 26. This allows different policies to be enforced depending upon which network interface 49 an IP packet 12 is received on.
- An example second table of policy rules 36 is shown below:
- The TCP header 14 of the IP packet 12 is checked for the TCP SYN bit 16 at 104. If the TCP SYN bit 16 is set, the IP packet 12 is sent to the authentication device 18 at 112 for authentication.
- The IP packet 12 may be sent to the authentication device 18 directly by the peer authentication driver 46 or, in an alternate embodiment, via a peer authentication management application 44.
- The peer authentication management application 44 maintains pre-established TCP/IP sessions with one or more authentication devices 18.
- The TCP/IP sessions maintained by the peer authentication management application 44 should be protected using SSL, TLS or another cryptographic security protocol, so that the information conveyed between the peer authentication management application 44 and the authentication device 18 is protected.
- Context information is sent to the authentication device 18 along with the IP packet 12. Context information is information that allows the peer authentication driver 46 to process the response from the authentication device 18 without requiring the peer authentication driver 46 to save any state regarding the IP packet 12. This context information is returned by the authentication device 18 with the IP packet 12 once the IP packet 12 has been authenticated.
- Information about the network interface 49 may also be included with the IP packet 12.
- If the TCP SYN bit 16 is not set, the IP packet 12 is compared against an authenticated session table 30 at 106.
- The authenticated session table 30 contains session descriptors 28.
- Each session descriptor 28 contains session information for one active TCP session.
- Each session descriptor 28 also contains the identity 22 that was authenticated to establish the TCP session.
- The session descriptor 28 also contains authentication processing information that enables the peer authentication driver 46 to properly respond to authenticated sessions.
- The authentication processing information includes the TAC bidirectional identity token used to communicate bidirectional authentication.
- The TAC bidirectional identity token is provided to the peer authentication driver 46 by the authentication device 18. If a session descriptor 28 matching the TCP session in the IP packet 12 is found, the IP packet 12 is sent to the TCP/IP protocol stack 32 at 114.
- If no matching session descriptor 28 is found, the IP packet 12 is discarded.
- When an authentication device 18 receives an IP packet 12 from a peer authentication driver 46, at 116, it determines, at 118, the identity 22 of the sender of the IP packet 12.
- A preferred embodiment of determining the identity of the sender on the first packet of a TCP session is by using Transport Access Control (TAC).
- A second preferred embodiment of determining the identity of the sender on the first packet of a TCP session is by using statistical object identification (SOI).
- The first table of policy rules 27 allows the authentication device 18 to define and maintain policy rules 26 based on identity 22.
- An example of a policy rule 26 in the first table of policy rules 27 is an identity 22 that is allowed to access a specified destination IP address.
- A second example of a policy rule 26 in the first table of policy rules 27 is an identity 22 matching a specified destination IP address that will be redirected to an alternate IP address.
- A third example of a policy rule 26 in the first table of policy rules 27 is a wildcard rule that matches any identity 22 and instructs that the IP packet 12 be discarded.
- An example first table of policy rules 27 is shown below:
- The matching policy rule 26 is enforced. For example, if the policy rule 26 is "Allow", then the IP packet 12, at 128, is sent back to the peer authentication driver 46.
- If context information was received with the IP packet 12, it should be returned with the IP packet 12.
- Authentication processing information should also be sent to the peer authentication driver 46.
- Otherwise, the IP packet 12 is discarded, at 122.
- the identity 22 , the lack of identity and the associated policy may also be recorded in log information 50 that is sent to a logging device 42 .
- A logging device 42 can be any device used for the purpose of collecting, aggregating, processing, analyzing and storing log records. Commonly a logging device 42 is a network connected device with a large storage capacity and the ability to perform advanced analytics, such as a HADOOP cluster. Less sophisticated logging devices 42 can simply aggregate and store logs sent to them across the network. Splunk is a common software package that runs on a logging device 42.
- The receipt of the IP packet 12, in conjunction with the identity determination process, may produce policy rules 26 that must be communicated to the peer authentication driver 46.
- For example, the authentication device 18 may want to block all IP packets 12 originating from a certain source IP address for a period of time. Sending a policy rule 26 to the peer authentication driver 46, at 130, allows this to happen without requiring that the authentication device 18 discard all of the corresponding IP packets 12 itself.
- Such a policy rule 26 should include an expiration so that it expires automatically and does not require additional coordination or management from the authentication device 18. If no new rules are generated, then no additional processing occurs at 126.
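The authentication device side of the flow just described (identity determination, lookup in the first table of policy rules 27, return of the packet with its context and authentication processing information on "Allow", discard otherwise, a log record, and an expiring policy rule pushed to the driver when a source keeps failing) can be modelled as follows. This is an added illustration, not the patent's implementation: the identity resolver passed in stands in for TAC/SOI, and the table layout, field names, failure threshold and token construction are assumptions of this example.

```python
"""Authentication device 18 side of the FIG. 7 flow (added illustration).

The resolve_identity callable stands in for TAC or SOI.  Table layout,
field names, the block-after threshold and the token format are
assumptions of this example, not the patent's."""
import hashlib
from dataclasses import dataclass, replace
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class IdentityRule:
    """Entry of the first table of policy rules 27; None acts as a wildcard."""
    identity: Optional[str]
    dst_ip: Optional[str]
    action: str                     # "allow", "redirect" or "discard"
    redirect_to: Optional[str] = None


@dataclass(frozen=True)
class PolicyRule:
    """Rule pushed down to the peer authentication driver 46, with expiry."""
    action: str
    src_ip: str
    expires_at: float


class AuthenticationDevice:
    def __init__(self, rules, resolve_identity: Callable[[Packet], Optional[str]],
                 block_after: int = 3, block_seconds: float = 60.0):
        self.rules = list(rules)
        self.resolve_identity = resolve_identity
        self.block_after = block_after
        self.block_seconds = block_seconds
        self.failures = {}          # src_ip -> count of discarded session requests
        self.log = []               # log information 50 for the logging device 42

    def _first_match(self, identity, dst_ip):
        for r in self.rules:        # first matching rule wins; wildcard goes last
            if r.identity in (None, identity) and r.dst_ip in (None, dst_ip):
                return r
        return None

    @staticmethod
    def _auth_info(identity, pkt):
        # Constructed placeholder for the authentication processing information
        # (the bidirectional identity token); NOT the TAC token format.
        material = f"{identity}|{pkt.src_ip}:{pkt.src_port}->{pkt.dst_ip}:{pkt.dst_port}"
        return {"token": hashlib.sha256(material.encode()).hexdigest()[:16]}

    def process(self, pkt, context, now):
        """Returns a dict: action, packet, context, auth_info, new_rules."""
        identity = self.resolve_identity(pkt)          # None = not authenticated
        rule = self._first_match(identity, pkt.dst_ip) if identity else None
        action = rule.action if rule else "discard"
        new_rules = []
        result = {"action": "discard", "packet": None, "context": None,
                  "auth_info": None, "new_rules": new_rules}

        if identity is None or action == "discard":
            n = self.failures[pkt.src_ip] = self.failures.get(pkt.src_ip, 0) + 1
            if n >= self.block_after:
                # Expiring block rule: the driver drops further packets itself.
                new_rules.append(PolicyRule("block", pkt.src_ip, now + self.block_seconds))
                self.failures[pkt.src_ip] = 0
        else:
            out = replace(pkt, dst_ip=rule.redirect_to) if action == "redirect" else pkt
            result.update(action="allow", packet=out, context=context,
                          auth_info=self._auth_info(identity, out))

        self.log.append({"time": now, "src_ip": pkt.src_ip, "identity": identity,
                         "policy": action, "result": result["action"]})
        return result
```

The context dictionary is passed through untouched, which is what lets the driver stay stateless between sending the SYN out and receiving it back.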
- A session descriptor 28 contains session information from the TCP header 14 in the IP packet 12.
- A session descriptor 28 also contains the identity 22 that was authenticated.
- The session descriptor 28 also contains authentication processing information that enables the peer authentication driver 46 to properly respond to authenticated sessions.
- The session descriptor 28 may also contain context information and information about the network interface 49 on which the IP packet 12 was originally received.
- The peer authentication driver 46 adds the session descriptor 28 to the authenticated session table 30 and then sends the IP packet 12 to the TCP/IP protocol stack 32 at 138.
- An example authenticated session table 30 containing session descriptors 28 is shown below:
- When the TCP/IP protocol stack 32 sends an IP packet 12, it is received by the peer authentication driver 46 at 140. At 142, the IP packet 12 is compared against the authenticated session table 30.
- If a matching session descriptor 28 is found, authenticated session processing uses the authentication processing information in the session descriptor 28 to properly respond to authenticated sessions.
- The authentication processing information includes the TAC bidirectional identity token used to communicate bidirectional authentication.
- The TAC bidirectional identity token is provided to the peer authentication driver 46 by the authentication device 18.
- In either case, the IP packet 12 is then sent to the network device driver 48 at 146.
- When an authentication device 18 sends a policy rule 26 to the peer authentication driver 46, it is received by the peer authentication driver 46 at 150.
- The peer authentication driver 46 then inserts the policy rule 26 into the second table of policy rules 36 at 152.
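The peer authentication driver's four flows (FIG. 6: policy table 36, TCP SYN hand-off with context, session table 30 lookup; FIG. 8: recording the session descriptor 28 and delivering the authenticated SYN; FIG. 9: outbound packets stamped with the session's authentication processing information; FIG. 10: inserting a received policy rule 26) fit naturally into one small state machine. The following is an added illustration written for this page, not the patent's or any product's code; the class, field and action names, the session key layout, and the use of a token string as the authentication processing information are all assumptions.

```python
"""Peer authentication driver 46 modelled on FIGS. 6, 8, 9 and 10
(added illustration; names and structures are assumptions)."""
from dataclasses import dataclass, replace
from typing import Optional

DISCARD, AUTHENTICATE, DELIVER, SEND = "discard", "authenticate", "deliver", "send"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False                # TCP SYN bit 16
    iface: str = "eth0"              # network interface 49 the packet arrived on
    auth_token: Optional[str] = None  # stamped on outbound authenticated traffic

    def session_key(self):           # the TCP session as seen inbound
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self):           # the same session as seen outbound
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class PolicyRule:
    """Entry of the second table of policy rules 36; None fields match anything."""
    action: str                      # "block" (discard) or "bypass" (no authentication)
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    iface: Optional[str] = None
    expires_at: Optional[float] = None  # rule expires on its own, no cleanup message

    def matches(self, pkt, now):
        if self.expires_at is not None and now >= self.expires_at:
            return False
        return all(want is None or want == have for want, have in (
            (self.src_ip, pkt.src_ip), (self.dst_ip, pkt.dst_ip), (self.iface, pkt.iface)))


@dataclass
class SessionDescriptor:
    key: tuple
    identity: str
    auth_info: dict                  # authentication processing information
    context: dict
    iface: str


class PeerAuthenticationDriver:
    def __init__(self):
        self.policy_rules = []       # second table of policy rules 36
        self.sessions = {}           # authenticated session table 30

    def receive_from_network(self, pkt, now):
        """FIG. 6: policy rules first, then SYN hand-off, then session lookup."""
        for rule in self.policy_rules:
            if rule.matches(pkt, now):
                return (DISCARD if rule.action == "block" else DELIVER), pkt, None
        if pkt.syn:
            # Context rides along to the authentication device and comes back
            # with the packet, so nothing about this SYN is stored here.
            return AUTHENTICATE, pkt, {"iface": pkt.iface}
        if pkt.session_key() in self.sessions:
            return DELIVER, pkt, None
        return DISCARD, pkt, None

    def receive_from_auth_device(self, pkt, identity, auth_info, context):
        """FIG. 8: create the session descriptor, then deliver the SYN to the stack."""
        desc = SessionDescriptor(pkt.session_key(), identity, dict(auth_info),
                                 dict(context), context.get("iface", pkt.iface))
        self.sessions[desc.key] = desc
        return DELIVER, pkt, desc

    def receive_from_stack(self, pkt):
        """FIG. 9: outbound packets always go out; authenticated ones are stamped."""
        desc = self.sessions.get(pkt.reverse_key())
        if desc is None:
            return SEND, pkt
        return SEND, replace(pkt, auth_token=desc.auth_info.get("token"))

    def receive_policy_rule(self, rule, now):
        """FIG. 10: insert the rule, dropping any rules that have already expired."""
        self.policy_rules = [r for r in self.policy_rules
                             if r.expires_at is None or r.expires_at > now]
        self.policy_rules.append(rule)
```

Two points worth noticing: a non-SYN packet with no matching session descriptor is discarded rather than authenticated, so mid-stream packets from an unauthenticated peer never reach the stack; and the expiry check lives inside the rule, so a block rule the authentication device pushed down stops matching on its own once its time is up.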
- The apparatus that performs peer authentication is varied and diverse.
- The peer authentication driver 46 is usually implemented as a software module that is loaded or linked into an operating system.
- The peer authentication driver 46 may be created using software or firmware and may also be offloaded to a separate processing module where the functionality is provided by software, firmware, hardware or a combination of these.
- The peer authentication driver 46 may also reside within a hypervisor, providing authentication services to multiple operating system instances.
- The hypervisor functionality may also be implemented as software or firmware and may also be implemented as a separate processing module where the functionality of the hypervisor and the peer authentication driver 46 is provided by software, firmware, hardware or a combination of these.
- The authentication device 18 is a network connected device that may be created as a physically separate appliance.
- The authentication device 18 may also be created as a virtual appliance that operates within a hypervisor environment. Both the physical appliance and the virtual appliance may be constructed using software, firmware or hardware or a combination of these. In the case of a virtual appliance with hardware offload, some functions provided by the authentication device 18 may be offloaded to hardware offload devices available within the virtual environment.
- The apparatus that performs peer authentication may be used in communications devices, security devices, network routing devices, application routing devices, service delivery devices and other devices that are enabled by the addition of the efficient authentication of identity 22 and the application of network policy based on that identity 22.
Abstract
Methods to enforce network policy based on identity authentication at a network endpoint device by offloading the authentication to a network attached authentication device are disclosed. The authentication device may use Statistical Object Identification to perform the authentication. The present invention greatly reduces the resources needed by the network endpoint device to perform the authentication and eliminates the topological restrictions found in traditional network appliance based approaches.
Description
- The Present Patent Application is a Continuation-in-Part Application, and is related to Pending Parent Application U.S. Ser. No. 13/987,747 filed on 27 Aug. 2013; and to U.S. Pat. Grant No. 8,572,697 filed 18 Nov. 2011. In accordance with the provisions of Sections 119 &120 of Title 35 of the United States Code of Laws, the Applicant hereby claims the benefit of priority for any and all subject matter that is commonly disclosed in U.S. Ser. No. 13/987,747, U.S. Pat. No. 8,572,697, and in the Present Application.
- None.
- The present invention pertains to methods for efficiently and securely authenticating the Identity of network traffic in arbitrary network topologies using statistical object identification.
- Organizations that use computers and computer networks continue to work on improving the security of both the networks and the computers themselves. Some security technologies are most effective when implemented directly on the computer. Historically, some security functions have been deployed as network devices, to allow a single device to provide security for multiple computers. Each of these approaches has pros and cons.
- For security technologies deployed directly on each computer, called an “endpoint solution,” the technology uses the resources of the endpoint computer including CPU processor cycles, memory and network bandwidth. For some security technologies, this use of endpoint resources can be substantial. Additionally, some security technologies require the distribution of cryptographic keys to every participating entity. When keys are widely distributed, the protection of those keys becomes more difficult to maintain.
- In large organizations, often with many independent departments, networks and computer services may be added and organically grown without centralized planning, leading to network resources being deployed somewhat arbitrarily throughout the network. These network resources may have multiple network interfaces. When attempting to enforce network security policies, the lack of planning often leads to a lack of achievable policy enforcement points that do not adversely impact network and resource performance without the wholesale re-architecture of the network and the redeployment of the network resources. This can be exceedingly costly, in both dollars and time.
- For policy enforcement points and security technologies deployed on a network appliance, the appliance may become a bottleneck and impact the performance of traffic flowing through it. Network security appliances also have a network topology requirement that the traffic must pass through the appliance for it to provide any security functions. For computers communicating with one another on a single LAN or network subnet, this topology requirement is often unachievable. When a computer has multiple network interfaces, this further complicates the network topology and complicates consistent implementation of security functions.
- An analogy to this in the physical world is a building with a security guard at the entrance checking everyone's driver's license, their identity, to ensure that they have business in the building. If there are very few visitors to each building, then each security guard may not be busy most of the time. Instead of having a security guard at each building that is being protected, some of the buildings may have a camera and a mechanism to remotely unlock the door. A security guard, at a location remote from the building being entered, sees the person wishing to enter the building, can see their driver's license, and lets the person in by sending a signal to the door unlock mechanism. This is analogous to what the present invention does within a network of computers.
- A method to enable endpoint security that utilizes a security appliance which does not need to be in the network data path would constitute a major technological advance, and would satisfy long felt needs and aspirations in the cyber security industry.
- The present invention has two components: a peer authentication driver and an authentication device. The peer authentication driver, installed on a network endpoint device, provides network identity authentication by monitoring incoming IP packets for the TCP SYN bit and securely sending those IP packets to an authentication device for authentication. The authentication device performs authentication and, if successfully authenticated, securely sends the IP packet and additional authentication information back to the peer authentication driver for delivery to the endpoint's TCP/IP stack. The authentication device may use Statistical Object Identification (SOI) or Transport Access Control (TAC) to perform the authentication. All subsequent IP packets belonging to the same TCP session are delivered directly to the endpoint's TCP/IP stack.
- FIG. 1 is an illustration of three buildings and three security officers.
- FIG. 2 is an analogy of the present invention.
- FIG. 3 is an analogy of the present invention.
- FIG. 4 is an illustration of an IP packet.
- FIG. 5 is an illustration of a TCP header.
- FIG. 6 is Flowchart 1 of the present invention, which describes the processing of an IP packet received from a remote network device.
- FIG. 7 is Flowchart 2 of the present invention, which describes the processing of an IP packet by an authentication device.
- FIG. 8 is Flowchart 3 of the present invention, which describes the processing of an IP packet from an authentication device.
- FIG. 9 is Flowchart 4 of the present invention, which describes the processing of an IP packet received from the network endpoint device's TCP/IP protocol stack.
- FIG. 10 is Flowchart 5 of the present invention, which describes the processing of a rule received from the authentication device.
- FIG. 11 is an architectural depiction of the present invention in a network endpoint device.
- FIG. 12 is an architectural depiction of the present invention in a network endpoint device, showing the flow of an IP packet with a TCP header containing the TCP SYN bit coming from a remote network device and being sent to an authentication device.
- FIG. 13 is an architectural depiction of the present invention in a network endpoint device, showing an alternate flow of an IP packet with a TCP header containing the TCP SYN bit coming from a remote network device and being sent to an authentication device.
- FIG. 14 is an architectural depiction of the present invention in a network endpoint device, showing the flow of an IP packet with a TCP header matching a session descriptor coming from a remote network device and being delivered to the TCP/IP protocol stack.
- FIG. 15 is an architectural depiction of the present invention in a network endpoint device, showing the flow of a rule coming from an authentication device and being delivered to the peer authentication driver.
- FIG. 16 is an architectural depiction of the present invention in a network endpoint device, showing an alternate flow of a rule coming from an authentication device and being delivered to the peer authentication driver.
- FIG. 17 is an architectural depiction of the present invention in a network endpoint device, showing the flow of an IP packet coming from the TCP/IP protocol stack and being sent to a remote network device.
- FIG. 18 is a topological depiction of the present invention in an operating context.
- FIG. 19 is a topological depiction of the present invention in an operating context, showing the flow of an IP packet with a TCP header containing the TCP SYN bit coming from a remote network device.
- FIG. 20 is a topological depiction of the present invention in an operating context, showing the flow of an IP packet with a TCP header containing the TCP SYN bit being sent from a network endpoint device to an authentication device.
- FIG. 21 is a topological depiction of the present invention in an operating context, showing the flow of an IP packet with a TCP header containing the TCP SYN bit being sent from an authentication device back to a network endpoint device.
- FIG. 22 is a topological depiction of the present invention in an operating context, showing the flow of IP packets with their TCP headers matching a session descriptor between a remote network device and the network endpoint device.
- FIG. 23 is a topological depiction of the present invention in an operating context, showing the authentication device sending log information to a logging device.
- An analogy of the present invention is a set of buildings 2 protected by a security officer 4, which is shown in FIG. 1. The security officer's 4 job is to inspect the driver's license, the identity, of each person that enters the building 2 and determine if they have business in the building 2 before letting them proceed. If the building 2 does not get many visitors, then the security officer 4 will not be very busy. To get better use from the security officer 4, security cameras 5 are placed at the entrance of some of the buildings 2, as shown in FIG. 2. A security officer 4 is no longer needed at the buildings 2 with a security camera 5. The security officer 4 can see a person arriving at the building 2 and the identity, in the form of a driver's license, as an image 7 on a security monitor 6. Once the person has proven who they are and the security officer 4 has determined that they have business in the building 2, the security officer 4 sends a door unlock signal 8 to open the door and let the person in, as shown in FIG. 3. Although different in the identities used, the authentication mechanisms employed and the resources protected, this is analogous to the present invention.
- The present invention provides a mechanism to enforce network policy based on identity authentication at a network endpoint device 10 by offloading the authentication process to a remote authentication device 18. An IP packet 12 is shown in FIG. 4. By only sending those IP packets 12 that may contain identity 22 information to the authentication device 18, the network traffic flow between the remote network device 11 and the network endpoint device 10 is maintained once the TCP session initiation has been authenticated. This is particularly important when both the network endpoint device 10 and the remote network device 11 are located on the same LAN segment or network subnet, as two devices on the same LAN or subnet often communicate directly with each other, their traffic being processed by a local network switch. In this environment, known as a peering environment, it is often not possible to have a network appliance performing security functions such as authentication in the traffic path. The present invention allows the use of an authentication device 18 without requiring that it be inserted directly into the network traffic path between two peering devices, hence the name Peer Authentication.
- When a network endpoint device 10 receives an IP packet 12 with a TCP header 14 with the TCP SYN bit 16 set, this indicates that a remote network device 11 is requesting the establishment of a TCP session. A TCP header 14 is shown in FIG. 5. The sender, in this case the remote network device 11, can be authenticated using a process called Transport Access Control (TAC). When a large number of identities 22 are in use, the TAC process may consume a large amount of compute and memory resources. To prevent the TAC process from consuming those resources on every network endpoint device 10, the TAC process can be offloaded to an authentication device 18. This authentication device 18 can process authorization requests from many network endpoint devices 10.
- Other authentication mechanisms may employ statistical object identification (SOI) to perform the authentication. Similarly to TAC, when large numbers of identities 22 are in use, the SOI process may consume a large amount of compute and memory resources. The SOI process can be offloaded to an authentication device 18 which performs authentication on behalf of many network endpoint devices 10.
- When a network endpoint device 10 receives an IP packet 12 requesting the establishment of a TCP session, the request is sent to an authentication device 18. After authenticating the IP packet 12, the authentication device 18 returns the IP packet 12 with any additional information needed for processing, and the IP packet 12 is delivered to the TCP/IP protocol stack 32, establishing the TCP session. Subsequent IP packets 12 that are part of the same TCP session are delivered directly to the TCP/IP protocol stack 32.
- In a preferred embodiment, which is illustrated in FIG. 6, the peer authentication driver 46, which resides between the TCP/IP protocol stack 32 and the network device driver 48, may be assisted by a peer authentication management application 44. The peer authentication management application 44 is an application that establishes secured communications between the network endpoint device 10, the authentication device 18, and the peer authentication driver 46. The peer authentication management application 44 conveys the network endpoint's identity to the authentication device 18. A preferred mechanism for conveying this identity is to establish a secure tunnel to the authentication device 18, using the network endpoint device's 10 X.509 certificate to establish the secure tunnel. The peer authentication management application 44 is responsible for communicating IP packets 12, policy rules 26 and other information between these entities.
- Statistical Object Identity (SOI) is described in U.S. Pat. No. 8,572,697, entitled Method for Statistical Object Identification, and in U.S. Ser. No. 13/987,747, entitled Method for Statistical Object Identification. The Applicants hereby incorporate both of these documents by reference.
- One limitation of current information networks is that it is difficult to verify or approve a communication before the communication has been allowed to penetrate a network. One reason for this difficulty is that the means of verification, called a “certificate,” is too large to send to the network in the initial set of digital information that initiates the communication and ultimately leads to an authentication.
- Statistical Object Identity (SOI) solves this problem by converting the certificate used to authenticate the communication into a much smaller “statistical object,” so that the reduced information can be checked before the communication is allowed to proceed. SOI allows the network to determine the identity of the initiator of the communication before the communication is given access to the network. This method provides a security feature that substantially eliminates potentially detrimental and malicious attacks that could be perpetrated on the network using conventional technology.
- SOI operates by using an identity certificate as the original object and having a sender communicate a stream of statistical objects, derived from the original object, to a communications receiver. The communications receiver aggregates the received statistical objects until an original object is unambiguously determined and the calculated probability satisfies a trusted probability threshold. If the communications receiver fails to unambiguously determine the original object, or if the calculated probability fails to satisfy the probability threshold, the original object, and thus the identity, is not recognized. The receiver then signals either the identity determined by SOI or the lack of an identity.
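The aggregation described above, as an added illustrative model and not the algorithm of the incorporated SOI patents: the receiver keeps the set of enrolled identities that are still consistent with every sample seen, declares an identity only when exactly one candidate remains and the chance that an unrelated object would have matched all samples is at or below a trusted threshold, and declares no identity when the candidate set empties or the stream contradicts itself. The sampling scheme (random bytes of the certificate's SHA-256 fingerprint), the threshold value, the sample cap and the certificate stand-ins are all assumptions of this example.

```python
"""Toy model of Statistical Object Identity (SOI): added example, not the
patented algorithm. Assumptions (mine, not the page's): the "original
object" is an identity certificate, each "statistical object" is one
randomly chosen byte of its SHA-256 fingerprint tagged with its position,
and the receiver knows the fingerprints of all enrolled identities."""
from __future__ import annotations

import hashlib
import random

TRUSTED_THRESHOLD = 2.0 ** -64   # assumed trusted probability threshold
MAX_SAMPLES = 64                 # assumed attack threshold: give up after this many samples


def fingerprint(original_object: bytes) -> bytes:
    """The reduced form of the certificate that samples are drawn from."""
    return hashlib.sha256(original_object).digest()


def statistical_objects(original_object: bytes, rng: random.Random):
    """Sender side: an endless stream of (position, byte) samples."""
    fp = fingerprint(original_object)
    while True:
        i = rng.randrange(len(fp))
        yield (i, fp[i])


class SoiReceiver:
    """Receiver side: aggregates samples until exactly one enrolled identity
    is consistent with them and the chance of a false match is small."""

    def __init__(self, registry: dict[str, bytes]):
        self.registry = {name: fingerprint(obj) for name, obj in registry.items()}
        self.samples: dict[int, int] = {}   # position -> byte value seen
        self.conflict = False

    def receive(self, sample: tuple[int, int]) -> tuple[str, str | None]:
        i, value = sample
        if self.samples.get(i, value) != value:
            self.conflict = True             # same position, different byte: bogus stream
        self.samples[i] = value
        return self.status()

    def candidates(self) -> list[str]:
        return [name for name, fp in self.registry.items()
                if all(fp[i] == v for i, v in self.samples.items())]

    def false_match_probability(self) -> float:
        # An unrelated fingerprint agrees with n distinct sampled bytes with
        # probability 256^-n (digest bytes modelled as uniform and independent).
        return 256.0 ** -len(self.samples)

    def status(self) -> tuple[str, str | None]:
        if self.conflict:
            return ("no-identity", None)
        cands = self.candidates()
        if not cands:
            return ("no-identity", None)      # no enrolled object fits the samples
        if len(cands) == 1 and self.false_match_probability() <= TRUSTED_THRESHOLD:
            return ("identified", cands[0])   # unambiguous and above the trusted threshold
        return ("undetermined", None)


def identify(registry: dict[str, bytes], presented: bytes, seed: int = 1):
    """Run the exchange end to end; returns (status, identity, samples_used)."""
    rng = random.Random(seed)
    receiver = SoiReceiver(registry)
    for n, sample in enumerate(statistical_objects(presented, rng), start=1):
        status, name = receiver.receive(sample)
        if status != "undetermined" or n >= MAX_SAMPLES:
            return (status, name, n)


# Constructed sample data: stand-ins for DER-encoded certificates.
REGISTRY = {"alice": b"cert:alice:serial=1001", "bob": b"cert:bob:serial=1002"}

if __name__ == "__main__":
    print(identify(REGISTRY, REGISTRY["alice"]))
    print(identify(REGISTRY, b"cert:mallory:serial=9999"))
```

With a 2^-64 threshold the receiver needs at least eight distinct sampled bytes before it will name anyone, an unenrolled certificate is rejected as soon as a sample rules out every candidate, and a stream that contradicts itself is treated as no identity rather than as a partial match.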
- Transport Access Control (TAC) is described in U.S. Pat. No. 8,346,951, entitled Method for First Packet Authentication. The Applicants hereby incorporate this document by reference.
- TAC provides a mechanism to authenticate a network-connected device on the first packet of a TCP session request. TAC enables a network-connected device to authorize a received TCP connection request without relying solely on an initiator's IP address. If the authorization is successful, then the connection establishment process is continued. If the authorization fails, the request is “black-holed”: it is silently dropped, with no SYN/ACK or RST returned, even though there is an application associated with the TCP port in the connection request. This protects against TCP port scanning and network reconnaissance.
- The authentication mechanism uses various fields in the IP and TCP headers in the TCP connection request. All of these fields have a primary function that is defined in the IP and TCP specifications. The use of existing fields to pass an authorization key is necessary because the TCP protocol specification does not provide a mechanism to pass user data on a TCP connection request.
- The goal of TAC is to enable an authentication mechanism that functions using only the fields in the IP and TCP headers that are normally present in the TCP connection establishment request. Within the IP and TCP headers there are fields that have strictly defined meanings that do not allow any additional encoding, because this would alter the functionality of the IP and/or TCP protocols. Examples of such fields are the Source Address, Destination Address, Checksum, Source Port and Destination Port fields.
- Within the TCP header, on a connection request (TCP SYN), the 32-bit Sequence Number (SEQ) field specifies the initial sequence number from which subsequent data octets are numbered. Later TCP specifications recommend that this number be randomly generated, so a value chosen by the initiator does not disturb the protocol.
- A remote network device 11 (the TCP session initiator) generates an authorization key, referred to here as an identity token. The initiator then sends a TCP connection request to the desired network-connected device, inserting the authorization key in the SEQ field of the TCP header 14. The receiving device, upon receiving the connection request, extracts the authorization key. The receiving device then processes the authorization key to authenticate it. Because the SEQ field is 32 bits wide, a single token carries at most 32 bits, so the receiving device must also bound guessing and replay of tokens.
- TAC provides methods for concealing the existence of a device connected to a computer network, or concealing the existence of certain applications running on a device connected to a computer network. This concealment works by authorizing a TCP connection request using an authorization key embedded within the TCP connection request.
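The SYN/SYN-ACK exchange described above, as an added example that is not the incorporated TAC patent's own key derivation: the initiator builds a raw TCP header whose SEQ field is a 32-bit token, the receiver extracts and verifies it or black-holes the request, and on success answers with a SYN/ACK whose own SEQ carries the bidirectional token. The derivation (leading four bytes of HMAC-SHA256 over direction, the two addresses, the port and a 30-second time slot under a shared key), the acceptance of the previous slot for clock skew, and the addresses and key are assumptions of this example.

```python
"""Added example of a TAC-style first-packet identity token (not the patented
method's key derivation). Assumptions, mine and not the page's: the 32-bit
token is the leading four bytes of HMAC-SHA256 over (direction, initiator IP,
responder IP, responder port, 30-second time slot) under a key both sides
share; the receiver also accepts the previous slot to absorb clock skew; the
SYN/ACK carries the bidirectional token in its own SEQ field."""
from __future__ import annotations

import hashlib
import hmac
import socket
import struct

SLOT_SECONDS = 30
SYN, ACK = 0x02, 0x10
TCP_HDR = "!HHIIHHHH"   # src port, dst port, seq, ack, offset/flags, window, checksum, urgent


def tac_token(key: bytes, ip_a: str, ip_b: str, port: int, slot: int, direction: bytes) -> int:
    """32-bit token: it fills the SEQ field, so its strength is bounded by the
    field width and must be backed by slot expiry and the bidirectional token."""
    msg = direction + socket.inet_aton(ip_a) + socket.inet_aton(ip_b) + struct.pack("!HQ", port, slot)
    return struct.unpack("!I", hmac.new(key, msg, hashlib.sha256).digest()[:4])[0]


def build_tcp_header(src_port: int, dst_port: int, seq: int, ack: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header (data offset 5); checksum is left to the stack."""
    return struct.pack(TCP_HDR, src_port, dst_port, seq, ack, (5 << 12) | flags, 65535, 0, 0)


def parse_tcp_header(hdr: bytes) -> dict:
    src_port, dst_port, seq, ack, off_flags, *_ = struct.unpack(TCP_HDR, hdr[:20])
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF}


def initiator_syn(key: bytes, src_ip: str, dst_ip: str, src_port: int, dst_port: int, now: float) -> bytes:
    """Remote network device 11: put the identity token where the ISN would go."""
    token = tac_token(key, src_ip, dst_ip, dst_port, int(now) // SLOT_SECONDS, b"SYN")
    return build_tcp_header(src_port, dst_port, seq=token, ack=0, flags=SYN)


def receiver_check(key: bytes, src_ip: str, dst_ip: str, syn_hdr: bytes, now: float) -> bytes | None:
    """Receiving device: authenticate on the first packet. Returns the SYN/ACK
    header on success, or None, meaning the request is black-holed (no RST)."""
    f = parse_tcp_header(syn_hdr)
    if not (f["flags"] & SYN) or (f["flags"] & ACK):
        return None
    slot = int(now) // SLOT_SECONDS
    for s in (slot, slot - 1):                       # current slot, then one slot of skew
        expected = struct.pack("!I", tac_token(key, src_ip, dst_ip, f["dst_port"], s, b"SYN"))
        if hmac.compare_digest(expected, struct.pack("!I", f["seq"])):
            bi_token = tac_token(key, dst_ip, src_ip, f["src_port"], s, b"SYNACK")
            return build_tcp_header(f["dst_port"], f["src_port"], seq=bi_token,
                                    ack=(f["seq"] + 1) & 0xFFFFFFFF, flags=SYN | ACK)
    return None


def initiator_check_synack(key: bytes, src_ip: str, dst_ip: str, src_port: int,
                           synack_hdr: bytes, now: float) -> bool:
    """Bidirectional authentication: the initiator verifies the responder's token."""
    f = parse_tcp_header(synack_hdr)
    if (f["flags"] & (SYN | ACK)) != (SYN | ACK) or f["dst_port"] != src_port:
        return False
    slot = int(now) // SLOT_SECONDS
    got = struct.pack("!I", f["seq"])
    return any(hmac.compare_digest(struct.pack("!I", tac_token(key, dst_ip, src_ip, src_port, s, b"SYNACK")), got)
               for s in (slot, slot - 1))
```

Binding the token to the addresses, the port and a time slot is what keeps a 32-bit value useful: a captured SYN cannot be replayed from another source or after the slot closes, and a failed check produces no response at all, which is the concealment property the text describes. The trade-off is that the responder's initial sequence number on the SYN/ACK is now a token rather than the random value TCP recommends; it is still unpredictable to anyone without the key.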
- Arbitrary Network Topology—Without regard to the layout of devices on a network.
- Authentication—The process of verifying the authenticity of a presented identity credential.
- Authentication Device—A device that performs authentication.
- Authentication Processing Information—Information provided by an authentication device to a second entity which enables the second entity to complete the authentication process. In the case of TAC, the authentication device provides a second Identity token which is used for bidirectional authentication on the TCP SYN/ACK transaction.
- Authenticated Session Table—A table containing session descriptors of TCP sessions that have been authenticated.
- Authenticated Session Processing—Authenticated session processing uses authentication processing information to properly respond to authenticated sessions. In the case of TAC, the authentication session processing inserts a bidirectional identity token into TCP SYN/ACK transaction.
- Bidirectional Authentication—Authentication that occurs between two parties where each party is authenticated. This is in contrast to unidirectional authentication where only one party is authenticated.
- Connection—A logical pairing of two devices that enable them to communicate. A connection utilizes a series of packets to accomplish this. A TCP connection is an example of a connection.
- Connection Request—A request by one device to another device to create a connection.
- Context Information—Information that allows the peer authentication driver to process the response from the authentication device without requiring the peer authentication driver to save any state regarding the IP packet. Context information will be returned by the authentication device with the IP packet once the IP packet has been authenticated.
- Device—A device is any object that is capable of being attached or connected to and communicating on a network. Examples of devices include computers, servers, clients, laptops, PDAs, cell phones, smart phones, network appliances, storage systems, virtual appliances, switches, routers, load balancers, caches, intrusion detection systems, VPNs, authentication devices, intrusion prevention systems, and firewalls.
- Endpoint—Any network device that has an IP address and the ability to perform TCP/IP protocol processing.
- Endpoint Security—Security processing performed on an endpoint. This may include identity credential authentication, access authorization, policy enforcement, behavioral analysis, logging and other security related actions and behaviors.
- Hypervisor—In virtualization technology, a hypervisor is a software program that manages multiple operating systems (or multiple instances of the same operating system) on a single computer system.
- Identity—The fact of being who or what a person or thing is.
- Identity Credential—An object that is verified when presented to the verifier in an authentication transaction. Identity Credentials may be bound in some way to the individual or device to whom they were issued.
- IP—IP is the Internet Protocol, a data-oriented protocol used by devices to communicate across a packet-switched network. IP information is carried by an IP header in an IP packet. The IP header contains device address information and protocol control information; the remainder of the packet carries the user data.
- Logging Device—A device that receives and processes logs from other devices, often for purposes of aggregation, storage, display, data mining or analytics.
- Network—A network is a collection of computers, servers, clients, routers and devices that are connected together such that they can communicate with each other. The Internet is an example of a network.
- Network Appliance—A fixed-function device attached to a network for the purpose of performing a set of functions such as computational, storage, networking or security functions.
- Network Device Driver—A software module that communicates with a network interface. A network device driver is responsible for customizing the interactions to and from a specific network interface.
- Network Interface—The physical or logical boundary between a network and a device. A network interface is responsible for formatting the network frames or packets as appropriate for the network medium. Many devices have multiple network interfaces.
- Network Policy—The rules governing network and network connected device access. A network policy describes what network devices can access other networks and network devices. Network policy is often applied at policy enforcement points or at an endpoint.
- Network Topology—The physical or logical layout of devices on a network. Every network has a topology, or the way that the devices on a network are arranged and how they communicate.
- Peer authentication driver—A software module that enables the authentication of network traffic using an authentication appliance.
- Peering Environment—A network environment where two endpoints communicate with each other without traversing a common policy enforcement point.
- Peer Authentication Management Application—A software module that assists the peer authentication driver. The peer authentication management application is usually instantiated as an application and communicates with an authentication device on behalf of the peer authentication driver. The peer authentication management application provides management and communications services for the peer authentication driver.
- Physical Appliance—A network appliance where the appliance functionality is rendered in physical hardware and software. Compare against a virtual appliance where the appliance functionality is rendered solely in software.
- Policy Enforcement Point (PEP)—In networking, a chokepoint where network policy is enforced.
- Remote Network Device—One of the pair of devices that forms a connection. Connections involve pairs of devices; the remote network device is the half of the pair that is remote from the device under discussion.
- Session Descriptor—A data structure that describes the TCP session (source IP address, source TCP port, destination IP address, destination TCP port), context information and authentication processing information.
- SOI—Statistical Object Identification. A method of communicating a statistical representation of an original object.
- SSL—Secure Sockets Layer. A security protocol originally defined by Netscape and since superseded by TLS, its successor standardized by the Internet Engineering Task Force (IETF).
- TAC—Transport Access Control. A method of determining identity on the first packet of a TCP session.
- TAC Bidirectional Identity Token—A TAC Identity token that is communicated during TCP SYN/ACK processing.
- TCP—TCP is the Transmission Control Protocol. Using TCP, networked devices can create connections to one another, over which they can send data. The TCP protocol ensures that data sent by one endpoint will be received in the same order by the other, and without any pieces missing. The TCP protocol also distinguishes data for different applications (such as a Web server and an email server) on the same device.
- TCP SYN/ACK Processing—The response by a TCP/IP protocol stack upon receiving a TCP SYN to establish a TCP session. This is performed in accordance with the TCP specification.
- TCP SYN Bit—A control bit within the TCP header that indicates a request for TCP session establishment.
- TCP Session Initiation—The process of establishing a TCP session. This is performed in accordance with the TCP protocol specification.
- TLS—Transport Layer Security. A security protocol defined by the Internet Engineering Task Force (IETF).
- Virtual Appliance—A network appliance where the appliance functionality is rendered solely in software. Compare against a physical appliance where the appliance functionality is rendered in physical hardware and software.
- FIGS. 1, 2 and 3 depict prior art which is used as an analogy to help explain the present invention.
- FIG. 1 is an illustration of three buildings 2, each protected by a security officer 4.
- FIG. 2 is an analogy of the present invention, showing two buildings 2 with security cameras 5, and a building 2 with a security officer 4 and a security monitor 6. An image 7 from the security camera 5 is shown on the security monitor 6.
- FIG. 3 is an analogy of the present invention, showing two buildings 2 with security cameras 5, and a building 2 with a security officer 4 and a security monitor 6. The security officer 4 is sending a door unlock signal 8 to one of the buildings 2.
- FIG. 4 is an illustration of an IP packet 12, including a TCP header 14.
- FIG. 5 is an illustration of a TCP header 14 and shows the location of the TCP SYN bit 16.
- FIG. 6 is a flowchart of the present invention which describes processing of an IP packet 12 by a peer authentication driver 46.
- FIG. 7 is a flowchart of the present invention which describes processing of an IP packet 12 by an authentication device 18.
- FIG. 8 is a flowchart of the present invention which describes processing of an authenticated IP packet 12 containing TCP SYN bit 16 by a peer authentication driver 46.
- FIG. 9 is a flowchart of the present invention which describes processing of an IP packet 12 received from a TCP/IP protocol stack 32 by a peer authentication driver 46.
- FIG. 10 is a flowchart of the present invention which describes processing of a policy rule 26 received from an authentication device 18 by a peer authentication driver 46.
- FIG. 11 is an architectural depiction of the present invention in a network endpoint device 10. A network interface 49 conveys packets between a network (not shown) and the network device driver 48. The network device driver 48 processes packets and conveys packets and information between the network interface 49 and the peer authentication driver 46. The peer authentication driver 46 performs authentication or causes authentication to be performed. The peer authentication driver 46 conveys packets and information between the network device driver 48, the TCP/IP protocol stack 32 and the peer authentication management application 44. The TCP/IP protocol stack 32 performs TCP/IP processing and conveys packets and information between the peer authentication driver 46, the peer authentication management application 44 and other applications. The peer authentication management application 44 provides management and communications services for the peer authentication driver 46. The peer authentication management application 44 conveys packets and information between the peer authentication driver 46 and the TCP/IP protocol stack 32.
- FIG. 12 is an architectural depiction of the present invention in a network endpoint device 10, showing the flow of an IP packet 12 with a TCP header 14 containing TCP SYN bit 16 being received by a network interface 49, being conveyed to a network device driver 48 and being subsequently conveyed to a peer authentication driver 46. The peer authentication driver 46 sends the IP packet 12 to an authentication device 18 (not shown) by conveying the IP packet 12 to the network device driver 48, which subsequently conveys the IP packet 12 to the network interface 49.
- FIG. 13 is an architectural depiction of the present invention in a network endpoint device 10, showing an alternate flow of an IP packet 12 with a TCP header 14 containing TCP SYN bit 16 being received by a network interface 49, being conveyed to a network device driver 48 and being subsequently conveyed to a peer authentication driver 46. The peer authentication driver 46 sends the IP packet 12 to an authentication device 18 (not shown) by conveying the IP packet 12 to a peer authentication management application 44, which subsequently conveys the IP packet 12 via an established TCP session to the TCP/IP protocol stack 32. The TCP/IP protocol stack conveys the IP packet 12 to the peer authentication driver 46, which subsequently conveys the IP packet 12 to the network device driver 48, which subsequently conveys the IP packet 12 to the network interface 49.
- FIG. 14 is an architectural depiction of the present invention in a network endpoint device 10, showing the flow of an IP packet 12 with a TCP header 14 being received by a network interface 49, being conveyed to a network device driver 48 and being subsequently conveyed to a peer authentication driver 46. The peer authentication driver 46, upon locating a matching session descriptor 28, conveys the IP packet 12 to the TCP/IP protocol stack 32 for processing.
- FIG. 15 is an architectural depiction of the present invention in a network endpoint device 10, showing the flow of a policy rule 26 being received by a network interface 49, being conveyed to a network device driver 48 and being subsequently conveyed to a peer authentication driver 46 for processing.
- FIG. 16 is an architectural depiction of the present invention in a network endpoint device 10, showing an alternate flow of a policy rule 26 being transported within a previously established TCP session. An IP packet 12 containing a TCP header 14 and the policy rule 26 is received by a network interface 49, conveyed to a network device driver 48 and subsequently conveyed to a peer authentication driver 46. The peer authentication driver 46, upon locating a matching session descriptor 28, conveys the IP packet 12 to the TCP/IP protocol stack 32 for processing. The TCP/IP protocol stack 32 performs the protocol processing and conveys the policy rule 26 to the peer authentication management application 44. The peer authentication management application 44 conveys the policy rule 26 to the peer authentication driver 46.
- FIG. 17 is an architectural depiction of the present invention in a network endpoint device 10, showing the flow of an IP packet 12 being generated by the TCP/IP protocol stack 32 and being conveyed to the peer authentication driver 46. The peer authentication driver 46 performs authentication processing and conveys the IP packet 12 to the network device driver 48, which subsequently conveys the IP packet 12 to the network interface 49 to send to its destination.
- FIG. 18 is a topological depiction of the present invention in an operating context. Two remote network devices 11 are connected to a network 20. Also connected to the network 20 are two network endpoint devices 10, a logging device 42 and an authentication device 18.
- FIG. 19 is a topological depiction of the present invention in an operating context, showing a remote network device 11 conveying an IP packet 12 with a TCP header 14 containing TCP SYN bit 16 via a network 20 to a network endpoint device 10.
- FIG. 20 is a topological depiction of the present invention in an operating context, showing a network endpoint device 10 conveying an IP packet 12 with a TCP header 14 containing TCP SYN bit 16 via a network 20 to an authentication device 18 performing authentication.
- FIG. 21 is a topological depiction of the present invention in an operating context, showing an authentication device 18 conveying an IP packet with a TCP header 14 containing TCP SYN bit 16, after it has been authenticated, to a network endpoint device 10 via a network 20.
- FIG. 22 is a topological depiction of the present invention in an operating context, showing the flow of IP packets 12 with TCP headers 14 not containing TCP SYN bit 16 and matching a session descriptor 28 between a remote network device 11 and the network endpoint device 10 via a network 20.
- FIG. 23 is a topological depiction of the present invention in an operating context, showing the authentication device 18 sending log information 50 to a logging device 42 via a network 20.
- There are two components in endpoint peering: the peer authentication driver 46 and the authentication device 18. The peer authentication driver 46 is installed in a network endpoint device 10, logically inserted between the network device driver 48 and the TCP/IP protocol stack 32. When an IP packet 12 containing a TCP header 14 is received by a network interface 49, it is conveyed to a network device driver 48, which subsequently conveys it to the peer authentication driver 46. At 100, the IP packet 12 is received by the peer authentication driver 46. At 102, the IP packet 12 is compared against a second table of policy rules 36.
- The second table of policy rules 36 allows the authentication device 18 to define policy rules that are implemented by the peer authentication driver 46. An example of a policy rule 26 in the second table of policy rules 36 is a source IP address that is being blocked, so that IP packets 12 matching the source IP address will be discarded. A second example of a policy rule 26 in the second table of policy rules 36 is a destination IP address for which identity is not being authenticated, so that IP packets 12 matching the destination IP address will be forwarded without requiring authentication by the authentication device 18. A network interface 49 can also be specified in a policy rule 26. This allows different policies to be enforced depending upon which network interface 49 an IP packet 12 is received on. An example second table of policy rules 36 is shown below:

| Source IP Address | Source Port | Dest IP Address | Dest Port | Network Interface | Protocol | VLAN | Rule |
|---|---|---|---|---|---|---|---|
| 17.23.21.2 | any | any | any | any | any | any | drop |
| any | any | 21.44.2.11 | any | eth0 | TCP | any | allow |
| any | any | 21.44.2.45 | any | eth2 | TCP | 100 | redirect to 21.4.2.47 |
| 121.32.4.2 | any | any | any | any | any | any | drop |

- After any policy rules have been enforced at 110, the TCP header 14 of the IP packet 12 is checked for the TCP SYN bit 16 at 104. If the TCP SYN bit 16 is set, then the IP packet 12 is sent to the authentication device 18 at 112 for authentication.
- The IP packet 12 being sent to the authentication device 18 may be sent directly by the peer authentication driver 46, or, in an alternate embodiment, the IP packet 12 may be sent to a peer authentication management application 44. The peer authentication management application 44 maintains pre-established TCP/IP sessions with one or more authentication devices 18. The TCP/IP sessions maintained by the peer authentication management application 44 should be protected using TLS, SSL or another cryptographic security protocol to protect information conveyed between the peer authentication management application 44 and the authentication device 18.
- At 112, in addition to sending the IP packet 12 to the authentication device 18, context information may be included with the IP packet 12. Context information is information that allows the peer authentication driver 46 to process the response from the authentication device 18 without requiring the peer authentication driver 46 to save any state regarding the IP packet 12. This context information will be returned by the authentication device 18 with the IP packet 12 once the IP packet 12 has been authenticated. Because the driver keeps no state of its own, it relies on the protected channel to the authentication device 18 to guarantee that the returned context is the one it sent.
- At 112, in addition to sending the IP packet 12 to the authentication device 18, information about the network interface 49 may be included with the IP packet 12.
- At 104, if the TCP SYN bit 16 is not set in the TCP header 14 of the IP packet 12, the IP packet 12 is then compared against an authenticated session table 30 at 106. The authenticated session table 30 contains session descriptors 28. Each session descriptor 28 contains session information for one active TCP session. Each session descriptor 28 also contains the identity 22 that was authenticated to establish the TCP session. The session descriptor 28 also contains authentication processing information that enables the peer authentication driver 46 to properly respond to authenticated sessions. In one embodiment, the authentication processing information includes the TAC bidirectional identity token used to communicate bidirectional authentication. The TAC bidirectional identity token is provided to the peer authentication driver 46 by the authentication device 18. If a session descriptor 28 matching the TCP session in the IP packet 12 is found, at 114, the IP packet is sent to the TCP/IP protocol stack 32.
- If a session descriptor 28 matching the TCP session in the IP packet 12 is not found, at 108, the IP packet is discarded.
- When an authentication device 18 receives an IP packet 12 from a peer authentication driver 46, at 116, it determines, at 118, the identity 22 of the sender of the IP packet 12. A preferred embodiment of determining the identity of the sender on the first packet of a TCP session is by using Transport Access Control (TAC). A second preferred embodiment of determining the identity of the sender on the first packet of a TCP session is by using Statistical Object Identification (SOI). Once the identity 22 has been determined, a policy rule 26 in a first table of policy rules 27 is located that matches the identity 22.
- The first table of policy rules 27 allows the authentication device 18 to define and maintain policy rules 26 based on identity 22. An example of a policy rule 26 in the first table of policy rules 27 is an identity 22 that is allowed to access a specified destination IP address. A second example of a policy rule 26 in the first table of policy rules 27 is an identity 22 matching a specified destination IP address that will be redirected to an alternate IP address. A third example of a policy rule 26 in the first table of policy rules 27 is a wildcard rule that matches any identity 22 and instructs that an IP packet 12 will be discarded. An example first table of policy rules 27 is shown below:

| Identity | Dest IP Address | Dest Port | Protocol | Group | Rule |
|---|---|---|---|---|---|
| John | 121.34.22.15 | any | any | eng | allow |
| Mark | 121.34.21.100 | any | any | corp | redirect to 121.34.21.200 |
| any | 121.34.22.120 | any | any | any | drop |
| none | any | any | any | none | drop |

- Once the identity 22 and the matched policy rule 26 have been determined, the policy rule 26, at 120, is enforced. For example, if the policy rule 26 is “Allow”, then the IP packet 12, at 128, is sent back to the peer authentication driver 46.
- In addition to sending back the IP packet 12 to the peer authentication driver 46, if context information was received with the IP packet 12, then the context information should be returned with the IP packet 12. Additionally, if the peer authentication driver 46 requires additional information to complete the authentication processing, then authentication processing information should also be sent to the peer authentication driver 46.
- At 120, if the policy is “Discard”, then the IP packet 12 is discarded, at 122. The identity 22, the lack of identity, and the associated policy may also be recorded in log information 50 that is sent to a logging device 42.
- A logging device 42 can be any device used for the purpose of collecting, aggregating, processing, analyzing and storing log records. Commonly a logging device 42 is a network-connected device with a large storage capacity and the ability to perform advanced analytics, such as a Hadoop cluster. Less sophisticated logging devices 42 can simply aggregate and store logs sent to them across the network. Splunk is a common software package that runs on logging devices 42.
- At 118, as part of determining identity 22, the receipt of the IP packet 12 in conjunction with the identity determination process may produce policy rules 26 that must be communicated to the peer authentication driver 46. For example, if during SOI processing an attack threshold is reached, the authentication device 18 may want to block all IP packets 12 originating from a certain source IP address for a period of time. Sending a policy rule 26 to the peer authentication driver 46, at 130, allows this to happen without requiring that the authentication device 18 discard all of the corresponding IP packets 12 directly. The policy rule 26 should include an expiration so that it will expire automatically and not require additional coordination or management from the authentication device 18. If no new rules are generated, then no additional processing occurs at 126.
- When the peer authentication driver 46 receives an authenticated IP packet 12 from the authentication device 18 at 132, it creates a session descriptor 28 at 134. A session descriptor 28 contains session information from the TCP header 14 in the IP packet 12. A session descriptor 28 also contains the identity 22 that was authenticated. The session descriptor 28 also contains authentication processing information that enables the peer authentication driver 46 to properly respond to authenticated sessions. The session descriptor 28 may also contain context information and information about the network interface 49 on which the IP packet 12 was originally received.
- At 136, the peer authentication driver adds the session descriptor 28 to an authenticated session table 30 and then sends the IP packet 12 to the TCP/IP protocol stack 32 at 138. An example authenticated session table 30 containing session descriptors 28 is shown below:

| Source | Destination | Protocol | Network Interface | Identity | Context Info | Auth Processing Info |
|---|---|---|---|---|---|---|
| 17.20.3.22:34566 | 46.18.2.201:443 | TCP | eth0 | Mike | 0x1243 | bi-token = 0xd54a2113 |
| 11.17.2.34:16775 | 46.18.2.201:443 | TCP | eth1 | John | 0xcd1a | bi-token = 0x5bc32a14 |
| 17.20.3.22:34576 | 46.18.2.220:80 | TCP | eth0 | Mike | 0xdc32 | bi-token = 0x12cba435 |
| 11.17.2.66:23241 | 46.18.2.100:443 | TCP | eth0 | Dave | 0xbba3 | bi-token = 0xcb34ad56 |

- When the TCP/IP protocol stack 32 sends an IP packet 12, it is received by the peer authentication driver 46 at 140. At 142, the IP packet 12 is compared against an authenticated session table 30.
- If a session descriptor 28 matching the TCP session in the IP packet 12 is found, at 144, authenticated session processing is performed at 148. Authenticated session processing uses authentication processing information in the session descriptor 28 to properly respond to authenticated sessions. In one embodiment, the authentication processing information includes the TAC bidirectional identity token used to communicate bidirectional authentication. The TAC bidirectional identity token is provided to the peer authentication driver 46 by the authentication device 18. After authenticated session processing has been performed, the IP packet 12 is sent to the network device driver 48 at 146.
- If a session descriptor 28 matching the TCP session in the IP packet 12 is not found, at 144, the IP packet 12 is sent to the network device driver 48 at 146.
- When an authentication device 18 sends a policy rule 26 to the peer authentication driver 46, it is received by the peer authentication driver 46 at 150. The peer authentication driver 46 then inserts the policy rule 26 into the second table of policy rules 36 at 152.
- The apparatus that performs peer authentication is varied and diverse. The peer authentication driver 46 is usually implemented as a software module that is loaded or linked into an operating system. The peer authentication driver 46 may be created using software or firmware, and may also be offloaded to a separate processing module where the functionality is provided by software, firmware, hardware or a combination of these. The peer authentication driver 46 may also reside within a hypervisor, providing authentication services to multiple operating system instances. The hypervisor functionality may also be implemented as software or firmware, and may also be implemented as a separate processing module where the functionality of the hypervisor and the peer authentication driver 46 is provided by software, firmware, hardware or a combination of these.
- The authentication device 18 is a network-connected device that may be created as a physically separate appliance. The authentication device 18 may also be created as a virtual appliance that operates within a hypervisor environment. Both the physical appliance and the virtual appliance may be constructed using software, firmware or hardware, or a combination of these. In the case of a virtual appliance with hardware offload, some functions provided by the authentication device 18 may be offloaded to hardware offload devices available within the virtual environment.
- The apparatus that performs peer authentication may be used in communications devices, security devices, network routing devices, application routing devices, service delivery devices and other devices that are enabled by the addition of the efficient authentication of identity 22 and the application of network policy based on that identity 22.
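The flowcharts of FIGS. 6 through 10 carried through in one piece, as an added simulation that is not the patent's code: the driver consults the second table of policy rules (102/110), sends SYNs to the authentication device (112), drops non-SYN packets with no session descriptor (106/108), installs a descriptor with the bidirectional token when an authenticated packet comes back (132 to 138), inserts that token into the outbound SYN/ACK (140 to 148), and accepts timed block rules pushed by the authentication device (130, 150/152), which itself resolves an identity and applies the first table of policy rules (118/120). Identity resolution here is a constructed token-to-name lookup standing in for TAC or SOI; the rule-matching semantics, the omission of the redirect rows and of the VLAN and protocol columns, the attack threshold, the rule lifetime and the bidirectional-token derivation are all assumptions of this example.

```python
"""Added example simulating the peer authentication driver 46 (FIGS. 6, 8, 9, 10) and the
authentication device 18 (FIG. 7); not the patent's code. Assumptions, mine and not the
page's: identity is resolved from a SYN's token through a constructed lookup table instead
of real TAC or SOI processing; rules match first-hit in table order with "any" as wildcard;
redirect rows and the VLAN and protocol columns are omitted; the bi-token derivation is a placeholder."""
from collections import namedtuple
from dataclasses import dataclass

SYN, ACK, ANY = 0x02, 0x10, "any"
BLOCK_AFTER, BLOCK_SECONDS = 3, 60.0   # assumed attack threshold and block-rule lifetime (130)

# iface is the network interface 49 the packet arrived on; seq carries the identity token on a SYN.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port iface flags seq", defaults=("eth0", 0, 0))


@dataclass
class Rule:                            # one row of either policy table
    match: dict
    action: str
    expires_at: float = float("inf")

    def applies(self, fields: dict, now: float) -> bool:
        if now >= self.expires_at:     # an expired rule stops matching on its own
            return False
        return all(v == ANY or fields.get(k) == v for k, v in self.match.items())


def first_match(rules: list, fields: dict, now: float):
    return next((r for r in rules if r.applies(fields, now)), None)


class AuthDevice:
    """FIG. 7: determine identity 22 (118), enforce the first table of policy rules 27 (120)."""

    def __init__(self, identities: dict, first_table: list):
        self.identities, self.first_table, self.failures = identities, first_table, {}

    def authenticate(self, pkt: Packet, context: tuple, now: float) -> dict:
        name, group = self.identities.get(pkt.seq, ("none", "none"))   # token -> (name, group)
        rule = first_match(self.first_table, {**pkt._asdict(), "identity": name, "group": group}, now)
        action = rule.action if rule is not None else "drop"
        reply = {"action": action, "packet": pkt, "context": context, "auth_info": None, "rule": None}
        if action == "allow":              # 128: packet, context and processing info go back
            reply["auth_info"] = {"identity": name, "bi_token": (pkt.seq * 0x9E3779B1) & 0xFFFFFFFF}
            return reply
        n = self.failures[pkt.src_ip] = self.failures.get(pkt.src_ip, 0) + 1
        if n >= BLOCK_AFTER:               # 130: push a timed block rule down to the driver
            reply["rule"] = Rule({"src_ip": pkt.src_ip}, "drop", expires_at=now + BLOCK_SECONDS)
        return reply                       # 122: discarded; nothing is sent back to the stack


class PeerAuthDriver:
    """FIGS. 6, 8, 9, 10: logically between the network device driver 48 and the TCP/IP stack 32."""

    def __init__(self, auth: AuthDevice, second_table: list):
        self.auth, self.second_table = auth, second_table
        self.sessions: dict = {}           # authenticated session table 30, keyed by 4-tuple

    def from_network(self, pkt: Packet, now: float) -> str:
        rule = first_match(self.second_table, pkt._asdict(), now)      # 102 / 110
        if rule is not None and rule.action in ("drop", "allow"):
            return "dropped-by-policy" if rule.action == "drop" else "forwarded-unauthenticated"
        if pkt.flags & SYN:                                            # 104 -> 112
            context = pkt[:4]              # all the driver needs later; no local state kept
            reply = self.auth.authenticate(pkt, context, now)
            if reply["rule"] is not None:                              # 150 / 152
                self.second_table.insert(0, reply["rule"])
            if reply["action"] != "allow":
                return "dropped-by-auth-device"
            info = reply["auth_info"]                                  # 132 .. 138 (FIG. 8)
            self.sessions[reply["context"]] = {"identity": info["identity"],
                                               "iface": reply["packet"].iface,
                                               "bi_token": info["bi_token"]}
            return "delivered-authenticated"
        if pkt[:4] not in self.sessions:                               # 106 / 108
            return "dropped-no-session"
        return "delivered"                                             # 114

    def from_stack(self, pkt: Packet) -> Packet:                       # 140 .. 148 (FIG. 9)
        desc = self.sessions.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if desc is not None and (pkt.flags & (SYN | ACK)) == (SYN | ACK):
            return pkt._replace(seq=desc["bi_token"])                  # bidirectional token in SYN/ACK
        return pkt


# Constructed from the page's example tables (redirect rows omitted).
SECOND_TABLE = [Rule({"src_ip": "17.23.21.2"}, "drop"),
                Rule({"dst_ip": "21.44.2.11", "iface": "eth0"}, "allow"),
                Rule({"src_ip": "121.32.4.2"}, "drop")]
FIRST_TABLE = [Rule({"identity": "John", "dst_ip": "121.34.22.15", "group": "eng"}, "allow"),
               Rule({"dst_ip": "121.34.22.120"}, "drop"), Rule({"identity": "none"}, "drop")]
IDENTITIES = {0xD54A2113: ("John", "eng")}   # constructed token map standing in for TAC/SOI
```

Two details worth noticing: the outbound lookup reverses the four-tuple, because the session descriptor was keyed by the inbound SYN, and the pushed block rule carries its own expiry, so after three failed SYNs from one source the driver stops forwarding that source to the authentication device and resumes on its own once the rule lapses, exactly the coordination-free behaviour the text asks for at 130.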
- Although the present invention has been described in detail with reference to one or more preferred embodiments, persons possessing ordinary skill in the art to which this invention pertains will appreciate that various modifications and enhancements may be made without departing from the spirit and scope of the claims that follow. The various alternatives for providing an efficient means for peer authentication that have been disclosed above are intended to educate the reader about preferred embodiments of the invention, and are not intended to constrain the limits of the invention or the scope of the Claims. The List of Reference Characters which follows is intended to provide the reader with a convenient means of identifying elements of the invention in the Specification and Drawings. This list is not intended to delineate or narrow the scope of the Claims.
- 2 Building
- 4 Security Officer
- 5 Security Camera
- 6 Security Monitor
- 7 Image
- 8 Door Unlock Signal
- 10 Network endpoint device
- 11 Remote network device
- 12 IP packet
- 14 TCP header
- 16 TCP SYN bit
- 18 Authentication device
- 20 Network
- 22 Identity
- 26 Policy rule
- 27 First table of policy rules
- 28 Session descriptor
- 30 Authenticated session table
- 32 TCP/IP protocol stack
- 36 Second table of policy rules
- 42 Logging device
- 44 Peer authentication management application
- 46 Peer authentication driver
- 48 Network device driver
- 49 Network interface
- 50 Log information
- 100 Flowchart 1, Step 1
- 102 Flowchart 1, Step 2
- 104 Flowchart 1, Step 3
- 106 Flowchart 1, Step 4
- 108 Flowchart 1, Step 5
- 110 Flowchart 1, Step 2a
- 112 Flowchart 1, Step 3a
- 114 Flowchart 1, Step 4a
- 116 Flowchart 2, Step 1
- 118 Flowchart 2, Step 2
- 120 Flowchart 2, Step 3
- 122 Flowchart 2, Step 4
- 124 Flowchart 2, Step 5
- 126 Flowchart 2, Step 6
- 128 Flowchart 2, Step 3a
- 130 Flowchart 2, Step 5a
- 132 Flowchart 3, Step 1
- 134 Flowchart 3, Step 2
- 136 Flowchart 3, Step 3
- 138 Flowchart 3, Step 4
- 140 Flowchart 4, Step 1
- 142 Flowchart 4, Step 2
- 144 Flowchart 4, Step 3
- 146 Flowchart 4, Step 4
- 148 Flowchart 4, Step 3a
- 150 Flowchart 5, Step 1
- 152 Flowchart 5, Step 2
Claims (29)
1. A method comprising the steps of:
providing a network endpoint device (10), a remote network device (11), an authentication device (18) and a network (20);
providing at least one network interface (49) at said network endpoint device (10);
receiving an IP packet (12) from said remote network device (11) by said network endpoint device (10) using said network interface (49);
said IP packet (12) including a TCP header (14);
said TCP header (14) including a TCP SYN bit (16);
conveying said IP packet (12) to said authentication device (18) via said network (20);
determining the identity (22) of said IP packet (12) at said authentication device (18);
selecting a policy rule (26);
matching said identity (22) from a first table of policy rules (27);
applying said policy rule (26) to said IP packet (12).
2. A method as recited in claim 1 , in which
conveying context information to said authentication device (18) along with said IP packet (12).
3. A method as recited in claim 1 , in which
conveying said network interface (49) information to said authentication device (18) along with said IP packet (12).
4. A method as recited in claim 1 , in which
said authentication device (18) can be used by a plurality of said network endpoint devices (10) concurrently.
5. A method as recited in claim 1 , in which
said network endpoint device (10) does not save context information regarding said IP packet (12).
6. A method as recited in claim 1 , further comprising the steps of
providing an authenticated session table (30) and a TCP/IP protocol stack (32) at said network endpoint device (10);
conveying said IP packet (12) from said authentication device (18) to said network endpoint device (10) via said network (20);
creating a session descriptor (28) in said authenticated session table (30); and
conveying said IP packet (12) to said TCP/IP protocol stack (32).
7. A method as recited in claim 6 , further comprising the steps of:
conveying context information and said network interface (49) information to said network endpoint device (10) by said authentication device (18) with said IP packet (12); and
storing said context information and said network interface information (49) in said session descriptor (28).
8. A method as recited in claim 6 , further comprising the steps of:
conveying authentication processing information to said network endpoint device (10) with said IP packet (12); and
storing said authentication processing information in said session descriptor (28).
9. A method as recited in claim 1 , further comprising the steps of
conveying a policy rule (26) to said network endpoint device (10) from said authentication device (18) via said network (20); and
adding said policy rule (26) to a second table of policy rules (36) by said network endpoint device (10).
10. A method as recited in claim 9 , in which
expiring said policy rule (26) after a period of time.
11. A method as recited in claim 9 , in which
said step of adding said policy rule (26) to said second table of policy rules (36) is performed by a peer authentication management application (44).
12. A method as recited in claim 1 , in which
said authentication device (18) uses transport access control to perform authentication.
13. A method as recited in claim 1 , in which
said authentication device (18) uses statistical object identification to perform authentication.
14. A method as recited in claim 1 , in which
said authentication device (18) does not share with said network endpoint device (10) cryptographic keys necessary to perform said authentication.
15. A method as recited in claim 1 , in which said step of receiving of said IP packet (12) by said network endpoint device (10) further includes the steps of:
selecting a matching policy rule (26) that matches some portion of said IP packet (12) from a second table of policy rules (36); and
applying said policy rule (26) to said IP packet (12).
16. A method as recited in claim 1 , in which said step of receiving of said IP packet (12) by said network endpoint device (10) further includes the steps of:
selecting a policy rule (26) that matches said network interface (49) information from a second table of policy rules (36); and
applying said policy rule (26) to said IP packet (12).
17. A method as recited in claim 1 , further including the steps of:
providing a logging device (42);
conveying log information (50) to said logging device (42) by said authentication device (18); and
including TCP/IP session information from said IP packet (12) and said network interface (49) said IP packet was received on in said log information (50).
18. A method as recited in claim 1 , further including the steps of:
providing a logging device (42);
conveying log information (50) to said logging device (42) by said authentication device (18); and
including said identity (22) from said IP packet (12) in said log information (50).
19. A method as recited in claim 1 , further comprising the steps of:
providing a logging device (42);
conveying log information (50) to said logging device (42) by said authentication device (18); and
including said policy rule (26) identity applied to said IP packet (12) in said log information (50).
20. A method as recited in claim 1 , in which
said step of conveying of said IP packet (12) to said authentication device (18) is performed by a peer authentication management application (44).
21. A method as recited in claim 15 , in which
said network endpoint device (10), upon receiving said IP Packet (12) from said remote network device (11), compares said IP packet (12) against entries in a second table of policy rules (36);
failing to select a matching policy rule (26); and
continuing with said determining of the identity (22).
22. A method comprising the steps of:
providing a TCP/IP protocol stack (32) and an authenticated session table (30) at a network endpoint device (10);
receiving an IP packet (12) by said network endpoint device (10);
said IP packet (12) including a TCP header (14);
said TCP header (14) not including a TCP SYN bit (16);
matching said IP packet (12) to a session descriptor (28) in said authenticated session table (30); and
conveying said IP packet (12) to said TCP/IP protocol stack (32).
23. A method as recited in claim 22 , in which
information in said session descriptor (28) in said authenticated session table (30) was created by an authentication device (18); and
said authentication device (18) using transport access control to perform authentication.
24. A method as recited in claim 22 , in which
information in said session descriptor (28) in said authenticated session table (30) was created by an authentication device (18); and
said authentication device (18) using statistical object identification to perform authentication.
25. A method as recited in claim 22 , in which said step of receiving of said IP packet (12) by said network endpoint device (10) further includes the steps of:
selecting a matching policy rule (26) that matches some portion of said IP packet (12) from a second table of policy rules (36); and
applying said policy rule (26) to said IP packet (12).
26. A method as recited in claim 22 , in which said step of receiving of said IP packet (12) by said network endpoint device (10) further includes the steps of:
selecting a policy rule (26) that matches said network interface (49) information from a second table of policy rules (36); and
applying said policy rule (26) to said IP packet (12).
27. A method comprising the steps of:
providing a peer authentication driver (46), a TCP/IP protocol stack (32), a network device driver (48), a network interface (49) and an authenticated session table (30) at a network endpoint device (10);
said peer authentication driver (46) receiving an IP packet (12) from a TCP/IP protocol stack (32);
locating a session descriptor (28) corresponding to said IP packet (12) in said authenticated session table (30);
processing said IP packet (12) in accordance with said session descriptor (28);
sending said IP packet (12) to said network device driver (48); and
sending said IP packet (12) to said network interface (49).
28. A method as recited in claim 27 , in which
said session descriptor (28) in said authenticated session table (30) was created by an authentication device (18); and
said authentication device (18) using transport access control to perform authentication.
29. A method as recited in claim 27 , in which
said session descriptor (28) in said authenticated session table (30) was created by an authentication device (18); and
said authentication device (18) using statistical object identification to perform authentication.
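The packet flow the claims describe (SYN packets diverted to the authentication device, its decision cached as a rule in the endpoint's second table with an expiry, non-SYN packets admitted only when they match a session descriptor, outbound packets gated the same way) is small enough to run end to end. The following is an added illustration written for this page; it is not code from the patent or from its assignee. The page names the identification method (statistical object identification, transport access control) but does not describe it, so an HMAC token carried in the TCP sequence number is used here as an assumed stand-in that keeps the keys on the device side only (claim 14). The rule fields, the 300-second rule expiry, the log dictionary layout, the addresses and the per-identity keys are all constructed for the example.

```python
# Added illustration of the claimed packet flow (not the patent's code).  The HMAC token in the
# TCP sequence number is an assumed stand-in for the identification method, which this page does
# not describe; rule fields, the 300 s expiry and the log layout are likewise assumptions.
import hashlib
import hmac
from collections import namedtuple
from typing import Optional

SYN = 0x02                                                   # TCP SYN bit (16)
Packet = namedtuple("Packet", "src sport dst dport flags seq iface", defaults=(0, "eth0"))
PolicyRule = namedtuple("PolicyRule", "action identity src iface expires_at", defaults=(None,) * 4)
SessionDescriptor = namedtuple("SessionDescriptor", "identity iface decided_by")   # (28)


def identity_token(key: bytes, src: str, sport: int, dst: str, dport: int, now: float) -> int:
    """Token a peer places in its SYN (assumed scheme): HMAC over the 4-tuple and a 60 s window."""
    msg = f"{src}:{sport}>{dst}:{dport}@{int(now) // 60}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def session_key(pkt: Packet, outbound: bool = False) -> tuple:
    """4-tuple indexing the authenticated session table; outbound packets see it mirrored."""
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport) if outbound else (pkt.src, pkt.sport, pkt.dst, pkt.dport)


def rule_matches_packet(rule: PolicyRule, pkt: Packet, now: float) -> bool:
    """Selectors on packet fields (claim 15) and interface (claim 16); expired rules never match (claim 10)."""
    if rule.expires_at is not None and now >= rule.expires_at:
        return False
    return rule.src in (None, pkt.src) and rule.iface in (None, pkt.iface)


class AuthenticationDevice:
    """Authentication device (18): keeps the per-identity keys and the first table of rules (27).
    The endpoint never receives the keys (claim 14)."""

    def __init__(self, keys: dict, rules: list, log: list):
        self.keys, self.rules, self.log = keys, rules, log

    def identify(self, pkt: Packet, now: float) -> Optional[str]:
        got = (pkt.seq & 0xFFFFFFFF).to_bytes(4, "big")
        for identity, key in self.keys.items():
            want = identity_token(key, pkt.src, pkt.sport, pkt.dst, pkt.dport, now).to_bytes(4, "big")
            if hmac.compare_digest(want, got):
                return identity
        return None

    def authenticate(self, pkt: Packet, now: float):
        """Determine identity (22), match the first table, log (claims 17-19) and return the decision
        plus a rule (26) for the endpoint's second table (claim 9) when the peer was identified."""
        identity = self.identify(pkt, now)
        rule = next((r for r in self.rules if r.identity in (None, identity)
                     and rule_matches_packet(r, pkt, now)), None)
        action = rule.action if rule is not None else "deny"            # no rule matched: deny
        self.log.append({"session": session_key(pkt), "iface": pkt.iface, "identity": identity, "rule": rule})
        pushed = None
        if identity is not None:
            pushed = PolicyRule(action, identity, pkt.src, pkt.iface, now + 300.0)
        return identity, action, pushed


class PeerAuthenticationDriver:
    """Peer authentication driver (46) between the network device driver (48) and the stack (32)."""

    def __init__(self, device: AuthenticationDevice):
        self.device = device
        self.sessions: dict = {}          # authenticated session table (30)
        self.rules: list = []             # second table of policy rules (36)

    def receive(self, pkt: Packet, now: float) -> str:
        """Inbound path; returns 'allow' (conveyed to the stack) or 'drop'."""
        if not pkt.flags & SYN:           # claim 22: a non-SYN packet must match an existing session
            return "allow" if session_key(pkt) in self.sessions else "drop"
        cached = next((r for r in self.rules if rule_matches_packet(r, pkt, now)), None)
        if cached is not None:            # claims 15/16: a cached rule decides locally
            return self._apply(pkt, cached.action, cached.identity, "second_table")
        # claim 21: nothing cached, so the SYN goes to the device; no per-packet state is kept here (claim 5)
        identity, action, pushed = self.device.authenticate(pkt, now)
        if pushed is not None:
            self.rules.append(pushed)     # flowchart 5: rule (26) installed in the second table
        return self._apply(pkt, action, identity, "authentication_device")

    def _apply(self, pkt: Packet, action: str, identity: Optional[str], decided_by: str) -> str:
        if action != "allow":
            return "drop"
        self.sessions[session_key(pkt)] = SessionDescriptor(identity, pkt.iface, decided_by)   # claim 6
        return "allow"

    def transmit(self, pkt: Packet) -> str:
        """Outbound path (claim 27): only packets of an authenticated session reach the wire."""
        return "allow" if session_key(pkt, outbound=True) in self.sessions else "drop"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed traffic: two identities known to the device and one unknown sender."""
    keys = {"alice": b"alice-key", "bob": b"bob-key"}        # assumed keys, held by the device only
    first_table = [PolicyRule("allow", "alice"), PolicyRule("deny", "bob"), PolicyRule("deny")]
    log: list = []
    drv = PeerAuthenticationDriver(AuthenticationDevice(keys, first_table, log))

    def syn(src, sport, who=None, at=now):
        seq = identity_token(keys[who], src, sport, "10.0.0.1", 443, at) if who else 0
        return Packet(src, sport, "10.0.0.1", 443, SYN, seq)

    r = {}
    r["alice_syn"] = drv.receive(syn("192.0.2.10", 40000, "alice"), now)                     # device: allow
    r["alice_data"] = drv.receive(Packet("192.0.2.10", 40000, "10.0.0.1", 443, 0x18), now)     # session hit
    r["alice_reply"] = drv.transmit(Packet("10.0.0.1", 443, "192.0.2.10", 40000, 0x18))
    r["alice_syn2"] = drv.receive(syn("192.0.2.10", 40001, "alice", now + 1), now + 1)         # cached rule
    r["bob_syn"] = drv.receive(syn("192.0.2.20", 40000, "bob"), now)                         # device: deny
    r["stranger_syn"] = drv.receive(syn("198.51.100.5", 40000), now)                         # unidentified
    r["stray_ack"] = drv.receive(Packet("198.51.100.5", 40000, "10.0.0.1", 443, 0x10), now)    # no session
    r["expired_cache"] = drv.receive(syn("192.0.2.10", 40002, "alice", now + 600), now + 600)  # back to device
    r["device_calls"] = len(log)
    r["alice_syn2_decided_by"] = drv.sessions[("192.0.2.10", 40001, "10.0.0.1", 443)].decided_by
    return r
```

Two properties of the claimed design show up directly in `demo()`: the endpoint holds no key and keeps no state for a SYN it has forwarded, so a stray ACK from an unidentified sender is dropped without any lookup beyond the session table, and the second table turns the device round trip into a per-peer cost rather than a per-connection one until the pushed rule expires, after which the next SYN goes back to the device.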
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/998,262 US11095687B2 (en) | 2011-11-18 | 2018-07-24 | Network security system using statistical object identification |
US17/353,117 US11503079B2 (en) | 2011-11-18 | 2021-06-21 | Network security system using statistical object identification |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/373,586 US8572697B2 (en) | 2011-11-18 | 2011-11-18 | Method for statistical object identification |
US13/987,747 US20150067796A1 (en) | 2011-11-18 | 2013-08-27 | Method for statistical object identification |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/987,747 Continuation-In-Part US20150067796A1 (en) | 2011-11-18 | 2013-08-27 | Method for statistical object identification |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/998,262 Continuation-In-Part US11095687B2 (en) | 2011-11-18 | 2018-07-24 | Network security system using statistical object identification |
Publications (1)
Publication Number | Publication Date |
---|---|
US20160269421A1 true US20160269421A1 (en) | 2016-09-15 |
Family
ID=48428269
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/373,586 Active 2031-11-25 US8572697B2 (en) | 2005-09-30 | 2011-11-18 | Method for statistical object identification |
US13/987,747 Abandoned US20150067796A1 (en) | 2011-11-18 | 2013-08-27 | Method for statistical object identification |
US14/544,987 Abandoned US20160269421A1 (en) | 2011-11-18 | 2015-03-11 | Method for network security using statistical object identification |
Family Applications Before (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/373,586 Active 2031-11-25 US8572697B2 (en) | 2005-09-30 | 2011-11-18 | Method for statistical object identification |
US13/987,747 Abandoned US20150067796A1 (en) | 2011-11-18 | 2013-08-27 | Method for statistical object identification |
Country Status (1)
Country | Link |
---|---|
US (3) | US8572697B2 (en) |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170090971A1 (en) * | 2014-12-11 | 2017-03-30 | Amazon Technologies, Inc. | Managing virtual machine instances utilizing an offload device |
US10361859B2 (en) | 2017-10-06 | 2019-07-23 | Stealthpath, Inc. | Methods for internet communication security |
US10360061B2 (en) | 2014-12-11 | 2019-07-23 | Amazon Technologies, Inc. | Systems and methods for loading a virtual machine monitor during a boot process |
US10367811B2 (en) | 2017-10-06 | 2019-07-30 | Stealthpath, Inc. | Methods for internet communication security |
US10375019B2 (en) | 2017-10-06 | 2019-08-06 | Stealthpath, Inc. | Methods for internet communication security |
US10374803B2 (en) | 2017-10-06 | 2019-08-06 | Stealthpath, Inc. | Methods for internet communication security |
US10382195B2 (en) | 2015-03-30 | 2019-08-13 | Amazon Technologies, Inc. | Validating using an offload device security component |
US10397186B2 (en) | 2017-10-06 | 2019-08-27 | Stealthpath, Inc. | Methods for internet communication security |
US10416967B2 (en) * | 2017-10-13 | 2019-09-17 | Internationa Business Machines Corporation | Method of optimizing vargs in object-oriented programming languages |
US10585662B2 (en) | 2014-12-11 | 2020-03-10 | Amazon Technologies, Inc. | Live updates for virtual machine monitor |
US10630642B2 (en) | 2017-10-06 | 2020-04-21 | Stealthpath, Inc. | Methods for internet communication security |
US10768972B2 (en) | 2014-12-11 | 2020-09-08 | Amazon Technologies, Inc. | Managing virtual machine instances utilizing a virtual offload device |
US11068355B2 (en) | 2014-12-19 | 2021-07-20 | Amazon Technologies, Inc. | Systems and methods for maintaining virtual component checkpoints on an offload device |
US11558423B2 (en) | 2019-09-27 | 2023-01-17 | Stealthpath, Inc. | Methods for zero trust security with high quality of service |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10187299B2 (en) * | 2016-04-22 | 2019-01-22 | Blackridge Technology Holdings, Inc. | Method for using authenticated requests to select network routes |
CN107480544A (en) * | 2017-08-07 | 2017-12-15 | 成都牵牛草信息技术有限公司 | Count list operation permission grant method |
US11093638B2 (en) | 2019-04-05 | 2021-08-17 | Online Media Holdings Ltd | Distributed management of user privacy information |
US11140170B2 (en) | 2019-04-05 | 2021-10-05 | Online Media Holdings Ltd | Network-based partial and full user identification techniques |
US11757649B2 (en) * | 2021-08-16 | 2023-09-12 | Bank Of America Corporation | Enhanced authentication framework using multi-dimensional hashing |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020029260A1 (en) * | 2000-07-31 | 2002-03-07 | Dobbins Kurt A. | Directory-enabled intelligent broadband service switch |
US20020178410A1 (en) * | 2001-02-12 | 2002-11-28 | Haitsma Jaap Andre | Generating and matching hashes of multimedia content |
US20020191600A1 (en) * | 2001-05-09 | 2002-12-19 | Shah Hemal V. | Method and apparatus for communicating using labeled data packets in a network |
US20050094637A1 (en) * | 2003-09-25 | 2005-05-05 | Kentaro Umesawa | Communication connection method, authentication method, server computer, client computer and program |
US20050226250A1 (en) * | 2002-06-18 | 2005-10-13 | Ntt Docome, Inc. | Gateway apparatus, and method for processsing signals in the gateway apparatus |
US20070078978A1 (en) * | 1998-06-01 | 2007-04-05 | Sri International | Method and apparatus for updating information in a low-bandwidth client/server object-oriented system |
US20070233877A1 (en) * | 2006-03-30 | 2007-10-04 | Diheng Qu | Transparently proxying transport protocol connections using an external server |
US20080031171A1 (en) * | 2006-08-04 | 2008-02-07 | Innowireless Co., Ltd. | Method of extracting wap data using mobile identification number |
US20100153715A1 (en) * | 2006-11-30 | 2010-06-17 | Tero Kauppinen | Packet handling in a mobile ip architecture |
US20140298021A1 (en) * | 2011-10-10 | 2014-10-02 | Korea University Research And Business Foundation | Method and system for storing information by using tcp communication |
US9294389B2 (en) * | 2011-06-23 | 2016-03-22 | Cisco Technology, Inc. | Method to select interface for IP packets when destination subnet is reachable on multiple interfaces |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6807632B1 (en) * | 1999-01-21 | 2004-10-19 | Emc Corporation | Content addressable information encapsulation, representation, and transfer |
US6754662B1 (en) * | 2000-08-01 | 2004-06-22 | Nortel Networks Limited | Method and apparatus for fast and consistent packet classification via efficient hash-caching |
JP2003030145A (en) * | 2001-07-16 | 2003-01-31 | Fujitsu Ltd | Information processing method and program |
US6889225B2 (en) * | 2001-08-09 | 2005-05-03 | Integrated Silicon Solution, Inc. | Large database search using content addressable memory and hash |
US20040221158A1 (en) * | 2003-05-02 | 2004-11-04 | Secure Data In Motion, Inc. | Digital signature and verification system for conversational messages |
US8086860B2 (en) * | 2007-10-01 | 2011-12-27 | Tata Consultancy Services Limited | Method for preventing and detecting hash collisions of data during the data transmission |
- 2011
  - 2011-11-18 US US13/373,586 patent/US8572697B2/en active Active
- 2013
  - 2013-08-27 US US13/987,747 patent/US20150067796A1/en not_active Abandoned
- 2015
  - 2015-03-11 US US14/544,987 patent/US20160269421A1/en not_active Abandoned
Patent Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070078978A1 (en) * | 1998-06-01 | 2007-04-05 | Sri International | Method and apparatus for updating information in a low-bandwidth client/server object-oriented system |
US20020029260A1 (en) * | 2000-07-31 | 2002-03-07 | Dobbins Kurt A. | Directory-enabled intelligent broadband service switch |
US20020178410A1 (en) * | 2001-02-12 | 2002-11-28 | Haitsma Jaap Andre | Generating and matching hashes of multimedia content |
US20020191600A1 (en) * | 2001-05-09 | 2002-12-19 | Shah Hemal V. | Method and apparatus for communicating using labeled data packets in a network |
US20050226250A1 (en) * | 2002-06-18 | 2005-10-13 | Ntt Docome, Inc. | Gateway apparatus, and method for processsing signals in the gateway apparatus |
US20050094637A1 (en) * | 2003-09-25 | 2005-05-05 | Kentaro Umesawa | Communication connection method, authentication method, server computer, client computer and program |
US20070233877A1 (en) * | 2006-03-30 | 2007-10-04 | Diheng Qu | Transparently proxying transport protocol connections using an external server |
US20080031171A1 (en) * | 2006-08-04 | 2008-02-07 | Innowireless Co., Ltd. | Method of extracting wap data using mobile identification number |
US20100153715A1 (en) * | 2006-11-30 | 2010-06-17 | Tero Kauppinen | Packet handling in a mobile ip architecture |
US9294389B2 (en) * | 2011-06-23 | 2016-03-22 | Cisco Technology, Inc. | Method to select interface for IP packets when destination subnet is reachable on multiple interfaces |
US20140298021A1 (en) * | 2011-10-10 | 2014-10-02 | Korea University Research And Business Foundation | Method and system for storing information by using tcp communication |
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11106456B2 (en) | 2014-12-11 | 2021-08-31 | Amazon Technologies, Inc. | Live updates for virtual machine monitor |
US10409628B2 (en) * | 2014-12-11 | 2019-09-10 | Amazon Technologies, Inc. | Managing virtual machine instances utilizing an offload device |
US10585662B2 (en) | 2014-12-11 | 2020-03-10 | Amazon Technologies, Inc. | Live updates for virtual machine monitor |
US10768972B2 (en) | 2014-12-11 | 2020-09-08 | Amazon Technologies, Inc. | Managing virtual machine instances utilizing a virtual offload device |
US20170090971A1 (en) * | 2014-12-11 | 2017-03-30 | Amazon Technologies, Inc. | Managing virtual machine instances utilizing an offload device |
US10360061B2 (en) | 2014-12-11 | 2019-07-23 | Amazon Technologies, Inc. | Systems and methods for loading a virtual machine monitor during a boot process |
US11068355B2 (en) | 2014-12-19 | 2021-07-20 | Amazon Technologies, Inc. | Systems and methods for maintaining virtual component checkpoints on an offload device |
US10382195B2 (en) | 2015-03-30 | 2019-08-13 | Amazon Technologies, Inc. | Validating using an offload device security component |
US10375019B2 (en) | 2017-10-06 | 2019-08-06 | Stealthpath, Inc. | Methods for internet communication security |
US10397186B2 (en) | 2017-10-06 | 2019-08-27 | Stealthpath, Inc. | Methods for internet communication security |
US10361859B2 (en) | 2017-10-06 | 2019-07-23 | Stealthpath, Inc. | Methods for internet communication security |
US10367811B2 (en) | 2017-10-06 | 2019-07-30 | Stealthpath, Inc. | Methods for internet communication security |
US10965646B2 (en) | 2017-10-06 | 2021-03-30 | Stealthpath, Inc. | Methods for internet communication security |
US10374803B2 (en) | 2017-10-06 | 2019-08-06 | Stealthpath, Inc. | Methods for internet communication security |
US10630642B2 (en) | 2017-10-06 | 2020-04-21 | Stealthpath, Inc. | Methods for internet communication security |
US11245529B2 (en) | 2017-10-06 | 2022-02-08 | Stealthpath, Inc. | Methods for internet communication security |
US11463256B2 (en) | 2017-10-06 | 2022-10-04 | Stealthpath, Inc. | Methods for internet communication security |
US11729143B2 (en) | 2017-10-06 | 2023-08-15 | Stealthpath, Inc. | Methods for internet communication security |
US11930007B2 (en) | 2017-10-06 | 2024-03-12 | Stealthpath, Inc. | Methods for internet communication security |
US10416967B2 (en) * | 2017-10-13 | 2019-09-17 | Internationa Business Machines Corporation | Method of optimizing vargs in object-oriented programming languages |
US11558423B2 (en) | 2019-09-27 | 2023-01-17 | Stealthpath, Inc. | Methods for zero trust security with high quality of service |
Also Published As
Publication number | Publication date |
---|---|
US20130133039A1 (en) | 2013-05-23 |
US20150067796A1 (en) | 2015-03-05 |
US8572697B2 (en) | 2013-10-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20160269421A1 (en) | Method for network security using statistical object identification | |
US7823194B2 (en) | System and methods for identification and tracking of user and/or source initiating communication in a computer network | |
US9438592B1 (en) | System and method for providing unified transport and security protocols | |
US10187299B2 (en) | Method for using authenticated requests to select network routes | |
US7644436B2 (en) | Intelligent firewall | |
CN1640090B (en) | An apparatus and method for secure, automated response to distributed denial of service attacks | |
US10375118B2 (en) | Method for attribution security system | |
US9118644B2 (en) | Method for directing requests to trusted resources | |
WO2007019803A1 (en) | Authentic device admission scheme for a secure communication network, especially a secure ip telephony network | |
US11178108B2 (en) | Filtering for network traffic to block denial of service attacks | |
CA2506418C (en) | Systems and apparatuses using identification data in network communication | |
KR101020470B1 (en) | Methods and apparatus for blocking network intrusion | |
US11503079B2 (en) | Network security system using statistical object identification | |
CN115603932A (en) | Access control method, access control system and related equipment | |
US11265249B2 (en) | Method for using authenticated requests to select network routes | |
US11095687B2 (en) | Network security system using statistical object identification | |
US20060225141A1 (en) | Unauthorized access searching method and device | |
Tsudik | Datagram authentication in internet gateways: implications of fragmentation and dynamic routing | |
KR102027440B1 (en) | Apparatus and method for blocking ddos attack | |
Prasetijo et al. | Firewalling a Secure Shell Service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: BLACKRIDGE TECHNOLOGY HOLDINGS, INC., NEVADA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: GRAM, CHARLES ANDREW; HAYES, JOHN W.; REEL/FRAME: 036333/0599. Effective date: 20150504 |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |