Method and apparatus for network wide policy-based analysis of configurations of devices

US 20020178246A1
Filed: 09/17/2001
Published: 11/28/2002
Est. Priority Date: 03/27/2001
Status: Active Grant

First Claim

Patent Images

1. A method, using an analysis platform, for analyzing a network having a plurality of network devices, the method comprising the steps of:

receiving a network policy pertaining to said network;

receiving a topology of said network devices in said network;

receiving configuration data from at least a portion of said network devices;

creating a network configuration model for said network based on said topology and said configuration data received; and

analyzing said network configuration model in accordance with said network policy to determine the existence of a violation of said network policy.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and an apparatus for analyzing a network configuration against a corporate network policy and determining violation(s) against the corporate network policy. A report indicating the violation(s) can be generated indicating instances of the violation(s). An analysis platform reads in a network policy. The analysis platform collects configuration files from the relevant network devices in the network and builds up an internal instance of a network configuration model based on the configuration files and the network topology. The analysis platform analyzes this network configuration model according to the network policy and adds an entry to its final report each time that it detects a violation against the network policy in the network configuration model. The data in the entries pinpoints the cause of the deviation(s) from the network policy.

171 Citations

62 Claims

1. A method, using an analysis platform, for analyzing a network having a plurality of network devices, the method comprising the steps of:
- receiving a network policy pertaining to said network;
  
  receiving a topology of said network devices in said network;
  
  receiving configuration data from at least a portion of said network devices;
  
  creating a network configuration model for said network based on said topology and said configuration data received; and
  
  analyzing said network configuration model in accordance with said network policy to determine the existence of a violation of said network policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. A method in accordance with claim 1, wherein said violation exists, said method further comprising the step of generating a report specifying said violation.
  - 3. A method in accordance with claim 1, wherein said network policy is expressed in a policy modeling language.
  - 4. A method in accordance with claim 1, wherein said topology is expressed in a topology modeling language.
  - 5. A method in accordance with claim 1, wherein said step of receiving said configuration data comprises the steps of:
    - reading a configuration file from one of said network devices; and
      
      parsing said configuration file to obtain the configuration data for said one of said network devices.
  - 6. A method in accordance with claim 1, wherein said network policy is expressed in terms of capabilities.
  - 7. A method in accordance with claim 1, wherein said network configuration model comprises an entity-relationship model.
  - 8. A method in accordance with claim 7, wherein said network policy is expressed in terms of capabilities, said entity-relationship model employing said capabilities.
  - 9. A method in accordance with claim 8, wherein said step of analyzing comprises the step of generating a query pertaining to one of said capabilities.
  - 10. A method in accordance with claim 8, wherein said step of analyzing comprises the step of retrieving a query from a knowledge base associated with said analysis platform.
  - 11. A method in accordance with claim 1, wherein said step of analyzing comprises the step of simulating at least a portion of said network devices in said network.
  - 12. A method in accordance with claim 1, wherein said step of analyzing comprises the step of determining traffic flow through said network.
  - 13. A method in accordance with claim 1, wherein said step of receiving said configuration data comprises the step of receiving configuration data from only relevant ones of said network devices in said network.
  - 14. A method in accordance with claim 13, wherein the relevancy of a particular network device is determined by said network policy.
  - 15. A method in accordance with claim 13, wherein the relevancy of a particular network device is determined by said topology.
  - 16. A method in accordance with claim 1, wherein one of said plurality of network devices comprises a host, said step of analyzing comprising the step of verifying that traffic to and from said host is limited to a type of traffic, wherein said network policy defines said host as being limited to said type of traffic.
  - 17. A method in accordance with claim 16, wherein said host is selected from the group consisting of:
    - a mail server;
      
      a domain name server;
      
      an access control server; and
      
      a web server.
  - 18. A method in accordance with claim 16, wherein a second network device is connected to said host for routing traffic thereto, said step of analyzing comprising the step of analyzing said second network device to ensure that said type of traffic is routed to said host.
  - 19. A method in accordance with claim 18, wherein said second network device is selected from the group consisting of:
    - a router;
      
      a network switch;
      
      a VPN device and a firewall.
  - 20. A method in accordance with claim 1, wherein said network policy describes a routing sequence, said step of analyzing comprising the step of determining that routes taken by traffic in said network corresponds to said routing sequence.
  - 21. A method in accordance with claim 1, wherein one of said plurality of network devices comprises a host, said step of analyzing comprising the step of verifying that a configuration of said host corresponds to said network policy.

22. In a network having a plurality of network devices, a method, using an analysis platform, for analyzing a proposed change to a configuration file of one of said network devices, the method comprising the steps of:
- receiving a network policy pertaining to said network;
  
  receiving a network configuration model for said network, wherein said network configuration model is based on a topology of said network and configuration data pertaining to at least a portion of said network devices;
  
  receiving said proposed change to said configuration file;
  
  creating an updated network configuration model based on said proposed change; and
  
  analyzing said updated network configuration model in accordance with said network policy to determine the existence of a violation of said network policy.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 23. A method in accordance with claim 22, wherein said violation exists, said method further comprising the step of generating a report specifying said violation
  - 24. A method in accordance with claim 22, wherein said network policy is expressed in terms of capabilities.
  - 25. A method in accordance with claim 22, wherein said network configuration model comprises an entity-relationship model.
  - 26. A method in accordance with claim 25, wherein said network policy is expressed in terms of capabilities, said entity-relationship model employing said capabilities.
  - 27. A method in accordance with claim 26, wherein said step of analyzing comprises the step of generating a query pertaining to one of said capabilities.
  - 28. A method in accordance with claim 22, wherein said step of analyzing comprises the step of retrieving a query from a knowledge base associated with said analysis platform.
  - 29. A method in accordance with claim 22, wherein said step of analyzing comprises the step of simulating at least a portion of said network devices in said network.
  - 30. A method in accordance with claim 22, wherein said step of analyzing comprises the step of determining traffic flow through said network.
  - 31. A method in accordance with claim 22, further comprising the step of uploading a configuration file containing said proposed change to said network device if no violation exists.
  - 32. A method in accordance with claim 22, wherein said step of receiving said network configuration model comprises the step of retrieving said network configuration model from a storage device associated with said analysis platform.

33. A method, using an analysis platform, for analyzing a proposed change to a network policy pertaining to a network, the method comprising the steps of:
- receiving a network configuration model for said network, wherein said network configuration model is based on a topology of said network and configuration data pertaining to at least a portion of network devices in said network;
  
  receiving said proposed change;
  
  analyzing said network configuration model in accordance with a new network policy that incorporates said proposed change to determine the existence of a violation of said new network policy.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 34. A method in accordance with claim 33, wherein said violation exists, said method further comprising the step of generating a report specifying said violation.
  - 35. A method in accordance with claim 33, wherein said network policy is expressed in terms of capabilities.
  - 36. A method in accordance with claim 33, wherein said network configuration model comprises an entity-relationship model.
  - 37. A method in accordance with claim 36, wherein said network policy is expressed in terms of capabilities, said entity-relationship model employing said capabilities.
  - 38. A method in accordance with claim 37, wherein said step of analyzing comprises the step of generating a query pertaining to one of said capabilities.
  - 39. A method in accordance with claim 33, wherein said step of analyzing comprises the step of retrieving a query from a knowledge base associated with said analysis platform.
  - 40. A method in accordance with claim 33, wherein said step of analyzing comprises the step of simulating at least a portion of said network devices in said network.
  - 41. A method in accordance with claim 33, wherein said step of analyzing comprises the step of determining traffic flow through said network.
  - 42. A method in accordance with claim 33, wherein said step of receiving said network configuration model comprises the step of retrieving said network configuration model from a storage device associated with said analysis platform.

43. A computer program, performed by a computer, for analyzing a network having a plurality of network devices, the computer program comprising:
- instructions for parsing a network policy file containing a network policy pertaining to said network;
  
  instructions for parsing a network topology file containing a topology of said network devices in said network;
  
  instructions for parsing configuration files of selected ones of said network devices to obtain configuration data for said selected ones of said network devices, wherein said instructions for parsing said network policy file, said instructions for parsing said network topology file and said instructions for parsing said configuration files cooperate to create a network configuration model for said network based on said topology and said configuration data;
  
  instructions for generating a query for analyzing said network; and
  
  instructions for using said query to determine the existence of a violation of said network policy.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 57, 58, 59, 60, 61, 62)
- - 44. A computer program in accordance with claim 43, further comprising instructions for generating a report specifying said violation if said violation exists.
  - 45. A computer program in accordance with claim 43, wherein said network policy is expressed in terms of capabilities.
  - 46. A computer program in accordance with claim 43, wherein said network configuration model comprises an entity-relationship model.
  - 47. A computer program in accordance with claim 46, wherein said network policy is expressed in terms of capabilities, said entity-relationship model employing said capabilities.
  - 48. A computer program in accordance with claim 47, wherein instructions for using said query is adapted to use said query to verify one of said capabilities.
  - 49. A computer program in accordance with claim 47, wherein one of said capabilities is a pre-defined capability, said instructions for generating said query adapted to retrieve, from a knowledge base, a query for verifying said pre-defined capability.
  - 50. A computer program in accordance with claim 43, wherein said instructions for using said query is adapted to use said query in determining traffic flow through said network.
  - 51. A computer program in accordance with claim 43, further comprising instructions for allowing a user to create said network policy file without using a programming language.
  - 52. A computer program in accordance with claim 43, further comprising instructions for allowing a user to define said network devices in said network without using a programming language.
  - 53. A computer program in accordance with claim 43, further comprising instructions for collecting said topology of said network devices and creating a network topology file therefrom.
  - 54. A computer program in accordance with claim 43, wherein a configuration file of one of said network devices is changed to a new configuration file, said computer program further comprising:
    - instructions for creating a new network configuration model based on said new configuration file;
      
      instructions for generating a new query for analyzing said new network configuration model; and
      
      instructions for using said new query to determine the existence of a violation of said network policy.
  - 55. A computer program in accordance with claim 43, wherein said network policy is changed to a new network policy, said computer program further comprising:
    - instructions for generating a new query for analyzing said network configuration model in accordance with said new network policy; and
      
      instructions for using said new query to determine the existence of a violation of said new network policy.
  - 57. A computer program in accordance with claim 56, further comprising:
    - instructions for reading a configuration file from one of said plurality of network devices; and
      
      instructions for parsing said configuration file to obtain said configuration data for said one of said plurality of network devices.
  - 58. A computer program in accordance with claim 56, wherein said network policy is expressed in terms of capabilities.
  - 59. A computer program in accordance with claim 56, wherein said network configuration model comprises an entity-relationship model
  - 60. A computer program in accordance with claim 59, wherein said network policy is expressed in terms of capabilities, said entity-relationship model employing said capabilities.
  - 61. A computer program in accordance with claim 60, further comprising instructions for retrieving a query pertaining to one of said capabilities from a knowledge base associated with said computer.
  - 62. A computer program in accordance with claim 56, further comprising instructions for determining traffic flow through said network.

56. A computer program for processing data, comprising:
- instructions for receiving a network policy pertaining to a network;
  
  instructions for receiving a topology of a plurality of network devices in said network;
  
  instructions for receiving configuration data from at least a portion of said plurality of network devices;
  
  instructions for creating a network configuration model for said network based on said topology and said configuration data received;
  
  instructions for analyzing said network configuration model in accordance with said network policy to determine the existence of a violation of said network policy; and
  
  instructions for generating a report specifying said violation if said violation exists.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Redseal, Inc.
Original Assignee
Redseal Systems Incorporated
Inventors
Mayer, Alain Jules

Granted Patent

US 7,003,562 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/223
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Method and apparatus for network wide policy-based analysis of configurations of devices

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

171 Citations

62 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for network wide policy-based analysis of configurations of devices

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

171 Citations

62 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others