PDstudio design system and method

US 20030110192A1
Filed: 03/21/2002
Published: 06/12/2003
Est. Priority Date: 01/07/2000
Status: Active Grant

First Claim

Patent Images

1. A policy developer system for development of an implementable network security policy, said system comprising:

a meta-policy for representing said network security policy;

at least one translation of said meta-policy, said at least one translation used for said development of or implementation of said network security policy.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy developer studio comprising: a meta-policy core of network objects, a policy developer graphical user interface (GUI) tool for providing a front end to a policy language, an output in XML, a compiled output for a policy engine, and an output in human readable form is provided.

Citations

71 Claims

1. A policy developer system for development of an implementable network security policy, said system comprising:
- a meta-policy for representing said network security policy;
  
  at least one translation of said meta-policy, said at least one translation used for said development of or implementation of said network security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, further comprising:
    - a graphical user interface tool for manipulating said meta-policy.
  - 3. The system of claim 1, wherein said at least one translation is an XML file, said XML file preserving a state of said network security policy.
  - 4. The system of claim 1, wherein said at least one translation is a compiled file, compiled in a policy language suitable for input into a policy engine.
  - 5. The system of claim 1, wherein said at least one translation is a policy description document.
  - 6. The system of claim 1, said meta-policy comprising:
    - an association with zero or more outcomes;
      
      an association with zero or more relationships;
      
      an association with zero or more network objects; and
      
      an association with zero or more services.
  - 7. The system of claim 6, further comprising any of, or any combination of the following:
    - wherein a network object of said zero or more network objects is a type of network interface, host group, top-level-network, subnet, or perimeter element;
      
      wherein said network object comprises IP addresses, an attribute of a reporting element, and an attribute of an owner, and implicitly and/or explicitly contains zero or more other network objects;
      
      wherein said network object is associated with no other meta-policy;
      
      wherein when said network object is a reporting element and must be a proper subset of any other network object that is also a reporting element;
      
      wherein a relationship of said zero or more relationships is associated with only one of said zero or more services and is associated with only one of said zero or more outcomes, wherein a protocol of said only one of said zero or more services must match a protocol of said only one of said zero or more outcomes, and wherein said relationship is associated with an initiator network object and a target network object;
      
      wherein an outcome of said zero or more outcomes comprises a protocol and an attribute of owner and is associated with one or more components, each of said one or more components associated with a criticality; and
      
      wherein said service of said zero or more services comprises zero or more ports, one or more protocols, and an attribute of owner.

8. A policy developer method for development of an implementable network security policy, said method comprising:
- providing a meta-policy for representing said network security policy;
  
  providing at least one translation of said meta-policy, said at least one translation used for said development of or implementation of said network security policy.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising:
    - providing a graphical user interface tool for manipulating said meta-policy.
  - 10. The method of claim 8, wherein said at least one translation is an XML file, said XML file preserving a state of said network security policy.
  - 11. The method of claim 8, wherein said at least one translation is a compiled file, compiled in a policy language suitable for input into a policy engine.
  - 12. The method of claim 8, wherein said at least one translation is a policy description document.
  - 13. The method of claim 8, said providing a meta-policy comprising:
    - providing an association with zero or more outcomes;
      
      providing an association with zero or more relationships;
      
      providing an association with zero or more network objects; and
      
      providing an association with zero or more services.
  - 14. The method of claim 13, further comprising any of, or any combination of the following:
    - wherein a network object of said zero or more network objects is a type of network interface, host group, top-level-network, subnet, or perimeter element;
      
      wherein said network object comprises IP addresses, an attribute of a reporting element, and an attribute of an owner, and implicitly and/or explicitly contains zero or more other network objects;
      
      wherein said network object is associated with no other meta-policy;
      
      wherein when said network object is a reporting element and must be a proper subset of any other network object that is also a reporting element;
      
      wherein a relationship of said zero or more relationships is associated with only one of said zero or more services and is associated with only one of said zero or more outcomes, wherein a protocol of said only one of said zero or more services must match a protocol of said only one of said zero or more outcomes, and wherein said relationship is associated with an initiator network object and a target network object;
      
      wherein an outcome of said zero or more outcomes comprises a protocol and an attribute of owner and is associated with one or more components, each of said one or more components associated with a criticality; and
      
      wherein said service of said zero or more services comprises zero or more ports, one or more protocols, and an attribute of owner.

15. A method for generating a network security policy in a policy language from a meta-policy, said method comprising:
- generating route information;
  
  generating host information;
  
  generating subnet credentials;
  
  generating host group credentials;
  
  generating network interface credentials;
  
  generating perimeter element credentials;
  
  generating NAT credentials;
  
  generating rules from relationships;
  
  generating rules per outcome component; and
  
  reporting of services by reporting elements.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 16. The method of claim 15, said generating route information further comprising:
    - for each monitored subnet, creating an associative routes array, the key of which is a unique pair of network interfaces on said each monitored subnet and the value of which is a collection of pairs of subnets whose traffic flows between such network interfaces;
      
      for determining the set of traffic originating or terminating at a network interface of said unique pair of network interfaces, performing a breadth first search of a given network topology from said network interface considering connecting subnets as nodes, connecting perimeter elements as edges, and processing any circular sub-graphs only once; and
      
      for each element in said routes array, creating a rule allowing the complete set of potential IP traffic between associated originating and terminating network interfaces.
  - 17. The method of claim 15, said generating host information further comprising:
    - for each subnet object, creating an associative array, referred to as hosts, the key of which is a network object that is partly or wholly contained within said each subnet object and the value of which is the subset of IP-addresses of said network object that are contained within said each subnet object.
  - 18. The method of claim 15, said generating subnet credentials further comprising:
    - for said each subnet object creating a credential having an “
      
      or”
      
      assertion containing IP-masks of values of, and host credentials of values of said hosts associative array.
  - 19. The method of claim 15, said generating subnet credentials further comprising:
    - creating a group comprising a union of the names of all subnets marked as monitoring points;
      
      for each monitored subnet of said all subnets marked as monitoring points creating a credential comprising a “
      
      member”
      
      assertion whose arguments are the said monitored subnet name and “
      
      agent-attribute”
      
      .
  - 20. The method of claim 15, said generating subnet credentials further comprising:
    - creating a credential for Intranet, said credential having an “
      
      or”
      
      assertion made up of the credentials of all subnets marked as “
      
      Intranet”
      
      ;
      
      creating a credential for Extranet, said credential having an “
      
      or”
      
      assertion made up of the credentials of all the subnets marked as “
      
      Extranet”
      
      ; and
      
      creating a credential for Internet, said credential having an assertion of “
      
      not”
      
      of said “
      
      or”
      
      of said “
      
      Intranet” and
      
      “
      
      Extranet”
      
      credentials, and illegal IP-addresses.
  - 21. The method of claim 15, said generating host group credentials further comprising:
    - for each host group object creating a credential with an “
      
      or”
      
      assertion of all IP-addresses of said each host group and the credentials of any host groups contained therein.
  - 22. The method of claim 15, said generating network interface credentials further comprising:
    - for each network interface object, creating a first credential with the IP-address of the network interface, referred to as the network interface IP-address credential, a second credential with the MAC-address of the network interface, referred to as the network interface MAC-address credential, and a third credential with the “
      
      and”
      
      assertion of said first and second credentials.
  - 23. The method of claim 15, said generating perimeter element credentials further comprising:
    - for each perimeter element object creating a credential with an “
      
      or”
      
      assertion of all IP-addresses of network interfaces attached to said each perimeter element.
  - 24. The method of claim 15, said generating NAT credential information further comprising:
    - for each monitored subnet object;
      
      creating an associative NAT array, the key of which is a network object and the value of which is a NAT credential, and for each network object;
      
      creating a credential, referred to as NAT credential, representing how said network object appears in said monitored subnet, and adding said network object and said NAT credential to said associative NAT array.
  - 25. The method of claim 24, further comprising:
    - calculating said NAT credential, said calculating comprising;
      
      finding all paths from said monitored subnet to subnets wherein said each network object is found;
      
      for each path applying any NAT supplied by all network interfaces along said each path;
      
      if no NAT is applied to said network object, then using credential of said network object; and
      
      if NAT is applied by one or more of said all paths, then creating a credential with an “
      
      or”
      
      assertion of IP-addresses applied by each of said one or more of all of said paths.
  - 26. The method of claim 15, said generating rules from relationships further comprising:
    - for each monitored subnet object, finding all relationship objects that define traffic visible from said each monitored subnet object;
      
      for each network object, considering all relationships associated with the said network object;
      
      if said each network object is a reporting element, then considering also relationships of other network objects that implicitly or explicitly contain said network object; and
      
      for each relationship creating a set of rules that describe the traffic allowed for said each relationship.
  - 27. The method of claim 24, further comprising:
    - for finding initiator and target credentials, using the value of said NAT associative array for said monitored subnet by using initiator and target values of said each relationship; and
      
      if a service object contains initiator or target ports, then creating a credential with an assertion of “
      
      and”
      
      of said initiator or target credential along with a credential describing said ports of said service object.
  - 28. The method of claim 15, said generating rules per outcome component further comprising:
    - using an outcome object, creating an actions associative array wherein the key is a protocol action and the value is an associative array the key of which is a condition and the value of which is a criticality, wherein said actions associative array has an entry for each action defined by a protocol to which said outcome object pertains;
      
      optionally optimizing by combining all actions of said actions array having a same value;
      
      for each key in said actions associative array, creating a rule for said protocol represented by said outcome, listing all protocol actions given by said each key, wherein in the outcome section of said created rule, creating a guarded clause for each condition given by the value of said actions associative array;
      
      for each said guarded clause, including the default clause of said outcome, creating a disposition comprising a severity matching the criticality of said condition;
      
      said disposition having a name comprising an owner, if said owner can be determined, the name of said condition, and the criticality of said condition; and
      
      said owner being determined first by selecting the owner of said outcome, and if said owner of said outcome does not exist, then selecting the owner of said service, and if said owner of said service does not exist, selecting the owner of said target reporting element, and if said owner of said target reporting element does not exist, selecting none.
  - 29. The method of claim 15, said reporting of services by reporting elements for classifying traffic for traffic analysis or for network assessment, said method further comprising:
    - for each network object that is a reporting element, creating a set of rules for each offered service of said network object, said offered service describing inbound traffic as originating from an unexpected host, said set of rules comprising a rule for each XNet, thus identifying said unexpected host as a member of said XNet;
      
      each of said rules issuing a disposition comprising an owner of said traffic, if said owner can be determined, wherein said owner is determined first by selecting the owner of said service, and if said owner of said service does not exist, then selecting the owner of said each reporting element; and
      
      optionally optimizing by grouping said offered services by owners of said offered services and using said group as an “
      
      or”
      
      of a group of services having a same owner as when generating a target credential.
  - 30. The method of claim 15, said reporting of services by reporting elements for classifying traffic for traffic analysis or for network assessment, said method further comprising:
    - for each network object that is a reporting element, creating a set of rules that classify traffic as TCP, UDP, or ICMP, and either inbound or outbound, using each XNet as an initiator for inbound traffic or target for outbound traffic, and using said each network object as a target for inbound traffic or initiator for outbound traffic.

31. An apparatus for generating a network security policy in a policy language from a meta-policy, said apparatus comprising:
- means for generating route information;
  
  means for generating host information;
  
  means for generating subnet credentials;
  
  means for generating host group credentials;
  
  means for generating network interface credentials;
  
  means for generating perimeter element credentials;
  
  means for generating NAT credentials;
  
  means for generating rules from relationships;
  
  means for generating rules per outcome component; and
  
  means for reporting of services by reporting elements.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 32. The apparatus of claim 31, said means for generating route information further comprising:
    - for each monitored subnet, means for creating an associative routes array, the key of which is a unique pair of network interfaces on said each monitored subnet and the value of which is a collection of pairs of subnets whose traffic flows between such network interfaces;
      
      for determining the set of traffic originating or terminating at a network interface of said unique pair of network interfaces, means for performing a breadth first search of a given network topology from said network interface considering connecting subnets as nodes, connecting perimeter elements as edges, and processing any circular sub-graphs only once; and
      
      for each element in said routes array, means for creating a rule allowing the complete set of potential IP traffic between associated originating and terminating network interfaces.
  - 33. The apparatus of claim 31, said means for generating host information further comprising:
    - for each subnet object, means for creating an associative array, referred to as hosts, the key of which is a network object that is partly or wholly contained within said each subnet object and the value of which is the subset of IP-addresses of said network object that are contained within said each subnet object.
  - 34. The apparatus of claim 31, said means for generating subnet credentials further comprising:
    - for said each subnet object, means for creating a credential having an “
      
      or”
      
      assertion containing IP-masks of values of, and host credentials of values of said hosts associative array.
  - 35. The apparatus of claim 31, said means for generating subnet credentials further comprising:
    - means for creating a group comprising a union of the names of all subnets marked as monitoring points;
      
      for each monitored subnet of said all subnets marked as monitoring points, means for creating a credential comprising a “
      
      member”
      
      assertion whose arguments are the said monitored subnet name and “
      
      agent-attribute”
      
      .
  - 36. The apparatus of claim 31, said means for generating subnet credentials further comprising:
    - means for creating a credential for Intranet, said credential having an “
      
      or”
      
      assertion made up of the credentials of all subnets marked as “
      
      Intranet”
      
      ;
      
      means for creating a credential for Extranet, said credential having an “
      
      or”
      
      assertion made up of the credentials of all the subnets marked as “
      
      Extranet”
      
      ; and
      
      means for creating a credential for Internet, said credential having an assertion of “
      
      not”
      
      of said “
      
      or”
      
      of said “
      
      Intranet” and
      
      “
      
      Extranet”
      
      credentials and illegal IP-addresses.
  - 37. The apparatus of claim 31, said means for generating host group credentials further comprising:
    - for each host group object, means for creating a credential with an “
      
      or”
      
      assertion of all IP-addresses of said each host group and the credentials of any host groups contained therein.
  - 38. The apparatus of claim 31, said means for generating network interface credentials further comprising:
    - for each network interface object, means for creating a first credential with the IP-address of the network interface, referred to as the network interface IP-address credential, a second credential with the MAC-address of the network interface, referred to as the network interface MAC-address credential, and a third credential with the “
      
      and”
      
      assertion of said first and second credentials.
  - 39. The apparatus of claim 31, said means for generating perimeter element credentials further comprising:
    - for each perimeter element object, means for creating a credential with an “
      
      or”
      
      assertion of all IP-addresses of network interfaces attached to said each perimeter element.
  - 40. The apparatus of claim 31, said means for generating NAT credential information further comprising:
    - for each monitored subnet object;
      
      means for creating an associative NAT array, the key of which is a network object and the value of which is a NAT credential, and for each network object;
      
      means for creating a credential, referred to as NAT credential, representing how said network object appears in said monitored subnet, and means for adding said network object and said NAT credential to said associative NAT array.
  - 41. The apparatus of claim 40, further comprising:
    - means for calculating said NAT credential, said calculating comprising;
      
      means for finding all paths from said monitored subnet to subnets wherein said each network object is found;
      
      for each path, means for applying any NAT supplied by all network interfaces along said each path;
      
      if no NAT is applied to said network object, then means for using credential of said network object; and
      
      if NAT is applied by one or more of said all paths, then means for creating a credential with an “
      
      or”
      
      assertion of IP-addresses applied by each of said one or more of all of said paths.
  - 42. The apparatus of claim 31, said means for generating rules from relationships further comprising:
    - for each monitored subnet object, means for finding all relationship objects that define traffic visible from said each monitored subnet object;
      
      for each network object, considering all relationships associated with said network object;
      
      if said each network object is a reporting element, then means for considering also relationships of other network objects that implicitly or explicitly contain said network object; and
      
      for each relationship means for creating a set of rules that describe the traffic allowed for said each relationship.
  - 43. The apparatus of claim 40, further comprising:
    - for finding initiator and target credentials, means for using the value of said NAT associative array for said monitored subnet by using initiator and target values of said each relationship; and
      
      if a service object contains initiator or target ports, then means for creating a credential with an assertion of “
      
      and”
      
      of said initiator or target credential along with a credential describing said ports of said service object.
  - 44. The apparatus of claim 31, said means for generating rules per outcome component further comprising:
    - means for using an outcome object, creating an actions associative array wherein the key is a protocol action and the value is an associative array the key of which is a condition and the value of which is a criticality, wherein said actions associative array has an entry for each action defined by a protocol to which said outcome object pertains;
      
      means for optionally optimizing by combining all actions of said actions array having a same value;
      
      for each key in said actions associative array, means for creating a rule for said protocol represented by said outcome, listing all protocol actions given by said each key, wherein in the outcome section of said created rule, and creating a guarded clause for each condition given by the value of said actions associative array;
      
      for each said guarded clause, including the default clause of said outcome, means for creating a disposition comprising a severity matching the criticality of said condition;
      
      means for said disposition having a name comprising an owner, if said owner can be determined, the name of said condition, and the criticality of said condition; and
      
      means for said owner being determined first by selecting the owner of said outcome, and if said owner of said outcome does not exist, then selecting the owner of said service, and if said owner of said service does not exist, selecting the owner of said target reporting element, and if said owner of said target reporting element does not exist, selecting none.
  - 45. The apparatus of claim 31, said means for reporting of services by reporting elements for classifying traffic for traffic analysis or for network assessment, said apparatus further comprising:
    - for each network object that is a reporting element, means for creating a set of rules for each offered service of said network object, said offered service describing inbound traffic as originating from an unexpected host, said set of rules comprising a rule for each XNet, thus identifying said unexpected host as a member of said XNet;
      
      means for each of said rules issuing a disposition comprising an owner of said traffic, if said owner can be determined, wherein said owner is determined first by selecting the owner of said service, and if said owner of said service does not exist, then selecting the owner of said each reporting element; and
      
      means for optionally optimizing by grouping said offered services by owners of said offered services and using said group as an “
      
      or”
      
      of a group of services having a same owner as when generating a target credential.
  - 46. The apparatus of claim 31, said means for reporting of services by reporting elements for classifying traffic for traffic analysis or for network assessment, said apparatus further comprising:
    - for each network object that is a reporting element, means for creating a set of rules that classify traffic as TCP, UDP, or ICMP, and either inbound or outbound, using each XNet as an initiator for inbound traffic or target for outbound traffic, and using said each network object as a target for inbound traffic or initiator for outbound traffic.

47. A user interface to a meta-policy for allowing direct or indirect manipulation of actionable information of a network for developing and maintaining a network security policy, said user interface comprising:
- an application menu bar;
  
  toolbars;
  
  a subnet pane;
  
  a tabbed content pane;
  
  a tabbed messages pane; and
  
  various property windows used for defining objects of said meta-policy.
- View Dependent Claims (48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61)
- - 48. The user interface of claim 47, said application menu bar further comprising, but not limited to:
    - a file menu, for accessing standard file manipulation functions for a network security policy file;
      
      an edit menu, for providing standard editing options for said policy file;
      
      a run menu, for running said network security policy, said run menu comprising, but not limited to an evaluate policy option whereby said current network security policy is evaluated against a particular network traffic file;
      
      a subnet menu, for adding components to a subnet pane, said components comprising, but not limited to subnet, firewall, router, Internet, and connect;
      
      a policy menu, for manipulating a policy, said policy menu comprising, but not limited to a new host option for creating a new host object and for specifying host properties, new service for creating a new service object and for specifying service properties, a compile option for generating a form of said network security policy file suitable for a policy engine, and a generate policy description option for generating a human readable description document for said network security policy;
      
      a window, for bringing currently open application windows to the foreground; and
      
      a help menu, for providing help and for displaying standard about information.
  - 49. The user interface of claim 47, said toolbars further comprising, but not limited to:
    - an applications toolbar providing access to commands available in said file menu and said policy menu; and
      
      a subnet toolbar providing access to commands available in said subnet menu.
  - 50. The user interface of claim 47, said subnet pane further comprising, but not limited to:
    - an Internet object for representing all subnets not explicitly defined within said network security policy;
      
      a subnet object for representing a collection of IP subnets, said subnet object displaying the name of an associated subnet block, masks of subnets within said block, and an icon indicating whether said block contains a monitoring point;
      
      a router object for representing a routing element within said network, said router object displaying the name of said routing element and an icon indicating whether said router performs NAT;
      
      a firewall object for representing a firewall element within said network, said firewall object displaying the name of said firewall element and an icon indicating whether said firewall performs NAT;
      
      a connection object for indicating a possibility for traffic to flow between a perimeter element and a subnet block, whereby creating said connection between said perimeter element and said subnet block causes a network interface to be added to said perimeter element; and
      
      a network interface object for representing a physical interface on a router or firewall;
      
      wherein said objects are selectable and draggable for aesthetically positioning on said subnet pane.
  - 51. The user interface of claim 47, said tabbed content pane further comprising, but not limited to:
    - a listing of all objects in said meta-policy representing said network security policy;
      
      a hosts tab comprising, but not limited to the following categories;
      
      all networks, Internet, extranet, intranet, subnets, hosts, perimeter elements, and network interfaces;
      
      a services tab listing all services in and available to said network security policy; and
      
      an outcomes tab for providing a detailed listing of all outcomes defined within said network security policy;
      
      wherein each network object of said all network objects is linkable to an associated property windows and wherein any or all of said each network object or any or all of a part of said each network object is drag-and-dropable into a compatible field of a property window.
  - 52. The user interface of claim 47, said tabbed messages pane for displaying messages further comprising, but not limited to:
    - a console tab for displaying informational messages that are output from an associated policy developer application using said user interface; and
      
      a compiler tab for displaying output from an associated policy compilation process, comprising, but not limited to warnings and errors;
      
      wherein said pane is clearable by, but not limited to choice of a user or automatically.
  - 53. The user interface of claim 52, further comprising:
    - a policy description tab for displaying output from a policy description generation process.
  - 54. The user interface of claim 47, said various property windows used for defining objects of said meta-policy further comprising, but not limited to:
    - subnet properties;
      
      host group properties;
      
      perimeter element properties;
      
      network interface properties;
      
      top-level networks properties;
      
      service properties; and
      
      outcome properties;
      
      wherein some or all properties of said objects are editable.
  - 55. The user interface of claim 54, said subnet properties comprising, but not limited to:
    - name;
      
      subnet type;
      
      collection point;
      
      collection point name;
      
      reporting element;
      
      reporting element owner;
      
      generate discovery policy;
      
      IP masks tab;
      
      requiring tab; and
      
      offering tab.
  - 56. The user interface of claim 54, said host group properties comprising, but not limited to:
    - name;
      
      button icon;
      
      reporting element;
      
      reporting element owner;
      
      generate discovery policy;
      
      IP addresses tab;
      
      notes tab;
      
      requiring tab; and
      
      offering tab.
  - 57. The user interface of claim 54, said perimeter element properties comprising, but not limited to:
    - name; and
      
      does IP address translation?.
  - 58. The user interface of claim 54, said network interface properties comprising, but not limited to:
    - name;
      
      reporting element;
      
      reporting element owner;
      
      MAC address;
      
      IP address;
      
      NAT tab wherein NAT is configured for the interface towards which a translation occurs;
      
      requiring tab; and
      
      offering tab.
  - 59. The user interface of claim 54, said top-level networks properties comprising, but not limited to:
    - name;
      
      reporting element;
      
      reporting element owner;
      
      generate discovery policy;
      
      requiring tab; and
      
      offering tab.
  - 60. The user interface of claim 54, said service properties comprising, but not limited to:
    - name;
      
      services icon;
      
      owner;
      
      base protocol;
      
      outcome;
      
      traffic descriptor;
      
      protocol layers;
      
      initiators; and
      
      targets.
  - 61. The user interface of claim 54, said outcome properties comprising, but not limited to:
    - name;
      
      outcome icon;
      
      owner;
      
      component; and
      
      criticality.

62. An apparatus for providing policy description of a current policy domain, said apparatus comprising:
- means for indexing an overview of network objects of said policy domain, said indexing by name and by network;
  
  for each of said network objects, means for providing detailed information about associated services and relationships between other network objects; and
  
  means for providing outcomes information, comprising showing criticality information assigned to associated relationship outcomes.

63. A method for providing policy description of a current network security policy, said method comprising:
- indexing an overview of network objects of said current policy, said indexing by name and by network;
  
  for each of said network objects, providing detailed information about associated services and relationships between other network objects; and
  
  providing outcomes information, comprising showing criticality information assigned to associated relationship outcomes.

64. A method for generating a policy description output from meta-policy objects, said meta-policy objects comprising a plurality of network objects and outcomes, said meta-policy objects representing a network security policy, said method comprising:
- generating a name index view and a network index view of said plurality of network objects;
  
  generating a view on specific network object information for each network object of said plurality of network objects; and
  
  generating a view on information of said outcomes.
- View Dependent Claims (65, 66, 67)
- - 65. The method of claim 64, said generating a name index and a network index, further comprising any combination of:
    - listing said network objects in said name index view in ascending order by leading character, along with associated IP addresses, subnet masks, contained host groups, and other unique identifiers;
      
      listing said network objects in said network index view in the order determined by the containment hierarchy of said network objects;
      
      listing network interfaces assigned to perimeter element objects beneath said perimeter element objects, noting associated IP and MAC addresses of said network interfaces;
      
      wherein each network object entry in said name and network index view is a hyperlink to said specific network object view;
      
      wherein network objects that are reporting elements are displayed in a distinctive manner;
      
      providing means for easily switching from said name index view to said network index view;
      
      wherein an IP address is a hyperlink from said name index view to said network index view, and vice-versa; and
      
      providing hyperlinks from said name and network indexes views to said outcomes view.
  - 66. The method of claim 64, said generating a view on specific network object information for each network object of said plurality of network objects, further comprising any combination of:
    - showing all relationships in which said each network object is involved, either directly or as a result of said each network object'"'"'s implicit or explicit containment within other network objects;
      
      showing said all relationships in the order determined by said each network object'"'"'s containment hierarchy;
      
      providing a headings view, said view comprising, but not limited to name of said each network object, a hyperlink to a corresponding entry in said network index view, a list of hyperlinks to views of associated containing network objects, and name of a network interface object having an associated containing perimeter element name as a prefix;
      
      providing a body view comprising, but not limited to, lists of all services to which said each network object offers and requires, said services noted in ascending order by port with the lowest port of said ports used in case of multi-port services, wherein noted network objects hyperlink to associated network object views for each noted network object, and a description of Network Address Translation configuration for network interface objects;
      
      providing a relationship notation for each relationship comprising, but not limited to, the service name, the name of the network object where said each relationship is defined, the name of other network objects with which said network object is allowed to have said each relationship, wherein relationships per service are listed in the order determined by said network object'"'"'s containment hierarchy; and
      
      providing a footers view comprising, but not limited to, hyperlinks to said name and network indexes, and outcomes view.
  - 67. The method of claim 64, said generating a view on information of said outcomes, further comprising any combination of:
    - listing in alphabetical order each outcome of said outcomes;
      
      listing associated outcome components, the dispositions and criticalities of said outcome components of said each outcome, beneath said each outcome in alphabetical order of said outcome component names; and
      
      providing hyperlinks to said name and network indexes.

68. An apparatus for generating a policy description output from meta-policy objects, said meta-policy objects comprising a plurality of network objects and outcomes, said meta-policy objects representing a network security policy, said apparatus comprising:
- means for generating a name index view and a network index view of said plurality of network objects;
  
  means for generating a view on specific network object information for each network object of said plurality of network objects; and
  
  means for generating a view on information of said outcomes.

69. The apparatus of claim 68, said means for generating a name index and a network index, further comprising any combination of:
- means for listing said network objects in said name index view in ascending order by leading character, along with associated IP addresses, subnet masks, contained host groups, and other unique identifiers;
  
  means for listing said network objects in said network index view in the order determined by the containment hierarchy of said network objects;
  
  means for listing network interfaces assigned to perimeter element objects beneath said perimeter element objects, noting associated IP and MAC addresses of said network interfaces;
  
  wherein each network object entry in said name and network index view is a hyperlink to said specific network object view;
  
  wherein network objects that are reporting elements are displayed in a distinctive manner;
  
  means for easily switching from said name index view to said network index view;
  
  wherein an IP address is a hyperlink from said name index view to said network index view, and vice-versa; and
  
  hyperlinks from said name and network indexes views to said outcomes view.

70. The apparatus of claim 68, said means for generating a view on specific network object information for each network object of said plurality of network objects, further comprising any combination of:
- means for showing all relationships in which said each network object is involved, either directly or as a result of said each network object'"'"'s implicit or explicit containment within other network objects;
  
  means for showing said all relationships in the order determined by said each network object'"'"'s containment hierarchy;
  
  a headings view, said view comprising, but not limited to name of said each network object, a hyperlink to a corresponding entry in said network index view, a list of hyperlinks to views of associated containing network objects, and name of a network interface object having an associated containing perimeter element name as a prefix;
  
  a body view comprising, but not limited to, lists of all services to which said each network object offers and requires, said services noted in ascending order by port with the lowest port of said ports used in case of multi-port services, wherein noted network objects hyperlink to associated network object views for each noted network object, and a description of Network Address Translation configuration for network interface objects;
  
  a relationship notation for each relationship comprising, but not limited to, the service name, the name of the network object where said each relationship is defined, the name of other network objects with which said network object is allowed to have said each relationship, wherein relationships per service are listed in the order determined by said network object'"'"'s containment hierarchy; and
  
  a footers view comprising, but not limited to, hyperlinks to said name and network indexes, and outcomes view.

71. The apparatus of claim 68, said means for generating a view on information of said outcomes, further comprising any combination of:
- means for listing in alphabetical order each outcome of said outcomes;
  
  means for listing associated outcome components, the dispositions and criticalities of said outcome components of said each outcome, beneath said each outcome in alphabetical order of said outcome component names; and
  
  hyperlinks to said name and network indexes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Securify, Inc. (McAfee, LLC)
Inventors
Guzik, John R., Pearcy, Derek P., Valente, Luis

Granted Patent

US 7,246,370 B2
Time in Patent Office

Days
Field of Search
US Class Current

715/513
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

H04L 41/0681   Configuration of triggering...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/22   comprising specially adapte...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

PDstudio design system and method

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

71 Claims

Specification

Solutions

Use Cases

Quick Links

PDstudio design system and method

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

71 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links