Method and apparatus for network wide policy-based analysis of configurations of devices

US 20060129670A1
Filed: 11/08/2005
Published: 06/15/2006
Est. Priority Date: 03/27/2001
Status: Active Grant

First Claim

Patent Images

1. A method for a computer system comprises:

determining a plurality of network devices within a network arranged in a network topology, wherein the plurality of network devices includes a first application server hosting a first application;

receiving a policy for the network, wherein the policy comprises requirements associated with the first application server, wherein the requirements include a description of a first set of required network traffic and a first server associated with the first set of required network traffic;

receiving a plurality of configuration files associated with the plurality of network devices;

determining a network configuration model in response to the plurality of configuration files;

computing network traffic on all network paths from the first application server to the first server to determine a first plurality of computed paths;

determining if the network traffic that was computed includes at least the first set of required network traffic associated with the first server; and

generating a report indicating whether the network traffic includes at least the first set of required network traffic.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for a computer system includes determining network devices within a network topology, wherein the network devices includes a first application server hosting a first application, receiving a policy for the network comprising requirements of a first application server including a description of a set of required network traffic, receiving a plurality of configuration files associated with the plurality of network devices, determining a network configuration model in response to the plurality of configuration files, computing network traffic on all network paths to and from the first application server to determine a plurality of computed paths, determining if the network traffic includes at least the set of required network traffic associated with the first server, and generating a report indicating whether the network traffic includes at least the set of required network traffic.

Citations

32 Claims

1. A method for a computer system comprises:
- determining a plurality of network devices within a network arranged in a network topology, wherein the plurality of network devices includes a first application server hosting a first application;
  
  receiving a policy for the network, wherein the policy comprises requirements associated with the first application server, wherein the requirements include a description of a first set of required network traffic and a first server associated with the first set of required network traffic;
  
  receiving a plurality of configuration files associated with the plurality of network devices;
  
  determining a network configuration model in response to the plurality of configuration files;
  
  computing network traffic on all network paths from the first application server to the first server to determine a first plurality of computed paths;
  
  determining if the network traffic that was computed includes at least the first set of required network traffic associated with the first server; and
  
  generating a report indicating whether the network traffic includes at least the first set of required network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 26, 27, 28, 29, 30, 31, 32)
- - 2. The method of claim 1wherein the first application comprises a first negative application;
    - wherein the first server comprise a targeted server; and
      
      wherein the network traffic comprises IP traffic.
  - 3. The method of claim 2wherein the first plurality of computed paths includes computed paths selected from a group consisting of:
    - computed paths that do not couple the targeted server to the first application server, and computed paths that couple the targeted server to the first application server.
  - 4. The method of claim 3wherein the requirements of the first negative application also includes data selected from a group consisting of:
    - a specific application running on the targeted server, a specific version number for the application running on the targeted server, a specific patch level of the application running on the targeted server, a specific operating system running on the targeted server, a specific operating system patch level running on the targeted server.
  - 5. The method of claim 4wherein the targeted server is selected from a group consisting of:
    - e-commerce server, domain name server, e-mail server, database server, financial data server, CRM server, ERP server, and data storage server; and
      
      wherein the first threat is selected from a group consisting of;
      
      worm, virus, Trojan, spyware, and key logger.
  - 6. The method of claim 2wherein the plurality of network devices also includes a second application server hosting a second negative application;
    - wherein the policy also comprises additional requirements associated with the second application server, wherein the additional requirements includes a description of a second set of required network traffic and an additional targeted server associated with the second set of required network traffic;
      
      wherein the method further comprises computing additional IP traffic on all IP paths between the second application server and the additional targeted server to determine a second plurality of computed paths;
      
      wherein generating the report further comprises generating the report indicating whether the additional IP traffic includes at least the second set of required network traffic, and including at least one computed path from the second plurality of computed paths; and
      
      wherein the second plurality of computed paths includes computed paths selected from a group consisting of;
      
      computed paths that do not couple the additional targeted server to the second application server, and computed paths that couple the additional targeted server to the second application server.
  - 7. The method of claim 6wherein generating the report further comprises determining a first plurality of threat metrics associated with the first negative application and a second plurality of threat metrics associated with the second negative application.
  - 8. The method of claim 7wherein the report includes a prioritization of the first negative application over the second negative application;
    - wherein the prioritization is based upon threat metrics from the first plurality of threat metrics and the second plurality of threat metrics; and
      
      wherein threat metrics are selected from a group consisting of;
      
      probability of threats, potential harm of threats, ease of remediation of threats, commonality of servers in both the first plurality of computed paths and the second plurality of computed paths.
  - 26. The method of claim 2wherein first application server also hosts a business application;
    - wherein the requirements include a description of a second set of required network traffic and a second server associated with the second set of required network traffic;
      
      wherein the method further comprises;
      
      computing additional network traffic on all network paths associated with the first application server and the second server to determine a second plurality of computed paths; and
      
      determining if the additional network traffic that was computed includes at least the second set of required network traffic associated with the first server; and
      
      wherein the report also indicates whether the second network traffic includes at least the second set of required network traffic.
  - 27. The method of claim 26wherein the report indicates that the business application was successful when the second network traffic includes at least the second set of required network traffic.
  - 28. The method of claim 27wherein the report indicates that the first negative application was unsuccessful when the first network traffic does not include at least the first set of required network traffic.
  - 29. The method of claim 27 wherein the report indicates that the first negative application was successful when the first network traffic includes at least the first set of required network traffic.
  - 30. The method of claim of claim 29wherein a specific type of network traffic belongs to both the first set of required network traffic and the second set of required network traffic;
    - and wherein the report also indicates the specific type of network traffic.
  - 31. The method of claim 30 wherein the report also indicates that inhibiting the specific type of network traffic would violate the policy.
  - 32. The method of claim of claim 30 wherein the report also suggests an action selected from a group consisting of:
    - upgrade to a different software version of the business application, install a software patch to the business application, upgrade to a different software version of an operating system of the first application server, install a software patch to the operating system.

9. A computer system comprises:
- a memory configured to store a network topology of a network including a plurality of network devices, wherein the plurality of network devices includes a first application on a first application host, wherein the memory is configured to store a policy associated with the network, wherein the policy comprise requirements associated with the first application, wherein the requirements includes a first required set of network traffic from the first application and a second application host associated with the first required set of network traffic, and wherein the memory is configured to store a plurality of configuration data from at least some of the plurality of network devices; and
  
  a processor coupled to the memory, wherein the processor is configured to determine a network configuration model in response to the plurality of configuration data, and in response to the network topology, wherein the processor is configured to receive a query regarding the first application, wherein the processor is configured to compute network traffic on all network paths from the first application host to the second application host in response to the network configuration model, in response to the query, and in response to the policy associated with the network to form a first plurality of computed paths, and wherein the processor is configured to generate a report indicating whether the network traffic includes at least the first required set of network traffic;
  
  wherein the memory is also configured to store the network configuration model.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer system of claim 9wherein the first application comprises a first threat;
    - wherein the first application host comprises a first threat host;
      
      wherein the second application host comprises a first targeted application host; and
      
      wherein the network traffic comprises IP traffic.
  - 11. The computer system of claim 10wherein the report indicates the first threat is unsuccessful when the network traffic from the first threat host does not include at least the first required set of network traffic.
  - 12. The computer system of claim 11 wherein the report includes a plurality of computed paths from the first plurality of computed paths selected from a group consisting of:
    - computed paths that do not couple the first targeted application host to the first threat host, and computed paths that couple the first targeted application host to the first threat host.
  - 13. The computer system of claim 10wherein the requirements associated with the first threat comprise data selected from a group consisting of:
    - a specific application running on the first targeted application host, a specific version number for the application running on the first targeted application host, a specific patch level for the application running on the first targeted application host, a specific operating system running on the first targeted application host, and a specific operating system patch level running on the first targeted application host.
  - 14. The computer system of claim 10wherein the targeted application host is selected from a group consisting of:
    - e-commerce application host, domain name application host, e-mail application host, database application host, financial data application host, ERP application host, CRM application host, and data storage application host; and
      
      wherein the first threat is selected from a group consisting of;
      
      worm, virus, Trojan, spyware, key logger.
  - 15. The computer system of claim 10wherein the plurality of network devices also includes a second threat on a second threat host;
    - wherein the policy also comprises additional requirements associated with the second threat host, wherein the additional requirements includes a second required set of network traffic and a second targeted application host associated with the second required set of network traffic;
      
      wherein the processor is configured to receive an additional query regarding the second threat, wherein the processor is configured to compute network traffic on all network paths from the second threat host to the second targeted application host in response to the network configuration model, in response to the additional query, and in response to the policy associated with the network to form a second plurality of computed paths, and wherein the processor is configured to generate the report indicating whether the network traffic includes at least the second required set of network traffic and including at least one computed path from the second plurality of computed paths, wherein the second plurality of computed paths includes paths selected from a group consisting of;
      
      computed paths that do not couple the second targeted application host to the second threat host, and computed paths that couple the second targeted application host to the second threat host.
  - 16. The computer system of claim 15wherein the report includes a prioritization of the first threat above the second threat in response to a metric selected from a group consisting of:
    - threat probability, potential threat damage, ease of threat remediation, commonality of application hosts in both the first plurality of computed paths and the second plurality of computed paths.

17. A computer program product for a computer system including a memory comprises:
- code that directs the processor to determine a revised network topology in response to a network topology and in response to user input;
  
  code that directs the processor to determine a plurality of network devices within a network arranged in the revised network topology, wherein the plurality of network devices includes a first application on a first application server;
  
  code that directs the processor to receive a policy for the network, wherein the policy comprises requirements associated with the first application server, wherein the requirements include a description of a first set of required network traffic and a first server associated with the first set of required network traffic;
  
  code that directs the processor to receive a plurality of configuration data associated with the plurality of network devices;
  
  code that directs the processor to determine a network configuration model in response to the plurality of configuration data and to the revised network topology;
  
  code that directs the processor to compute network traffic on all network paths from the first application server to the first server to determine a first plurality of computed paths;
  
  code that directs the processor to determine whether the network traffic that was computed includes at least the first set of required network traffic; and
  
  code that directs the processor to generate a report indicating whether the network traffic includes at least the first set of required network traffic;
  
  wherein the codes reside on a tangible media.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The computer program product of claim 17wherein the first application comprises a first threat;
    - wherein the first application server comprises a second server hosting the first threat.
  - 19. The computer program product of claim 18wherein the revised network topology includes changes over the network topology selected from a group consisting of:
    - a new network device, a new application server, and moving an application from one application server to another application server.
  - 20. The computer program product of claim 18wherein the first server is determined based upon criteria selected from a group consisting of:
    - a specific application running on the first server, a specific version number for the application running on the first server, a specific patch level for the application running on the first server, a specific operating system running on the first server, and a specific patch level of a specific operating system running on the first server.
  - 21. The computer program product of claim 20 wherein the first server is selected from a group consisting of:
    - e-commerce server, domain name server, e-mail server, database server, financial data server, ERP server, CRM server, and data storage server.
  - 22. The computer program product of claim 18 wherein the first threat is selected from a group consisting of:
    - worm, virus, Trojan, spyware, key logger.
  - 23. The computer program product of claim 18wherein the plurality of network devices also includes a third server hosting a second threat;
    - wherein the policy also comprises additional requirements associated with the third server, wherein the additional requirements includes a description of a second set of required network traffic and a fourth server associated with the second set of required network traffic;
      
      wherein the computer program product also includes code that directs the processor to compute additional network traffic on all network paths between the third server and the fourth server;
      
      wherein code that directs the processor to generate the report further comprises code that directs the processor to generating the report indicating whether the additional network traffic includes at least the second set of required network traffic.
  - 24. The computer program product of claim 23wherein code that directs the processor to generate the report further comprises code that directs the processor to prioritize the first threat over the second threat in response to a plurality of metrics.
  - 25. The computer program product of claim 24wherein a metric from the plurality of metrics is selected from a group consisting of:
    - probability of threats, potential harm of threats, ease of remediation of threats, commonality of servers in both a first plurality of traffic paths between the first server and the second server and a second plurality of traffic paths between the second server and the third server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Redseal, Inc.
Original Assignee
Redseal Systems Incorporated
Inventors
Mayer, Alain Jules

Granted Patent

US 8,135,815 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/223
CPC Class Codes

G06F 15/173   using an interconnection ne...

H04L 41/00   Arrangements for maintenanc...

H04L 41/0853   by actively collecting conf...

H04L 41/0873   Checking configuration conf...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 41/145   involving simulating, desig...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 69/16   Implementation or adaptatio...

H04L 69/24   Negotiation of communicatio...

H04L 9/40   Network security protocols

Method and apparatus for network wide policy-based analysis of configurations of devices

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for network wide policy-based analysis of configurations of devices

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links