System and method for rapid response network policy implementation

US 20060048142A1
Filed: 09/02/2004
Published: 03/02/2006
Est. Priority Date: 09/02/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for responding to one or more triggers involving a plurality of network devices of a network system, the method comprising the steps of:

a. installing on one or more of the plurality of network devices, prior to detection of the one or more triggers, one or more policy sets, one or more policy enforcement rule (PER) sets, or a combination of policy and PER sets, associated with usage of the network system;

b. designating each of the policy sets and PER sets with a unique rapid response identifier;

c. monitoring the network system for the one or more triggers;

d. upon detection of one or more triggers deemed to require a response, selecting one or more policy sets and/or PER sets deemed responsive to the one or more triggers; and

e. instructing one or more of the one or more network devices to implement the selected one or more policy sets and/or PER sets by communicating thereto one or more of the rapid response identifiers associated with the selected one or more policy sets and/or PER sets.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for rapidly responding to triggering events or activities in a network system. The system includes a policy enforcement function, a policy manager function, and one or more network devices of the network system. The policy enforcement function includes one or more installed policy sets and/or policy enforcement rule sets suitably responsive to triggering events or activities. Upon detection of a trigger, the policy manager function analyzes the trigger and selects one or more appropriate policy sets and/or policy enforcement rule sets deemed to be responsive to the trigger. Each set has a unique rapid response identifier. The policy manager function signals for implementation of the one or more policy and/or rule sets, based on one or more rapid response identifiers, which are enforced through the policy enforcement function. The policy enforcement function may be a part of one or more of the one or more network infrastructure devices for implementing the policy change. The system and method enable rapid response to a detected trigger (which might be a manual input) by pre-installing responsive policy and/or rule sets first and then generating and transmitting the unique rapid response identifier(s) corresponding to one or more selected policy and/or rule sets for implementation. That is, the network device is already configured with a response through the pre-installed policy and/or rule sets. Responses may be implemented and/or removed gradually, and different network devices may be instructed to implement different policies in response to the same trigger and the same policy may be implemented with different policy enforcement rules on different devices, ports, or interfaces.

202 Citations

31 Claims

1. A method for responding to one or more triggers involving a plurality of network devices of a network system, the method comprising the steps of:
- a. installing on one or more of the plurality of network devices, prior to detection of the one or more triggers, one or more policy sets, one or more policy enforcement rule (PER) sets, or a combination of policy and PER sets, associated with usage of the network system;
  
  b. designating each of the policy sets and PER sets with a unique rapid response identifier;
  
  c. monitoring the network system for the one or more triggers;
  
  d. upon detection of one or more triggers deemed to require a response, selecting one or more policy sets and/or PER sets deemed responsive to the one or more triggers; and
  
  e. instructing one or more of the one or more network devices to implement the selected one or more policy sets and/or PER sets by communicating thereto one or more of the rapid response identifiers associated with the selected one or more policy sets and/or PER sets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method as claimed in claim 1 wherein the one or more network policy sets and/or PER sets selected for implementation permit only minimal network functionality through the one or more of the plurality of network devices.
  - 3. The method as claimed in claim 2 further comprising the step of examining one or more portions of the network for effects of the one or more triggers considered to be likely to destabilize the network.
  - 4. The method as claimed in claim 3 further comprising the steps of identifying the one or more portions of the network not affected by the one or more triggers and releasing from minimal network functionality those network devices identified as not affected by the condition.
  - 5. The method as claimed in claim 3 further comprising the steps of identifying the one or more portions of the network affected by the one or more triggers and implementing one or more policy and/or PER sets specifically responsive to the identified one or more triggers only on those network devices of the identified portions of the network.
  - 6. The method as claimed in claim 5 further comprising the step of replacing one or more of the one or more selected policy and/or PER sets implemented on those network devices of the identified portions of the network with one or more release policy and/or PER sets upon determination that the minimal network functionality restriction is to be released.
  - 7. The method as claimed in claim 6 wherein the release is performed incrementally from more restrictive network usage policy set(s) and/or PER set(s) to less restrictive policy set(s) and/or PER set(s).
  - 8. The method as claimed in claim 7 wherein the incremental release includes the steps of applying less restrictive policy set(s) and/or PER set(s), evaluating network stability, and then releasing all restrictive policy set(s) and/or PER set(s) through the network devices upon determination that the network is stable.
  - 9. The method as claimed in claim 1 further comprising the steps of applying one or more of the identified one or more installed policy sets and/or PER sets incrementally as a function of the detection of the one or more triggers, and adjusting the application of the one or more installed policy sets and/or PER sets by adding, removing or changing the implementation of the one or more installed policy sets and/or PER sets upon further detection of the one or more triggers until network stability is achieved.
  - 10. The method as claimed in claim 9 further comprising the step of incrementally adjusting the application of the one or more installed policy sets and/or PER sets by adding, removing or changing implementation of the one or more installed policy sets and/or PER sets for specific identified ones of the network devices to remove network usage restrictions upon determination of removal of the existence of the detected one or more triggers.
  - 11. The method as claimed in claim 1 wherein one or more of the one or more installed policy sets and/or PER sets are applied to one or more subsets of the network devices as a function of the detected one or more triggers.
  - 12. The method as claimed in claim 11 wherein the one or more installed policy sets and/or PER sets are applied in an incrementally more restrictive manner.
  - 13. The method as claimed in claim 12 further comprising the steps of continuing to monitor the network for additional one or more triggers and adjusting the application of the one or more installed policy sets and/or PER sets as a function of the detection of the one or more triggers until stability of the one or more subsets is achieved.
  - 14. The method as claimed in claim 13 further comprising the step of continuing to monitor the network for additional one or more triggers and adjusting the application of the one or more installed policy sets and/or PER sets as a function of the detection of the one or more triggers until stability of the entire network is achieved.
  - 15. The method as claimed in claim 14 further comprising the step of removing the one or more installed policy sets and/or PER sets by identified one or more subsets of the network devices upon determination that such one or more subsets are not affected by the detected one or more triggers.
  - 16. The method as claimed in claim 1 wherein the trigger for initiation of the rapid response change is from an input from a button, logical button, icon activation or other human initiated action.
  - 17. The method as claimed in claim 16 wherein the input is a single action.

18. A system for responding to one or more triggers involving a plurality of network devices of a network system, the system comprising:
- a. one or more of the plurality of network devices having installed thereon one or more policy sets, one or more policy enforcement rule (PER) sets, or a combination of policy sets and PER sets;
  
  b. an analysis function for analyzing monitored information and relating policy change triggers with the monitored information;
  
  c. an implementation function for signaling one or more policy set or PER set changes based on rapid response identifiers corresponding to each of the one or more policy sets and PER sets; and
  
  d. a policy enforcement function (PEF) for implementing on one or more of the one or more of the plurality of network devices a select one or more of the one or more installed policy sets and/or PER sets based on the rapid response identifiers received from said implementation function.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The system as claimed in claim 18 wherein said analysis function and said implementation function form part of a policy manager function.
  - 20. The system as claimed in claim 18 wherein said PEF forms part of one or more of the one or more of the plurality of network devices.
  - 21. The system as claimed in claim 18 wherein the monitored information is information received from an intrusion detection function.
  - 22. The system as claimed in claim 18 wherein at least one of the one or more of the plurality of network devices is a network entry device.
  - 23. The system as claimed in claim 18 wherein at least one of the one or more of the plurality of network devices is a central switching device.
  - 24. The system as claimed in claim 19 wherein the policy manager function further includes a database of triggers, policies, and PERs.
  - 25. The system as claimed in claim 18 wherein the trigger for initiation of the rapid response change is from an input from a button, logical button, icon activation or other human initiated action.
  - 26. The system as claimed in claim 25 wherein the input is a single action.

27. A method for responding to one or more triggers involving a plurality of network devices of a network system, the method comprising the steps of:
- a. mapping one or more policies to one or more corresponding policy enforcement rules (PER);
  
  b. installing on one or more of the plurality of network devices, prior to detection of the one or more triggers, one or more policy sets, one or more PER sets, or a combination of policy and PER sets, associated with usage of the network system;
  
  c. monitoring the network system for the one or more triggers;
  
  d. upon detection of one or more triggers deemed to require a response, selecting one or more policy sets and/or PER sets deemed responsive to the one or more triggers; and
  
  e. instructing one or more of the one or more network devices to implement the selected one or more policy sets and/or PER sets by broadcast or multicast communication.
- View Dependent Claims (28, 29, 30, 31)
- - 28. The method as claimed in claim 27 further comprising the step of designating each of the policy sets and PER sets with a unique rapid response identifier.
  - 29. The method as claimed in claim 27 further comprising the step of polling the one or more of the one or more of the network devices to confirm implementation of the selected one or more policy sets and/or PER sets.
  - 30. The method as claimed in claim 27 wherein the trigger for initiation of the rapid response change is from an input from a button, logical button, icon activation or other human initiated action.
  - 31. The method as claimed in claim 30 wherein the input is a single action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Enterasys Networks Incorporated (Extreme Networks, Inc.)
Original Assignee
Enterasys Networks Incorporated (Extreme Networks, Inc.)
Inventors
Roese, John J., Graham, Richard W., Harrington, David, Richmond, James

Application Number

US10/932,824
Publication Number

US 20060048142A1
Time in Patent Office

Days
Field of Search
US Class Current

717/176
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

System and method for rapid response network policy implementation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

202 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for rapid response network policy implementation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

202 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links