Methods and apparatus for controlling computing assets within a zero trust architecture
By receiving and analyzing access request messages from computing devices, and based on identifier matching and hierarchical assignment, the network integration challenges of unauthenticated devices under a zero-trust architecture are addressed, enabling secure multi-layered network access control and improving network security and management efficiency.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- THE BOEING CO
- Filing Date
- 2023-08-14
- Publication Date
- 2026-06-09
Smart Images

Figure CN117596006B_ABST
Abstract
Description
Technical Field
[0001] This disclosure relates to computer networks. More specifically, this disclosure relates to multi-layered networks that implement a zero-trust architecture. Background Technology
[0002] The proliferation of Internet of Things (IoT) devices, corporate wireless devices, and smartphone wireless devices has created a substantial need for improved network security. One such improvement in network security has been the shift from implicit trust architectures to zero-trust architectures. In implicit trust architectures, network security is designed to implicitly trust new devices and authenticate them upon joining the network. In zero-trust architectures, the network does not trust new devices by default and must authenticate every digital interaction between the new device and the zero-trust network. Some considerations in building and designing these networks include securely enabling and facilitating the network integration of unauthenticated and non-standard devices (including mobile devices) within a reasonable timeframe to allow authorized users to join the network.
[0003] Therefore, methods and apparatus are needed to solve at least some of these problems. Summary of the Invention
[0004] The example implementations of this disclosure are dedicated to a method and apparatus for controlling a computing device's access to a multi-tiered network implementing a zero-trust architecture. The currently disclosed method includes the steps of: receiving a communication message including an access request message from a computing device (e.g., a mobile device) requesting access to the multi-tiered network. The access request message from the computing device is received by a switch and analyzed by a device communicating with the switch or a device co-located with the switch. Based on the content of the access request message and other parameters of the computing device, a hierarchical penetration level is assigned to the computing device, thereby indicating which hierarchical level of the multi-tiered network the computing device is allowed to access.
[0005] For example, consider a hypothetical multi-tiered network where a payroll server is in the third tier, a web server is in the second tier, and a DNS server is in the first tier. The third tier has higher security than both the second and first tiers, and the second tier has higher security than the first tier. Based on the content of an access request message from a computing device and other parameters associated with that computing device, the computing device is granted access to one or more of the tiers in the multi-tiered network. A first tier pass-through level is assigned to the computing device, granting it access only to the DNS server and not other devices. Alternatively, based on the network design, a third tier pass-through level is assigned to the computing device, granting it access to the payroll server, web server, and / or DNS server. However, due to the zero-trust architecture of the multi-tiered network, the computing device is denied any access to the network beyond its connected scope until a tier pass-through level is assigned to it.
[0006] Therefore, this disclosure includes, but is not limited to, the following example implementations.
[0007] Some example implementations provide a method for controlling access by a computing device to a multi-tiered network implementing a zero-trust architecture, the multi-tiered network including switches and devices for controlling access to multiple hierarchical levels of the multi-tiered network. The method includes the steps of: the device receiving an access request message from the computing device at the multi-tiered network, the access request message including one or more identifiers associated with the computing device requesting access to the multi-tiered network; the device determining, based on the one or more identifiers in the access request message, a hierarchical penetration level among the multiple hierarchical levels of the multi-tiered network to be assigned to the computing device, wherein the step of determining the hierarchical penetration level to be assigned includes: the device comparing the one or more identifiers of the access request message with a list of known identifiers and corresponding known hierarchical penetration levels associated with the known identifiers, the list being... The information is stored in a database; and the device determines whether one or more identifiers in the access request message match any known identifier in the list of known identifiers; if the one or more identifiers in the access request message match any known identifier in the list of known identifiers, the device assigns a corresponding known layer penetration level to the computing device as the computing device's layer penetration level, or if the one or more identifiers do not match any known identifier in the list of known identifiers, a default layer penetration level is assigned as the computing device's layer penetration level; and the multi-layer network grants the computing device access and control privileges to the multi-layer network, which allow access up to the permitted level in the layer of the multi-layer network, which corresponds to the layer penetration level assigned to the computing device.
[0008] In some example implementations of the methods implemented in any of the foregoing examples, or in any combination thereof, the layered penetration level is the highest available layered penetration level for a computing device based on the one or more identifiers in the layered network, and wherein the one or more identifiers include at least a MAC address associated with the computing device.
[0009] In some example implementations of the methods of any of the foregoing examples, or any combination thereof, the step of determining the highest available layered penetration level for a computing device includes: determining, based on analysis of MAC addresses, communication protocols used by the computing device, and authentication criteria associated with the computing device, a first layered penetration level that should be assigned to the computing device, the first layered penetration level corresponding to the lowest layered level of a multi-layer network.
[0010] In some example implementations of the method implemented in any of the foregoing examples, or in any combination thereof, the method further includes the step of: the device assigning a first layer penetration level to the computing device, thereby granting the computing device access and control privileges to an isolated network access and control area that is separated from and non-communicative to the rest of the multilayer network.
[0011] In some example implementations of the methods implemented in any of the foregoing examples, or in any combination thereof, the step of determining the highest available layered penetration level for the computing device includes: determining, based on analysis of MAC addresses, a second layered penetration level that should be assigned to the computing device, the second layered penetration level corresponding to the second lowest layered level of the multi-layer network, the analysis of MAC addresses including a first confirmation that the MAC address is in a computer inventory management database associated with an authentication management device of the multi-layer network, and wherein the authentication management device communicates with a switch and is configured to dynamically update the computer inventory management database using allowed MAC addresses.
[0012] In some example implementations of the method implemented in any of the foregoing examples, or in any combination thereof, the method further includes the steps of: the device assigning a second layer penetration level to the computing device, thereby allowing the computing device to access an isolated network access and control area isolated from the remainder of the multilayer network: the remainder of the isolated network access and control area other than other devices in the isolated network access and control area; and allowing the computing device to communicate with other computing devices in the isolated network access and control area that have also been assigned a second layer penetration level.
[0013] In some example implementations of the methods of any of the foregoing examples, or any combination thereof, the step of determining the highest available layered penetration level for the computing device includes: based on the communication established between the computing device and the proxy server, determining that a third layered penetration level should be assigned to the computing device, the third layered penetration level corresponding to the third lowest layered level of the multi-layer network.
[0014] In some example implementations of the method implemented in any of the foregoing examples, or in any combination thereof, the method further includes the steps of: assigning a third layer penetration level to a computing device by the device, thereby allowing the computing device to access an isolated network access and control area isolated from the remainder of the multilayer network: the remainder of the isolated network access and control area other than other devices in the isolated network access and control area; and allowing the computing device to communicate with: other computing devices in the isolated network access and control area that have also been assigned a third layer penetration level; and defined external endpoints located outside the isolated network access and control area.
[0015] In some example implementations of the methods of any of the foregoing example implementations, or any combination thereof, the step of determining the highest available layered penetration level for the computing device includes: determining, based on the operating system components of the computing device that are accepting network authentication certificates or tokens, that a fourth layered penetration level should be assigned to the computing device, the fourth layered penetration level corresponding to the second highest layered level of the multi-layer network.
[0016] In some example implementations of the method implemented in any of the foregoing examples, or in any combination thereof, the method further includes the steps of: assigning a fourth layer penetration level to a computing device by the device, thereby allowing the computing device to access an isolated network access and control area isolated from the remainder of the multi-layer network: the remainder of the multi-layer network other than other devices in the isolated network access and control area; and allowing the computing device to communicate with: other computing devices in the isolated network access and control area that have also been assigned a fourth layer penetration level; defined external endpoints located outside the isolated network access and control area; and infrastructure application services located in the multi-layer network and outside the isolated network access and control area.
[0017] In some example implementations of the methods of any of the foregoing examples, or any combination thereof, the step of determining the highest available layer pass-through level for the computing device includes: determining, based on a second confirmation that the MAC address of the computing device is in an internal database associated with an authentication management device of the multi-layer network, that a fifth layer pass-through level should be assigned to the computing device, the fifth layer pass-through level corresponding to the highest layer level of the multi-layer network, and wherein the authentication management device communicates with a switch and is configured to dynamically update the internal database using the MAC addresses of other computing devices allowed access to the multi-layer network.
[0018] In some example implementations of the method implemented in any of the foregoing examples, or in any combination thereof, the method further includes the step of: assigning a fifth layer penetration level to a computing device by the device, thereby allowing the computing device to access an isolated network access and control area isolated from the remainder of the multi-layer network: the remainder other than other devices in the isolated network access and control area; and allowing the computing device to communicate with: other computing devices that have also been assigned a fifth layer penetration level; defined external endpoints located outside the isolated network access and control area; infrastructure application services located in the multi-layer network and outside the isolated network access and control area; and services on the multi-layer network and at least one of the other computing devices.
[0019] Some other example implementations provide a device for controlling access by a computing device to a multi-tiered network implementing a zero-trust architecture. The multi-tiered network includes a switch and the device for controlling access to multiple hierarchical levels of the multi-tiered network. The device includes non-transitory memory storing executable instructions that, when executed by one or more processors of the device, cause the device to: receive an access request message from the computing device, the access request message including one or more identifiers associated with the computing device requesting access to the multi-tiered network; and determine, based on the one or more identifiers in the access request message, a hierarchical penetration level of the multi-tiered network to be assigned to the computing device, wherein determining the hierarchical penetration level to be assigned includes causing the device to: compare the one or more identifiers in the access request message with a list of known identifiers and the known identifiers... The identifier is associated with a corresponding known hierarchical penetration level, a list stored in a database; and it is determined whether one or more identifiers of the access request message match any known identifier in the list; and if the one or more identifiers of the access request message match any known identifier in the list, the corresponding known hierarchical penetration level is assigned as the hierarchical penetration level of the computing device, or if the one or more identifiers do not match any known identifier in the list, a default hierarchical penetration level is assigned as the hierarchical penetration level of the computing device, wherein the multi-layer network is configured to grant the computing device access and control privileges to the multi-layer network, which allow access up to the permitted level in the hierarchical level of the multi-layer network, the permitted level corresponding to the hierarchical penetration level assigned to the computing device.
[0020] In some example implementations of any of the aforementioned example implementations of the device, or any combination thereof, the layered penetration level is the highest available layered penetration level for a computing device based on the one or more identifiers in the layered network, and wherein the one or more identifiers include at least a MAC address associated with the computing device.
[0021] In some example implementations of any of the foregoing example implementations of the device, or any combination thereof, in order to determine the highest available layered pass-through level for the computing device, the device is configured to determine, based on analysis of MAC addresses, the communication protocols used by the computing device, and authentication standards associated with the computing device, to determine a first layered pass-through level that should be assigned to the computing device, the first layered pass-through level corresponding to the lowest layered level of a multi-layer network.
[0022] In some example implementations of any of the foregoing example implementations of the device, or any combination thereof, the device is further configured to assign a first layer penetration level to the computing device, thereby granting the computing device access and control privileges to an isolated network access and control area that is separated from and does not communicate with the remainder of the multilayer network.
[0023] In some example implementations of any of the foregoing example implementations of the device, or any combination thereof, in order to determine the highest available layered pass-through level for the computing device, the device is configured to determine, based on analysis of MAC addresses, a second layered pass-through level that should be assigned to the computing device, the second layered pass-through level corresponding to the second lowest layered level of the multi-layer network, the analysis of the MAC addresses including a first confirmation that the MAC address is in a computer inventory management database associated with an authentication management device of the multi-layer network, and wherein the authentication management device communicates with a switch and is configured to dynamically update the computer inventory management database using allowed MAC addresses.
[0024] In some example implementations of any of the foregoing example implementations of the device, or any combination thereof, the device is further configured to: assign a second layer penetration level to the computing device; and authorize the computing device to access an isolated network access and control area isolated from the remainder of the multilayer network, excluding other devices in the isolated network access and control area, thereby allowing the computing device to communicate with other computing devices in the isolated network access and control area that have also been assigned a second layer penetration level.
[0025] In some example implementations of any of the foregoing example implementations of the device, or any combination thereof, determining the highest available layered penetration level for the computing device includes: the device being configured to determine, based on communication established between the computing device and the proxy server, that a third layered penetration level should be assigned to the computing device, the third layered penetration level corresponding to the third lowest layered level of the multi-layer network.
[0026] In some example implementations of any of the foregoing example implementations of the device, or any combination thereof, the device is further configured to: assign a third layer penetration level to the computing device; and authorize the computing device to access an isolated network access and control area isolated from the remainder of the multilayer network, excluding other devices within the isolated network access and control area, thereby allowing the computing device to communicate with: other computing devices within the isolated network access and control area that have also been assigned a third layer penetration level; and defined external endpoints located outside the isolated network access and control area.
[0027] In some example implementations of any of the foregoing example implementations of the device, or any combination thereof, in order to determine the highest available layered penetration level for the computing device, the device is configured to determine, based on the operating system components of the computing device that are accepting network authentication certificates or tokens, that a fourth layered penetration level should be assigned to the computing device, which corresponds to the second highest layered level of the multi-layer network.
[0028] In some example implementations of any of the foregoing example implementations of the device, or any combination thereof, the device is further configured to: assign a fourth layer penetration level to the computing device; and authorize the computing device to access an isolated network access and control area isolated from the remainder of the multi-layer network, excluding other devices within the isolated network access and control area, thereby allowing the computing device to communicate with: other computing devices within the isolated network access and control area that have also been assigned a fourth layer penetration level; defined external endpoints located outside the isolated network access and control area; and infrastructure application services located in the multi-layer network and outside the isolated network access and control area.
[0029] In some example implementations of any of the foregoing example implementations of the device, or any combination thereof, in order to determine the highest available layered pass-through level for a computing device, the device is configured to determine that the computing device corresponds to a fifth layered pass-through level, which corresponds to the highest layered level of the multi-layered network, based on a second confirmation by a switch or device that the MAC address of the computing device is in an internal database associated with an authentication management device of the multi-layered network, and wherein the authentication management device communicates with the switch and is configured to dynamically update the internal database using the MAC addresses of other computing devices allowed to access the multi-layered network.
[0030] In some example implementations of any of the foregoing example implementations of the device, or any combination thereof, the device is further configured to: assign a fifth layer penetration level to the computing device; and authorize the computing device to access an isolated network access and control area isolated from the remainder of the multi-layer network, excluding other devices within the isolated network access and control area, thereby allowing the computing device to communicate with: other computing devices that have also been assigned a fifth layer penetration level; defined external endpoints located outside the isolated network access and control area; infrastructure application services located in the multi-layer network and outside the isolated network access and control area; and services on the multi-layer network and at least one of the other computing devices.
[0031] These and other features, aspects, and advantages of this disclosure will become apparent from the following detailed description and the accompanying drawings, which are briefly described below. This disclosure includes any combination of two, three, four, or more features or elements set forth herein, whether or not such features or elements are expressly combined or otherwise stated in the particular example implementation described herein. This disclosure is intended to be read in its entirety such that, unless the context of this disclosure clearly indicates otherwise, any individual feature or element of this disclosure in any aspect of this disclosure and in any example implementation shall be considered composable.
[0032] Therefore, it should be understood that the contents of this invention are provided only for the purpose of summarizing some exemplary implementations in order to provide a basic understanding of some aspects of this disclosure. Consequently, it should be understood that the exemplary implementations described above are merely examples and should not be construed as limiting the scope or spirit of this disclosure in any way. Other exemplary implementations, aspects, and advantages will become apparent from the following detailed description taken in conjunction with the accompanying drawings, which exemplify the principles of some of the described exemplary implementations by way of example. Attached Figure Description
[0033] Having already provided a general description of this disclosure, the accompanying drawings will now be described. The drawings are not necessarily drawn to scale, and in which:
[0034] Figure 1 Examples of multilayer wireless networks according to some embodiments of the present disclosure are illustrated;
[0035] Figure 2A Example devices co-located with a switch according to some embodiments of this disclosure are illustrated, while Figure 2B An example device separated from the switch is shown;
[0036] Figure 3A Example network layering diagrams according to some embodiments of this disclosure are illustrated, while Figure 3B An example multi-layer network with example devices co-located with a switch is illustrated;
[0037] Figure 4 Flowcharts illustrating the steps of example methods according to some embodiments of this disclosure are provided in detail; and
[0038] Figure 5 Example devices for performing the methods and other functions described herein are illustrated according to some embodiments of this disclosure. Detailed Implementation
[0039] In the following description, some examples of this disclosure will be given more fully with reference to the accompanying drawings, which illustrate some, but not all, aspects of this disclosure. In fact, various examples of this disclosure may be embodied in many different forms and should not be construed as limiting the examples set forth herein; rather, these examples are provided to make this disclosure thorough and complete, and to fully express the scope of this disclosure to those skilled in the art. For example, unless otherwise specified, referring to something as first, second, etc., should not be construed as implying a particular order. Furthermore, something described as being above something else (unless otherwise specified) may instead be described as being below, and vice versa; and similarly, something described as being to the left of something else may instead be described as being to the right of, and vice versa. Throughout the text, the same reference numerals refer to the same elements.
[0040] Figure 1 This disclosure illustrates a first example implementation of a hypothetical multi-layer network 100 found in many enterprises and organizations. The term "multi-layer network" is interchangeably used in this disclosure as "network." The network includes a switch 102, and one or more wireless access points (WAPs) 104 connected to the switch 102. The switch connects the WAPs to the remainder of the network, including devices such as printers 108 and one or more servers 110. In a typical network without a suitable security protocol, a computing device 112 wirelessly communicates with a WAP, which forwards network packets from the computing device to the remainder of the network via the switch. However, in some cases, the computing device is a security threat and compromise system within the network. In some example implementations, the following references are included. Figure 3B The computing device described in computing device 312 is any wired or wireless device attempting to connect to a network. For example, and without limitation, a computing device is a mobile smartphone, laptop, tablet computer, desktop computer, server, sensor, Internet of Things (IoT) device, or any other similar computing device capable of communicating via a network.
[0041] The methods and apparatus disclosed herein are example security implementations that help protect network 100 from unwanted intrusions by potentially malicious or unauthorized computing devices 112. Although Figure 1 The hypothetical network illustrated includes wireless computing devices communicating with that network; however, the devices and methods described herein are equally relevant and useful in protecting the network from wired devices (e.g., desktop computers plugged directly into switch 102 via Ethernet cables). That is, any discussion herein of computing devices attempting to communicate with the network can be readily interchanged with wireless or wired computing devices, so that the invention will still apply.
[0042] Figure 2AAn example implementation of security system 200A is shown, which can be as... Figure 1 The multi-layer network 100 shown is used to protect the network from computing devices such as computing device 112. This security system includes controls for... Figure 1 The computing device in the device 202A provides access to a multi-layered network that implements a zero-trust architecture. In devices such as... Figure 1 Security systems implemented in any suitable network, such as a multi-layered network, also include switches for controlling access to multiple hierarchical levels of the network.
[0043] like Figure 2A As shown, device 202A is placed alongside the switch and configured to operate as part of the switch. Figure 2B Examples of the same Figure 2A The security system shown is similar to security system 200B, except that... Figure 2B In this context, device 202B is separated from switch 102 and is configured to communicate and operate with the switch described herein. In the following description, the switch utilizes said device to perform various functions. In other words, in… Figure 2A In the case of security system 200A, all functions of device 202A described herein are performed within the switch, while for Figure 2B In the case of security system 200B, the functions of device 202B will be performed outside the switch.
[0044] Figure 3A The example is a network hierarchical diagram 300A, which includes five hierarchical levels of the network. This diagram shows the five hierarchical levels. These hierarchical levels indicate... Figure 3B The illustrated multi-layer network 300B illustrates the security levels of the devices. The devices in the multi-layer network are logically divided into the following hierarchical levels: first hierarchical level 302, second hierarchical level 304, third hierarchical level 306, fourth hierarchical level 308, and fifth hierarchical level 310. Various devices throughout the network are assigned to specific hierarchical levels. For example, a payroll server is at the fifth hierarchical level, while a printer is at the third hierarchical level. These different hierarchical levels enable different access and control privileges within the multi-layer network, ensuring that only the most trusted devices can access the highest hierarchical level, i.e., the fifth hierarchical level 310. Less trusted devices or those new to the environment will only be able to access lower hierarchical levels and therefore access a smaller portion of the network.
[0045] Each device in the multi-layer network 300B is assigned a layered penetration level. This layered penetration level corresponds to the highest layered level within the network that a device is permitted to penetrate or access. Each device assigned a layered penetration level is allowed to penetrate the highest layered level corresponding to its assigned level, as well as every layered level lower than its assigned level. For example, if a computing device is assigned a fifth layered penetration level, it will have permission to communicate with any appropriate device within the fifth layered level 310, and any device in the fourth layered level 308, third layered level 306, etc. However, when a layered penetration level is assigned, the computing device cannot penetrate to layered levels in the multi-layer network higher than its assigned layered penetration level.
[0046] Figure 3B An example multilayer network 300B according to some embodiments of this disclosure is illustrated. Similar to... Figure 1 The multilayer network 100 shown, Figure 3B An example multi-layer network includes a switch 102 having a device 202 co-located with the switch for controlling access to the multi-layer network, such as a first computing device 312, which is implementing a zero-trust architecture. Figure 3A Similar to the description, a multi-layer network comprises multiple hierarchical levels, in which various network components are assigned to each hierarchical level.
[0047] In some embodiments, device 202 includes a memory storing non-transitory executable instructions that, when executed by one or more processors of the device (or switch 102), cause the device to receive an access request message from a computing device (e.g., a first computing device 312, a second computing device 313, or any other wired or wireless computing device communicating with the switch). The access request message includes one or more identifiers associated with the computing device requesting access to the multilayer network 300B. In some examples, the one or more identifiers include at least a MAC address associated with the computing device.
[0048] Device 202 is also configured to determine, based on one or more identifiers within the access request message, the layer pass-through level to be assigned to the computing device among the plurality of layer levels of the multi-layer network 300B. To determine the layer pass-through level to be assigned to the computing device, the device is configured to compare the one or more identifiers of the access request message with a list of known identifiers and corresponding known layer pass-through levels associated with those known identifiers, which is stored in a database 322 communicating with switch 102 or stored in switch 102. For example, the one or more identifiers of the access request message may include a MAC address, and the device compares the received MAC address with a list of known MAC addresses having corresponding known layer pass-through levels associated with those known MAC addresses. Alternatively, the one or more identifiers of the access request message may include a manufacturing serial number of computing device 112 or any other data segment uniquely identifying the computing device.
[0049] Next, device 202 is further configured to determine, based on the comparison, whether one or more identifiers of the access request message (e.g., a received MAC address or any other suitable identifier received within the access request message) match any of the known identifiers in the list. Then, the device is configured to: if the one or more identifiers of the access request message match any of the known identifiers in the list, assign the corresponding known layer-by-layer pass-through level as the layer-by-layer pass-through level for the computing device. If the one or more identifiers of the access request message do not match any of the known identifiers in the list, the device is configured to assign a default layer-by-layer pass-through level as the layer-by-layer pass-through level for the computing device. The multi-layer network 300B, including switch 102, is configured to grant the computing device access and control privileges to the multi-layer network, allowing access up to the permitted level in the layer of the multi-layer network, which corresponds to the layer-by-layer pass-through level assigned to the computing device. In some examples, instead of assigning a default layer-by-layer pass-through level, no access to the multi-layer network 300B by the computing device is permitted.
[0050] The assigned layered pass-through level is the highest available layered pass-through level for the computing device among the layered levels of the multi-layer network 300B, based at least on the one or more identifiers. Furthermore, device 202 is configured to determine, based on analysis of the MAC address (i.e., the one or more identifiers), the communication protocol used by the computing device, and the authentication criteria associated with the computing device, to determine the first layered pass-through level to be assigned to the computing device, which corresponds to the lowest layered level of the multi-layer network. Some example communication protocols used by the computing device include: Ethernet 802 protocol, cellular protocol, or... Some example authentication standards associated with computing devices include: certificate-based authentication standards, token-based authentication standards, multi-factor authentication (e.g., badge or pin) standards, and access control list (ACL) standards. If it is determined that a first layer penetration level should be assigned to the computing device, the device is also configured to assign the first layer penetration level to the computing device, thereby granting the computing device access and control privileges to an isolated network access and control zone 320, which is separated from and does not communicate with the remainder of the multi-layer network 321.
[0051] Device 202 is also configured to determine, based on analysis of MAC addresses, to assign a second layered pass-through level to a computing device, corresponding to the second lowest layered level of the multilayer network 300B. The MAC address analysis includes a first confirmation by the device that the MAC address is in a computer inventory management database associated with the authentication management device 323 of the multilayer network. The authentication management device is a server, computer, or other suitable device that communicates with or includes a computer inventory management database that manages user authentication on the network. As a new user is allowed on the network, appropriate information about the user device is stored in the computer inventory management database. The computer inventory management database is separated from a list of known identifiers stored in database 322. In some embodiments, the authentication management device communicates with a switch and is configured to dynamically update the computer inventory management database using allowed MAC addresses.
[0052] If it is determined that a second layer pass-through level should be assigned to a computing device, the device is further configured to assign the second layer pass-through level to the computing device, thereby allowing the computing device to access an isolated network access and control area 320 isolated from the remainder 321 of the multi-layer network: the remainder of the network access and control area excluding other devices within the isolated network access and control area. For example, assigning the second layer pass-through level to the computing device allows the computing device to communicate with other computing devices (such as the second computing device 313) within the isolated network access and control area that have also been assigned the second layer pass-through level.
[0053] Device 202 is also configured to determine, based on communication established between the computing device and proxy server 324 (e.g., via Transmission Control Protocol / Internet Protocol (TCP / IP) communication protocol, resulting in one-way or two-way information transmission), that a third layer pass-through level should be assigned to the computing device, the third layer pass-through level corresponding to the third lowest layer level of the multi-layer network 300B. If it is determined that a third layer pass-through level should be assigned to the computing device, the device is further configured to assign the third layer pass-through level to the computing device, thereby allowing the computing device to access an isolated network access and control area 320 isolated from the rest of the multi-layer network 321, excluding other devices within the isolated network access and control area.
[0054] Furthermore, assigning a third layer penetration level to a computing device allows the computing device to communicate with: other computing devices within the isolated network access and control area that have also been assigned a third layer penetration level; and limited external endpoints (such as printer 325) located outside the isolated network access and control area.
[0055] Device 202 is also configured to determine, based on the operating system component of the computing device that is accepting a network authentication certificate or token, to assign a fourth layer penetration level to the computing device, which corresponds to the second highest layer level of the multi-layer network 300B. An example operating system component includes the operating system's cryptographic credentials. If it is determined that a fourth layer penetration level should be assigned to the computing device, the device is configured to assign the fourth layer penetration level to the computing device, thereby allowing the computing device to access an isolated network access and control area 320 isolated from the remainder 321 of the multi-layer network, excluding other devices within the isolated network access and control area.
[0056] Furthermore, assigning a fourth layer of penetration level to a computing device allows that computing device to communicate with: other computing devices (such as the second computing device 313) within the isolated network access and control zone 320 that have also been assigned a higher layer of penetration level; defined external endpoints (such as printer 325) located outside the isolated network access and control zone; and infrastructure application services 326 located in the multi-layer network and outside the isolated network access and control zone. Some example infrastructure application services include mobile device management application services and network management application services.
[0057] Device 202 is also configured to determine, based on a second confirmation that the MAC address of computing device 312 is located in an internal database associated with the authentication management device 323 of the multi-layer network, that a fifth layer pass-through level should be assigned to the computing device, the fifth layer pass-through level corresponding to the highest layer level of the multi-layer network 300B. The second confirmation that the MAC address of the computing device is located in the internal database includes comparing the computing device's authentication criteria with entries in the internal database, and then checking the Public Key Infrastructure (PKI) authentication certificate database that associates the certificate with the device. The authentication management device is configured to dynamically update the internal database using the MAC addresses of other computing devices allowed access to the multi-layer network. If it is determined that a fifth layer pass-through level should be assigned to the computing device, the device is configured to assign the fifth layer pass-through level to the computing device, thereby allowing the computing device to access an isolated network access and control area 320 isolated from the remainder of the multi-layer network, excluding other devices within the isolated network access and control area.
[0058] Furthermore, assigning a fifth layer of penetration level to a computing device allows that computing device to communicate with other computing devices that have also been assigned a fifth layer of penetration level (e.g., other computer devices within the isolated network access and control zone 320), such as the second computing device 313. After being assigned a fifth layer of penetration level, the computing device is also permitted to communicate with: defined external endpoints (such as printer 325) located outside the isolated network access and control zone; infrastructure application services 326 located in the multi-layer network and outside the isolated network access and control zone 320; and services on the multi-layer network 300B (such as virtual server 327) and at least one of the other computing devices.
[0059] Computing devices assigned the same pass-through level are permitted to communicate with each other. However, computing devices are not permitted to communicate with computing devices assigned a different pass-through level than themselves (for example, a smartphone assigned a pass-through level 1 cannot communicate with a tablet assigned a pass-through level 5, and vice versa).
[0060] Figure 4 This is a flowchart depicting an example method 400 for controlling access by a computing device to a multi-layer network implementing a zero-trust architecture, according to some embodiments of this disclosure. The method uses, for example... Figure 3B The method is performed by a device such as device 202. The multi-layer network includes a switch and devices for controlling access to multiple hierarchical levels of the multi-layer network, and the method includes the following steps: receiving an access request message from a computing device at the multi-layer network, the access request message including one or more identifiers associated with the computing device requesting access to the multi-layer network, as shown in box 402. The method includes the following steps: determining, based on the one or more identifiers in the access request message, a hierarchical penetration level of the multi-layer network to be assigned to the computing device, wherein the step of determining the hierarchical penetration level to be assigned includes: determining whether the one or more identifiers in the access request message match any known identifier in a list of known identifiers, as shown in box 404.
[0061] In some implementations of method 400, the step of determining the hierarchical pass-through level to be assigned includes: the device comparing the one or more identifiers of the access request message with a list of known identifiers and corresponding known hierarchical pass-through levels associated with the known identifiers, the list being stored in a database communicating with the switch or stored in the switch, as shown in box 406; and the device determining whether the one or more identifiers of the access request message match any of the known identifiers in the list, as shown in box 408.
[0062] The method 400 further includes the following steps: if one or more identifiers in the access request message match any known identifier in the list of known identifiers, the device assigns a corresponding known layer-by-layer penetration level to the computing device as the computing device's layer-by-layer penetration level; or if the one or more identifiers do not match any known identifier in the list of known identifiers, a default layer-by-layer penetration level is assigned as the computing device's layer-by-layer penetration level, as shown in box 410. Furthermore, the method includes the step of granting the computing device access and control privileges over the multi-layer network, which allow access up to the permitted level in the layer-by-layer network, corresponding to the layer-by-layer penetration level assigned to the computing device, as shown in box 412.
[0063] According to the exemplary implementations of this disclosure, device 202 is implemented by various means. Means for implementing said device, either alone or in the guidance of one or more computer programs from a computer-readable storage medium, include hardware. In some examples, one or more devices are configured to function as or otherwise implement the devices shown and described herein. In examples involving more than one device, the respective devices may be connected to or otherwise communicated with each other in many different ways, such as directly or indirectly via wired or wireless networks.
[0064] Figure 5 A device 500 is illustrated according to some example implementations of this disclosure, the device 500 being related to... Figure 3B The illustrated switch 102 is used to co-locate or separate device 500 to achieve the above-mentioned reference. Figure 2A , Figure 2B as well as Figure 3B The apparatus described in device 202 is an example apparatus for the methods and functions. Generally, an exemplary implementation of the apparatus of this disclosure may include, incorporate, or be embodied in one or more fixed or portable electronic devices. Examples of suitable electronic devices include: microcontrollers, controllers, smartphones, tablet computers, laptop computers, desktop computers, workstation computers, server computers, etc. The apparatus includes one or more of a variety of components, for example, such as processing circuitry 502 (e.g., a processing unit or computer processor) connected to memory 504 (e.g., a storage device).
[0065] Processing circuitry 502 comprises one or more processors, either alone or in combination with one or more memories. Processing circuitry is typically any computer hardware capable of processing information (e.g., data, computer programs, and / or other suitable electronic information). Processing circuitry consists of a collection of electronic circuits, some of which are packaged as integrated circuits or multiple interconnected integrated circuits (integrated circuits are sometimes more generally referred to as "chips"). Processing circuitry is configured to execute computer programs, which are stored on the processing circuitry or otherwise stored in memory 504 (on the same device or another device).
[0066] Depending on the specific implementation, the processing circuit 502 includes a plurality of processors, a multi-core processor, or another type of processor. Furthermore, the processing circuit can be implemented using a plurality of heterogeneous processor systems, wherein a main processor and one or more auxiliary processors reside on a single chip. As another illustrative example, the processing circuit is a symmetric multiprocessor system comprising multiple processors of the same type. In yet another example, the processing circuit is specifically implemented as or otherwise includes one or more ASICs, FPGAs, etc. Therefore, although the processing circuit is capable of executing a computer program to perform one or more functions, the processing circuits of the various examples can perform one or more functions without the aid of a computer program. In any case, the processing circuit can be suitably programmed to perform the functions or operations implemented according to the examples of this disclosure.
[0067] Memory 504 is typically any computer hardware capable of temporarily and / or permanently storing information (e.g., data, computer programs (e.g., computer-readable program code 506), and / or other suitable information). Memory includes volatile and / or non-volatile memory and can be fixed or removable. Examples of suitable memory include: random access memory (RAM), read-only memory (ROM), hard disk drive, flash memory, thumb drive, removable computer disk, optical disk, magnetic tape, or a combination thereof. Optical disks include: read-only optical disk (CD-ROM), rewritable optical disk (CD-R / W), DVD, etc. In various contexts, memory is referred to as a computer-readable storage medium. A computer-readable storage medium is a non-transitory device capable of storing information and can be distinguished from a computer-readable transmission medium, such as a transient electronic signal capable of transporting information from one location to another. The computer-readable medium described herein generally refers to a computer-readable storage medium or a computer-readable transmission medium.
[0068] All the processing circuits 502, memory 504, computer-readable program code 506, and other electronic devices discussed above are either separated from the electronics of the switch 102, but still located within the switch housing, integrated with the switch's electronics, or completely separated from the switch's computing devices (e.g., Figure 2B ).
[0069] In addition to memory 504, processing circuitry 502 is connected to one or more interfaces for displaying, sending, and / or receiving information. These interfaces include communication interface 508 (e.g., a communication unit) and / or one or more user interfaces. The communication interfaces are configured to, for example, send information to and / or receive information from other devices, networks, etc. The communication interfaces are configured to send and / or receive information via physical (wired) and / or wireless communication links. Examples of suitable communication interfaces include network interface controllers (NICs), wireless NICs (WNICs), etc.
[0070] The user interface includes a display 510 and / or one or more user input interfaces 512 (e.g., input / output units). The display is configured to present or otherwise display information to a user; suitable examples of displays include liquid crystal displays (LCDs), light-emitting diode displays (LEDs), plasma display panels (PDPs), etc. The user input interfaces may be wired or wireless and are configured to receive information from the user into the device, such as for processing, storage, and / or display. Suitable examples of user input interfaces include microphones, image or video capturing devices, keyboards or keypads, joysticks, touch-sensitive surfaces (separate from or integrated into the touchscreen), biometric sensors, etc. The user interface also includes one or more interfaces for communicating with peripheral devices, such as printers, scanners, etc.
[0071] As shown above, program code instructions are stored in memory (e.g., in the memory of a switch or in a separate memory) and executed by processing circuitry thus programmed to perform the functions of the systems, subsystems, tools, and their respective elements described herein. It will be appreciated that any suitable program code instructions can be loaded from a computer-readable storage medium onto a computer or other programmable device to generate a particular machine, such that particular machine becomes means for performing the functions specified herein. These program code instructions can also be stored in a computer-readable storage medium that can instruct a computer, processing circuitry, or other programmable device to function in a particular manner, thereby generating a particular machine or a particular article of manufacture. These instructions stored in a computer-readable storage medium can generate an article of manufacture, wherein the article of manufacture becomes means for performing the functions described herein. The program code instructions are retrieved from the computer-readable storage medium and loaded into a computer, processing circuitry, or other programmable device to configure the computer, processing circuitry, or other programmable device to perform or be performed on or by the computer, processing circuitry, or other programmable device.
[0072] The retrieval, loading, and execution of program code instructions are performed sequentially, one instruction at a time. In some example implementations, retrieval, loading, and / or execution are performed in parallel, such that multiple instructions are retrieved, loaded, and / or executed together. The execution of program code instructions can generate computer-implemented processing, such that instructions executed by a computer, processing circuitry, or other programmable device provide operations for implementing the functions described herein.
[0073] The processing circuitry executes instructions or stores instructions in a computer-readable storage medium to support a combination of operations for performing the specified function. In this way, device 500 includes processing circuitry 502 and a computer-readable storage medium or memory 504 coupled to the processing circuitry, wherein the processing circuitry is configured to execute computer-readable program code 506 stored in the memory. It should also be understood that one or more functions, and combinations of functions, can be implemented by a dedicated hardware-based computer system and / or processing circuitry, or a combination of dedicated hardware and program code instructions, to perform the specified function.
[0074] The sample content of this disclosure is also based on the following terms:
[0075] 1. A method (400) for controlling a computing device (312) to access a multi-layer network (300B) implementing a zero-trust architecture, the multi-layer network (300B) including a switch (102) and a device (202) for controlling access to multiple hierarchical levels of the multi-layer network (300B), the method (400) comprising the following steps:
[0076] The device (202) receives (402) an access request message from the computing device (312) at the multilayer network (300B), the access request message including one or more identifiers associated with the computing device (312) for requesting access to the multilayer network (300B);
[0077] The device (202) determines (404) the layer penetration level to be assigned to the computing device (312) among the plurality of layer levels of the multi-layer network (300B) based on one or more identifiers in the access request message, wherein the step of determining the layer penetration level to be assigned includes:
[0078] The device (202) compares (406) the one or more identifiers of the access request message with a list of known identifiers and the corresponding known hierarchical penetration levels associated with the known identifiers, the list being stored in a database (322); and
[0079] The device (202) determines (408) whether one or more identifiers of the access request message match any of the known identifiers in the list;
[0080] If one or more identifiers in the access request message match any known identifier in the list of known identifiers, then the device (202) assigns (410) the corresponding known layer penetration level to the computing device (312) as the layer penetration level of the computing device (312); or if one or more identifiers do not match any known identifier in the list of known identifiers, then a default layer penetration level is assigned as the layer penetration level of the computing device (312); and
[0081] The computing device (312) is granted (412) access and control privileges to the multi-layer network (300B), which allow access up to the permission level in the hierarchical level of the multi-layer network (300B), the permission level corresponding to the hierarchical penetration level assigned to the computing device (312).
[0082] 2. The method (400) according to Clause 1, wherein the layered penetration level is the highest available layered penetration level for the computing device (312) based on the one or more identifiers among the layered levels of the multilayer network (300B), and
[0083] The one or more identifiers include at least the MAC address associated with the computing device (312).
[0084] 3. The method (400) according to Clause 2, wherein the step of determining the highest available layered pass-through level for the computing device (312) comprises: determining, based on analysis of the MAC address, the communication protocol used by the computing device (312), and the authentication criteria associated with the computing device (312), a first layered pass-through level that should be assigned to the computing device (312), the first layered pass-through level corresponding to the lowest layered level of the multi-layer network (300B).
[0085] 4. The method (400) according to Clause 3, further comprising the step of: the device (202) assigning the first layer penetration level to the computing device (312), thereby granting the computing device (312) access and control privileges to an isolated network access and control area (320), the isolated network access and control area being separated from and not communicating with the rest of the multilayer network (300B).
[0086] 5. The method (400) according to Clause 2, wherein the step of determining the highest available tiered pass-through level for the computing device (312) comprises: determining, based on analysis of the MAC address, that a second tiered pass-through level should be assigned to the computing device (312), the second tiered pass-through level corresponding to the second lowest tiered level of the multi-layer network (300B), the analysis of the MAC address comprising a first confirmation that the MAC address is in a computer inventory management database (322) associated with the authentication management device of the multi-layer network (300B), and
[0087] The authentication management device communicates with the switch (102) and is configured to dynamically update the computer inventory management database (322) using an authorized MAC address.
[0088] 6. The method (400) according to Clause 5, further comprising the following steps:
[0089] The device (202) assigns the second layer penetration level to the computing device (312), thereby allowing the computing device (312) to access an isolated network access and control area (320) isolated from the remainder of the multi-layer network (300B): the remainder of the isolated network access and control area (320) excluding other devices in the isolated network access and control area (320); and
[0090] The computing device (312) is permitted to communicate with other computing devices (313) within the isolated network access and control area (320) that have also been assigned the second layer penetration level.
[0091] 7. The method (400) according to Clause 2, wherein the step of determining the highest available layered penetration level for the computing device (312) comprises: determining, based on the communication established between the computing device (312) and the proxy server (324), that a third layered penetration level should be assigned to the computing device (312), the third layered penetration level corresponding to the third lowest layered level of the multi-layer network (300B).
[0092] 8. The method (400) according to Clause 7, further comprising the step of:
[0093] The device (202) assigns the third layer penetration level to the computing device (312), thereby allowing the computing device (312) to access an isolated network access and control area (320) isolated from the remainder of the multi-layer network (300B): the remainder of the isolated network access and control area (320) excluding other devices in the isolated network access and control area (320); and
[0094] The computing device (312) is permitted to communicate with the following:
[0095] Other computing devices (313) of the third layer penetration level have also been assigned within the isolated network access and control zone (320); and
[0096] A defined external endpoint (325) located outside the isolated network access and control zone (320).
[0097] 9. The method (400) according to Clause 2, wherein the step of determining the highest available layered penetration level for the computing device (312) comprises: determining, based on an operating system component of the computing device (312) that is accepting a network authentication certificate or token, that a fourth layered penetration level should be assigned to the computing device (312), the fourth layered penetration level corresponding to the second highest layered level of the multi-layer network (300B).
[0098] 10. The method (400) according to Clause 9, further comprising the step of:
[0099] The device (202) assigns the fourth layer penetration level to the computing device (312), thereby allowing the computing device (312) to access an isolated network access and control area (320) isolated from the remainder of the multi-layer network (300B): the remainder of the isolated network access and control area (320) excluding other devices in the isolated network access and control area (320); and
[0100] The computing device (312) is permitted to communicate with the following:
[0101] Other computing devices (313) of the fourth layer of penetration level have also been assigned within the isolated network access and control zone (320);
[0102] A defined external endpoint (325) located outside the isolated network access and control zone (320); and
[0103] Infrastructure application services (326) that are located in the multi-layer network (300B) and outside the isolated network access and control zone (320).
[0104] 11. The method (400) according to Clause 2, wherein the step of determining the highest available tiered pass-through level for the computing device (312) comprises: determining, based on a second confirmation that the MAC address of the computing device (312) is in an internal database (322) associated with the authentication management device of the multi-layer network (300B), that a fifth tiered pass-through level should be assigned to the computing device (312), the fifth tiered pass-through level corresponding to the highest tiered level of the multi-layer network (300B), and
[0105] The authentication management device communicates with the switch (102) and is configured to dynamically update the internal database (322) using the MAC addresses of other computing devices (313) that are allowed to access the multilayer network (300B).
[0106] 12. The method (400) according to Clause 11, the method further comprising the following steps:
[0107] The device (202) assigns the fifth layer penetration level to the computing device (312), thereby allowing the computing device (312) to access an isolated network access and control area (320) isolated from the remainder of the multi-layer network (300B): the remainder of the isolated network access and control area (320) excluding other devices in the isolated network access and control area (320); and
[0108] The computing device (312) is permitted to communicate with the following:
[0109] Other computing devices (313) for the fifth layer of penetration level have also been assigned;
[0110] A defined external endpoint (325) located outside the isolated network access and control zone (320);
[0111] Infrastructure application services (326) located within the multi-layer network (300B) and outside the isolated network access and control zone (320); and
[0112] The services on the multilayer network (300B) and at least one of the other computing devices (327).
[0113] 13. A device (202) for controlling a computing device (312) to access a multi-layer network (300B) implementing a zero-trust architecture, the multi-layer network (300B) including a switch (102) and the device (202) for controlling access to multiple hierarchical levels of the multi-layer network (300B), the device (202) including a non-transitory memory storing executable instructions that, when executed by one or more processors of the device (202), cause the device (202) to perform the following operations:
[0114] The computing device (312) receives an access request message, the access request message including one or more identifiers associated with the computing device (312) for requesting access to the multilayer network (300B);
[0115] Based on one or more identifiers within the access request message, a layer penetration level to be assigned to the computing device (312) is determined from among the plurality of layer levels of the multi-layer network (300B), wherein determining the layer penetration level to be assigned includes causing the device (202) to perform the following operations:
[0116] The access request message's one or more identifiers are compared with a list of known identifiers and their corresponding known hierarchical penetration levels, the list being stored in a database (322); and
[0117] Determine whether the one or more identifiers of the access request message match any of the known identifiers in the list; and
[0118] If one or more identifiers in the access request message match any of the known identifiers in the list, the corresponding known layer-by-layer penetration level is assigned as the layer-by-layer penetration level of the computing device (312); or if the one or more identifiers do not match any of the known identifiers in the list, a default layer-by-layer penetration level is assigned as the layer-by-layer penetration level of the computing device (312).
[0119] The multilayer network (300B) is configured to grant the computing device (312) access and control privileges to the multilayer network (300B), the access and control privileges allowing access up to the permission level in the hierarchical level of the multilayer network (300B), the permission level corresponding to the hierarchical penetration level assigned to the computing device (312).
[0120] 14. The device (202) according to Clause 13, wherein the hierarchical penetration level is the highest available hierarchical penetration level for the computing device (312) based on the one or more identifiers in the hierarchical levels of the multi-layer network (300B), and
[0121] The one or more identifiers include at least the MAC address associated with the computing device (312).
[0122] 15. The device (202) according to Clause 14, wherein, in order to determine the highest available tiered pass-through level for the computing device (312), the device (202) is configured to determine, based on analysis of the MAC address, the communication protocol used by the computing device (312), and the authentication criteria associated with the computing device (312), a first tiered pass-through level corresponding to the lowest tiered level of the multi-layer network (300B).
[0123] 16. The device (202) according to Clause 15 is further configured to assign the first layer penetration level to the computing device (312), thereby granting the computing device (312) access and control privileges to an isolated network access and control area (320) that is separated from and does not communicate with the rest of the multilayer network (300B).
[0124] 17. The device (202) according to Clause 14, wherein, in order to determine the highest available tiered pass-through level for the computing device (312), the device (202) is configured to determine, based on analysis of the MAC address, to determine that a second tiered pass-through level should be assigned to the computing device (312), the second tiered pass-through level corresponding to the second lowest tiered level of the multi-layer network (300B), the analysis of the MAC address including a first confirmation that the MAC address is in a computer inventory management database (322) associated with the authentication management device of the multi-layer network (300B), and
[0125] The authentication management device communicates with the switch (102) and is configured to dynamically update the computer inventory management database (322) using an authorized MAC address.
[0126] 18. The device (202) pursuant to Clause 17, the device is further configured to:
[0127] Assign the second layer penetration level to the computing device (312); and
[0128] The computing device (312) is authorized to access an isolated network access and control area (320) isolated from the remainder of the multilayer network (300B): the remainder of the isolated network access and control area (320) excluding other devices within it.
[0129] This allows the computing device (312) to communicate with other computing devices (313) within the isolated network access and control area (320) that have also been assigned the second layer penetration level.
[0130] 19. The device (202) according to Clause 14, wherein, in order to determine the highest available layered penetration level for the computing device (312), the device (202) is configured to determine, based on the communication established between the computing device (312) and the proxy server (324), that a third layered penetration level should be assigned to the computing device (312), the third layered penetration level corresponding to the third lowest layered level of the multi-layer network (300B).
[0131] 20. The device (202) pursuant to Clause 19, the device is further configured to:
[0132] The third layer penetration level is assigned to the computing device (312); and the computing device (312) is authorized to access an isolated network access and control area (320) isolated from the remainder of the multi-layer network (300B): the remainder of the isolated network access and control area (320) excluding other devices in the isolated network access and control area (320).
[0133] This allows the computing device (312) to communicate with:
[0134] Other computing devices (313) of the third layer penetration level have also been assigned within the isolated network access and control zone (320); and
[0135] A defined external endpoint (325) located outside the isolated network access and control zone (320).
[0136] 21. The device (202) according to Clause 14, wherein, in order to determine the highest available layered pass-through level for the computing device (312), the device (202) is configured to determine, based on the operating system component of the computing device (312) that is accepting a network authentication certificate or token, a fourth layered pass-through level that should be assigned to the computing device (312), the fourth layered pass-through level corresponding to the second highest layered level of the multi-layer network (300B).
[0137] 22. The device (202) pursuant to Clause 21, the device is further configured to:
[0138] The fourth layer penetration level is assigned to the computing device (312); and the computing device (312) is authorized to access an isolated network access and control area (320) isolated from the remainder of the multi-layer network (300B): the remainder of the isolated network access and control area (320) excluding other devices in the isolated network access and control area (320).
[0139] This allows the computing device (312) to communicate with:
[0140] Other computing devices (313) of the fourth layer of penetration level have also been assigned within the isolated network access and control zone (320);
[0141] A defined external endpoint (325) located outside the isolated network access and control zone (320); and
[0142] Infrastructure application services (326) that are located in the multi-layer network (300B) and outside the isolated network access and control zone (320).
[0143] 23. The device (202) according to Clause 14, wherein, in order to determine the highest available tiered pass-through level for the computing device (312), the device (202) is configured to determine, based on a second confirmation by the switch (102) or the device (202) that the MAC address of the computing device (312) is in an internal database (322) associated with the authentication management device of the multi-layer network (300B), that the computing device (312) corresponds to a fifth tiered pass-through level, the fifth tiered pass-through level corresponding to the highest tiered level of the multi-layer network (300B), and
[0144] The authentication management device communicates with the switch (102) and is configured to dynamically update the internal database (322) using the MAC addresses of other computing devices (313) that are allowed to access the multilayer network (300B).
[0145] 24. The device (202) pursuant to Clause 23, the device is further configured to:
[0146] The fifth layer penetration level is assigned to the computing device (312); and the computing device (312) is authorized to access an isolated network access and control area (320) isolated from the remainder of the multi-layer network (300B): the remainder of the isolated network access and control area (320) excluding other devices in the isolated network access and control area (320).
[0147] This allows the computing device (312) to communicate with:
[0148] Other computing devices (313) for the fifth layer of penetration level have also been assigned;
[0149] A defined external endpoint (325) located outside the isolated network access and control zone (320);
[0150] Infrastructure application services (326) located within the multi-layer network (300B) and outside the isolated network access and control zone (320); and
[0151] The services on the multilayer network (300B) and at least one of the other computing devices (327).
[0152] Those skilled in the art to which these disclosed implementations pertain will conceive of many modifications and other implementations of the invention set forth herein, benefiting from the teachings presented in the foregoing description and associated drawings. Therefore, it is to be understood that implementations of the invention are not limited to the specific implementations disclosed, and modifications and other implementations are intended to be included within the scope of the invention. Moreover, although the foregoing description and associated drawings describe example implementations in the context of certain exemplary combinations of elements and / or functions, it should be appreciated that different combinations of elements and / or functions can be provided by alternative implementations without departing from the scope of this disclosure. In this regard, for example, combinations of elements and / or functions different from those explicitly described above are also contemplated within the scope of this disclosure. Although specific terminology is used herein, it is used only in a general and descriptive sense and not for limiting purposes.
[0153] It should be understood that although the terms first, second, etc., may be used herein to describe various steps or calculations, these steps or calculations should not be limited by these terms. These terms are used only to distinguish one operation or calculation from another. For example, without departing from the scope of this disclosure, a first calculation may be referred to as a second calculation, and similarly, a second step may be referred to as a first step. As used herein, the terms “and / or” and “ / ” include any one or more of the associated enumerated entries and all combinations thereof.
[0154] As used herein, unless the context explicitly indicates otherwise, the singular form of the description is intended to include the plural form. It should also be understood that the terms “comprise”, “comprising”, and “include” and / or “including”, when used herein, specify the presence of a defined feature, requirement, step, operation, element, and / or component, and do not exclude the presence or addition of one or more other features, requirements, steps, operations, elements, components, and / or combinations thereof. Therefore, the terminology used herein is for the purpose of describing a particular implementation only and is not intended to be restrictive.
Claims
1. A method (400) for controlling a computing device (312) to access a multi-layer network (300B) implementing a zero-trust architecture, the multi-layer network (300B) including a switch (102) and a device (202) for controlling access to multiple hierarchical levels of the multi-layer network (300B), the method (400) comprising the following steps: The device (202) receives (402) an access request message from the computing device (312) at the multilayer network (300B), the access request message including one or more identifiers associated with the computing device (312) for requesting access to the multilayer network (300B); The device (202) determines (404) the layer penetration level to be assigned to the computing device (312) among the plurality of layer levels of the multi-layer network (300B) based on one or more identifiers in the access request message, wherein the step of determining the layer penetration level to be assigned includes: The device (202) compares (406) the one or more identifiers of the access request message with a list of known identifiers and the corresponding known hierarchical penetration levels associated with the known identifiers, the list being stored in a database (322); and The device (202) determines (408) whether one or more identifiers of the access request message match any of the known identifiers in the list; If one or more identifiers in the access request message match any of the known identifiers in the list, then the device (202) assigns (410) the corresponding known layer penetration level to the computing device (312) as the layer penetration level of the computing device (312); or if one or more identifiers do not match any of the known identifiers in the list, then a default layer penetration level is assigned as the layer penetration level of the computing device (312); and The computing device (312) is granted (412) access and control privileges to the multi-layer network (300B), which allow access up to the permissible level in the hierarchical level of the multi-layer network (300B), the permissible level corresponding to the hierarchical penetration level assigned to the computing device (312). Wherein, the layered penetration level is the highest available layered penetration level for the computing device (312) based on the one or more identifiers among the layered levels of the multilayer network (300B), and The one or more identifiers include at least the MAC address associated with the computing device (312).
2. The method (400) according to claim 1, wherein, The step of determining the highest available layered pass-through level for the computing device (312) includes: determining, based on analysis of the MAC address, the communication protocol used by the computing device (312), and the authentication criteria associated with the computing device (312), a first layered pass-through level that should be assigned to the computing device (312), the first layered pass-through level corresponding to the lowest layered level of the multi-layer network (300B).
3. The method (400) according to claim 2, further comprising the following step: The device (202) assigns the first layer penetration level to the computing device (312), thereby granting the computing device (312) access and control privileges to an isolated network access and control area (320), which is separated from and does not communicate with the rest of the multilayer network (300B).
4. The method (400) according to claim 1, wherein, The step of determining the highest available tiered pass-through level for the computing device (312) includes: determining, based on analysis of the MAC address, that a second tiered pass-through level should be assigned to the computing device (312), the second tiered pass-through level corresponding to the second lowest tiered level of the multi-layer network (300B), the analysis of the MAC address including a first confirmation that the MAC address is in a computer inventory management database (322) associated with the authentication management device of the multi-layer network (300B), and The authentication management device communicates with the switch (102) and is configured to dynamically update the computer inventory management database (322) using an authorized MAC address.
5. The method (400) according to claim 4, further comprising the following step: The device (202) assigns the second layer penetration level to the computing device (312), thereby allowing the computing device (312) to access an isolated network access and control area (320) that is isolated from the rest of the multilayer network (300B): the rest of the isolated network access and control area (320) except for other devices in the isolated network access and control area (320); as well as The computing device (312) is permitted to communicate with other computing devices (313) within the isolated network access and control area (320) that have also been assigned the second layer penetration level.
6. The method (400) according to claim 1, wherein, The step of determining the highest available layered penetration level for the computing device (312) includes: based on the communication established between the computing device (312) and the proxy server (324), determining that a third layered penetration level should be assigned to the computing device (312), the third layered penetration level corresponding to the third lowest layered level of the multi-layer network (300B).
7. The method (400) according to claim 6, further comprising the step of: The device (202) assigns the third layer penetration level to the computing device (312), thereby allowing the computing device (312) to access the isolated network access and control area (320) which is isolated from the rest of the multilayer network (300B): the rest of the isolated network access and control area (320) except for other devices in the isolated network access and control area (320); as well as The computing device (312) is permitted to communicate with the following: Other computing devices (313) of the third layer penetration level have also been assigned within the isolated network access and control zone (320); and A defined external endpoint (325) located outside the isolated network access and control zone (320).
8. The method (400) according to claim 1, wherein, The step of determining the highest available layered penetration level for the computing device (312) includes: determining, based on the operating system component of the computing device (312) that is accepting network authentication certificates or tokens, that a fourth layered penetration level should be assigned to the computing device (312), the fourth layered penetration level corresponding to the second highest layered level of the multi-layer network (300B).
9. The method (400) according to claim 8, further comprising the step of: The device (202) assigns the fourth layer penetration level to the computing device (312), thereby allowing the computing device (312) to access the isolated network access and control area (320) which is isolated from the rest of the multilayer network (300B): the rest of the isolated network access and control area (320) except for other devices in the isolated network access and control area (320); as well as The computing device (312) is permitted to communicate with the following: Other computing devices (313) of the fourth layer of penetration level have also been assigned within the isolated network access and control zone (320). A defined external endpoint (325) located outside the isolated network access and control zone (320); and Infrastructure application services (326) that are located in the multi-layer network (300B) and outside the isolated network access and control zone (320).
10. The method (400) according to claim 1, wherein, The step of determining the highest available layered pass-through level for the computing device (312) includes: determining, based on a second confirmation that the MAC address of the computing device (312) is in an internal database (322) associated with the authentication management device of the multi-layer network (300B), that a fifth layered pass-through level should be assigned to the computing device (312), the fifth layered pass-through level corresponding to the highest layered level of the multi-layer network (300B), and The authentication management device communicates with the switch (102) and is configured to dynamically update the internal database (322) using the MAC addresses of other computing devices (313) that are allowed to access the multilayer network (300B).
11. The method (400) according to claim 10, further comprising the step of: The device (202) assigns the fifth layer penetration level to the computing device (312), thereby allowing the computing device (312) to access the isolated network access and control area (320) which is isolated from the rest of the multilayer network (300B): the rest of the isolated network access and control area (320) except for other devices in the isolated network access and control area (320); as well as The computing device (312) is permitted to communicate with the following: Other computing devices (313) for the fifth layer of penetration level have also been assigned. A defined external endpoint (325) located outside the isolated network access and control zone (320); Infrastructure application services (326) located within the multi-layer network (300B) and outside the isolated network access and control zone (320); and The services on the multilayer network (300B) and at least one of the other computing devices (327).
12. A device (202) for controlling a computing device (312) to access a multi-layer network (300B) implementing a zero-trust architecture, the multi-layer network (300B) including a switch (102) and the device (202) for controlling access to multiple hierarchical levels of the multi-layer network (300B), the device (202) including a non-transitory memory storing executable instructions that, when executed by one or more processors of the device (202), cause the device (202) to perform the following operations: The computing device (312) receives an access request message, the access request message including one or more identifiers associated with the computing device (312) for requesting access to the multilayer network (300B); Based on one or more identifiers within the access request message, the layer penetration level to be assigned to the computing device (312) among the plurality of layer levels of the multi-layer network (300B) is determined, wherein, Determining the layered penetration level to be assigned includes causing the device (202) to perform the following operations: The one or more identifiers of the access request message are compared with a list of known identifiers and the corresponding known hierarchical penetration levels associated with the known identifiers, the list being stored in a database (322); as well as Determine whether the one or more identifiers in the access request message match any of the known identifiers in the list; as well as If one or more identifiers in the access request message match any of the known identifiers in the list, the corresponding known layer penetration level is assigned as the layer penetration level of the computing device (312); or if one or more identifiers do not match any of the known identifiers in the list, a default layer penetration level is assigned as the layer penetration level of the computing device (312). The multi-layer network (300B) is configured to grant the computing device (312) access and control privileges to the multi-layer network (300B), the access and control privileges allowing access up to the permission level in the hierarchical level of the multi-layer network (300B), the permission level corresponding to the hierarchical penetration level assigned to the computing device (312). Wherein, the layered penetration level is the highest available layered penetration level for the computing device (312) based on the one or more identifiers among the layered levels of the multilayer network (300B), and The one or more identifiers include at least the MAC address associated with the computing device (312).
13. The device (202) according to claim 12, wherein, In order to determine the highest available layered pass-through level for the computing device (312), the device (202) is configured to determine, based on analysis of the MAC address, the communication protocol used by the computing device (312), and the authentication criteria associated with the computing device (312), a first layered pass-through level that should be assigned to the computing device (312), the first layered pass-through level corresponding to the lowest layered level of the multi-layer network (300B).
14. The device (202) of claim 13, further configured to assign the first layer penetration level to the computing device (312), thereby granting the computing device (312) access and control privileges to an isolated network access and control area (320), which is separated from and does not communicate with the rest of the multilayer network (300B).
15. The device (202) according to claim 12, wherein, To determine the highest available tiered pass-through level for the computing device (312), the device (202) is configured to determine, based on analysis of the MAC address, that a second tiered pass-through level should be assigned to the computing device (312), the second tiered pass-through level corresponding to the second lowest tiered level of the multi-layer network (300B), the analysis of the MAC address including a first confirmation that the MAC address is in a computer inventory management database (322) associated with the authentication management device of the multi-layer network (300B), and The authentication management device communicates with the switch (102) and is configured to dynamically update the computer inventory management database (322) using an authorized MAC address.
16. The device (202) according to claim 15, further configured to: The second layer of penetration level is assigned to the computing device (312); and The computing device (312) is authorized to access an isolated network access and control area (320) isolated from the remainder of the multilayer network (300B): the remainder of the isolated network access and control area (320) excluding other devices within it. This allows the computing device (312) to communicate with other computing devices (313) within the isolated network access and control area (320) that have also been assigned the second layer penetration level.
17. The device (202) according to claim 12, wherein, In order to determine the highest available layered penetration level for the computing device (312), the device (202) is configured to determine, based on the communication established between the computing device (312) and the proxy server (324), that a third layered penetration level should be assigned to the computing device (312), the third layered penetration level corresponding to the third lowest layered level of the multi-layer network (300B).
18. The device (202) according to claim 17, further configured to: The third layer penetration level is assigned to the computing device (312); and the computing device (312) is authorized to access an isolated network access and control area (320) isolated from the rest of the multilayer network (300B): the rest of the isolated network access and control area (320) excluding other devices in the isolated network access and control area (320). This allows the computing device (312) to communicate with: Other computing devices (313) of the third layer penetration level have also been assigned within the isolated network access and control zone (320); and A defined external endpoint (325) located outside the isolated network access and control zone (320).
19. The device (202) according to claim 12, wherein, In order to determine the highest available layered pass-through level for the computing device (312), the device (202) is configured to determine, based on the operating system component of the computing device (312) that is accepting network authentication certificates or tokens, that a fourth layered pass-through level should be assigned to the computing device (312), the fourth layered pass-through level corresponding to the second highest layered level of the multi-layer network (300B).
20. The device (202) according to claim 19, further configured to: The fourth layer penetration level is assigned to the computing device (312); and the computing device (312) is authorized to access an isolated network access and control area (320) isolated from the rest of the multilayer network (300B): the rest of the isolated network access and control area (320) excluding other devices in the isolated network access and control area (320). This allows the computing device (312) to communicate with: Other computing devices (313) of the fourth layer of penetration level have also been assigned within the isolated network access and control zone (320). A defined external endpoint (325) located outside the isolated network access and control zone (320); and Infrastructure application services (326) that are located in the multi-layer network (300B) and outside the isolated network access and control zone (320).
21. The device (202) according to claim 12, wherein, To determine the highest available tiered pass-through level for the computing device (312), the device (202) is configured to determine, based on a second confirmation by the switch (102) or the device (202) that the MAC address of the computing device (312) is in an internal database (322) associated with the authentication management device of the multi-layer network (300B), that the computing device (312) corresponds to a fifth tiered pass-through level, which corresponds to the highest tiered level of the multi-layer network (300B). The authentication management device communicates with the switch (102) and is configured to dynamically update the internal database (322) using the MAC addresses of other computing devices (313) that are allowed to access the multilayer network (300B).
22. The device (202) according to claim 21, further configured to: The fifth layer penetration level is assigned to the computing device (312); and the computing device (312) is authorized to access an isolated network access and control area (320) isolated from the rest of the multilayer network (300B): the rest of the isolated network access and control area (320) except for other devices in the isolated network access and control area (320). This allows the computing device (312) to communicate with: Other computing devices (313) for the fifth layer of penetration level have also been assigned. A defined external endpoint (325) located outside the isolated network access and control zone (320); Infrastructure application services (326) located within the multi-layer network (300B) and outside the isolated network access and control zone (320); and The services on the multilayer network (300B) and at least one of the other computing devices (327).