Policy management system with proactive and reactive monitoring and enforcement

US 10,044,570 B2
Filed: 09/30/2014
Issued: 08/07/2018
Est. Priority Date: 08/22/2014
Status: Active Grant

First Claim

Patent Images

1. A method to monitor a network to prevent violations of network policies, the method comprising:

simulating, by executing an instruction with a processor, application of a change to a first set of network state data in temporary memory to generate simulated network state data by determining at least one of (A) a first set of data tuples that will be added or (B) a second set of data tuples that will be removed when the change to the first set of network state data occurs in a first cloud management application, the change identified in a request received from the first cloud management application;

analyzing, by executing an instruction with the processor, the simulated network state data stored in the temporary memory to determine if the change violates a network policy declared for the network;

enforcing the network policy proactively by;

issuing, by executing an instruction with the processor, a first command to the first cloud management application to permit the change in the first cloud management application when the simulated network state data does not violate the network policy;

issuing, by executing an instruction with the processor, a second command to the first cloud management application to prevent the change in the first cloud management application when the simulated network state data violates the network policy; and

enforcing the network policy reactively by;

determining, by executing an instruction with the processor, that a third set of data tuples of updated network state data corresponding to a storage network match a violation condition specified by the network policy; and

issuing, by executing an instruction with the processor, a third command to a second cloud management application to modify the network state data corresponding to the storage network into modified network state data that does not violate the network policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide a method for a system that monitors a network to prevent violations of network policies. The method stores network state data that describes the network. The method identifies that a first set of stored network state data violates a particular policy declared for the network. The method issues a command to a first cloud management application to modify the network state data such that the modified network state data does not violate the particular policy. The method determines whether a requested action that modifies a second set of network state data, received from a second cloud management application, violates any policies. The method responds to the second cloud management application to permit the requested change when the modified second set of network state data does not violate any policies and deny the requested change when the modified second set of network state data violates the particular policy.

Citations

17 Claims

1. A method to monitor a network to prevent violations of network policies, the method comprising:
- simulating, by executing an instruction with a processor, application of a change to a first set of network state data in temporary memory to generate simulated network state data by determining at least one of (A) a first set of data tuples that will be added or (B) a second set of data tuples that will be removed when the change to the first set of network state data occurs in a first cloud management application, the change identified in a request received from the first cloud management application;
  
  analyzing, by executing an instruction with the processor, the simulated network state data stored in the temporary memory to determine if the change violates a network policy declared for the network;
  
  enforcing the network policy proactively by;
  
  issuing, by executing an instruction with the processor, a first command to the first cloud management application to permit the change in the first cloud management application when the simulated network state data does not violate the network policy;
  
  issuing, by executing an instruction with the processor, a second command to the first cloud management application to prevent the change in the first cloud management application when the simulated network state data violates the network policy; and
  
  enforcing the network policy reactively by;
  
  determining, by executing an instruction with the processor, that a third set of data tuples of updated network state data corresponding to a storage network match a violation condition specified by the network policy; and
  
  issuing, by executing an instruction with the processor, a third command to a second cloud management application to modify the network state data corresponding to the storage network into modified network state data that does not violate the network policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the network policy is represented by a set of conditions describing data tuples in the network state data.
  - 3. The method of claim 1, wherein the network state data includes a plurality of data tuples corresponding to resources accessing the network.
  - 4. The method of claim 1, wherein the issuing of the third command includes:
    - identifying a second policy declared for the network that specifies (1) actions that the first and second cloud management applications can take, and (2) effects on the network state of the specified actions;
      
      calculating, based on the second policy, a set of actions that will remove the violation; and
      
      issuing the third command to the second cloud management application to perform the set of actions.
  - 5. The method of claim 4, wherein the set of actions is the only set of actions calculated.
  - 6. The method of claim 4, wherein the set of actions includes a plurality of actions, the method further including issuing a fourth command to a third cloud management application to modify the network state data based on the set of actions.
  - 7. The method of claim 4, further including:
    - calculating a plurality of different sets of actions;
      
      presenting the plurality of sets of actions to a user through a user interface; and
      
      receiving a selection through the user interface of one of the different sets of actions.
  - 8. The method of claim 7, further including presenting (1) an explanation of the violation and (2) the different sets of actions possible to remedy the violation.
  - 9. The method of claim 7, wherein the user is a network administrator.
  - 10. The method of claim 7, further including caching the selected one of the sets of actions to use automatically for future violations.

11. A machine readable medium comprising instructions that, when executed, cause a processor to at least:
- simulate application of a change to a first set of network state data in temporary memory to generate simulated network state data by determining at least one of (A) a first set of data tuples that will be added or (B) a second set of data tuples that will be removed when the change to the first set of network state data occurs in a first cloud management application, the change identified in a request received from the first cloud management application;
  
  analyze the simulated network state data stored in the temporary memory to determine if the change violates a network policy declared for the network;
  
  enforce the network policy proactively by;
  
  issuing a first command to the first cloud management application to permit the change in the first cloud management application when the simulated network state data does not violate the network policy;
  
  issuing a second command to the first cloud management application to prevent the change in the first cloud management application when the simulated network state data violates the network policy; and
  
  enforce the network policy reactively by;
  
  determining that a third set of data tuples of updated network state data corresponding to a storage network match a violation condition specified by the network policy; and
  
  issuing a third command to a second cloud management application to modify the network state data corresponding to a storage network into modified network state data that does not violate the network policy.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The machine readable medium of claim 11, wherein the network policy is represented by a set of conditions describing data tuples in the network state data.
  - 13. The machine readable medium of claim 11, wherein the network state data includes a plurality of data tuples corresponding to resources accessing the network.
  - 14. The machine readable medium of claim 11, wherein the instructions cause the processor to:
    - identify a second policy declared for the network that specifies (1) actions that the first and second cloud management applications can take, and (2) effects on the network state of the specified actions;
      
      calculate, based on the second policy, a set of actions that will remove the violation; and
      
      issue the third command to the second cloud management application to perform the set of actions.
  - 15. The machine readable medium of claim 14, wherein the instructions cause the processor to:
    - calculate a plurality of different sets of actions;
      
      present the plurality of sets of actions to a user through a user interface; and
      
      receive a selection through the user interface of one of the different sets of actions.
  - 16. The machine readable medium of claim 15, wherein the instructions cause the processor to cache the selected one of the sets of actions to use automatically for future violations.
  - 17. The machine readable medium of claim 14, wherein the set of actions includes a plurality of actions, the instructions to cause the processor to issue a fourth command to a third cloud management application to modify the network state data based on the set of actions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Hinrichs, Timothy, Balland, III, Peter J., Casado, Martin, Ettori, Pierre-Emmanuel
Primary Examiner(s)
Whipple, Brian
Assistant Examiner(s)
Rotolo, Anthony T

Application Number

US14/503,122
Publication Number

US 20160057026A1
Time in Patent Office

1,407 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 15/173   using an interconnection ne...

G06F 16/2379   Updates performed during on...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/145   involving simulating, desig...

H04L 41/5009   Determining service level p...

H04L 41/5022   by giving priorities, e.g. ...

H04L 41/5025   by proactively reacting to ...

H04L 43/062   related to network traffic

H04L 47/70   Admission control; Resource...

Policy management system with proactive and reactive monitoring and enforcement

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Policy management system with proactive and reactive monitoring and enforcement

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links