Generalized network security policy templates for implementing similar network security policies across multiple networks
Abstract
The present invention is directed to a facility for adapting a network security policy model for use in a particular network. The facility retrieves the network security policy model, which comprises network security rules each specified with respect to one or more aliases. Each alias represents a role in a network for one or more network elements. The facility receives, for each alias included in the network security policy model, a list of one or more network elements in the network serving the role represented by the alias. The facility replaces each alias in the network security policy model with the received list of network security devices specified for the alias to produce a network security policy adapted for use in a network.
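An added illustration, not code from the patent, of the adaptation step the abstract describes: a template whose rules name roles (aliases) rather than concrete addresses, a per-alias list of network elements gathered for one network, and the substitution that yields a concrete policy. The alias syntax, the sample template and the address bindings are constructed for this example.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # alias in the template, concrete address in the adapted policy
    dst: str
    service: str  # e.g. "tcp/443"; "any" matches all traffic

# Constructed policy model: nodes are named by role, never by identity.
# Rule order is significant (first match wins), so it must survive adaptation.
TEMPLATE = [
    Rule("allow", "<WEB_SERVERS>", "<DB_SERVERS>", "tcp/5432"),
    Rule("allow", "<ANY>", "<WEB_SERVERS>", "tcp/443"),
    Rule("deny", "<ANY>", "<DB_SERVERS>", "any"),
]

# Constructed per-network answer to "which elements serve each role here?"
BINDINGS = {
    "<ANY>": ["0.0.0.0/0"],
    "<WEB_SERVERS>": ["10.0.1.10", "10.0.1.11"],
    "<DB_SERVERS>": ["10.0.2.20"],
}

def is_alias(name):
    return name.startswith("<") and name.endswith(">")

def aliases_in(template):
    """Every alias the template references, in first-seen order."""
    seen = []
    for r in template:
        for name in (r.src, r.dst):
            if is_alias(name) and name not in seen:
                seen.append(name)
    return seen

def unbound_aliases(template, bindings):
    """Aliases with no element list (missing or empty); adapting with these is unsafe."""
    return [a for a in aliases_in(template) if not bindings.get(a)]

def adapt(template, bindings):
    """Replace each alias with its bound list: one concrete rule per (src, dst) pair."""
    missing = unbound_aliases(template, bindings)
    if missing:
        raise ValueError(f"no network elements bound for alias(es): {missing}")
    adapted = []
    for r in template:
        for s, d in product(bindings[r.src], bindings[r.dst]):
            adapted.append(Rule(r.action, s, d, r.service))
    return adapted
```

A rule whose alias is bound to an empty list would otherwise expand to nothing and silently disappear from the policy, which is why `adapt` refuses rather than skips.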
28 Claims

1-13. (Canceled)

14. A method in a computer system for adapting a generalized network security policy to a particular network, comprising:

retrieving the generalized network security policy comprising a plurality of network security rules each specified with respect to aliases each representing a role for one or more network elements in a network;
providing a user interface for specifying, for each alias included in the generalized network security policy, a list of one or more network elements in the network serving the role represented by the alias; and
replacing each alias in the generalized network security policy with the list of network elements specified for the alias using the user interface to produce a network security policy adapted to the network. (Dependent claims: 15, 16, 17)

18. A computer-readable medium whose contents cause a computer system to adapt a network security policy model for use in a particular network, comprising:

retrieving the network security policy model, which comprises a plurality of network security rules each specified with respect to one or more aliases each representing a role in a network for one or more network elements;
receiving, for each alias included in the network security policy model, a list of one or more network elements in the network serving the role represented by the alias; and
replacing each alias in the network security policy model with the received list of network elements specified for the alias to produce a network security policy adapted for use in the network. (Dependent claims: 19, 20)

21-23. (Canceled)

24. A computer memory computer security policy template data structure, the data structure comprising a plurality of computer security directives specifying action to be taken in connection with network traffic between pairs of network nodes, the nodes of each pair being specified in terms of the roles of the nodes rather than in terms of the identity of the nodes, such that, for a subject computer network, the identities of the nodes in the subject computer network having the roles contained in the policy template data structure can be substituted for roles contained in the policy template data to produce a network security policy adapted to the subject network.
25. A computer memory containing a network security policy data structure for a protected network, the data structure comprising one or more network security rules, each rule expressed in terms of specific network elements of the protected network, each rule having been converted from a model rule expressed in terms of types of network elements by substituting in the model rule for each type of network element a network element of the protected network of that type, such that the network security policy data structure may be implemented to provide network security services in the protected network.

26. A generated data signal conveying a network security policy data structure for a protected network to a security device for the protected network, the data structure comprising one or more network security rules, each rule expressed in terms of specific network elements of the protected network, each rule having been converted from a model rule expressed in terms of types of network elements by substituting in the model rule for each type of network element a network element of the protected network of that type, such that the network security policy data structure may be implemented to provide network security services in the protected network.

27. A method in a computer system for obtaining information usable to produce a network security policy for a network, comprising:

displaying a plurality of network element aliases used in a network security policy template; and
with respect to each of the displayed network element aliases, receiving user input specifying one or more network addresses of network elements within the network.

28. A computer-readable medium whose contents cause a computer system to produce a network security policy for a network by:

displaying a plurality of network element aliases used in a network security policy template; and
with respect to each of the displayed network element aliases, receiving user input specifying one or more network addresses of network elements within the network.

Specification