Policy management system with proactive and reactive monitoring and enforcement
First Claim
1. A method to monitor a network to prevent violations of network policies, the method comprising:
simulating, by executing an instruction with a processor, application of a change to a first set of network state data in temporary memory to generate simulated network state data by determining at least one of (A) a first set of data tuples that will be added or (B) a second set of data tuples that will be removed when the change to the first set of network state data occurs in a first cloud management application, the change identified in a request received from the first cloud management application;
analyzing, by executing an instruction with the processor, the simulated network state data stored in the temporary memory to determine if the change violates a network policy declared for the network;
enforcing the network policy proactively by:
issuing, by executing an instruction with the processor, a first command to the first cloud management application to permit the change in the first cloud management application when the simulated network state data does not violate the network policy;
issuing, by executing an instruction with the processor, a second command to the first cloud management application to prevent the change in the first cloud management application when the simulated network state data violates the network policy; and
enforcing the network policy reactively by:
determining, by executing an instruction with the processor, that a third set of data tuples of updated network state data corresponding to a storage network match a violation condition specified by the network policy; and
issuing, by executing an instruction with the processor, a third command to a second cloud management application to modify the network state data corresponding to the storage network into modified network state data that does not violate the network policy.
2 Assignments
0 Petitions
Accused Products
Abstract
Some embodiments provide a method for a system that monitors a network to prevent violations of network policies. The method stores network state data that describes the network. The method identifies that a first set of stored network state data violates a particular policy declared for the network. The method issues a command to a first cloud management application to modify the network state data such that the modified network state data does not violate the particular policy. The method determines whether a requested action that modifies a second set of network state data, received from a second cloud management application, violates any policies. The method responds to the second cloud management application to permit the requested change when the modified second set of network state data does not violate any policies and deny the requested change when the modified second set of network state data violates the particular policy.
Citations
17 Claims
1. A method to monitor a network to prevent violations of network policies, the method comprising:
simulating, by executing an instruction with a processor, application of a change to a first set of network state data in temporary memory to generate simulated network state data by determining at least one of (A) a first set of data tuples that will be added or (B) a second set of data tuples that will be removed when the change to the first set of network state data occurs in a first cloud management application, the change identified in a request received from the first cloud management application;
analyzing, by executing an instruction with the processor, the simulated network state data stored in the temporary memory to determine if the change violates a network policy declared for the network;
enforcing the network policy proactively by:
issuing, by executing an instruction with the processor, a first command to the first cloud management application to permit the change in the first cloud management application when the simulated network state data does not violate the network policy;
issuing, by executing an instruction with the processor, a second command to the first cloud management application to prevent the change in the first cloud management application when the simulated network state data violates the network policy; and
enforcing the network policy reactively by:
determining, by executing an instruction with the processor, that a third set of data tuples of updated network state data corresponding to a storage network match a violation condition specified by the network policy; and
issuing, by executing an instruction with the processor, a third command to a second cloud management application to modify the network state data corresponding to the storage network into modified network state data that does not violate the network policy.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A machine readable medium comprising instructions that, when executed, cause a processor to at least:
simulate application of a change to a first set of network state data in temporary memory to generate simulated network state data by determining at least one of (A) a first set of data tuples that will be added or (B) a second set of data tuples that will be removed when the change to the first set of network state data occurs in a first cloud management application, the change identified in a request received from the first cloud management application;
analyze the simulated network state data stored in the temporary memory to determine if the change violates a network policy declared for the network;
enforce the network policy proactively by:
issuing a first command to the first cloud management application to permit the change in the first cloud management application when the simulated network state data does not violate the network policy;
issuing a second command to the first cloud management application to prevent the change in the first cloud management application when the simulated network state data violates the network policy; and
enforce the network policy reactively by:
determining that a third set of data tuples of updated network state data corresponding to a storage network match a violation condition specified by the network policy; and
issuing a third command to a second cloud management application to modify the network state data corresponding to a storage network into modified network state data that does not violate the network policy.
Dependent claims: 12, 13, 14, 15, 16, 17
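Worked example (added here; this is not code from the patent or its assignee): the two enforcement paths claimed in claims 1 and 11 as a small policy engine over tuple-based network state. The proactive path simulates a request as tuples added and removed in a copy of the state and returns a permit or deny command; the reactive path scans the current state for tuples matching a violation condition and emits remediation commands. The (subject, predicate, object) tuple vocabulary, the "storage-isolation" policy, the application name "cmp-b" and the sample state are constructed for illustration and are not taken from the patent.

```python
"""Added example, not the patent's own code: proactive (simulate, then
permit/deny) and reactive (scan, then remediate) policy enforcement over a
set of network-state tuples.  Tuple vocabulary, policy, application name
and sample state are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# Network state is a set of (subject, predicate, object) tuples.
Fact = Tuple[str, str, str]
State = FrozenSet[Fact]


@dataclass(frozen=True)
class Change:
    """A requested change, expressed as the tuples it adds and removes."""
    adds: FrozenSet[Fact] = frozenset()
    removes: FrozenSet[Fact] = frozenset()


@dataclass(frozen=True)
class Policy:
    name: str
    # Returns the subset of tuples matching the policy's violation condition.
    violation: Callable[[State], FrozenSet[Fact]]
    # Maps violating tuples to commands for a cloud management application.
    remediate: Callable[[FrozenSet[Fact]], List[Dict[str, str]]]


def simulate(state: State, change: Change) -> State:
    """Apply the change to a copy of the state; the live state is untouched."""
    return frozenset((state - change.removes) | change.adds)


def proactive(state: State, change: Change, policies: List[Policy]) -> Dict:
    """Simulate the request and deny it if it introduces a new violation.

    Only violations absent from the current state count against the request:
    pre-existing drift is left to the reactive path, otherwise every request
    would be denied until the drift is cleaned up.
    """
    sim = simulate(state, change)
    introduced = {}
    for p in policies:
        new = p.violation(sim) - p.violation(state)
        if new:
            introduced[p.name] = new
    return {"command": "deny" if introduced else "permit",
            "violations": introduced}


def reactive(state: State, policies: List[Policy]) -> List[Dict[str, str]]:
    """Scan the current state and emit remediation commands for every match."""
    commands: List[Dict[str, str]] = []
    for p in policies:
        matched = p.violation(state)
        if matched:
            commands.extend(p.remediate(matched))
    return commands


# Constructed policy: only VMs owned by "infra" may attach to the storage network.
STORAGE_NET = "storage-net"


def storage_isolation_violation(state: State) -> FrozenSet[Fact]:
    infra_vms = {s for (s, p, o) in state if p == "owned_by" and o == "infra"}
    return frozenset(
        f for f in state
        if f[1] == "attached_to" and f[2] == STORAGE_NET and f[0] not in infra_vms
    )


def storage_isolation_remediate(bad: FrozenSet[Fact]) -> List[Dict[str, str]]:
    # "cmp-b" is a hypothetical second cloud management application.
    return [{"app": "cmp-b", "action": "detach", "vm": vm, "segment": seg}
            for (vm, _, seg) in sorted(bad)]


POLICIES = [Policy("storage-isolation", storage_isolation_violation,
                   storage_isolation_remediate)]

# Constructed sample state; vm-3 is pre-existing drift that already violates.
STATE: State = frozenset({
    ("vm-1", "owned_by", "infra"),
    ("vm-1", "attached_to", STORAGE_NET),
    ("vm-2", "owned_by", "tenant-a"),
    ("vm-2", "attached_to", "tenant-a-net"),
    ("vm-3", "owned_by", "tenant-b"),
    ("vm-3", "attached_to", STORAGE_NET),
})

# Two constructed requests from a first cloud management application.
ATTACH_VM2 = Change(adds=frozenset({("vm-2", "attached_to", STORAGE_NET)}))
MOVE_VM2 = Change(adds=frozenset({("vm-2", "attached_to", "tenant-b-net")}),
                  removes=frozenset({("vm-2", "attached_to", "tenant-a-net")}))

if __name__ == "__main__":
    print(proactive(STATE, ATTACH_VM2, POLICIES))  # deny
    print(proactive(STATE, MOVE_VM2, POLICIES))    # permit despite vm-3 drift
    print(reactive(STATE, POLICIES))               # detach vm-3
```

The violation predicate is evaluated over the whole simulated state rather than over the added tuples alone, because a change can both add and remove tuples whose effect only shows in combination. The proactive path subtracts violations already present in the live state so that drift discovered later (vm-3 here) does not block unrelated requests; cleaning that drift up is what the reactive path and its command to the second application are for.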
Specification