Security policy unification across different security products

US 10,116,702 B2
Filed: 04/27/2017
Issued: 10/30/2018
Est. Priority Date: 01/20/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

displaying multiple icons, each icon representing an actor or a resource in a networking environment;

defining a generic security policy by receiving user input in the form of a line drawn between a first icon representing an actor and a second icon representing a resource to control abilities between the actor and the resource, wherein the line represents;

that abilities between the actor and the resource are allowed or denied when the line has a first characteristic and a second characteristic, respectively;

that traffic between the actor and the resource is to be monitored or is not to be monitored when the line has a third characteristic and a fourth characteristic that include respective colors of the line that indicate that the traffic is to be monitored or is not to be monitored, respectively; and

a level of security risk when the line has a fifth characteristic that includes a color of the line that represents the level of the security risk;

translating the generic security policy to multiple native security policies each of which is based on a corresponding one of multiple native policy models associated with corresponding ones of multiple security devices; and

supplying data descriptive of the multiple native security policies to the corresponding ones of the security devices to configure the corresponding ones of the security devices to implement the native security policies.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A management entity generates for display multiple icons, each icon representing an actor or a resource in a networking environment, and defines a generic security policy by receiving user input in the form of a line drawn between a first icon representing an actor and a second icon representing a resource to control abilities between the actor and the resource. The management entity translates the generic security policy to multiple native security policies each of which is based on a corresponding one of multiple native policy models associated with corresponding ones of multiple security devices, and supply data descriptive of the multiple native security policies to the corresponding ones of the security devices to configure the corresponding ones of the security devices to implement the native security policies.

Citations

20 Claims

1. A computer-implemented method comprising:
- displaying multiple icons, each icon representing an actor or a resource in a networking environment;
  
  defining a generic security policy by receiving user input in the form of a line drawn between a first icon representing an actor and a second icon representing a resource to control abilities between the actor and the resource, wherein the line represents;
  
  that abilities between the actor and the resource are allowed or denied when the line has a first characteristic and a second characteristic, respectively;
  
  that traffic between the actor and the resource is to be monitored or is not to be monitored when the line has a third characteristic and a fourth characteristic that include respective colors of the line that indicate that the traffic is to be monitored or is not to be monitored, respectively; and
  
  a level of security risk when the line has a fifth characteristic that includes a color of the line that represents the level of the security risk;
  
  translating the generic security policy to multiple native security policies each of which is based on a corresponding one of multiple native policy models associated with corresponding ones of multiple security devices; and
  
  supplying data descriptive of the multiple native security policies to the corresponding ones of the security devices to configure the corresponding ones of the security devices to implement the native security policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the second characteristic includes a color of the line that represents that the abilities between the actor and the resource are denied.
  - 3. The method of claim 1, wherein the respective colors of the third characteristic and the fourth characteristic include blue and green.
  - 4. The method of claim 1, further comprising determining whether access between the actor and the resource is permitted based on whether there is an arrow on the line drawn between the first icon representing the actor and the second icon representing the resource.
  - 5. The method of claim 1, wherein the defining includes receiving user input in which the line intersects a third icon representing a network security device between the actor and the resource, and the line representing:
    - whether to allow or block abilities between the actor and the resource;
      
      whether traffic between the actor and the resource is to be monitored;
      
      or whether access between the actor and the resource is permitted.
  - 6. The method of claim 1, wherein:
    - the displaying includes displaying a visualization of a network environment including network icons representing respective visualized network zones at corresponding locations, and device icons representing one or more actors and one or more resources in corresponding ones of the visualized network domains, and one or more network security devices; and
      
      the receiving includes receiving the user input in the form of the line drawn between the first icon representing the actor in a first visualized network zone and the second icon representing the resource in a second visualized network zone.
  - 7. The method of claim 1, wherein:
    - the defining the generic security policy comprises interpreting the line drawn between the first icon representing the actor and the second icon representing the resource so as to generate in accordance with a generic policy model one or more generic security rules for configuring one or more security devices in a path between the actor and the resource; and
      
      the translating includes converting the one or more generic security rules to one or more native rules of a native rule set based on a native rule policy model associated with the one or more security devices.
  - 8. The method of claim 7, wherein:
    - the one or more generic security rules each includes generic rule components in the form;
      
      if {principal} tries to perform an {action} on {resource} then {result}; and
      
      the translating includes mapping the generic rule components to native rule parameters of native security rules including a network protocol and at least one of a source address and a destination address.
  - 9. The method of claim 1, further comprising:
    - displaying delineated regions in which the multiple icons may reside to indicate whether an actor or a resource is located within or outside a network zone.
  - 10. The method of claim 1, wherein the generic security policy includes rule parameters to control the access based on representations of a network protocol and at least one of a source address and a destination address.

11. An apparatus comprising:
- a network interface unit to connect with a network; and
  
  a processor coupled to the network interface unit to;
  
  generate for display multiple icons, each icon representing an actor or a resource in a networking environment;
  
  define a generic security policy by receiving user input in the form of a line drawn between a first icon representing an actor and a second icon representing a resource to control abilities between the actor and the resource, wherein the line represents;
  
  that abilities between the actor and the resource are allowed or denied when the line has a first characteristic and a second characteristic, respectively;
  
  that traffic between the actor and the resource is to be monitored or is not to be monitored when the line has a third characteristic and a fourth characteristic that include respective colors of the line that indicate that the traffic is to be monitored or is not to be monitored, respectively; and
  
  a level of security risk when the line has a fifth characteristic that includes a color of the line that represents the level of the security risk;
  
  translate the generic security policy to multiple native security policies each of which is based on a corresponding one of multiple native policy models associated with corresponding ones of multiple security devices; and
  
  supply data descriptive of the multiple native security policies to the corresponding ones of the security devices to configure the corresponding ones of the security devices to implement the native security policies.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11, wherein the second characteristic includes a color of the line that represents that the abilities between the actor and the resource are denied.
  - 13. The apparatus of claim 11, wherein the processor is configured to define by receiving user input in which the line intersects a third icon representing a network security device between the actor and the resource, and the line represents:
    - whether to allow or block abilities between the actor and the resource;
      
      whether traffic between the actor and the resource is to be monitored;
      
      or whether access between the actor and the resource is permitted.
  - 14. The apparatus of claim 11, wherein:
    - the processor is configured to define the generic security policy by interpreting the line drawn between the first icon representing the actor and the second icon representing the resource so as to generate in accordance with a generic policy model one or more generic security rules for configuring one or more security devices in a path between the actor and the resource; and
      
      the processor is configured to translate by converting the one or more generic security rules to one or more native rules of a native rule set based on a native rule policy model associated with the one or more security devices.
  - 15. The apparatus of claim 14, wherein:
    - the one or more generic security rules each includes generic rule components in the form;
      
      if {principal} tries to perform an {action} on {resource} then {result}; and
      
      the processor is configured to translate by mapping the generic rule components to native rule parameters of native security rules including a network protocol and at least one of a source address and a destination address.

16. A non-transitory computer readable storage medium encoded with instructions that, when executed by a processor of a management device including a network interface unit to communicate with a network, cause the processor to perform operations including:
- displaying multiple icons, each icon representing an actor or a resource in a networking environment;
  
  defining a generic security policy by receiving user input in the form of a line drawn between a first icon representing an actor and a second icon representing a resource to control abilities between the actor and the resource, wherein the line represents;
  
  that abilities between the actor and the resource are allowed or denied when the line has a first characteristic and a second characteristic, respectively;
  
  that traffic between the actor and the resource is to be monitored or is not to be monitored when the line has a third characteristic and a fourth characteristic that include respective colors of the line that indicate that the traffic is to be monitored or is not to be monitored, respectively; and
  
  a level of security risk when the line has a fifth characteristic that includes a color of the line that represents the level of the security risk;
  
  translating the generic security policy to multiple native security policies each of which is based on a corresponding one of multiple native policy models associated with corresponding ones of multiple security devices; and
  
  supplying data descriptive of the multiple native security policies to the corresponding ones of the security devices to configure the corresponding ones of the security devices to implement the native security policies.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer readable storage medium of claim 16, wherein the second characteristic includes a color of the line that represents that the abilities between the actor and the resource are denied.
  - 18. The non-transitory computer readable storage medium of claim 16, wherein the instructions to cause the processor to perform the defining include instructions to cause the processor to receive user input in which the line intersects a third icon representing a network security device between the actor and the resource, and the line representing:
    - whether to allow or block abilities between the actor and the resource;
      
      whether traffic between the actor and the resource is to be monitored;
      
      or whether access between the actor and the resource is permitted.
  - 19. The non-transitory computer readable storage medium of claim 16, wherein:
    - the instructions to cause the processor to perform the defining the generic security policy comprise instructions to cause the processor to interpret the line drawn between the first icon representing the actor and the second icon representing the resource so as to generate in accordance with a generic policy model one or more generic security rules for configuring one or more security devices in a path between the actor and the resource; and
      
      the instructions to cause the processor to perform the translating include instructions to cause the processor to convert the one or more generic security rules to one or more native rules of a native rule set based on a native rule policy model associated with the one or more security devices.
  - 20. The non-transitory computer readable storage medium of claim 19, wherein:
    - the one or more generic security rules each includes generic rule components in the form;
      
      if {principal} tries to perform an {action} on {resource} then {result}; and
      
      the instructions to cause the processor to perform the translating include instructions to cause the processor to map the generic rule components to native rule parameters of native security rules including a network protocol and at least one of a source address and a destination address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Knjazihhin, Denis, Dotan, Yedidya, Say, Burak, Martherus, Robin, Vasant, Sachin
Primary Examiner(s)
Potratz, Daniel B

Application Number

US15/498,927
Publication Number

US 20170230425A1
Time in Patent Office

551 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/604   Tools and structures for ma...

H04L 41/28   Restricting access to netwo...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Security policy unification across different security products

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Security policy unification across different security products

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links