US-12627667-B2 - Systems and methods for resilient ZTNA micro-segmentation policy generation
Abstract
Systems, devices, and methods are discussed for determining zero trust network access policy based upon intent defined groups of workloads.
Inventors
- Rajiv Sreedhar
- Manuel Nedbal
- Damodar K. Hegde
- Jitendra B. Gaitonde
- Manoj Ahluwalia
- LATHA KRISHNAMURTHI
- RAJESHWARI RAO
Assignees
- FORTINET, INC.
Dates
- Publication Date: 20260512
- Application Date: 20210809
Claims (20)
- 1. A method for resilient access control list development, the method comprising: identifying, by a processing resource, a first set of workloads in a set of network traffic that share at least a first trait, and a second set of workloads in the set of network traffic that share at least a second trait; identifying, by the processing resource, a first suggested intent of the first set of workloads based upon metadata associated with the first set of workloads; identifying, by the processing resource, a second suggested intent of the second set of workloads based upon metadata associated with the second set of workloads; consolidating, by the processing resource, a plurality of network ports of the first set of workloads based at least in part on a network element associated with the first set of workloads into a set of network ports, wherein a given network port of the plurality of network ports is associated with a particular network protocol that transmits communication for a specific service between a traffic source and a traffic destination; consolidating further, by the processing resource, ports from the plurality of network ports into ranges of ports used for an application, wherein ports from the plurality of network ports are consolidated with similar workloads; receiving, by the processing resource, an access control list including at least a first access control rule allowing defined activity over multiple network ports, and second access control rule allowing defined activity for workloads having the first suggested intent, and a third access control rule allowing defined activity for workloads having the second suggested intent; and forward testing, by the processing resource, the access control list comprising the first access control rule, the second access control rule, and the third access control rule, at an application-level of granularity, wherein the access control list is forward tested after the addition of each application and only the most recently added application has not been fully secured.
- 2. The method of claim 1, wherein identifying the first set of workloads in the set of network traffic and the second set of workloads in the set of network traffic includes eliminating network traffic corresponding to a scanner.
- 3. The method of claim 1, wherein identifying the first set of workloads in the set of network traffic and the second set of workloads in the set of network traffic includes eliminating incomplete workflows.
- 4. The method of claim 3, wherein the incomplete workflows are associated with a scanner accessing a closed port.
- 5. The method of claim 3, wherein the incomplete workflows are associated with a scanner accessing an open port and failing to respond to an acknowledgment returned from the open port.
- 6. The method of claim 1, the method further comprising: monitoring, by the processing resource, network activity to yield the set of network traffic.
- 7. The method of claim 6, wherein monitoring network activity to yield the set of network traffic is done such that the network traffic does not include any traffic corresponding to a scanner or any incomplete workflows.
- 8. The method of claim 1, wherein the multiple network ports are selected from a group consisting of: a set of continuous network ports, and a set of discontinuous network ports.
- 9. The method of claim 1, the method further comprising: modifying, by the processing resource, a default rule of the access control list from allow to block; and deploying, by the processing resource, the access control list.
- 10. The method of claim 1, wherein the method further comprises: dynamically adding one of the plurality of network ports of the first set of workloads based upon a negotiation of a control channel.
- 11. A network appliance, the network appliance comprising: a processing resource; a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to: identify a first set of workloads in a set of network traffic that share at least a first trait, and a second set of workloads in the set of network traffic that share at least a second trait; identify a first suggested intent of the first set of workloads based upon metadata associated with the first set of workloads; identify a second suggested intent of the second set of workloads based upon metadata associated with the second set of workloads; consolidate a plurality of network ports of the first set of workloads based at least in part on a network element associated with the first set of workloads into a set of network ports, wherein a given network port of the plurality of network ports is associated with a particular network protocol that transmits communication for a specific service between a traffic source and a traffic destination; consolidate further ports from the plurality of network ports into ranges of ports used for an application, wherein ports from the plurality of network ports are consolidated with similar workloads; receive an access control list including at least a first access control rule allowing defined activity over multiple network ports, and second access control rule allowing defined activity for workloads having the first suggested intent, and a third access control rule allowing defined activity for workloads having the second suggested intent; and forward test the access control list comprising the first access control rule, the second access control rule, and the third access control rule at an application-level of granularity, wherein the access control list is forward tested after the addition of each application and only the most recently added application has not been fully secured.
- 12. The network appliance of claim 11, wherein identifying the first set of workloads in the set of network traffic and the second set of workloads in the set of network traffic includes eliminating network traffic corresponding to a scanner.
- 13. The network appliance of claim 11, wherein identifying the first set of workloads in the set of network traffic and the second set of workloads in the set of network traffic includes eliminating incomplete workflows.
- 14. The network appliance of claim 13, wherein the incomplete workflows are associated with a scanner accessing a closed port.
- 15. The network appliance of claim 13, wherein the incomplete workflows are associated with a scanner accessing an open port and failing to respond to an acknowledgement returned from the open port.
- 16. The network appliance of claim 11, wherein the instructions, that when executed by the processing resource, cause the processing resource further to: monitoring network activity to yield the set of network traffic.
- 17. The network appliance of claim 16, wherein monitoring network activity to yield the set of network traffic is done such that the network traffic does not include any traffic corresponding to a scanner or any incomplete workflows.
- 18. The network appliance of claim 11, wherein the instructions, that when executed by the processing resource, cause the processing resource further to: dynamically add one of the plurality of network ports of the first set of workloads based upon a negotiation of a control channel.
- 19. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by a processing resource, causes the processing resource to: identify a first set of workloads in a set of network traffic that share at least a first trait, and a second set of workloads in the set of network traffic that share at least a second trait; identify a first suggested intent of the first set of workloads based upon metadata associated with the first set of workloads; identify a second suggested intent of the second set of workloads based upon metadata associated with the second set of workloads; and consolidate a plurality of network ports of the first set of workloads based at least in part on a network element associated with the first set of workloads into a set of network ports, wherein a given network port of the plurality of network ports is associated with a particular network protocol that transmits communication for a specific service between a traffic source and a traffic destination; consolidate further ports from the plurality of network ports into ranges of ports used for an application, wherein ports from the plurality of network ports are consolidated with similar workloads; receive an access control list including at least a first access control rule allowing defined activity over multiple network ports, and second access control rule allowing defined activity for workloads having the first suggested intent, and a third access control rule allowing defined activity for workloads having the second suggested intent; and forward test the access control list comprising the first access control rule, the second access control rule, and the third access control rule at an application-level of granularity, wherein the access control list is forward tested after the addition of each application and only the most recently added application has not been fully secured.
- 20. The non-transitory computer-readable storage medium of claim 19, wherein the multiple network ports are selected from a group consisting of: a set of continuous network ports, and a set of discontinuous network ports.
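As an added example (not code from the patent or from Fortinet), the following Python sketches the pipeline claims 1-5 and 9 describe: incomplete workflows and scanner traffic are dropped before any workload is grouped, workloads are grouped by a shared trait (here a constructed "tier" label standing in for the metadata), observed ports are consolidated into contiguous ranges per intent pair, and the resulting allow rules are closed with a default block rule. The flow records, addresses and the scanner threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (not from the patent): (source, destination, dst port, outcome).
# "established" = full handshake; "closed" = destination answered RST (claim 4);
# "half_open" = SYN/ACK returned but the source never sent the final ACK (claim 5).
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8080, "established"),
    ("10.0.1.11", "10.0.2.20", 8081, "established"),
    ("10.0.1.10", "10.0.2.21", 8082, "established"),
    ("10.0.2.20", "10.0.3.30", 5432, "established"),
    ("10.0.9.9", "10.0.2.20", 22, "closed"),          # scanner probing a closed port
    ("10.0.9.9", "10.0.2.20", 8080, "half_open"),     # scanner, open port, no final ACK
    ("10.0.9.9", "10.0.2.21", 443, "established"),    # scanner's one completed session
]
# Constructed metadata: the "tier" label is the shared trait that supplies each group's intent.
TIER = {"10.0.1.10": "web", "10.0.1.11": "web", "10.0.2.20": "app",
        "10.0.2.21": "app", "10.0.3.30": "db", "10.0.9.9": "mgmt"}
SCAN_THRESHOLD = 2  # assumed: sources with this many incomplete flows are treated as scanners

def clean_flows(flows, threshold=SCAN_THRESHOLD):
    """Drop incomplete workflows and every flow from a scanner-like source, so
    neither can seed an allow rule. Returns (kept flows, scanner sources)."""
    incomplete = defaultdict(int)
    for src, _, _, state in flows:
        if state != "established":
            incomplete[src] += 1
    scanners = {s for s, n in incomplete.items() if n >= threshold}
    kept = [f for f in flows if f[3] == "established" and f[0] not in scanners]
    return kept, scanners

def to_ranges(ports):
    """Consolidate a collection of ports into sorted contiguous (low, high) ranges."""
    ranges = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)      # extend the current range
        else:
            ranges.append((p, p))                # start a new range
    return ranges

def build_acl(flows, tier):
    """One allow rule per (source intent, destination intent) pair with its
    consolidated port ranges, followed by the default rule flipped to block."""
    ports = defaultdict(list)
    for src, dst, port, _ in clean_flows(flows)[0]:
        ports[(tier[src], tier[dst])].append(port)
    rules = [{"src": s, "dst": d, "ports": to_ranges(p), "action": "allow"}
             for (s, d), p in sorted(ports.items())]
    rules.append({"src": "any", "dst": "any", "ports": [(1, 65535)], "action": "block"})
    return rules
```

Note that the scanner's single completed session on port 443 is discarded together with its half-open probes; without that step it would have become an allow rule from the "mgmt" group to the "app" group.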
Description
COPYRIGHT NOTICE
Contained herein is material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction of the patent disclosure by any person as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights to the copyright whatsoever. Copyright © 2021, Fortinet, Inc.
FIELD
Embodiments discussed generally relate to securing network environments, and more particularly to systems and methods for determining zero trust network access policy based upon intent defined groups of workloads.
BACKGROUND
It is not uncommon for network environments to support hundreds of applications that all need to be secured. In some approaches, an operator is tasked with identifying allowed workloads and manually modifying one or more firewalls with rules that allow identified workloads and disallow unidentified workloads. Then, the operator must forward test the implemented rules. This can become time consuming and is often subject to error due to the complexity of workloads and the impact of security measures on other applications in the network environment. Thus, there exists a need in the art for more advanced approaches, devices and systems for developing and implementing security measures in a network environment.
SUMMARY
Various embodiments provide systems and methods for determining zero trust network access policy based upon intent defined groups of workloads. This summary provides only a general outline of some embodiments. Many other objects, features, advantages and other embodiments will become more fully apparent from the following detailed description, the appended claims and the accompanying drawings and figures.
BRIEF DESCRIPTION OF THE DRAWINGS
A further understanding of the various embodiments may be realized by reference to the figures which are described in remaining portions of the specification. In the figures, similar reference numerals are used throughout several drawings to refer to similar components. In some instances, a sub-label consisting of a lower-case letter is associated with a reference numeral to denote one of multiple similar components. When reference is made to a reference numeral without specification to an existing sub-label, it is intended to refer to all such multiple similar components.
- FIGS. 1A-1D illustrate a network architecture including a security orchestration system in accordance with some embodiments;
- FIG. 2 is a flow diagram showing a method in accordance with various embodiments for performing forward testing at an application level granularity;
- FIG. 3 is a graphical representation of an example access control list designed for zero trust network access in a network environment with a single application;
- FIGS. 4A-4F graphically represent generation of an access control list using forward testing at an application granularity and providing zero trust network access for a network environment running three applications in accordance with some embodiments;
- FIG. 5 is a flow diagram showing a method in accordance with various embodiments for forward testing an access control list on an application granularity;
- FIGS. 6A-6B are flow diagrams showing a method in accordance with some embodiments for developing a zero trust network access from the perspective of one or more identified network elements;
- FIG. 7 is a flow diagram showing a method in accordance with one or more embodiments for developing a zero trust network access for specifically identified network elements;
- FIGS. 8A-8C show example workloads and corresponding access control lists that may be identified and formed in accordance with various embodiments;
- FIG. 9 is a flow diagram showing a method in accordance with various embodiments for developing a resilient zero trust network access policy based upon intent defined groups of workloads; and
- FIGS. 10A-10B graphically depict access control lists having multi-port access control rules in accordance with some embodiments.
DETAILED DESCRIPTION
Various embodiments provide systems and methods for determining zero trust network access policy based upon intent defined groups of workloads. An example enterprise network may have hundreds of applications, and each of the hundreds of applications may consist of several interconnected tiers having workloads communicating between each other. Such workloads utilize common network infrastructure including, but not limited to, domain name system (DNS), dynamic host configuration protocol (DHCP), network time protocol (NTP), the internet, and/or management software (e.g., performance and/or health monitoring software). At the same time, groups of clients (e.g., administrators, developers, testers, or the like) may desire access to the aforementioned workloads to perform their various tasks. In addition, network scanners and other administrative tools add complexity by connecting to each asset over a range of ports. In such an environment, determ