Conditional declarative policies

US 10,333,986 B2
Filed: 04/05/2017
Issued: 06/25/2019
Est. Priority Date: 03/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for producing a firewall rule set comprising:

receiving a declarative policy associated with a computer network security policy, the declarative policy including at least one predetermined category and an action associated with the at least one predetermined category, the at least one predetermined category indicating a plurality of workloads, the action being at least one of forward, block, redirect, and log, wherein the declarative policy is high risk assets are not allowed to communicate with high value assets;

collecting information from at least one external system of record, the information associated with the at least one predetermined category;

generating a firewall rule set using the declarative policy and the information, the firewall rule set including workload addresses to or from which network communications are at least one of forwarded, blocked, redirected, and logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and

provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, each enforcement point policing network communications among respective workloads using the firewall rule set.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.

Citations

18 Claims

1. A computer-implemented method for producing a firewall rule set comprising:
- receiving a declarative policy associated with a computer network security policy, the declarative policy including at least one predetermined category and an action associated with the at least one predetermined category, the at least one predetermined category indicating a plurality of workloads, the action being at least one of forward, block, redirect, and log, wherein the declarative policy is high risk assets are not allowed to communicate with high value assets;
  
  collecting information from at least one external system of record, the information associated with the at least one predetermined category;
  
  generating a firewall rule set using the declarative policy and the information, the firewall rule set including workload addresses to or from which network communications are at least one of forwarded, blocked, redirected, and logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and
  
  provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, each enforcement point policing network communications among respective workloads using the firewall rule set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein the declarative policy is received through at least one of a graphical user interface, a command line interface, and an application programming interface.
  - 3. The computer-implemented method of claim 2, wherein the declarative policy is received in a tabular form.
  - 4. The computer-implemented method of claim 1, wherein the information includes assets in a computer network, a risk level, and a value associated with each asset.
  - 5. The computer-implemented method of claim 1, wherein the provisioning includes sending an update to at least one hypervisor, the update including the firewall rule set.
  - 6. The computer-implemented method of claim 1, wherein the generating comprises:
    - receiving a workload associated with the declarative policy;
      
      determining attributes associated with the workload using the information;
      
      computing a score using the attributes;
      
      comparing the score to a predetermined threshold;
      
      identifying addresses associated with the workload, in response to the comparison; and
      
      producing the firewall rule set using the addresses associated with the workload.
  - 7. The computer-implemented method of claim 6, wherein the score is further computed using a sum of the attributes.
  - 8. The computer-implemented method of claim 1, further comprising:
    - checking the firewall rule set for at least one of a conflict and overlap among the workload addresses; and
      
      correcting the firewall rule set in response to finding the at least one of a conflict and overlap.
  - 9. The computer-implemented method of claim 1, further comprising:
    - re-collecting information from at least one external system of record, in response to at least one of an input from a user, an input from another external system of record, and a predetermined amount of time elapsing; and
      
      re-generating the firewall rule set using the declarative policy and the re-collected information, the firewall rule set including addresses to or from which network communications are not permitted.

10. A system for producing a firewall rule set comprising:
- a processor; and
  
  a memory communicatively coupled to the processor, the memory storing instructions executable by the processor to perform a method comprising;
  
  receiving a declarative policy associated with a computer network security policy, the declarative policy including at least one predetermined category and an action associated with the at least one predetermined category, the at least one predetermined category indicating a plurality of workloads, the action being at least one of forward, block, redirect, and log, wherein the declarative policy is high risk assets are not allowed to communicate with high value assets;
  
  collecting information from at least one external system of record, the information associated with the at least one predetermined category;
  
  generating a firewall rule set using the declarative policy and the information, the firewall rule set including workload addresses to or from which network communications are at least one of forwarded, blocked, redirected, and logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and
  
  provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, each enforcement point policing network communications among respective workloads using the firewall rule set.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, wherein the declarative policy is received through at least one of a graphical user interface, a command line interface, and an application programming interface.
  - 12. The system of claim 11, wherein the declarative policy is received in a tabular form.
  - 13. The system of claim 10, wherein the information includes assets in a computer network, a risk level, and a value associated with each asset.
  - 14. The system of claim 10, wherein the provisioning includes sending an update to at least one hypervisor, the update including the firewall rule set.
  - 15. The system of claim 10, wherein the generating comprises:
    - receiving a workload associated with the declarative policy;
      
      determining attributes associated with the workload using the information;
      
      computing a score using the attributes;
      
      comparing the score to a predetermined threshold;
      
      identifying addresses associated with the workload, in response to the comparison; and
      
      producing the firewall rule set using the addresses.
  - 16. The system of claim 15, wherein the score is further computed using a sum of the attributes.
  - 17. The system of claim 10, further comprising:
    - re-collecting information from at least one external system of record, in response to at least one of an input from a user, an input from another external system of record, and a predetermined amount of time elapsing; and
      
      re-generating the firewall rule set using the declarative policy and the re-collected information, the firewall rule set including addresses to or from which network communications are not permitted.

18. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for producing a firewall rule set, the method comprising:
- receiving a declarative policy associated with a computer network security policy, the declarative policy including at least one predetermined category and an action associated with the at least one predetermined category, the at least one predetermined category indicating a plurality of workloads, the action being at least one of forward, block, redirect, and log, wherein the declarative policy is high risk assets are not allowed to communicate with high value assets;
  
  collecting information from at least one external system of record, the information evaluated and associated with the at least one predetermined category;
  
  generating a firewall rule set using the declarative policy and the information, the firewall rule set including workload addresses to or from which network communications are at least one of forwarded, blocked, redirected, and logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and
  
  provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, each enforcement point policing network communications among respective workloads using the firewall rule set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Lian, Jia-Jyi, Paterra, Anthony, Woolward, Marc
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Le, Thanh H

Application Number

US15/479,728
Publication Number

US 20170208100A1
Time in Patent Office

811 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0806   for initial configuration o...

H04L 41/0893   Assignment of logical group...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

Conditional declarative policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Conditional declarative policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links