Method and apparatus for centralized policy programming and distributive policy enforcement

US 10,044,765 B2
Filed: 07/13/2016
Issued: 08/07/2018
Est. Priority Date: 03/25/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method for generating distributable network policy definitions, the method comprising:

executing instructions stored at a memory, wherein the execution of the instructions by a hardware processor;

receives a first network policy parameter from a user, the first network policy parameter including one or more rules that govern network activity,receives a second network policy parameter from the user, the second network policy parameter including information about a first set of one or more network devices to which the one or more rules of the first network policy parameter apply,receives a third network policy parameter from the user, the third network policy parameter including a rule trigger event, the rule trigger event indicating to a network policy generator that a network policy configuration should be generated based on the first, second, and third network policy parameters, wherein the network policy configuration associates a plurality of different vendors with one or more software program versions to be installed on the first set of one or more network devices,identifies the first, second, and third network policy parameters as collectively forming a network policy definition associated with a first subscriber and stored at a globally accessible server, wherein the network policy definition requires the one or more software versions to be consistent with the network policy configuration that associates the plurality of different vendors with the one or more software program versions, andstoring the second network policy definition in the globally accessible server, wherein the second network policy definition is associated with a configuration associated with a second set of one or more network devices and at least a second subscriber that is different from the first subscriber.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for centralized policy programming and distributive policy enforcement is described. A method comprises centrally maintaining a plurality of policy definitions for one or more subscribers, generating policy configurations using the plurality of policy definitions, each of the policy configurations being specific to one of the plurality of policy definitions, and disseminating the policy configurations to the appropriate ones of the subscribers'"'"' networks.

16 Citations

View as Search Results

20 Claims

1. A method for generating distributable network policy definitions, the method comprising:
- executing instructions stored at a memory, wherein the execution of the instructions by a hardware processor;
  
  receives a first network policy parameter from a user, the first network policy parameter including one or more rules that govern network activity,receives a second network policy parameter from the user, the second network policy parameter including information about a first set of one or more network devices to which the one or more rules of the first network policy parameter apply,receives a third network policy parameter from the user, the third network policy parameter including a rule trigger event, the rule trigger event indicating to a network policy generator that a network policy configuration should be generated based on the first, second, and third network policy parameters, wherein the network policy configuration associates a plurality of different vendors with one or more software program versions to be installed on the first set of one or more network devices,identifies the first, second, and third network policy parameters as collectively forming a network policy definition associated with a first subscriber and stored at a globally accessible server, wherein the network policy definition requires the one or more software versions to be consistent with the network policy configuration that associates the plurality of different vendors with the one or more software program versions, andstoring the second network policy definition in the globally accessible server, wherein the second network policy definition is associated with a configuration associated with a second set of one or more network devices and at least a second subscriber that is different from the first subscriber.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein a security function is associated with at least one of the first, the second, and the third policy network parameter according to a rule of the one or more rules identifies that a message be provided for display at a computer associated with a first user group.
  - 3. The method of claim 2, wherein a first access request is received from the computer associated with the first user group before the message is provided to the computer associated with the first user group, and the message displayed at the computer associated with the first user group identifies that a software configuration at the computer associated with the first user group must be updated before the access request will be allowed.
  - 4. The method of claim 3, wherein the software configuration at the computer associated with the first user group is updated after the message is displayed at the computer associated with the first user group, and the first access request is allowed after the software configuration at the computer is updated.
  - 5. The method of claim 1, wherein a security function associated with a rule of the one or more rules includes denying access to an access request from a computer associated with a first user group after the access request is received from the computer associated with the first user group.
  - 6. The method of claim 1, wherein the execution of the instructions by the computer processor identifies that a software configuration at a computer associated with a first user group should be updated according to the network policy definition, the network policy definition identifying that access requests from the computer associated with the first user group can be allowed for a first period of time after a first access request is received from the computer associated with the user group, and the first access request is allowed for the first period of time according to the network policy definition.
  - 7. The method of claim 1, wherein the network policy definition is stored at a computing device implementing the function of a choke point that controls the allowance of access requests associated from computers attempting to access resources in a computer network, and the choke point enforces the network policy definition according to at least one rule of the one or more rules.
  - 8. The method of claim 7, wherein the computing device implementing the function of the choke point is a host computer at the computer network.
  - 9. The method of claim 1, wherein the network policy definition is associated with a first local area network (LAN) and the second network policy definition is associated with a second local area network (LAN).
  - 10. The method of claim 1, wherein at least one of the network policy definition and the second network policy definition stored at the globally accessible server are accessible to a first user group and the second network policy definition cannot be configured by a user of the second user group.
  - 11. The method of claim 10, wherein one or more users associated with the first user group and one or more users associated with the second user group are each associated with a single organization.

12. An apparatus for generating distributable network policy definitions, the apparatus comprising:
- a network interface that;
  
  receives a first network policy parameter from a user, the first network policy parameter including one or more rules that govern network activity,receives a second network policy parameter from the user, the second network policy parameter including information about a first set of one or more network devices to which the one or more rules of the first network policy parameter apply, andreceives a third network policy parameter from the user, the third network policy parameter including a rule trigger event, the rule trigger event indicating to a network policy generator that a network policy configuration should be generated based on the first, second, and third network policy parameters, wherein the network policy configuration associates a plurality of different vendors associated with one or more specific software program versions that should be installed on the first set of one or more network devices;
  
  a memory; and
  
  a computer processor executing instructions out of the memory, wherein the execution of the instructions by the computer processor identifies that the first, second, and third network policy parameters as collectively forming a network policy definition associated with a first subscriber and stored at a globally accessible server, wherein the network policy definition requires the one or more software versions to be consistent with the network policy configuration that associates the plurality of different vendors with the one or more software program versions, and wherein the second network policy definition is also stored in the globally accessible server, wherein the second network policy definition is associated with a configuration associated with a second set of one or more network devices and at least a second subscriber that is different from the first subscriber.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The apparatus of claim 12, wherein a security function is associated with at least one of the first, the second, and the third policy network parameter according to a rule of the one or more rules identifies that a message be provided for display at a computer associated with a first user group.
  - 14. The apparatus of claim 13, wherein a first access request is received from the computer associated with the first user group before the message is provided to the computer associated with the first user group, and the message displayed at the computer associated with the first user group identifies that a software configuration at the computer associated with the first user group must be updated before the access request will be allowed.
  - 15. The apparatus of claim 14, wherein the software configuration at the computer associated with the first user group is updated after the message is displayed at the computer associated with the first user group, and the first access request is allowed after the software configuration at the computer is updated.
  - 16. The apparatus of claim 12, wherein a security function associated with a rule of the one or more rules includes denying access to an access request from a computer associated with a first user group after the access request is received from the computer associated with the first user group.
  - 17. The apparatus of claim 12, wherein the execution of the instructions by the computer processor identifies that a software configuration at a computer associated with a first user group should be updated according to the network policy definition, the network policy definition identifying that access requests from the computer associated with the first user group can be allowed for a first period of time after a first access request is received from the computer associated with the user group, and the first access request is allowed for the first period of time according to the network policy definition.
  - 18. The apparatus of claim 12, wherein the network policy definition is stored at a computing device implementing the function of a choke point that controls the allowance of access requests associated from computers attempting to access resources in a computer network, and the choke point enforces the network policy definition according to at least one rule of the one or more rules.
  - 19. The apparatus of claim 18, wherein the computing device implementing the function of the choke point is a host computer at the computer network.
  - 20. The apparatus of claim 12, wherein the network policy definition and a second network policy definition are stored at a server globally accessible to a first user group and to a second user group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SonicWALL US Holdings, Inc. (SonicWall Holdings Ltd.)
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Yanovsky, Boris, Yanovsky, Roman
Primary Examiner(s)
Madamba, Glenford

Application Number

US15/209,125
Publication Number

US 20160323323A1
Time in Patent Office

755 Days
Field of Search

709224
US Class Current
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Method and apparatus for centralized policy programming and distributive policy enforcement

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for centralized policy programming and distributive policy enforcement

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links