US-20260129029-A1 - MULTI-LAYERED SECURE EQUIPMENT ACCESS
Abstract
In one embodiment, a device receives discovery data generated by a plurality of networking devices in a network. The device determines, based on the discovery data, a hierarchy of layers of the network. The device receives a request by a client that is external to the network to access remotely a particular endpoint in the network. The device configures, in response to the request, a proxy chain of remote access agents executed by a subset of networking devices from the plurality of networking devices to allow the client to access remotely the particular endpoint, each of those networking devices proxying traffic between different layers of the network.
Inventors
- Robert E. BARTON
- Flemming Stig Andreasen
- Jerome Henry
- Elango Ganesan
Assignees
- CISCO TECHNOLOGY, INC.
Dates
- Publication Date: 20260507
- Application Date: 20251230
Claims (20)
- 1. A method, comprising: receiving discovery data generated by a plurality of networking devices, wherein the discovery data identifies, for respective ones of the plurality of networking devices: a layer assignment within a hierarchical security zone architecture; and capability to execute remote access agents; determining, based on the discovery data, a network topology indicating that the plurality of networking devices are organized into a first layer associated with a first networking policy and a second layer associated with a second networking policy, wherein the first networking policy manages communication between devices in the first layer and devices outside the first layer; receiving a request from a client external to the network to access a particular endpoint located in the second layer; selecting, based on the network topology, a first networking device in the first layer and a second networking device in the second layer to form a proxy chain; and configuring the proxy chain by: configuring a first remote access agent on the first networking device to receive traffic from the client and forward it to the second networking device in accordance with the first networking policy; and configuring a second remote access agent on the second networking device to receive traffic from the first networking device and forward it to the particular endpoint in accordance with the second networking policy, wherein each remote access agent proxies traffic between adjacent layers to enable end-to-end communication while maintaining compliance with layer policies.
- 2. The method of claim 1, wherein the hierarchical security zone architecture comprises IEC 62443 zones.
- 3. The method of claim 1, wherein the first layer comprises a demilitarized zone layer positioned between an enterprise zone layer and an industrial zone layer.
- 4. The method of claim 1, wherein the plurality of networking devices generates the discovery data using a Layer-2 discovery protocol.
- 5. The method of claim 4, wherein the Layer-2 discovery protocol comprises at least one of Cisco Discovery Protocol or Link Layer Discovery Protocol.
- 6. The method of claim 1, wherein configuring the proxy chain further comprises establishing at least one tunnel between the first networking device and the second networking device.
- 7. The method of claim 1, further comprising providing visual indicia of the plurality of networking devices and the network topology for display to an administrator.
- 8. The method of claim 1, wherein the discovery data further identifies contextual information indicating a cell or zone designation for respective ones of the plurality of networking devices.
- 9. The method of claim 1, wherein the first networking policy restricts communication to adjacent layers such that the first networking device communicates only with devices in the first layer and devices in a layer immediately adjacent to the first layer.
- 10. The method of claim 1, wherein the particular endpoint comprises an Industrial Internet of Things device executing a web application server.
- 11. An apparatus, comprising: one or more network interfaces; a processor coupled to the one or more network interfaces; and a memory storing instructions that, when executed by the processor, cause the apparatus to: receive discovery data generated by a plurality of networking devices, wherein the discovery data identifies, for respective ones of the plurality of networking devices: a layer assignment within a hierarchical security zone architecture; and capability to execute remote access agents; determine, based on the discovery data, a network topology indicating that the plurality of networking devices are organized into a first layer associated with a first networking policy and a second layer associated with a second networking policy, wherein the first networking policy manages communication between devices in the first layer and devices outside the first layer; receive a request from a client external to the network to access a particular endpoint located in the second layer; select, based on the network topology, a first networking device in the first layer and a second networking device in the second layer to form a proxy chain; and configure the proxy chain by: configuring a first remote access agent on the first networking device to receive traffic from the client and forward it to the second networking device in accordance with the first networking policy; and configuring a second remote access agent on the second networking device to receive traffic from the first networking device and forward it to the particular endpoint in accordance with the second networking policy, wherein each remote access agent proxies traffic between adjacent layers to enable end-to-end communication while maintaining compliance with layer policies.
- 12. The apparatus of claim 11, wherein the hierarchical security zone architecture comprises IEC 62443 zones.
- 13. The apparatus of claim 11, wherein the first layer comprises a demilitarized zone layer positioned between an enterprise zone layer and an industrial zone layer.
- 14. The apparatus of claim 11, wherein the plurality of networking devices generates the discovery data using a Layer-2 discovery protocol.
- 15. The apparatus of claim 14, wherein the Layer-2 discovery protocol comprises at least one of Cisco Discovery Protocol or Link Layer Discovery Protocol.
- 16. The apparatus of claim 11, wherein the instructions, when executed by the processor, further cause the apparatus to establish at least one tunnel between the first networking device and the second networking device as part of configuring the proxy chain.
- 17. The apparatus of claim 11, wherein the particular endpoint comprises an Industrial Internet of Things device executing a web application server.
- 18. A non-transitory computer-readable medium storing instructions that, when executed by a processor, cause the processor to: receive discovery data generated by a plurality of networking devices in a network, wherein the discovery data indicates layer assignments of the plurality of networking devices within a hierarchical security zone architecture; determine, based on the discovery data, a hierarchy of layers of the network, wherein each layer of the hierarchy is associated with a respective networking policy that governs communication across layer boundaries; receive a request from a client external to the network to remotely access a particular endpoint in the network; and configure, in response to the request, a proxy chain comprising remote access agents executed by a subset of the plurality of networking devices, wherein each networking device in the subset proxies traffic between different layers of the network to enable the client to remotely access the particular endpoint while maintaining compliance with the respective networking policies of the layers.
- 19. The non-transitory computer-readable medium of claim 18, wherein the hierarchical security zone architecture comprises an enterprise zone layer, a demilitarized zone layer, an industrial zone layer, and a cell/area zone layer.
- 20. The non-transitory computer-readable medium of claim 19, wherein the proxy chain comprises at least one tunnel established between networking devices in adjacent layers of the hierarchy.
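The chain-selection procedure of claims 1, 9, 18 and 19, modelled as an added Python example; this is not Cisco's code or the patent's own implementation. The layer ordering, device names, endpoint names and discovery records are constructed assumptions, and the model shows the two failure modes a defender cares about: no chain is built when the endpoint was never discovered or when a layer has no agent-capable device, and a chain that skips a layer fails the adjacency policy.

```python
from dataclasses import dataclass

# IEC 62443-style zones, outermost first (claim 19). Constructed ordering.
LAYERS = ["enterprise", "dmz", "industrial", "cell"]

@dataclass(frozen=True)
class Discovery:
    device: str                # networking device that reported itself
    layer: str                 # layer assignment in the zone hierarchy
    agent_capable: bool        # can it run a remote access agent?
    endpoints: tuple = ()      # endpoints reachable behind this device

def hierarchy(records):
    """Group discovered devices by layer; reject layers outside the model."""
    layers = {layer: [] for layer in LAYERS}
    for rec in records:
        if rec.layer not in layers:
            raise ValueError(f"{rec.device}: unknown layer {rec.layer!r}")
        layers[rec.layer].append(rec)
    return layers

def build_proxy_chain(records, endpoint):
    """One agent-capable device per layer, outermost layer down to the
    endpoint's layer. None when no compliant chain exists (unknown endpoint
    or a layer with no agent-capable device): nothing is exposed on a guess."""
    layers = hierarchy(records)
    target = next((r.layer for r in records if endpoint in r.endpoints), None)
    if target is None:
        return None
    chain = []
    for layer in LAYERS[: LAYERS.index(target) + 1]:
        hop = next((r for r in layers[layer] if r.agent_capable), None)
        if hop is None:
            return None
        chain.append(hop.device)
    return chain

def chain_is_compliant(records, chain):
    """Claim 9 policy: each agent forwards only to its own or an immediately
    adjacent layer, so a chain that skips a layer (e.g. the DMZ) is rejected."""
    layer_of = {r.device: LAYERS.index(r.layer) for r in records}
    return all(abs(layer_of[a] - layer_of[b]) <= 1 for a, b in zip(chain, chain[1:]))

# Constructed discovery data: the cell-layer switch cannot host an agent.
SAMPLE = (
    Discovery("ent-sw1", "enterprise", True),
    Discovery("dmz-fw1", "dmz", True),
    Discovery("idz-sw1", "industrial", True, ("plc-7",)),
    Discovery("cell-sw1", "cell", False, ("robot-2",)),
)
```

With the sample data, a request for `plc-7` yields the three-hop chain enterprise, DMZ, industrial, while a request for `robot-2` yields no chain because the cell layer cannot run an agent.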
Description
RELATED APPLICATIONS
This application is a continuation of and claims priority to U.S. application Ser. No. 17/971,285, filed on Oct. 21, 2022, the entire contents of which are incorporated herein by reference.
TECHNICAL FIELD
The present disclosure relates generally to computer networks, and, more particularly, to multi-layered, secure equipment access.
BACKGROUND
The Internet of Things, or “IoT” for short, represents an evolution of computer networks that seeks to connect many everyday objects to the Internet. Notably, there has been a recent proliferation of ‘smart’ devices that are Internet-capable such as thermostats, lighting, televisions, cameras, and the like. In many implementations, these devices may also communicate with one another, such as an IoT motion sensor communicating with a smart lightbulb, to turn the lights on when a person enters a room. The IoT has also expanded to industrial settings as part of the so-called “Industrial IoT” (IIoT) to control manufacturing processes and other operations in industrial settings (e.g., factories, mines, oil rigs, etc.).
As devices are increasingly added to the IoT and IIoT, the number of external users and services that require access to them has also increased. For instance, a remote technician may wish to connect to a particular IoT device so that they can perform maintenance on it (e.g., updating its firmware, running diagnostics, etc.). While this is a relatively straightforward task in simple network deployments, many IoT and IIoT deployments are multi-layered. Thus, configuring a secure connection between an external client and a particular device also requires configuring the connection to span multiple layers of a given network. For instance, in the context of a factory, the remote connection may need to span an enterprise zone, a demilitarized zone (DMZ), an industrial zone, or the like. Simply exposing the target device to the Internet would also present a significant security risk, potentially allowing malicious entities to take control over the device.
BRIEF DESCRIPTION OF THE DRAWINGS
The embodiments herein may be better understood by referring to the following description in conjunction with the accompanying drawings in which like reference numerals indicate identically or functionally similar elements, of which:
- FIG. 1 illustrates an example network;
- FIG. 2 illustrates an example network device/node;
- FIG. 3 illustrates an example of a remote access manager configuring remote access to an endpoint in a network;
- FIGS. 4A-4C illustrate an example of multi-layered secure equipment access; and
- FIG. 5 illustrates an example simplified procedure for providing multi-layered secure equipment access.
DESCRIPTION OF EXAMPLE EMBODIMENTS
Overview
According to one or more embodiments of the disclosure, a device receives discovery data generated by a plurality of networking devices in a network. The device determines, based on the discovery data, a hierarchy of layers of the network. The device receives a request by a client that is external to the network to access remotely a particular endpoint in the network. The device configures, in response to the request, a proxy chain of remote access agents executed by a subset of networking devices from the plurality of networking devices to allow the client to access remotely the particular endpoint, each of those networking devices proxying traffic between different layers of the network.
Description
A computer network is a geographically distributed collection of nodes interconnected by communication links and segments for transporting data between end nodes, such as personal computers and workstations, or other devices, such as sensors, etc. Many types of networks are available, ranging from local area networks (LANs) to wide area networks (WANs). LANs typically connect the nodes over dedicated private communications links located in the same general physical location, such as a building or campus. WANs, on the other hand, typically connect geographically dispersed nodes over long-distance communications links, such as common carrier telephone lines, optical lightpaths, synchronous optical networks (SONET), synchronous digital hierarchy (SDH) links, and others. Other types of networks, such as field area networks (FANs), neighborhood area networks (NANs), personal area networks (PANs), etc. may also make up the components of any given computer network.
In various embodiments, computer networks may include an Internet of Things network. Loosely, the term “Internet of Things” or “IoT” (or “Internet of Everything” or “IoE”) refers to uniquely identifiable objects (things) and their virtual representations in a network-based architecture. In particular, the IoT involves the ability to connect more than just computers and communications devices, but rather the ability to connect “objects” in general, such as lights, appliances, vehicles, heating, ventilating, and air-conditioning (HVAC), windows and window