Style sheet transformation driven firewall access list generation
First Claim
1. A method of configuring a network security system, comprising:
a. forming a registry data structure for defining roles within a network;
b. mapping network security policies to the registry data structure, said network security policies being contained in one or more policy documents stored in machine readable form; and
c. using a document transformation algorithm to transform the policy documents into one or more device-specific configuration documents stored in machine-readable form.
Abstract
A method and apparatus for configuring a network security system. A registry data structure includes useful information about the network, such as definitions of roles within the network. The registry may also include information regarding the topology of the network. Documents that contain network security policies are linked to the registry data structure. The policy documents may then be transformed into device-specific configuration documents using a document transformation algorithm, which takes a document of a certain format as input and generates a document in a different format as output. Various different scripts may control the transformation process to achieve compatibility with security devices from different vendors. An advantage of the invention is that major network management tasks, including policy enforcement, may be done by document transformations. Once adopted, a security strategy may be changed in order to adapt to changing business requirements.
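As an added illustration (not code from the patent), the pipeline the abstract describes, in Python: a registry document defining roles as network segments, a policy document written in terms of those roles, and one output template per device family standing in for the vendor-specific transformation script. The XML schemas, the vendor output formats and all function names are assumptions; the sample documents are constructed, and an undefined role in the policy fails closed.

```python
import xml.etree.ElementTree as ET

# Constructed sample registry: roles mapped to network segments (hypothetical schema).
REGISTRY_XML = """<registry>
  <role name="web" segment="10.0.1.0/24"/>
  <role name="db" segment="10.0.2.0/24"/>
  <role name="any" segment="0.0.0.0/0"/>
</registry>"""

# Constructed sample policy: restrictions expressed against roles, never raw addresses.
POLICY_XML = """<policy>
  <rule action="permit" src="web" dst="db" proto="tcp" port="5432"/>
  <rule action="deny" src="any" dst="db" proto="tcp" port="5432"/>
</policy>"""

def load_registry(xml_text):
    """Map each role name to its segment; the registry is the single source of role definitions."""
    return {r.get("name"): r.get("segment") for r in ET.fromstring(xml_text).iter("role")}

# Per-vendor "scripts": one output template per device family (illustrative syntax, not vendor-exact).
VENDOR_TEMPLATES = {
    "cisco_like": "access-list 101 {action} {proto} {src} {dst} eq {port}",
    "iptables_like": "iptables -A FORWARD -p {proto} -s {src} -d {dst} --dport {port} -j {target}",
}

def transform(registry, policy_xml, vendor):
    """Transform a role-based policy document into device-specific configuration lines."""
    template = VENDOR_TEMPLATES[vendor]
    lines = []
    for rule in ET.fromstring(policy_xml).iter("rule"):
        src, dst = rule.get("src"), rule.get("dst")
        # A role absent from the registry is a policy authoring error: refuse to emit config
        # rather than guess an address and silently open or close the wrong segment.
        if src not in registry or dst not in registry:
            raise KeyError(f"undefined role in policy: {src!r} or {dst!r}")
        action = rule.get("action")
        lines.append(template.format(
            action=action, target="ACCEPT" if action == "permit" else "DROP",
            proto=rule.get("proto"), src=registry[src], dst=registry[dst], port=rule.get("port")))
    return lines

if __name__ == "__main__":
    reg = load_registry(REGISTRY_XML)
    for vendor in VENDOR_TEMPLATES:
        print("\n".join(transform(reg, POLICY_XML, vendor)))
```

Changing a role's segment in the registry regenerates every vendor's configuration without touching the policy document, which is the point the abstract makes about adapting a strategy to changing requirements.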
20 Claims
20. An apparatus for configuring a network security system, comprising:
a. a registry data structure including a plurality of network types, each network type being stored within a document in the registry and including a role definition and a set of fields defining segments of a network;
b. security policy documents mapped to the registry data structure, each security policy document being representative of restrictions to be placed on a network type in the registry data structure; and
c. a document transformation algorithm for transforming the documents in the registry and the policy documents into device-specific configuration documents stored in machine-readable form.
Specification