PDstudio design system and method
Abstract
A policy developer studio is provided, comprising: a meta-policy core of network objects; a policy developer graphical user interface (GUI) tool that provides a front end to a policy language; an output in XML; a compiled output for a policy engine; and an output in human-readable form.
Claims (71)
1. A policy developer system for development of an implementable network security policy, said system comprising:
a meta-policy for representing said network security policy;
at least one translation of said meta-policy, said at least one translation used for said development of or implementation of said network security policy.
Dependent claims: 2-7.

8. A policy developer method for development of an implementable network security policy, said method comprising:
providing a meta-policy for representing said network security policy;
providing at least one translation of said meta-policy, said at least one translation used for said development of or implementation of said network security policy.
Dependent claims: 9-14.

15. A method for generating a network security policy in a policy language from a meta-policy, said method comprising:
generating route information;
generating host information;
generating subnet credentials;
generating host group credentials;
generating network interface credentials;
generating perimeter element credentials;
generating NAT credentials;
generating rules from relationships;
generating rules per outcome component; and
reporting of services by reporting elements.
Dependent claims: 16-30.

31. An apparatus for generating a network security policy in a policy language from a meta-policy, said apparatus comprising:
means for generating route information;
means for generating host information;
means for generating subnet credentials;
means for generating host group credentials;
means for generating network interface credentials;
means for generating perimeter element credentials;
means for generating NAT credentials;
means for generating rules from relationships;
means for generating rules per outcome component; and
means for reporting of services by reporting elements.
Dependent claims: 32-46.

47. A user interface to a meta-policy for allowing direct or indirect manipulation of actionable information of a network for developing and maintaining a network security policy, said user interface comprising:
an application menu bar;
toolbars;
a subnet pane;
a tabbed content pane;
a tabbed messages pane; and
various property windows used for defining objects of said meta-policy.
Dependent claims: 48-61.

62. An apparatus for providing policy description of a current policy domain, said apparatus comprising:
means for indexing an overview of network objects of said policy domain, said indexing by name and by network;
for each of said network objects, means for providing detailed information about associated services and relationships between other network objects; and
means for providing outcomes information, comprising showing criticality information assigned to associated relationship outcomes.

63. A method for providing policy description of a current network security policy, said method comprising:
indexing an overview of network objects of said current policy, said indexing by name and by network;
for each of said network objects, providing detailed information about associated services and relationships between other network objects; and
providing outcomes information, comprising showing criticality information assigned to associated relationship outcomes.

64. A method for generating a policy description output from meta-policy objects, said meta-policy objects comprising a plurality of network objects and outcomes, said meta-policy objects representing a network security policy, said method comprising:
generating a name index view and a network index view of said plurality of network objects;
generating a view on specific network object information for each network object of said plurality of network objects; and
generating a view on information of said outcomes.
Dependent claims: 65-67.

68. An apparatus for generating a policy description output from meta-policy objects, said meta-policy objects comprising a plurality of network objects and outcomes, said meta-policy objects representing a network security policy, said apparatus comprising:
means for generating a name index view and a network index view of said plurality of network objects;
means for generating a view on specific network object information for each network object of said plurality of network objects; and
means for generating a view on information of said outcomes.

69. The apparatus of claim 68, said means for generating a name index and a network index, further comprising any combination of:
means for listing said network objects in said name index view in ascending order by leading character, along with associated IP addresses, subnet masks, contained host groups, and other unique identifiers;
means for listing said network objects in said network index view in the order determined by the containment hierarchy of said network objects;
means for listing network interfaces assigned to perimeter element objects beneath said perimeter element objects, noting associated IP and MAC addresses of said network interfaces;
wherein each network object entry in said name and network index view is a hyperlink to said specific network object view;
wherein network objects that are reporting elements are displayed in a distinctive manner;
means for easily switching from said name index view to said network index view;
wherein an IP address is a hyperlink from said name index view to said network index view, and vice-versa; and
hyperlinks from said name and network index views to said outcomes view.

70. The apparatus of claim 68, said means for generating a view on specific network object information for each network object of said plurality of network objects, further comprising any combination of:
means for showing all relationships in which said each network object is involved, either directly or as a result of said each network object's implicit or explicit containment within other network objects;
means for showing said all relationships in the order determined by said each network object's containment hierarchy;
a headings view, said view comprising, but not limited to, name of said each network object, a hyperlink to a corresponding entry in said network index view, a list of hyperlinks to views of associated containing network objects, and name of a network interface object having an associated containing perimeter element name as a prefix;
a body view comprising, but not limited to, lists of all services which said each network object offers and requires, said services noted in ascending order by port with the lowest port of said ports used in case of multi-port services, wherein noted network objects hyperlink to associated network object views for each noted network object, and a description of Network Address Translation configuration for network interface objects;
a relationship notation for each relationship comprising, but not limited to, the service name, the name of the network object where said each relationship is defined, and the name of other network objects with which said network object is allowed to have said each relationship, wherein relationships per service are listed in the order determined by said network object's containment hierarchy; and
a footers view comprising, but not limited to, hyperlinks to said name and network indexes, and outcomes view.

71. The apparatus of claim 68, said means for generating a view on information of said outcomes, further comprising any combination of:
means for listing in alphabetical order each outcome of said outcomes;
means for listing associated outcome components, the dispositions and criticalities of said outcome components of said each outcome, beneath said each outcome in alphabetical order of said outcome component names; and
hyperlinks to said name and network indexes.
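The following Python is an added illustration and is not code from the patent or from the PDstudio product. It models a small constructed meta-policy (two subnets, two hosts, a reporting perimeter element, two services, two relationships and two outcomes), compiles the relationships into per-host rules per outcome component in the manner claim 15 lists, and renders the name index, containment-ordered network index, per-object view and outcomes view that claims 64-71 describe. All object names, addresses, services, dispositions and criticalities are constructed; route, NAT and interface credential generation are not shown.

```python
"""Added example (not code from the PDstudio patent or its assignee): a toy
meta-policy with a containment hierarchy, services, relationships and outcomes,
compiled into per-host rules and into the index and outcome views of claims
64-71. Every name, address and service below is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class NetObject:
    name: str
    address: str                  # CIDR for subnets, a single IP for hosts
    parent: Optional[str] = None  # explicit containment; implicit = IP inside CIDR
    reporting: bool = False       # reporting element (claim 69: shown distinctively)

@dataclass(frozen=True)
class Relationship:
    service: str
    port: int          # lowest port of the service (claim 70 sort key)
    offered_by: str    # object offering the service
    required_by: str   # object allowed to use it
    outcome: str       # key into OUTCOMES

# Constructed meta-policy: a DMZ with a web host (explicit parent), a corporate
# subnet with an admin host (contained implicitly by address), a reporting firewall.
OBJECTS = [
    NetObject("dmz", "192.0.2.0/24"),
    NetObject("www1", "192.0.2.10", parent="dmz"),
    NetObject("corp", "198.51.100.0/24"),
    NetObject("admin1", "198.51.100.7"),
    NetObject("fw0", "203.0.113.1", reporting=True),
]
BY_NAME = {o.name: o for o in OBJECTS}
OUTCOMES = {  # outcome -> {outcome component: (disposition, criticality)}
    "Web-Ok": {"Authenticated": ("allow", "low"), "Unauthenticated": ("allow-log", "medium")},
    "Ssh-Restricted": {"Authenticated": ("allow", "low"), "Unauthenticated": ("deny", "high")},
}
RELATIONSHIPS = [
    Relationship("http", 80, offered_by="www1", required_by="corp", outcome="Web-Ok"),
    Relationship("ssh", 22, offered_by="dmz", required_by="admin1", outcome="Ssh-Restricted"),
]

def contains(outer: NetObject, inner: NetObject) -> bool:
    """Explicit (parent link) or implicit (address inside CIDR) containment."""
    if inner.parent == outer.name:
        return True
    net = ipaddress.ip_network(outer.address, strict=False)
    return outer != inner and ipaddress.ip_network(inner.address, strict=False).subnet_of(net)

def containment_path(name: str) -> list[str]:
    """Root-first chain of containers ending in the object; orders the network index."""
    containers = [o for o in OBJECTS if contains(o, BY_NAME[name])]
    containers.sort(key=lambda o: ipaddress.ip_network(o.address, strict=False).prefixlen)
    return [o.name for o in containers] + [name]

def members(name: str) -> list[NetObject]:
    """Concrete hosts an object stands for: the hosts it contains, else itself."""
    hosts = [o for o in OBJECTS if contains(BY_NAME[name], o) and "/" not in o.address]
    return hosts or [BY_NAME[name]]

def generate_rules() -> list[tuple]:
    """Claim 15: rules from relationships, one per host pair and outcome component."""
    rules = []
    for r in RELATIONSHIPS:
        for src in members(r.required_by):
            for dst in members(r.offered_by):
                for comp, (disp, crit) in sorted(OUTCOMES[r.outcome].items()):
                    rules.append((src.address, dst.address, r.port, r.service, comp, disp, crit))
    return rules

def name_index() -> list[str]:
    """Claim 69: objects ascending by name, reporting elements marked."""
    return [f"{o.name}{' [reporting]' if o.reporting else ''} {o.address}"
            for o in sorted(OBJECTS, key=lambda o: o.name)]

def network_index() -> list[str]:
    """Claim 69: objects in containment-hierarchy order, indented by depth."""
    paths = sorted(containment_path(o.name) for o in OBJECTS)
    return ["  " * (len(p) - 1) + p[-1] for p in paths]

def object_view(name: str) -> dict:
    """Claim 70: relationships entered directly or via containment, by ascending port."""
    def on_side(other: str) -> bool:
        return other == name or contains(BY_NAME[other], BY_NAME[name])
    offers = sorted((r.port, r.service, r.required_by) for r in RELATIONSHIPS if on_side(r.offered_by))
    requires = sorted((r.port, r.service, r.offered_by) for r in RELATIONSHIPS if on_side(r.required_by))
    return {"name": name, "containers": containment_path(name)[:-1],
            "offers": offers, "requires": requires}

def outcomes_view() -> list[str]:
    """Claim 71: outcomes alphabetically, components with disposition and criticality beneath."""
    lines = []
    for oname in sorted(OUTCOMES):
        lines.append(oname)
        for comp, (disp, crit) in sorted(OUTCOMES[oname].items()):
            lines.append(f"  {comp}: {disp} ({crit})")
    return lines
```

The point worth noticing is that `admin1` never names `corp` as its parent, yet `object_view("admin1")` still lists the `http` relationship defined on `corp`, and `generate_rules()` still expands `corp` to that host: containment is derived from addresses as well as from explicit links, which is what claim 70's "implicit or explicit containment" buys a reviewer who is checking that a subnet-level relationship really reaches the hosts it is meant to cover.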