Delivering security functions to distributed networks
First Claim
1. A method comprising:
- getting a security policy for a data network, the security policy allowing and/or prohibiting communications between a plurality of network assets and indicating groupings of the plurality of network assets using a common security characteristic corresponding to the respective grouping;
initiating compilation of the security policy to produce a rule set, the rule set blocking communication between specific ones of the plurality of network assets using at least one of a source address, source port, destination address, destination port, and an application protocol associated with the communication;
providing the rule set to at least one enforcement point;
receiving analytics corresponding to change in data traffic in the data network, the analytics produced by a logging module;
calculating a risk score corresponding to the analytics of the data network, the risk score being a measurement of relative security corresponding to the plurality of network assets;
initiating a re-compiling of the security policy to produce an updated rule set using the calculated risk score; and
disseminating the updated rule set to the at least one enforcement point.
3 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
119 Citations
19 Claims
-
1. A method comprising:
-
getting a security policy for a data network, the security policy allowing and/or prohibiting communications between a plurality of network assets and indicating groupings of the plurality of network assets using a common security characteristic corresponding to the respective grouping; initiating compilation of the security policy to produce a rule set, the rule set blocking communication between specific ones of the plurality of network assets using at least one of a source address, source port, destination address, destination port, and an application protocol associated with the communication; providing the rule set to at least one enforcement point; receiving analytics corresponding to change in data traffic in the data network, the analytics produced by a logging module; calculating a risk score corresponding to the analytics of the data network, the risk score being a measurement of relative security corresponding to the plurality of network assets; initiating a re-compiling of the security policy to produce an updated rule set using the calculated risk score; and disseminating the updated rule set to the at least one enforcement point. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A system comprising:
-
a plurality of hardware network assets; at least one enforcement point; a policy engine communicatively coupled to the at least one enforcement point, the policy engine generating a security policy for a data network that allows and/or prohibits communications between the plurality of hardware network assets and indicating groupings of the plurality of hardware network assets using a common security characteristic corresponding to the respective grouping; a compiler communicatively coupled to the policy engine, the compiler producing a rule set, the rule set blocking communication between specific ones of the plurality of hardware network assets; a distributed security processor communicatively coupled to the policy engine, the compiler, and the at least one enforcement point, the distributed security processor providing the rule set to the at least one enforcement point; a logging module communicatively coupled to at least one of a switch, the at least one enforcement point, and the distributed security processor, the logging module generating analytics corresponding to change in data traffic in the data network; and an analytics module communicatively coupled to the logging module and the compiler, the analytics module calculating a risk score associated with the analytics of the data network, the risk score being a measurement of relative security corresponding to the plurality of hardware network assets, the compiler producing an updated rule set using the risk score and the distributed security processor disseminating the updated rule set to the at least one enforcement point. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. A method comprising:
-
generating, by a policy engine, a security policy for a data network, the security policy allowing and/or prohibiting communications between a plurality of network assets and indicating groupings of the plurality of network assets using a common security characteristic corresponding to the respective grouping; initiating, by a compiler, compilation of the security policy to produce a rule set, the rule set blocking communication between specific ones of the plurality of network assets using at least one of a source address, source port, destination address, destination port, and an application protocol associated with the communication; providing, by a distributed security processor, the rule set to at least one enforcement point; producing, by a logging module, analytics corresponding to change in data traffic in the data network; calculating, by an analytics module, a risk score corresponding to the analytics of the data network, the risk score being a measurement of relative security corresponding to the plurality of network asset; initiating, by the analytics module, a re-compiling of the security policy by the compiler to produce an updated rule set using the calculated risk score; and disseminating, by the distributed security processor, the updated rule set to the at least one enforcement point.
-
Specification