Conditional declarative policies
Abstract
Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.
18 Claims
1. A computer-implemented method for producing a firewall rule set comprising:
receiving a declarative policy associated with a computer network security policy, the declarative policy including at least one predetermined category and an action associated with the at least one predetermined category, the at least one predetermined category indicating a plurality of workloads, the action being at least one of forward, block, redirect, and log, wherein the declarative policy is high risk assets are not allowed to communicate with high value assets;
collecting information from at least one external system of record, the information associated with the at least one predetermined category;
generating a firewall rule set using the declarative policy and the information, the firewall rule set including workload addresses to or from which network communications are at least one of forwarded, blocked, redirected, and logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and
provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, each enforcement point policing network communications among respective workloads using the firewall rule set.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A system for producing a firewall rule set comprising:
a processor; and
a memory communicatively coupled to the processor, the memory storing instructions executable by the processor to perform a method comprising:
receiving a declarative policy associated with a computer network security policy, the declarative policy including at least one predetermined category and an action associated with the at least one predetermined category, the at least one predetermined category indicating a plurality of workloads, the action being at least one of forward, block, redirect, and log, wherein the declarative policy is high risk assets are not allowed to communicate with high value assets;
collecting information from at least one external system of record, the information associated with the at least one predetermined category;
generating a firewall rule set using the declarative policy and the information, the firewall rule set including workload addresses to or from which network communications are at least one of forwarded, blocked, redirected, and logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and
provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, each enforcement point policing network communications among respective workloads using the firewall rule set.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.

18. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for producing a firewall rule set, the method comprising:
receiving a declarative policy associated with a computer network security policy, the declarative policy including at least one predetermined category and an action associated with the at least one predetermined category, the at least one predetermined category indicating a plurality of workloads, the action being at least one of forward, block, redirect, and log, wherein the declarative policy is high risk assets are not allowed to communicate with high value assets;
collecting information from at least one external system of record, the information evaluated and associated with the at least one predetermined category;
generating a firewall rule set using the declarative policy and the information, the firewall rule set including workload addresses to or from which network communications are at least one of forwarded, blocked, redirected, and logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and
provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, each enforcement point policing network communications among respective workloads using the firewall rule set.
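As an added illustration of the claimed method (not code from the patent or any product), the Python below compiles the page's example declarative policy, high risk assets are not allowed to communicate with high value assets, into address-level rules by resolving each category through a constructed asset inventory that stands in for the external system of record, then provisions every enforcement point with only the rules touching its own workloads. The workload names, addresses, category labels and enforcement point names are assumptions; the policy is written in both directions so that neither side may initiate communication.

```python
from collections import namedtuple

ACTIONS = ("forward", "block", "redirect", "log")
DeclarativePolicy = namedtuple("DeclarativePolicy", "src_category dst_category action")  # high-level intent
FirewallRule = namedtuple("FirewallRule", "src_addr dst_addr action")  # address-level rule
# The page's example policy, written in both directions so no communication is allowed either way.
POLICIES = [DeclarativePolicy("high_risk", "high_value", "block"),
            DeclarativePolicy("high_value", "high_risk", "block")]

# Constructed sample system of record (hypothetical asset inventory): workload -> address, categories, enforcement point.
SYSTEM_OF_RECORD = {
    "web-01":   {"addr": "10.0.1.10", "categories": {"high_risk"}, "ep": "ep-dmz"},
    "web-02":   {"addr": "10.0.1.11", "categories": {"high_risk"}, "ep": "ep-dmz"},
    "db-01":    {"addr": "10.0.2.20", "categories": {"high_value"}, "ep": "ep-core"},
    "hsm-gw":   {"addr": "10.0.2.21", "categories": {"high_value", "high_risk"}, "ep": "ep-core"},
    "build-01": {"addr": "10.0.3.30", "categories": {"ci"}, "ep": "ep-core"},
}

def collect_information(category, sor=SYSTEM_OF_RECORD):
    # Resolve a category to the workloads the system of record currently places in it.
    return sorted(name for name, w in sor.items() if category in w["categories"])

def generate_rule_set(policies, sor=SYSTEM_OF_RECORD):
    # Expand each declarative policy into concrete address pairs at the firewall's level of abstraction.
    rules = []
    for p in policies:
        if p.action not in ACTIONS:
            raise ValueError(f"unknown action {p.action!r}")
        for s in collect_information(p.src_category, sor):
            for d in collect_information(p.dst_category, sor):
                if s == d:
                    continue  # a workload in both categories is not its own peer
                rules.append(FirewallRule(sor[s]["addr"], sor[d]["addr"], p.action))
    return rules

def provision(rules, sor=SYSTEM_OF_RECORD):
    # Each enforcement point receives only the rules that touch a workload it polices.
    ep_of = {w["addr"]: w["ep"] for w in sor.values()}
    per_ep = {ep: [] for ep in sorted(set(ep_of.values()))}
    for r in rules:
        for ep in {ep_of[r.src_addr], ep_of[r.dst_addr]}:
            per_ep[ep].append(r)
    return per_ep

def decide(rules, src_addr, dst_addr):
    # First matching rule wins; traffic no rule mentions is forwarded.
    for r in rules:
        if (r.src_addr, r.dst_addr) == (src_addr, dst_addr):
            return r.action
    return "forward"
```

Re-running generate_rule_set after the inventory changes is how a category-level policy stays correct without anyone editing address-level rules by hand.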