System for supporting security administration and method of doing the same
Abstract
A system for supporting security administration in a network system includes a node-information memory storing node information indicative of security functions provided by hardwares and softwares of the network system, for each of the hardwares and each of the softwares; an input device which receives a set of rules as guidance relating to security of the network system, and topology information indicative of hardwares of the network system and softwares installed in each of the hardwares; and a correspondence maker which, based on the node information, makes correspondence between each of the rules and each of the hardwares or softwares indicated by the topology information.
40 Claims
1. A system for supporting security administration in a network system, including:
a node-information memory storing node information indicative of security functions provided by hardwares and softwares of said network system, for each of said hardwares and each of said softwares;
an input device which receives a set of rules as guidance relating to security of said network system, and topology information indicative of hardwares of said network system and softwares installed in each of said hardwares; and
a correspondence maker which, based on said node information, makes correspondence between each of said rules and each of said hardwares or softwares indicated by said topology information.
(Dependent claims 2 to 16 are not reproduced here.)
17. A system for supporting security administration in a network system, including:
an input device which receives topology information indicative of hardwares of said network system and softwares installed in each of said hardwares;
a function-map input device which receives a function map including a set of information indicative of correspondence among a rule as a guidance relating to security of said network system, a hardware or software of said network system, and a security function provided by said hardware or software to accomplish said rule;
a parameter-information memory which stores parameter information including an instruction to extract a parameter to be applied to a hardware or software for causing said hardware or software to carry out its security functions, out of said topology information;
a parameter-extracting device which extracts said parameter information out of said parameter-information memory for each of said security functions to which a rule and a hardware or software corresponds, and extracts a parameter out of said topology information in accordance with an instruction included in the thus extracted parameter information, based on said function map;
a script-model memory which stores a model of a script including a command for determining a parameter on the assumption that a parameter is not determined; and
a script maker which extracts said model out of said script-model memory, and makes said script, based on the thus extracted model and said parameter extracted by said parameter-extracting device.
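Claim 17 describes a pipeline: a function map names which node realises which rule through which security function; parameter information says where in the topology each script parameter is to be read from; a script model carries, for every parameter, a command that determines it at run time in case the topology did not; and the script maker fills the model with whatever was extracted. The following Python is an added worked example of that pipeline, not code from the patent or its applicant. The topology attributes, the "scope.key" instruction syntax, the script-model layout (a fallback command per parameter plus a command body) and all sample data are constructed assumptions; the generated scripts are POSIX sh.

```python
"""Parameter extraction and script generation (claim 17).

Added worked example, not code from the patent or its applicant. The
topology attributes, the "scope.key" instruction syntax of the parameter
information, and the script-model format (a fallback command per
parameter plus a command body) are assumptions; the data is constructed.
"""
import shlex

# Topology: hardware -> its attributes and the softwares installed on it (constructed).
TOPOLOGY = {
    "fw-1": {"attrs": {"wan_if": "eth0", "lan_net": "10.0.0.0/24"},
             "softwares": {"iptables": {}}},
    "web-1": {"attrs": {"fqdn": "www.example.test"},
              "softwares": {"apache": {"listen_port": "443"}}},   # no cert path recorded
}

# Function map: (rule, hardware or software, security function) as produced upstream.
FUNCTION_MAP = [
    ("R1", "iptables", "packet_filter"),
    ("R2", "apache", "tls"),
]

# Parameter information: per security function, an instruction saying where in the
# topology each script parameter is extracted from ("host.<attr>" or "software.<attr>").
PARAMETER_INFO = {
    "packet_filter": {"WAN_IF": "host.wan_if", "LAN_NET": "host.lan_net"},
    "tls": {"FQDN": "host.fqdn", "PORT": "software.listen_port", "CERT": "software.cert_path"},
}

# Script models: for each parameter, a shell command that determines it at run time
# when the topology did not determine it, followed by the commands that apply it.
SCRIPT_MODELS = {
    "packet_filter": {
        "determine": {
            "WAN_IF": "$(ip route show default | awk '{print $5; exit}')",
            "LAN_NET": "$(ip -o -4 route show scope link | awk '{print $1; exit}')",
        },
        "body": [
            'iptables -P INPUT DROP',
            'iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT',
            'iptables -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP   # internal source on WAN: spoofed',
        ],
    },
    "tls": {
        "determine": {
            "FQDN": "$(hostname -f)",
            "PORT": "443",
            "CERT": '$(find /etc/ssl/certs -name "$FQDN*.pem" | head -n 1)',
        },
        "body": [
            '[ -r "$CERT" ] || { echo "no certificate for $FQDN" >&2; exit 1; }',
            'printf \'<VirtualHost *:%s>\\n  ServerName %s\\n  SSLEngine on\\n'
            '  SSLCertificateFile %s\\n</VirtualHost>\\n\' "$PORT" "$FQDN" "$CERT" '
            '> /etc/apache2/sites-available/tls.conf',
        ],
    },
}


def locate(topology, node):
    """Return (host attributes, software attributes) for a hardware or software node."""
    for host, spec in topology.items():
        if host == node:
            return spec["attrs"], {}
        if node in spec["softwares"]:
            return spec["attrs"], spec["softwares"][node]
    raise KeyError(f"{node} is not in the topology")


def extract_parameters(topology, node, function, parameter_info):
    """Follow each extraction instruction; parameters the topology lacks stay undetermined."""
    host_attrs, sw_attrs = locate(topology, node)
    scopes = {"host": host_attrs, "software": sw_attrs}
    params = {}
    for name, instruction in parameter_info[function].items():
        scope, key = instruction.split(".", 1)
        if key in scopes[scope]:
            params[name] = scopes[scope][key]
    return params


def make_script(rule_id, node, function, params, models):
    """Fill the model: determined parameters become quoted literals, the rest keep
    the model's run-time determination command."""
    model = models[function]
    lines = ["#!/bin/sh", "set -eu", f"# {rule_id}: {function} on {node}"]
    for name, determine in model["determine"].items():
        if name in params:
            lines.append(f"{name}={shlex.quote(params[name])}   # from topology")
        else:
            lines.append(f'{name}="{determine}"   # undetermined: resolved on the target')
    lines.extend(model["body"])
    return "\n".join(lines) + "\n"


def make_scripts(function_map, topology, parameter_info, models):
    """One script per (rule, node) entry of the function map."""
    return {
        (rule_id, node): make_script(
            rule_id, node, function,
            extract_parameters(topology, node, function, parameter_info), models)
        for rule_id, node, function in function_map
    }


if __name__ == "__main__":
    for key, script in make_scripts(FUNCTION_MAP, TOPOLOGY, PARAMETER_INFO, SCRIPT_MODELS).items():
        print(f"--- {key[0]} / {key[1]} ---")
        print(script)
```

Values taken from the topology are passed through shlex.quote so that an attribute such as an interface name cannot smuggle shell syntax into the generated script; the fallback commands come from the trusted script model, never from the topology. The certificate path is the deliberately undetermined case: web-1 records no cert path, so the emitted script keeps the model's find command and refuses to write the vhost if nothing is found.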
18. A system for supporting security administration in a network system, including:
a function-map input device which receives a function map including a set of information indicative of correspondence among a rule as a guidance relating to security of said network system, a hardware or software of said network system, and a security function provided by said hardware or software to accomplish said rule;
a vulnerability information input device which receives vulnerability information including at least first information indicative of a reason why a security vulnerability point is caused, second information indicative of an object to which a solution to said security vulnerability point is applied, and third information indicative of said solution; and
a recommendation-degree judge which determines a degree at which said solution is recommended to carry out, based on said function map.
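Claim 18 takes vulnerability information in three parts (the reason the weak point exists, the object the solution applies to, and the solution) and grades the solution against the function map: a fix matters most when the affected object is the very node through which a security rule is being realised. The following Python is an added worked example of such a judge, not code from the patent or its applicant. The three-level degree, the grading rule, and the extra field that names the security functions a cause undermines are assumptions; the records V-A, V-B and V-C and the function map are constructed sample data and refer to no real product or advisory.

```python
"""Recommendation-degree judge (claim 18).

Added worked example, not code from the patent or its applicant. The
three-level degree, the rule for assigning it, and the extra field that
names the security functions a cause undermines are assumptions; the
vulnerability records and the function map are constructed sample data
and name no real product or advisory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    cause: str              # first information: why the weak point exists
    undermines: frozenset   # security functions the cause defeats (assumed field)
    target: str             # second information: object the solution applies to
    solution: str           # third information: the solution itself


@dataclass(frozen=True)
class Recommendation:
    vuln_id: str
    degree: str             # "high", "medium" or "low"
    rules: tuple            # rules whose realisation depends on the target
    solution: str


DEGREE_ORDER = {"high": 0, "medium": 1, "low": 2}

# Function map: (rule, hardware or software, security function) (constructed).
FUNCTION_MAP = [
    ("R2", "web-server", "tls"),
    ("R3", "web-server", "access_log"),
    ("R3", "ssh-server", "access_log"),
    ("R4", "ssh-server", "pubkey_auth"),
]

# Constructed vulnerability information; the identifiers are placeholders, not advisories.
VULNERABILITIES = [
    Vulnerability("V-A", "key exchange still offers a weak group",
                  frozenset({"pubkey_auth"}), "ssh-server",
                  "upgrade and restrict the key-exchange list"),
    Vulnerability("V-B", "status page discloses the server version",
                  frozenset(), "web-server",
                  "disable the status module"),
    Vulnerability("V-C", "relay accepts mail from any source",
                  frozenset({"mail_relay"}), "mail-relay",
                  "require authentication for relaying"),
]


def judge(vuln, function_map):
    """Degree from the function map alone:
    high   - the target realises a rule through a function the cause undermines
    medium - the target realises rules, but through functions the cause leaves intact
    low    - no mapped rule depends on the target
    """
    relied_on = [(rule, fn) for rule, node, fn in function_map if node == vuln.target]
    if not relied_on:
        return Recommendation(vuln.vuln_id, "low", (), vuln.solution)
    hit = tuple(sorted({rule for rule, fn in relied_on if fn in vuln.undermines}))
    if hit:
        return Recommendation(vuln.vuln_id, "high", hit, vuln.solution)
    intact = tuple(sorted({rule for rule, _ in relied_on}))
    return Recommendation(vuln.vuln_id, "medium", intact, vuln.solution)


def rank(vulns, function_map):
    """Recommendations ordered most urgent first (sort is stable, so ties keep input order)."""
    return sorted((judge(v, function_map) for v in vulns), key=lambda r: DEGREE_ORDER[r.degree])


if __name__ == "__main__":
    for rec in rank(VULNERABILITIES, FUNCTION_MAP):
        print(f"{rec.vuln_id}: {rec.degree:6} rules={list(rec.rules)}  -> {rec.solution}")
```

The "low" degree means only that no mapped rule depends on the object; the function map does not say whether the object is deployed at all, so a judge built this way should be paired with the topology before a low grade is read as "nothing to do".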
19. A system for supporting security administration in a network system, including:
a node-information memory storing node information indicative of security functions provided by hardwares and softwares of said network system, for each of said hardwares and each of said softwares;
an input device which receives a set of rules as guidance relating to security of said network system, and topology information indicative of classes of said communication network, hardwares belonging to each of said classes, and softwares installed in each of said hardwares, said rules being associated with information of a security function and being classified for each of said classes of said communication network;
a constraint-information memory which stores constraint information indicative of constraint to a security function in each of said classes of said communication network; and
a correspondence maker which, based on said node information, identifies a security function provided by a hardware belonging to each of said classes of said communication network or by a software installed in said hardware for each of said classes of said communication network, and makes correspondence among a rule associated with the thus identified security function, said security function, and said hardware or software, said correspondence maker judging whether said security function associated with said rule and said hardware or software accords with said constraint information.
(Dependent claims 20 to 24 are not reproduced here.)
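Claims 1 and 19 together describe the core matching step: node information says which security functions each hardware and software provides, rules are tied to a security function and classified per network class, and the correspondence maker pairs each rule with the nodes of its class that provide that function, then checks the pair against the class's constraint information. The following Python is an added worked example of that step, not code from the patent or its applicant. The matching criterion (a node corresponds to a rule when it provides the rule's function and sits in the rule's class), the constraint format (a class may pin a function to hardware or to software) and all sample data are constructed assumptions.

```python
"""Correspondence maker with per-class constraints (claims 1 and 19).

Added worked example, not code from the patent or its applicant. The
dictionaries below are constructed sample data; the matching rule and
the constraint format are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    text: str
    function: str   # security function the rule is associated with
    cls: str        # network class the rule is classified under


@dataclass(frozen=True)
class Correspondence:
    rule_id: str
    cls: str
    node: str
    kind: str       # "hardware" or "software"
    function: str
    accords: bool   # True when the class constraint is satisfied


# Node information: security functions each hardware/software provides (constructed).
NODE_INFO = {
    "router-A": {"packet_filter"},
    "fw-1": {"packet_filter", "stateful_inspection"},
    "web-1": set(),
    "db-1": set(),
    "apache": {"tls", "access_log"},
    "iptables": {"packet_filter"},
    "openssh": {"pubkey_auth", "access_log"},
    "postgresql": {"access_log", "password_auth"},
}

# Topology: class -> hardware -> softwares installed on it (constructed).
TOPOLOGY = {
    "dmz": {"router-A": [], "fw-1": [], "web-1": ["apache", "iptables", "openssh"]},
    "internal": {"db-1": ["postgresql", "openssh"]},
}

# Rules, each associated with a security function and classified per class (constructed).
RULES = [
    Rule("R1", "Filter traffic entering the perimeter", "packet_filter", "dmz"),
    Rule("R2", "Encrypt HTTP traffic", "tls", "dmz"),
    Rule("R3", "Log access to every service", "access_log", "internal"),
    Rule("R4", "Require key-based remote login", "pubkey_auth", "internal"),
    Rule("R5", "Track connection state on the internal segment", "stateful_inspection", "internal"),
]

# Constraint information: class -> function -> kind of node that must provide it (assumed
# format). Here perimeter filtering must run on a dedicated device, not a host firewall.
CONSTRAINTS = {
    "dmz": {"packet_filter": "hardware"},
    "internal": {},
}


def nodes_in_class(topology, cls):
    """Yield (node, kind) for every hardware in a class and every software installed on it."""
    for hardware, softwares in topology.get(cls, {}).items():
        yield hardware, "hardware"
        for software in softwares:
            yield software, "software"


def accords_with_constraint(constraints, cls, function, kind):
    """A correspondence accords unless the class pins the function to another node kind."""
    required_kind = constraints.get(cls, {}).get(function)
    return required_kind is None or required_kind == kind


def make_correspondence(rules, topology, node_info, constraints):
    """Map each rule to the nodes of its class that provide the rule's function.

    Returns (correspondences, unmatched_rule_ids); a rule with no providing
    node in its class is reported rather than silently dropped.
    """
    matched, unmatched = [], []
    for rule in rules:
        found = False
        for node, kind in nodes_in_class(topology, rule.cls):
            if rule.function in node_info.get(node, set()):
                found = True
                matched.append(Correspondence(
                    rule.rule_id, rule.cls, node, kind, rule.function,
                    accords_with_constraint(constraints, rule.cls, rule.function, kind)))
        if not found:
            unmatched.append(rule.rule_id)
    return matched, unmatched


def function_map(correspondences):
    """Accorded correspondences as (rule, node, function) triples: the function map."""
    return [(c.rule_id, c.node, c.function) for c in correspondences if c.accords]


if __name__ == "__main__":
    matched, unmatched = make_correspondence(RULES, TOPOLOGY, NODE_INFO, CONSTRAINTS)
    for c in matched:
        flag = "" if c.accords else "  <-- violates class constraint"
        print(f"{c.rule_id} [{c.cls}] -> {c.node} ({c.kind}) via {c.function}{flag}")
    print("unmatched rules:", unmatched)
```

Two outcomes are worth surfacing rather than hiding: R5 has no node in its class that provides stateful inspection (fw-1 does, but it sits in the DMZ class), and R1's pairing with the host firewall on web-1 is a real correspondence that nonetheless fails the DMZ constraint. Both are the cases an administrator needs to see, which is why the function map is built only from correspondences that accord and the unmatched rules are returned separately.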
25. A method of supporting security administration in a network system, including:
storing node information indicative of security functions provided by hardwares and softwares of said network system, for each of said hardwares and each of said softwares;
receiving a set of rules as guidance relating to security of said network system, and topology information indicative of hardwares of said network system and softwares installed in each of said hardwares; and
based on said node information, making correspondence between each of said rules and each of said hardwares or softwares indicated by said topology information.
26. A method of supporting security administration in a network system, including:
receiving topology information indicative of hardwares of said network system and softwares installed in each of said hardwares;
receiving a function map including a set of information indicative of correspondence among a rule as a guidance relating to security of said network system, a hardware or software of said network system, and a security function provided by said hardware or software to accomplish said rule;
storing parameter information including an instruction to extract a parameter to be applied to a hardware or software for causing said hardware or software to carry out its security functions, out of said topology information;
extracting said parameter information for each of said security functions to which a rule and a hardware or software corresponds, and extracting a parameter out of said topology information in accordance with an instruction included in the thus extracted parameter information, based on said function map;
storing a model of a script including a command for determining a parameter on the assumption that a parameter is not determined; and
extracting said model out of said script-model memory, and making said script, based on the thus extracted model and said parameter.
27. A method of supporting security administration in a network system, including:
receiving a function map including a set of information indicative of correspondence among a rule as a guidance relating to security of said network system, a hardware or software of said network system, and a security function provided by said hardware or software to accomplish said rule;
receiving vulnerability information including at least first information indicative of a reason why a security vulnerability point is caused, second information indicative of an object to which a solution to said security vulnerability point is applied, and third information indicative of said solution; and
determining a degree at which said solution is recommended to carry out, based on said function map.
28. A method of supporting security administration in a network system, including:
storing node information indicative of security functions provided by hardwares and softwares of said network system, for each of said hardwares and each of said softwares;
receiving a set of rules as guidance relating to security of said network system, and topology information indicative of classes of said communication network, hardwares belonging to each of said classes, and softwares installed in each of said hardwares, said rules being associated with information of a security function and being classified for each of said classes of said communication network;
storing constraint information indicative of constraint to a security function in each of said classes of said communication network;
based on said node information, identifying a security function provided by a hardware belonging to each of said classes of said communication network or by a software installed in said hardware for each of said classes of said communication network, and making correspondence among a rule associated with the thus identified security function, said security function, and said hardware or software; and
judging whether said security function associated with said rule and said hardware or software accords with said constraint information.
29. A program for causing a computer to carry out steps,
said computer including a node-information memory storing node information indicative of security functions provided by hardwares and softwares of a network system, for each of said hardwares and each of said softwares, said steps including:
receiving a set of rules as guidance relating to security of said network system, and topology information indicative of hardwares of said network system and softwares installed in each of said hardwares; and
based on said node information, making correspondence between each of said rules and each of said hardwares or softwares indicated by said topology information.
30. A program for causing a computer to carry out steps,
said computer including a parameter-information memory which stores parameter information including an instruction to extract a parameter to be applied to a hardware or software for causing said hardware or software to carry out its security functions, out of said topology information, and a script-model memory which stores a model of a script including a command for determining a parameter on the assumption that a parameter is not determined, said steps including:
receiving topology information indicative of hardwares of a network system to be administrated and softwares installed in each of said hardwares;
receiving a function map including a set of information indicative of correspondence among a rule as a guidance relating to security of said network system, a hardware or software of said network system, and a security function provided by said hardware or software to accomplish said rule;
extracting said parameter information for each of said security functions to which a rule and a hardware or software corresponds, and extracting a parameter out of said topology information in accordance with an instruction included in the thus extracted parameter information, based on said function map; and
extracting said model out of said script-model memory, and making said script, based on the thus extracted model and said parameter.
31. A program for causing a computer to carry out steps of
receiving a function map including a set of information indicative of correspondence among a rule as a guidance relating to security of a network system to be administrated, a hardware or software of said network system, and a security function provided by said hardware or software to accomplish said rule;
receiving vulnerability information including at least first information indicative of a reason why a security vulnerability point is caused, second information indicative of an object to which a solution to said security vulnerability point is applied, and third information indicative of said solution; and
determining a degree at which said solution is recommended to carry out, based on said function map.
32. A program for causing a computer to carry out steps,
said computer including a node-information memory storing node information indicative of security functions provided by hardwares and softwares of a network system, for each of said hardwares and each of said softwares, and a constraint-information memory which stores constraint information indicative of constraint to a security function in each of said classes of said communication network, said steps including:
receiving a set of rules as guidance relating to security of said network system, and topology information indicative of classes of said communication network, hardwares belonging to each of said classes, and softwares installed in each of said hardwares, said rules being associated with information of a security function and being classified for each of said classes of said communication network;
based on said node information, identifying a security function provided by a hardware belonging to each of said classes of said communication network or by a software installed in said hardware for each of said classes of said communication network, and making correspondence among a rule associated with the thus identified security function, said security function, and said hardware or software; and
judging whether said security function associated with said rule and said hardware or software accords with said constraint information.
33. An information-display system to be applied to a system for supporting security administration which system makes correspondence between each of rules as guidance relating to security in a network system, and each of hardwares of said network system and each of softwares installed in each of said hardwares,
said information-display system including:
a screen-information memory which stores information about a screen having a rule-display section for displaying each of rules, a node-display section for displaying each of hardwares and each of softwares, and a correspondence-display section located between said rule-display section and said node-display section;
a screen-information maker which, based on said screen information stored in said screen-information memory, makes output information in accordance with which each of rules is displayed in said rule-display section, each of hardwares and each of softwares are displayed in said node-display section, and a line connecting a rule to a hardware or software associated with said rule is displayed in said correspondence-display section; and
an output device which displays said each of rules, said each of hardwares and each of softwares, and said line in a screen in accordance with said output information.
(Dependent claims 34 and 35 are not reproduced here.)
36. An information-display system to be applied to a system for supporting security administration which system makes correspondence between each of rules as guidance relating to security in a network system, and each of hardwares of said network system and each of softwares installed in each of said hardwares,
said information-display system including:
a screen-information memory which stores information about a screen having a section in which each of rules, each of hardwares and each of softwares are displayed;
a screen-information maker which, based on said screen information stored in said screen-information memory, makes output information in accordance with which said hardwares and said softwares are displayed in said section, said each of rules is displayed around an area in which said hardwares and said softwares are displayed, and a line connecting a rule to a hardware or software associated with said rule; and
an output device which displays said each of rules, said each of hardwares and each of softwares, and said line in a screen in accordance with said output information.
(Dependent claims 37 and 38 are not reproduced here.)
39. A method of displaying information to be applied to a system for supporting security administration which system makes correspondence between each of rules as guidance relating to security in a network system, and each of hardwares of said network system and each of softwares installed in each of said hardwares,
said method including:
storing information about a screen having a rule-display section for displaying each of rules, a node-display section for displaying each of hardwares and each of softwares, and a correspondence-display section located between said rule-display section and said node-display section;
based on said screen information, making output information in accordance with which each of rules is displayed in said rule-display section, each of hardwares and each of softwares are displayed in said node-display section, and a line connecting a rule to a hardware or software associated with said rule is displayed in said correspondence-display section; and
displaying said each of rules, said each of hardwares and each of softwares, and said line in a screen in accordance with said output information.
40. A method of displaying information to be applied to a system for supporting security administration which system makes correspondence between each of rules as guidance relating to security in a network system, and each of hardwares of said network system and each of softwares installed in each of said hardwares,
said method including:
storing information about a screen having a section in which each of rules, each of hardwares and each of softwares are displayed;
based on said screen information, making output information in accordance with which said hardwares and said softwares are displayed in said section, said each of rules is displayed around an area in which said hardwares and said softwares are displayed, and a line connecting a rule to a hardware or software associated with said rule; and
displaying said each of rules, said each of hardwares and each of softwares, and said line in a screen in accordance with said output information.