System and method for implementing a bubble policy to achieve host and network security

US 20020099823A1
Filed: 05/14/2001
Published: 07/25/2002
Est. Priority Date: 05/15/2000
Status: Active Grant

First Claim

Patent Images

1. In a network security system having a plurality of bubbles, where each bubble has a bubble and a plurality of bubble partitions, a method of creating a structured access list template, the method comprising:

dividing a first access list template into a plurality of sections, where each section includes rules that implement a function;

creating an inbound local rule group for the bubble;

creating an outbound local rule group for the bubble;

creating an inbound remote rule group for the bubble; and

creating an outbound remote rule group for the bubble.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of creating a structured access list template, which includes dividing an access list template into a plurality of sections, creating an inbound local rule group for the bubble, creating an outbound local rule group for the bubble, creating an inbound remote rule group for the bubble, and creating an outbound remote rule group for the bubble. A method of creating an access list for each of the plurality of bubble boundary devices, which includes creating an address table that includes a plurality of addresses corresponding to devices in a bubble partition, creating a protocol table that includes a list of network services and whether each of the network services are granted or denied access to the bubble partition, creating an access list template using the address table and the protocol table, generating an access list from the access list template, and providing the access list to one of the plurality of bubble boundary devices.

Citations

26 Claims

1. In a network security system having a plurality of bubbles, where each bubble has a bubble and a plurality of bubble partitions, a method of creating a structured access list template, the method comprising:
- dividing a first access list template into a plurality of sections, where each section includes rules that implement a function;
  
  creating an inbound local rule group for the bubble;
  
  creating an outbound local rule group for the bubble;
  
  creating an inbound remote rule group for the bubble; and
  
  creating an outbound remote rule group for the bubble.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as defined in claim 1, further comprising arranging the inbound local rule group and the outbound local rule group in one of the plurality of sections.
  - 3. A method as defined in claim 1, further comprising arranging the inbound remote rule group and the outbound remote rule group in one of the plurality of sections.
  - 4. A method as defined in claim 1, further comprising arranging the inbound local rule group and the outbound local rule group in the first access list.
  - 5. A method as defined in claim 1, further comprising arranging the inbound remote rule group and the outbound remote rule group from another bubble access list template in the first access list.
  - 6. A method as defined in claim 1, further comprising dividing a second access list template into a plurality of sections, where each section includes rules that implement a function.
  - 7. A method as defined in claim 6, further comprising arranging the inbound local rule group and the outbound local rule group in the second access list.
  - 8. A method as defined in claim 6, further comprising arranging the inbound remote rule group and the outbound remote rule group from another bubble access list template in the second access list.

9. In a network having a plurality of bubbles, a method of creating a uniform network security policy, comprising:
- determining the number of levels of host security policy for the network;
  
  determining the number of levels of network security policies for the network;
  
  determining a minimum standard for each level of host security policy and network security policy; and
  
  assigning each of the plurality of bubbles a host level and a network level that satisfies the minimum standard.
- View Dependent Claims (10, 11, 12, 13, 14, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 10. A method as defined in claim 9, wherein the host level is assigned to a particular bubble according to the host security policy enforced at the least secure host of the particular bubble.
  - 11. A method as defined in claim 9, wherein the network level is assigned to a particular bubble according to the network security policy enforced at the least secure bubble boundary of the particular bubble.
  - 12. A method as defined in claim 9, further comprising selecting a matrix cell to associate with a particular bubble to receive the host security policy and the network security policy.
  - 13. A method as defined in claim 12, wherein the network security policy is defined by the matrix cell.
  - 14. A method as defined in claim 9, further comprising assigning a particular bubble to a matrix cell to define the host security policy and the network security policy.
  - 16. A method as defined in claim 15, further comprising creating a black list of addresses.
  - 17. A method as defined in claim 16, wherein the black list of addresses corresponds to devices that are unable to successfully send data to any one of the plurality of addresses corresponding to devices in the network security system.
  - 18. A method as defined in claim 15, further comprising modifying the access list using business language descriptions.
  - 19. A method as defined in claim 15, further comprising storing the address table and the protocol table in the bubble registry.
  - 20. A method as defined in claim 15, wherein providing the access list includes distributing the access list into the bubble boundary device from the bubble registry.
  - 21. A method as defined in claim 15, wherein providing the access list includes polling the bubble registry for the access list using the bubble boundary device.
  - 22. A method as defined in claim 15, further comprising verifying that the specified access list has been applied to the correct one of the plurality of bubble boundary devices.
  - 23. A method as defined in claim 15, further comprising modifying the address table, the protocol table, and the access list template.
  - 24. A method as defined in claim 15, further comprising regenerating the access list using the access list template and the bubble registry.
  - 25. A method as defined in claim 15, further comprising using a centrally defined network security policy to automate the generation of the access list.
  - 26. A method as defined in claim 25, further comprising automatically distributing the access list to one of the plurality of bubble boundary devices.

15. In a network security system having a plurality of bubbles where each bubble has a plurality of bubble partitions, a plurality of bubble boundary devices configured to connect the plurality of bubble partitions, and a bubble registry configured to connect to the plurality of bubble boundary devices, a method of configuring each of the plurality of bubble boundary devices, comprising:
- creating an address table that includes a plurality of addresses corresponding to devices in a bubble partition;
  
  creating a protocol table that includes a list of network services and whether each of the network services are granted or denied access to the bubble partition;
  
  creating an access list template using the address table and the protocol table;
  
  using the bubble registry, generating an access list from the access list template; and
  
  providing the access list to one of the plurality of bubble boundary devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company), Valtrus Innovations Limited (f/k/a Dolya Holdco 9 Limited) (Key Patent Innovations Limited)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Jemes, Brian, Brawn, John Melvin, Buch-Pedersen, Leif

Granted Patent

US 7,376,965 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 61/5061   Pools of addresses

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/104   Grouping of entities

H04L 69/40   for recovering from a failu...

H04L 9/40   Network security protocols

System and method for implementing a bubble policy to achieve host and network security

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for implementing a bubble policy to achieve host and network security

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links