Managing multiple network security devices from a manager device
2 Assignments
0 Petitions
Abstract
The present invention is directed to a facility for using a security policy manager device to remotely manage multiple network security devices (NSDs). The manager device can also use one or more intermediate supervisor devices to assist in the management. Security for the communication of information between various devices can be provided in a variety of ways. The system allows the manager device to create a consistent security policy for the multiple NSDs by distributing a copy of a security policy template to each of the NSDs and by then configuring each copy of the template with NSD-specific information. For example, the manager device can distribute the template to multiple NSDs by sending a single copy of the template to a supervisor device associated with the NSDs and by then having the supervisor device update each of the NSDs with a copy of the template. Other information useful for implementing security policies can also be distributed to the NSDs in a similar manner. The system also allows a manager device to retrieve, analyze and display all of the network security information gathered by the various NSDs while implementing security policies. Each NSD can forward its network security information to a supervisor device currently associated with the NSD, and the manager device can retrieve network security information of interest from the one or more supervisor devices which store portions of the information and then aggregate the retrieved information in an appropriate manner.
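The abstract describes a three-tier arrangement: a manager device sends one copy of a policy template to each supervisor device, the supervisor fans it out to its associated NSDs, each NSD stores the security information it generates on its primary supervisor (or on an alternate when the primary is down), and the manager later gathers the scattered portions and aggregates them. The following simulation is an added illustration of that flow and is not code from the patent or from any product; every class, name, address and record in it is constructed for the example.

```python
"""Constructed simulation (not code from the patent) of the hierarchy the
abstract describes: a manager device, supervisor devices and network security
devices (NSDs). All names and values below are made up for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Supervisor:
    name: str
    available: bool = True
    # Security information stored on this supervisor, keyed by NSD name.
    store: Dict[str, List[dict]] = field(default_factory=dict)
    # NSDs for which this supervisor is the primary supervisor.
    nsds: Dict[str, "NSD"] = field(default_factory=dict)

    def fan_out(self, template: dict, targets: List[str]) -> List[str]:
        """Deliver the single template copy received from the manager to each
        named NSD this supervisor is associated with (the supervisor side)."""
        delivered = []
        for name in targets:
            if name in self.nsds:
                self.nsds[name].configure(template)
                delivered.append(name)
        return delivered

    def store_info(self, nsd_name: str, record: dict) -> None:
        self.store.setdefault(nsd_name, []).append(record)

    def collect(self, nsd_name: str, alternates: List["Supervisor"]) -> List[dict]:
        """Our own portion plus the portions on the indicated alternate hosts."""
        portions = list(self.store.get(nsd_name, []))
        for alt in alternates:
            portions.extend(alt.store.get(nsd_name, []))
        return portions


@dataclass
class NSD:
    name: str
    site: str
    primary: Supervisor
    alternates: List[Supervisor]
    policy: Optional[dict] = None

    def __post_init__(self) -> None:
        self.primary.nsds[self.name] = self

    def configure(self, template: dict) -> None:
        # Each NSD specialises its copy of the template with device-specific values.
        self.policy = {**template, "device": self.name, "site": self.site}

    def report(self, record: dict) -> str:
        """Store on the primary when it is available, otherwise on the first
        available alternate. Returns the name of the host that stored it."""
        for sup in [self.primary, *self.alternates]:
            if sup.available:
                sup.store_info(self.name, record)
                return sup.name
        raise RuntimeError(f"{self.name}: no supervisor available")


class Manager:
    def __init__(self, supervisors: List[Supervisor], nsds: List[NSD]) -> None:
        self.supervisors = {s.name: s for s in supervisors}
        self.nsds = {n.name: n for n in nsds}

    def distribute(self, template: dict, targets: List[str]) -> int:
        """Group targets by primary supervisor and send ONE copy per supervisor.
        Returns the number of copies the manager actually transmitted."""
        by_supervisor: Dict[str, List[str]] = {}
        for name in targets:
            by_supervisor.setdefault(self.nsds[name].primary.name, []).append(name)
        for sup_name, names in by_supervisor.items():
            self.supervisors[sup_name].fan_out(template, names)
        return len(by_supervisor)

    def aggregate(self, nsd_name: str) -> List[dict]:
        """Find the alternates holding portions, ask the primary for everything
        (or the alternates directly if the primary is down), merge in time order."""
        nsd = self.nsds[nsd_name]
        holders = [s for s in self.supervisors.values()
                   if s is not nsd.primary and s.store.get(nsd_name)]
        if nsd.primary.available:
            portions = nsd.primary.collect(nsd_name, holders)
        else:
            portions = [r for h in holders for r in h.store[nsd_name]]
        return sorted(portions, key=lambda r: r["ts"])


def demo() -> dict:
    """Distribution, a primary-supervisor outage, and aggregation afterwards."""
    s1, s2 = Supervisor("S1"), Supervisor("S2")
    fw_a = NSD("fw-a", "hq", s1, [s2])
    fw_b = NSD("fw-b", "hq", s1, [s2])
    fw_c = NSD("fw-c", "branch", s2, [s1])
    mgr = Manager([s1, s2], [fw_a, fw_b, fw_c])
    copies = mgr.distribute({"default": "deny", "log": True}, ["fw-a", "fw-b", "fw-c"])
    hosts = [fw_a.report({"ts": 1, "event": "blocked", "src": "203.0.113.5"})]
    s1.available = False  # primary supervisor goes down; alternate takes the record
    hosts.append(fw_a.report({"ts": 2, "event": "blocked", "src": "203.0.113.6"}))
    s1.available = True   # primary comes back
    hosts.append(fw_a.report({"ts": 3, "event": "allowed", "src": "198.51.100.2"}))
    return {"copies_sent": copies, "hosts": hosts,
            "policy_c": fw_c.policy, "records": mgr.aggregate("fw-a")}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the abstract is built around: three NSDs across two supervisors cost the manager only two template transmissions, and the record written while `S1` was down is not lost, because `aggregate` discovers it on `S2` and merges it back into the device's timeline. A defender reviewing such a design would also want the supervisor to report which alternates it could not reach, since a silently missing portion looks identical to a quiet network.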
105 Claims
1. A method for a security manager device to manage a plurality of network security devices with a plurality of supervisor devices, each network security device generating network security information related to an associated group of network devices, storing the generated network security information on a primary supervisor device for the network security device when the primary supervisor device is available to store the generated network security information, and storing the generated network security information on an alternate supervisor device when the primary supervisor device is unavailable, the method comprising:
distributing security control information to multiple network security devices, the security control information to be used to generate network security information, by determining a supervisor device that is the primary supervisor device for each of the multiple network security devices;
sending a single copy of the security control information to the determined supervisor device; and
indicating to the determined supervisor device to send a copy of the security control information to each of the multiple network security devices; and
aggregating the network security information generated by an indicated one of the multiple network security devices using the security control information, by determining at least one alternate supervisor device that stores at least a portion of the network security information generated by the indicated network security device;
notifying the primary supervisor device for the indicated network security device of a desire for the generated network security information, the notifying including an indication of the determined alternate supervisor devices; and
in response, receiving the generated network security information, so that the manager device can efficiently distribute information to multiple network security devices, and can retrieve all of the generated network security information for a network security device because alternate supervisor devices will store the information when the primary supervisor device for the network security device is unavailable.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A method for collecting security information generated by a security device, the generated security information based on network information passing between other network devices, the generated security information stored on at least one host device distinct from the security device, the method comprising:
receiving a request for the generated security information;
determining the host devices on which at least portions of the generated security information are stored; and
when there are multiple determined host devices, for each of the multiple determined host devices, retrieving the portions of the generated security information that are stored on the host device; and
aggregating the retrieved portions of the generated security information.
Dependent claims: 12, 13, 14, 15, 16, 17, 18

19. A method for collecting security information generated by a security device, the generated security information based on network information passing between other network devices, the generated security information stored on multiple host devices distinct from the security device, the method comprising:
receiving a request from a manager device for the generated security information;
receiving an indication of the multiple host devices which store portions of the generated security information;
retrieving from each of the multiple host devices the stored portions of the generated security information; and
sending to the manager device the retrieved portions of the generated security information, so that the manager device can aggregate the portions of the generated security information stored by the multiple host devices.
Dependent claims: 20, 21, 22, 23, 24

25. A method for storing security information generated by a security device in a distributed manner so as to ensure the security information is available, the security information based on network information passing between network devices, the method comprising:
identifying whether a primary supervisor device for the security device is available to store received security information;
when the primary supervisor device is available, storing the security information on the primary supervisor device; and
when the primary supervisor device is not available, storing the security information on an alternate supervisor device, so that a manager device can retrieve all of the security information because alternate supervisor devices will store the information when the primary supervisor device is unavailable.
Dependent claims: 26, 27, 28, 29, 30

31. A method for distributing security policy implementation information to multiple security devices for use in implementing a security policy, the method comprising:
for each of the security devices, determining a supervisor device currently associated with the security device;
distributing the security policy implementation information to each of the determined supervisor devices; and
indicating to each of the determined supervisor devices to distribute the security policy implementation information to the security devices with which the supervisor device is associated.
Dependent claims: 32, 33, 34, 35, 36, 37, 38, 39, 40

41. A method for a supervisor device to distribute security policy implementation information to multiple security devices for use in implementing a security policy, the method comprising:
receiving from a manager device a single copy of security policy implementation information to be distributed to multiple security devices; and
for each of the multiple security devices, if the supervisor device is associated with the security device, distributing the security policy implementation information to the security device.
Dependent claims: 42, 43, 44, 45, 46, 47, 48, 49

50. A method for distributing control information to multiple security devices for use in controlling the operation of the multiple security devices, the method comprising:
for each of the security devices, determining a supervisor device currently associated with the security device;
distributing the control information to each of the determined supervisor devices; and
indicating to each of the determined supervisor devices to distribute the control information to the security devices with which the supervisor device is associated.
Dependent claims: 51

52. A method for a security device to operate in accordance with security policy implementation information distributed from a manager device, the method comprising:
receiving security policy implementation information to be used by the security device in implementing a security policy; and
using the security policy implementation information to implement the security policy.
Dependent claims: 53, 54, 55, 56, 57, 58, 59

60. A method for collecting security information generated by a security device, the generated security information based on network information passing between other network devices, the generated security information stored on at least one host device distinct from the security device, the method comprising:
displaying to a user a view including the security device and the host devices;
receiving from the user a visual indication of a security device from which to retrieve generated security information;
determining the host devices on which at least portions of the generated security information are stored;
retrieving the portions of the generated security information that are stored on the determined host devices; and
aggregating the retrieved portions of the generated security information.
Dependent claims: 61, 62, 63, 64

65. A method for distributing security policy implementation information to multiple security devices for use in implementing a security policy, the method comprising:
displaying to a user a view of the multiple security devices and of multiple supervisor devices;
receiving from the user visual indications of multiple security devices to which the security policy implementation information is to be distributed;
distributing the security policy implementation information to a supervisor device associated with each of the security devices; and
indicating to the associated supervisor device to distribute the security policy implementation information to each of the security devices.
Dependent claims: 66, 67, 68

69. A method for displaying security information generated by a security device, the generated security information based on network information passing between other network devices, portions of the generated security information stored on multiple host devices distinct from the security device, the method comprising:
displaying to a user a view including the security device and the host devices;
receiving from the user an indication of a security device from which to retrieve generated security information; and
displaying to the user an aggregation of the portions of the generated security information retrieved from the multiple host devices.
Dependent claims: 70, 71

72. A method for distributing security policy implementation information to multiple security devices for use in implementing a security policy, the method comprising:
displaying to a user a view of a manager device, the multiple security devices and of multiple supervisor devices;
receiving from the user indications of multiple security devices to which the security policy implementation information is to be distributed; and
displaying to the user an indication that the security policy implementation information is distributed to the multiple security devices, the distribution accomplished by the manager device sending the security policy implementation information to a supervisor device associated with each of the security devices and indicating to the associated supervisor device to distribute the security policy implementation information to each of the security devices.
Dependent claims: 73, 74, 75, 76

77. A computer-readable medium whose contents cause a manager device to collect security information generated by a security device, the generated security information based on network information passing between other network devices, the generated security information stored on at least one host device distinct from the security device, by:
receiving a request for the generated security information;
determining the host devices on which at least portions of the generated security information are stored; and
when there are multiple determined host devices, for each of the multiple determined host devices, retrieving the portions of the generated security information that are stored on the host device; and
aggregating the retrieved portions of the generated security information.
Dependent claims: 78, 79, 80, 81

82. A computer-readable medium whose contents cause a manager device to distribute security policy implementation information to multiple security devices for use in implementing a security policy, by:
for each of the security devices, determining a supervisor device currently associated with the security device;
distributing the security policy implementation information to each of the determined supervisor devices; and
indicating to each of the determined supervisor devices to distribute the security policy implementation information to the security devices with which the supervisor device is associated.
Dependent claims: 83, 84, 85, 86, 87

88. A computer system for collecting security information generated by a security device, the generated security information based on network information passing between other network devices, the generated security information stored on at least one host device distinct from the security device, comprising:
a user interface component that receives from a user a request for the generated security information; and
a security information retriever that determines the host devices on which at least portions of the generated security information are stored, and that when there are multiple determined host devices, for each of the multiple determined host devices, retrieves the portions of the generated security information that are stored on the host device and aggregates the retrieved portions of the generated security information.
Dependent claims: 89, 90

91. A computer system for distributing security policy implementation information to multiple security devices for use in implementing a security policy, comprising:
a security device associator for determining for each of the security devices a supervisor device currently associated with the security device; and
an information distributor for distributing the security policy implementation information to each of the determined supervisor devices, and for indicating to each of the determined supervisor devices to distribute the security policy implementation information to the security devices with which the supervisor device is associated.
Dependent claims: 92, 93, 94

95. A computer system for storing security information generated by a security device in a distributed manner so as to ensure the security information is available, the security information based on network information passing between network devices, comprising:
a storage identifier for identifying whether a primary supervisor device for the security device is available to store received security information; and
an information storer for storing the security information on the primary supervisor device if the primary supervisor device is available, and for storing the security information on an alternate supervisor device when the primary supervisor device is not available.
Dependent claims: 96, 97

98. A computer system that implements a security policy in accordance with security policy implementation information distributed from a manager device, comprising:
a security policy information receiver for receiving security policy implementation information to be used in implementing a security policy; and
a security policy implementer for using the security policy implementation information to implement the security policy.
Dependent claims: 99, 100, 101

102. A generated data signal transmitted via a data transmission medium from a manager device to a supervisor device, the data signal including a single copy of security policy implementation information to be distributed by the supervisor device to multiple security devices, the security policy implementation information for use by the supervisor devices in implementing a security policy, so that the manager device can efficiently distribute information to multiple security devices via a supervisor device.

Specification