System and methodology for security policy arbitration

US 20030177389A1
Filed: 05/31/2002
Published: 09/18/2003
Est. Priority Date: 03/06/2002
Status: Active Grant

First Claim

Patent Images

1. A method for a device to apply a security policy required for connection to a network, the method comprising:

receiving a request from a device for a connection to a particular network, said device having a plurality of security policies available for governing connections;

based on said plurality of security policies available to said device, determining a current policy to apply to said device for governing said connection to said particular network; and

allowing said connection to said particular network to proceed with said current policy applied to said device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system providing methods for a device to apply a security policy required for connection to a network is described. In response to receipt of a request from a device for connection to a particular network, a current policy to apply to said device for governing the connection to this particular network is determined from a plurality of available security policies available to the device. This current policy to apply to said device is generated by merging a plurality of security policies available for governing connections. After said current policy is applied to the device, the connection from the device to this particular network is allowed to proceed.

Citations

52 Claims

1. A method for a device to apply a security policy required for connection to a network, the method comprising:
- receiving a request from a device for a connection to a particular network, said device having a plurality of security policies available for governing connections;
  
  based on said plurality of security policies available to said device, determining a current policy to apply to said device for governing said connection to said particular network; and
  
  allowing said connection to said particular network to proceed with said current policy applied to said device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein said step of determining a current policy to apply includes determining a particular security policy required for connection to said particular network.
  - 3. The method of claim 1, wherein said step of determining a current policy to apply includes merging said plurality of security policies available for governing connections.
  - 4. The method of claim 3, wherein said step of merging said plurality of security policies includes merging a security policy previously active on said device and a security policy required for connection to said particular network.
  - 5. The method of claim 1, wherein said step of determining a current policy to apply includes merging each security policy required for governing a connection currently open at said device.
  - 6. The method of claim 1, wherein said step of determining a current policy to apply includes the substeps of:
    - examining each rule of each security policy available for governing connections;
      
      for each rule, determining a setting to adopt in said current policy based upon settings of each said security policy.
  - 7. The method of claim 6, in which said substep of examining each rule of each security policy available for governing connections includes examining each security policy required for governing a connection currently open at said device.
  - 8. The method of claim 1, wherein said step of determining a current policy to apply includes evaluating each security setting of said plurality of security policies.
  - 9. The method of claim 1, wherein said plurality of security policies available to said device includes security policies available through connection to a network.
  - 10. The method of claim 1, wherein said plurality of security policies available for governing connections includes at least one security policy which is user configurable.
  - 11. The method of claim 1, wherein said step of determining a current policy to apply includes locating a particular security policy required for connection to said particular network.
  - 12. The method of claim 11, wherein said step of locating a particular security policy required for connection to said particular network includes downloading said security policy from said particular network.
  - 13. The method of claim 1, wherein said step of allowing said connection to said particular network to proceed with said current policy applied to said device, includes updating firewall settings on said device based upon said current policy.
  - 14. The method of claim 1, further comprising:
    - upon disconnection of said device from said particular network, determining a revised security policy to apply.
  - 15. The method of claim 14, wherein said step of determining a revised security policy to apply includes determining said revised security policy based upon security policies required for governing connections remaining open at said device.
  - 16. The method of claim 1, wherein said current security policy comprises a set of enforcement rules governing access to and from said device.

17. A method for a device to automatically revise a security policy as required to allow connection to a network, the method comprising:
- providing a security enforcement module at a device, said security enforcement module enforcing an initial security policy;
  
  upon receipt of a request for connection of said device to a network, determining a particular security policy required to be enforced to allow connection of said device to said network;
  
  generating a revised security policy for enforcement by said security enforcement module, said revised security policy based upon merging said particular security policy and said initial security policy;
  
  applying said revised security policy to said security enforcement module to allow said device to connect to said network.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 18. The method of claim 17, wherein said initial security policy includes a plurality of rules governing access at said device to be enforced by said security enforcement module.
  - 19. The method of claim 17, wherein said initial security policy includes an individual security policy adopted by a user of said device.
  - 20. The method of claim 17, wherein said step of determining a particular security policy required to be enforced includes identifying said particular security policy from a plurality of security policies available at said device.
  - 21. The method of claim 17, wherein said step of determining a particular security policy required to be enforced includes downloading said particular security rules from said network.
  - 22. The method of claim 17, wherein said step of generating a revised security policy includes the substeps of:
    - examining each rule of said initial security policy and said particular security policy; and
      
      for each rule, determining a setting to adopt for said rule based upon settings of said initial security policy and said particular security policy.
  - 23. The method of claim 22, in which said substep of determining a setting to adopt for said rule includes adopting the most restrictive setting for said rule.
  - 24. The method of claim 22, in which said substep of determining a setting to adopt for said rule includes adopting a setting based upon a pre-selected ordering of said settings.
  - 25. The method of claim 22, in which said substep of determining a setting to adopt for said rule includes adopting a setting based upon intersecting permissive list settings.
  - 26. The method of claim 22, in which said substep of determining a setting to adopt for said rule includes adopting a setting based upon unioning restrictive list settings.
  - 27. The method of claim 17, wherein said initial security policy includes a revised security policy previously generated and applied to said security enforcement module.
  - 28. The method of claim 17, wherein said step of applying said revised security policy to said security enforcement module includes updating firewall settings of said security enforcement module on said device based upon said revised security policy.
  - 29. The method of claim 17, further comprising:
    - upon disconnection of said device from said network, determining a revised security policy to apply based upon security policies required to be enforced as a result of network connections remaining active at said device.
  - 30. The method of claim 17, further comprising:
    - upon disconnection of said device from said network, applying said initial security policy to said security enforcement module.

31. A system for regulating access at a computing system as required for connection to a network, the system comprising:
- a connection manager for receiving a request for connection to a network at said computing system and determining an access policy which is required for connection to said network;
  
  a rules engine for automatically generating a current access policy for regulating access at a computing system as required for connection to a network, said current access policy being generated by merging a plurality of access policies available at said computing system; and
  
  a security enforcement module for applying said current access policy for regulating access at a computing system.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 32. The system of claim 31, wherein said rules engine generates a current access policy by merging an access policy previously active at said computing system and an access policy required for connection to said network.
  - 33. The system of claim 31, wherein said rules engine generates a current access policy by merging each access policy required for connection to each network to which said computing system is currently connected.
  - 34. The system of claim 33, wherein each network to which said computing system is currently connected includes said network to which said computing system has requested a connection.
  - 35. The system of claim 31, wherein said connection manager includes a communication driver for identifying requests for connection to a network.
  - 36. The system of claim 31, wherein said rules engine generates a current access policy by performing the steps of:
    - examining each rule of each access policy available at said computing system;
      
      for each rule, determining a setting to adopt in said current access policy based upon settings of each said available access policy.
  - 37. The system of claim 36 in which said step of determining a setting to adopt in said current access policy includes considering only available access policies required for connections currently open at said computing system.
  - 38. The system of claim 36, wherein said rules engine generates a current access policy by comparing each security setting of each rule of said plurality of available access policies.
  - 39. The system of claim 31, wherein said connection manager determines an access policy which is required for connection to said network by downloading said access policy from said network.
  - 40. The system of claim 31, wherein said security enforcement module includes a firewall application for selectively blocking access at said computing system based upon said current access policy.
  - 41. The system of claim 31, further comprising:
    - a supervisor module for verifying a computing system is applying an access policy required for connection to network prior to allowing said connection to said network.
  - 42. The system of claim 31, wherein said rules engine determines a revised access policy to apply upon disconnection of said computing system from said network.

43. A method for automatically adjusting enforcement rules of a security enforcement module at a device as required to enable access to a network, the method comprising:
- providing an enforcement module at a device, said enforcement module applying an initial set of enforcement rules;
  
  upon receiving a request for access to a network, determining particular enforcement rules required to be applied by said enforcement module to enable access to said network;
  
  automatically adjusting said initial set of enforcement rules by merging said initial set of enforcement rules with said particular enforcement rules required to enable access to said network; and
  
  applying said adjusted enforcement rules to said enforcement module to enable said device to access said network.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 44. The method of claim 43, wherein said step of determining particular enforcement rules to apply includes locating said particular enforcement rules from a plurality of enforcement rules available to said enforcement module.
  - 45. The method of claim 43, wherein said step of determining particular enforcement rules required to enable access to said network includes downloading said particular enforcement rules from said network.
  - 46. The method of claim 43, wherein said step of merging said initial set of enforcement rules with said particular set of enforcement rules includes determining settings to adopt for each rule by evaluating settings of said initial set of enforcement rules and settings of said particular enforcement rules.
  - 47. The method of claim 46, in which said step of determining settings to adopt for each rule includes adopting the more restrictive setting of said initial set of enforcement rules and said particular enforcement rules.
  - 48. The method of claim 46, in which said step of determining settings to adopt for each rule includes adopting settings based upon a pre-selected ordering of said settings.
  - 49. The method of claim 46, in which said step of determining settings to adopt for each rule includes adopting settings based upon intersecting list settings for rules that are permissive.
  - 50. The method of claim 46, in which said step of determining settings to adopt for each rule includes adopting settings based upon concatenating list settings for rules that are restrictive.
  - 51. The method of claim 43, further comprising:
    - providing a security supervisor on said network, said security supervisor enforcing compliance with particular enforcement rules required to enable access to said network.
  - 52. The method of claim 43, further comprising:
    - upon termination of access to said network by said device, applying said initial set of enforcement rules for enforcement by said enforcement module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Zone Labs Inc. (Check Point Software Technologies Limited)
Inventors
Kawamura, Kyle N., Albert, Anthony, Herrmann, Conrad K., Haycock, Keith A.

Granted Patent

US 7,546,629 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 12/2856   Access arrangements, e.g. I...

H04L 12/2876   Handling of subscriber poli...

H04L 63/0263   Rule management

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

System and methodology for security policy arbitration

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

System and methodology for security policy arbitration

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links