Methods and systems for managing security policies

US 10,110,632 B2
Filed: 03/31/2003
Issued: 10/23/2018
Est. Priority Date: 03/31/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

dynamically detecting, on a first security device, security information obtained from a second security-enabled device over a network connection between the first security device and the second security-enabled device, wherein the security information is related to activity occurring on the second security-enabled device detected by a security mechanism of the second security-enabled device and produced in a first data format specific to the security mechanism that is already processing on the second security-enabled device;

normalizing the security information from the first data format into an intermediate data format before being processed by the first security device;

recording the normalized security information in a data repository; and

dynamically pushing from the first security device a security policy in response to the normalized security information to the second security-enabled device over the network in the first data format for enforcement on the second security-enabled device, and wherein enforcement occurs on the second security-enabled device, and wherein the security policy is an executable script and the security-enabled device automatically and dynamically executes the executable script to provide adaptive and dynamic security policy detection and enforcement.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, machines, and systems manage security policies of heterogeneous infrastructure and computing devices of a network. Security policy repository houses security policies that are pushed over the network by a policy decision point PDP to appropriate security-enabled devices (policy enforcement points (PEPs)) for enforcement. Using a closed feedback loop, a policy feedback point (PFP) collects and processes data from intrusions, alerts, violations, and other abnormal behaviors from a variety of PEPs or logs produced from PEPs. This data is sent as feedback to the policy repository. The PDP detects the data and analyzes it to determine if policy updates (which can be dynamic and automatic) need to be adaptively made and dynamically pushed to PEPs. The PDP can also send console messages or alerts to consoles or administrators.

25 Citations

View as Search Results

24 Claims

1. A method comprising:
- dynamically detecting, on a first security device, security information obtained from a second security-enabled device over a network connection between the first security device and the second security-enabled device, wherein the security information is related to activity occurring on the second security-enabled device detected by a security mechanism of the second security-enabled device and produced in a first data format specific to the security mechanism that is already processing on the second security-enabled device;
  
  normalizing the security information from the first data format into an intermediate data format before being processed by the first security device;
  
  recording the normalized security information in a data repository; and
  
  dynamically pushing from the first security device a security policy in response to the normalized security information to the second security-enabled device over the network in the first data format for enforcement on the second security-enabled device, and wherein enforcement occurs on the second security-enabled device, and wherein the security policy is an executable script and the security-enabled device automatically and dynamically executes the executable script to provide adaptive and dynamic security policy detection and enforcement.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising triggering a security policy change associated with a security policy based on at least a portion of the recorded normalized security information.
  - 3. The method of claim 1 further comprising evaluating the security policy based on at least a portion of the recorded normalized security information.
  - 4. The method of claim 1 wherein in detecting, the security information is detected using at least one of a security transaction protocol and a security transaction command line interface.
  - 5. The method of claim 1 wherein in detecting, the security information is associated with at least one of security intrusions, security alerts, security violations, and abnormal behaviors occurring on the second security-enabled device.
  - 6. The method of claim 1 wherein in recording, the normalized security information provides dynamic policy feedback to one or more security policies.

7. A method, comprising:
- dynamically and centrally distributing security policies from a policy repository on a first device to one or more security-enabled devices, wherein the policy is distributed as a file or parameters and in specific recognized formats by existing security mechanisms processing on the one or more security enabled devices;
  
  dynamically enforcing a number of the security policies on one or more of the security-enabled devices;
  
  dynamically tracking security transactions on each of the one or more security-enabled devices, wherein each of the one or more security-enabled devices use its own security mechanism to record its security transactions in its own specific data format and normalizing security information associated with the security transactions before processing the security transactions;
  
  updating the policy repository on the first device based on the tracked security transactions; and
  
  dynamically pushing a dynamically created or dynamically altered security policy to one or more of the security-enabled device from the first device in response to the updated policy repository in the specific formats recognized by the one or more security-enabled devices, the altered security policy is a script and each of the one or more security-enabled devices automatically and dynamically execute the script to provide adaptive and dynamic security policy enforcement.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7 wherein in distributing, the policy repository is at least one of a data warehouse, a database, and an electronic file.
  - 9. The method of claim 7 wherein in distributing, the one or more security-enabled devices include at least one of a firewall, a router, a switch, a network bridge, a gateway, a network hub, a client, a peripheral device, a security resource, an intrusion detection system, and a server.
  - 10. The method of claim 7 wherein in tracking, one or more automated applications detect when a security violation occurs on one or more of the security-enabled devices and traps security information for the security violation.
  - 11. The method of claim 7 wherein in updating, the recorded security transactions are translated into a normalized data format before being updated to the policy repository.

12. A system, comprising:
- a policy repository having one or more security policies for a network and administered from a first device over a network;
  
  a security-enabled device to enforce one or more of the security policies dynamically provided from the policy repository via the first device, the security policies are scripts and the security-enabled device automatically and dynamically is to execute the scripts to provide adaptive and dynamic security policy enforcement, wherein the security enabled device is externally accessed over the network from the first device, and wherein the security-enabled device uses its own security mechanism to monitor and capture information about security transactions occurring on the security-enabled device and has its own specific data format for monitoring and capturing the information and wherein the security policies are supplied in that specific data format to the security mechanism;
  
  a feedback application to dynamically monitor security transactions on the security-enabled device and to dynamically update the policy repository on the first device with security information based on the security transactions, and wherein security information associated with the security transactions are normalized into a normalized data format before the feedback application processes the security transactions.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12 further comprising one or more policy decision point translators to push the one or more security policies from the policy repository to the security-enabled device for enforcement.
  - 14. The system of claim 13 wherein the one or more policy decision point translators retrieve the one or more security policies from the policy repository in an intermediate data format and use translator applications to translate the one or more security policies to a desired data format used by the security-enabled device for enforcement.
  - 15. The system of claim 12 wherein the policy repository is a collection of data stores logically assembled as the policy repository based on a specific schema.
  - 16. The system of claim 15 wherein a number of the data stores are remote from other ones of the data stores.
  - 17. The system of claim 12 wherein feedback application utilizes security protocols of the security-enabled device to monitor security events on the network.
  - 18. The system of claim 12 wherein the feedback application normalizes the security information into a data format used by the policy repository before updating the policy repository with the security information.

19. A non-transitory machine-readable medium having executable instructions that when executed by a machine, perform a method to:
- dynamically push security policies from a policy repository on a first device to one or more security-enabled devices over a network in data formats specifically recognized and used by the one or more security-enabled devices, the policy is a script and each of the one or more security-enabled devices is to automatically and dynamically execute the script to provide adaptive and dynamic security policy enforcement;
  
  dynamically enforce, by the one or more security-enabled devices, the security policies in each of the data formats recognized and used;
  
  dynamically monitor security events occurring on the managed network from the first device, wherein the security events are independently captured by each of the one or more security-enabled devices in each of the one or more security-enabled device'"'"'s data format;
  
  dynamically normalize security information associated with the security events on the first device before the security information is processed, wherein the each independent data format for the security events are normalized to a intermediate format before being processing by the first device; and
  
  dynamically update the policy repository with the normalized security information on the first device, and wherein in response to the normalized security information a policy decision translator sends an alert with policy change information included within the alert when no change occurs in existing policy and when an end-user is to be notified of a suggested policy change via the policy change information, wherein the end-user is associated with the first device.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The non-transitory machine-readable medium of claim 19 further comprising, instructions to:
    - use at least a portion of the updated normalized security information to adjust a number of the security policies.
  - 21. The non-transitory machine-readable medium of claim 20 further comprising, instructions to:
    - trigger from the policy repository a number of security-related applications for execution based on at least a portion of the updated normalized security information.
  - 22. The non-transitory machine-readable medium of claim 19 wherein in the push instruction, the policy repository interfaces with security editing applications.
  - 23. The non-transitory machine-readable medium of claim 19 wherein in the monitor instruction, native security protocols and commands used by the security-enabled devices are used to acquire the security information associated with security events occurring on the managed network.
  - 24. The non-transitory machine-readable medium of claim 19 wherein in the normalize instruction, the security information is translated from a native data format to an intermediate data format used by the policy repository.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Li, Hong C., Sahita, Ravi, Yadav, Satyendra
Primary Examiner(s)
Kyle, Tamara T

Application Number

US10/404,978
Publication Number

US 20040193912A1
Time in Patent Office

5,685 Days
Field of Search

713200-202, 709224-229
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 41/08   Configuration management of...

H04L 41/0816   the condition being an adap...

H04L 41/085   Retrieval of network config...

H04L 41/0856   by backing up or archiving ...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Methods and systems for managing security policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for managing security policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links