Method and apparatus for network wide policy-based analysis of configurations of devices

US 20060129672A1
Filed: 01/18/2006
Published: 06/15/2006
Est. Priority Date: 03/27/2001
Status: Abandoned Application

First Claim

Patent Images

1-62. -62. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and an apparatus for analyzing a network configuration against a corporate network policy and determining violation(s) against the corporate network policy. A report indicating the violation(s) can be generated indicating instances of the violation(s). An analysis platform reads in a network policy. The analysis platform collects configuration files from the relevant network devices in the network and builds up an internal instance of a network configuration model based on the configuration files and the network topology. The analysis platform analyzes this network configuration model according to the network policy and adds an entry to its final report each time that it detects a violation against the network policy in the network configuration model. The data in the entries pinpoints the cause of the deviation(s) from the network policy.

100 Citations

View as Search Results

92 Claims

1-62. -62. (canceled)

63. A method for a computer system comprises:
- receiving a policy for a network comprising a plurality of network devices, including a first host server, in a network topology, wherein the first host server hosts a first application, and wherein the policy specifies a set of required traffic associated with the first host server;
  
  receiving configuration data for at least some of the plurality of network devices;
  
  computing network traffic on all network paths between the network devices in the network, in response to the configuration data and to the policy;
  
  determining a relationship condition between computed network traffic associated with the first host server from the network traffic on all network paths to the set of required traffic associated with the first host server, wherein the relationship condition is selected from a group consisting of;
  
  less than, equal, and greater than; and
  
  determining a violation of the policy in response to the relationship condition.
- View Dependent Claims (64, 65, 66, 67, 68, 69, 70, 71, 72)
- - 64. The method of claim 63 wherein determining the violation comprises generating a report when the relationship condition is selected from a group consisting of:
    - less than, greater than.
  - 65. The method of claim 64wherein the relationship condition is less than;
    - wherein the set of required network traffic specifies additional network traffic;
      
      wherein the computed network traffic does not include the additional network traffic; and
      
      wherein the report includes data selected from a group consisting of;
      
      a specification of the additional network traffic, and configuration data associated with the first host server.
  - 66. The method of claim 64wherein the relationship condition is greater than;
    - wherein the computed network traffic includes additional network traffic;
      
      wherein the set of required network traffic does not specify the additional network traffic; and
      
      wherein the report includes data selected from a group consisting of;
      
      a source of the additional network data, a traffic type for the additional network traffic, configuration data associated with the first host server.
  - 67. The method of claim 64 further comprising:
    - receiving at least one set of updated configuration data for at least one the plurality of network devices;
      
      computing updated network traffic in response to at least the one set of updated configuration data and to the policy;
      
      determining an updated relationship condition between updated computed network traffic associated with the first host server from the updated network traffic and the set of required traffic associated with the first host server, wherein the relationship condition is selected from a group consisting of;
      
      less than, equal, and greater than; and
      
      determining a violation of the policy in response to the updated relationship condition.
  - 68. The method of claim 67 wherein determining the violation of the policy in response to the updated relationship condition comprises generating an updated report when the updated relationship condition is selected from a group consisting of:
    - less than, greater than.
  - 69. The method of claim 64 further comprising:
    - receiving an updated policy for at least one network device in the network;
      
      computing updated network traffic in response the configuration data and to the updated policy;
      
      determining updated network traffic associated with the first host server in response to the updated network traffic;
      
      determining an updated relationship condition between the updated network traffic associated with the first host server and the set of required traffic associated with the first host server, wherein the updated relationship condition is selected from a group consisting of;
      
      less than, equal, and greater than; and
      
      determining a violation of the policy in response to the updated relationship condition.
  - 70. The method of claim 69 wherein determining the violation of the policy in response to the updated relationship condition comprises generating an updated report when the updated relationship condition is selected from a group consisting of:
    - less than, greater than.
  - 71. The method of claim 63wherein the set of required traffic associated with the first host server comprises a first set of required traffic and a second set of required traffic;
    - wherein the first application is associated with a first set of required traffic;
      
      wherein the second application is associated with a second set of required traffic; and
      
      wherein the first set of required traffic and the second set of required traffic are not identical.
  - 72. The method of claim 63wherein the network is part of a larger network;
    - and wherein the method further comprises determining the plurality of network devices in the network in response to the policy.

73. A computer program product for a computer system including a processor comprises:
- code that directs the processor to receive a policy for a network comprising a plurality of network devices, including a first host server, in a network topology, wherein the first host server hosts a first application, and wherein the policy specifies a set of required traffic associated with the first host server;
  
  code that directs the processor to receive configuration data for at least some of the plurality of network devices;
  
  code that directs the processor to compute network traffic on all network paths between the network devices in the network, in response to the configuration data and to the policy;
  
  code that directs the processor to determine a relationship condition between computed network traffic associated with the first host server in response to the network traffic on all network paths to the set of required traffic associated with the first host server, wherein the relationship condition is selected from a group consisting of;
  
  less than, equal, and greater than; and
  
  code that directs the processor to determine a violation of the policy in response to the relationship condition;
  
  wherein the codes reside on a tangible media.
- View Dependent Claims (74, 75, 76, 77, 78, 79, 80, 81, 82)
- - 74. The computer program product of claim 73 wherein the code that directs the processor to determine the violation comprises code that directs the processor to generate a report when the relationship condition is selected from a group consisting of:
    - less than, greater than.
  - 75. The computer program product of claim 74wherein the relationship condition is less than;
    - wherein the set of required network traffic associated with the first host server specifies additional network traffic;
      
      wherein the computed network traffic associated with the first host server does not include the additional network traffic; and
      
      wherein the report includes data selected from a group consisting of;
      
      a specification of the additional network traffic, and configuration data associated with the first host server.
  - 76. The computer program product of claim 74wherein the relationship condition is greater than;
    - wherein the computed network traffic associated with the first host server includes additional network traffic;
      
      wherein the set of required network traffic associated with the first host server does not specify the additional network traffic; and
      
      wherein the report includes data selected from a group consisting of;
      
      a source of the additional network data, a traffic type for the additional network traffic, and configuration data associated with the first host server.
  - 77. The computer program product of claim 74 further comprising:
    - code that directs the processor to receive at least one set of updated configuration data for at least one the plurality of network devices;
      
      code that directs the processor to compute updated network traffic in response to at least the one set of updated configuration data and to the policy;
      
      code that directs the processor to determine updated network traffic associated with the first host server in response to the updated network traffic;
      
      code that directs the processor to determine an updated relationship condition between the updated network traffic associated with the first host server and the set of required traffic associated with the first host server, wherein the relationship condition is selected from a group consisting of;
      
      less than, equal, and greater than; and
      
      code that directs the processor to determine a violation of the policy in response to the updated relationship condition.
  - 78. The computer program product of claim 77 wherein code that directs the processor to determine the violation of the policy in response to the updated relationship condition comprises code that directs the processor to generate an updated report when the updated relationship condition is selected from a group consisting of:
    - less than, greater than.
  - 79. The computer program product of claim 74 further comprising:
    - code that directs the processor to receive an updated policy for at least one network device in the network;
      
      code that directs the processor to compute updated network traffic in response the configuration data and to the updated policy;
      
      code that directs the processor to determine updated network traffic associated with the first host server in response to the updated network traffic;
      
      code that directs the processor to determine an updated relationship condition between the updated network traffic associated with the first host server and the set of required traffic associated with the first host server, wherein the updated relationship condition is selected from a group consisting of;
      
      less than, equal, and greater than; and
      
      code that directs the processor to determine a violation of the policy in response to the updated relationship condition.
  - 80. The computer program product of claim 79 wherein code that directs the processor to determine the violation of the policy in response to the updated relationship condition comprises code that directs the processor to generate an updated report when the updated relationship condition is selected from a group consisting of:
    - less than, greater than.
  - 81. The computer program product of claim 73wherein the set of required traffic associated with the first host server comprises a first set of required traffic and a second set of required traffic;
    - wherein the first application is associated with a first set of required traffic;
      
      wherein the second application is associated with a second set of required traffic; and
      
      wherein the first set of required traffic and the second set of required traffic are not identical.
  - 82. The computer program product of claim 73wherein the network is part of a larger network;
    - and wherein the computer program product further comprises code that directs the processor to determine the plurality of network devices in the network in response to the policy.

83. A computer system comprises:
- a processor; and
  
  a memory coupled to the processor, wherein the memory includes;
  
  a software module that directs the processor to receive a policy for a network comprising a plurality of network devices, including a first host server, in a network topology, wherein the first host server hosts a first application, and wherein the policy specifies a set of required traffic associated with the first host server;
  
  a software module that directs the processor to receive configuration data for at least some of the plurality of network devices;
  
  a software module that directs the processor to compute network traffic on all network paths between the network devices in the network, in response to the configuration data and to the policy;
  
  a software module that directs the processor to determine a relationship condition between computed network traffic associated with the first host server in response to the network traffic on all network paths to the set of required traffic associated with the first host server, wherein the relationship condition is selected from a group consisting of;
  
  less than, equal, and greater than; and
  
  a software module that directs the processor to determine a violation of the policy in response to the relationship condition.
- View Dependent Claims (84, 85, 86, 87, 88, 89, 90, 91, 92)
- - 84. The computer system of claim 83 wherein the software module that determines the violation comprises a software module that generates a report when the relationship condition is selected from a group consisting of:
    - less than, greater than.
  - 85. The computer system of claim 84wherein the relationship condition is less than;
    - wherein the set of required network traffic associated with the first host server specifies additional network traffic;
      
      wherein the computed network traffic associated with the first host server does not include the additional network traffic; and
      
      wherein the report includes data selected from a group consisting of;
      
      a specification of the additional network traffic, and configuration data associated with the first host server.
  - 86. The computer system of claim 84wherein the relationship condition is greater than;
    - wherein the computed network traffic associated with the first host server includes additional network traffic;
      
      wherein the set of required network traffic associated with the first host server does not specify the additional network traffic; and
      
      wherein the report includes data selected from a group consisting of;
      
      a source of the additional network data, a traffic type for the additional network traffic, and configuration data associated with the first host server.
  - 87. The computer system of claim 84 wherein the memory further comprises:
    - a software module that directs the processor to receive at least one set of updated configuration data for at least one the plurality of network devices;
      
      a software module that directs the processor to compute updated network traffic in response to at least the one set of updated configuration data and to the policy;
      
      a software module that directs the processor to determine updated network traffic associated with the first host server in response to the updated network traffic;
      
      a software module that directs the processor to determine an updated relationship condition between the updated network traffic associated with the first host server and the set of required traffic associated with the first host server, wherein the relationship condition is selected from a group consisting of;
      
      less than, equal, and greater than; and
      
      a software module that directs the processor to determine a violation of the policy in response to the updated relationship condition.
  - 88. The computer system of claim 87 wherein the software module that directs the processor to determine the violation of the policy in response to the updated relationship condition comprises a software module that directs the processor to generate an updated report when the updated relationship condition is selected from a group consisting of:
    - less than, greater than.
  - 89. The computer system of claim 84 wherein the memory further comprises:
    - a software module that directs the processor to receive an updated policy for at least one network device in the network;
      
      a software module that directs the processor to compute updated network traffic in response the configuration data and to the updated policy;
      
      a software module that directs the processor to determine updated network traffic associated with the first host server in response to the updated network traffic;
      
      a software module that directs the processor to determine an updated relationship condition between the updated network traffic associated with the first host server and the set of required traffic associated with the first host server, wherein the updated relationship condition is selected from a group consisting of;
      
      less than, equal, and greater than; and
      
      a software module that directs the processor to determine a violation of the policy in response to the updated relationship condition.
  - 90. The computer system of claim 89 wherein the software module that directs the processor to determine the violation of the policy in response to the updated relationship condition comprises a software module that directs the processor to generate an updated report when the updated relationship condition is selected from a group consisting of:
    - less than, greater than.
  - 91. The computer system of claim 83wherein the set of required traffic associated with the first host server comprises a first set of required traffic and a second set of required traffic;
    - wherein the first application is associated with a first set of required traffic;
      
      wherein the second application is associated with a second set of required traffic; and
      
      wherein the first set of required traffic and the second set of required traffic are not identical.
  - 92. The computer system of claim 83wherein the network is part of a larger network;
    - and wherein the memory further comprises a software module that directs the processor to determine the plurality of network devices in the network in response to the policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Redseal Systems Incorporated
Original Assignee
Redseal Systems Incorporated
Inventors
Mayer, Alain Jules

Application Number

US11/335,052
Publication Number

US 20060129672A1
Time in Patent Office

Days
Field of Search
US Class Current

709/223
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Method and apparatus for network wide policy-based analysis of configurations of devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

100 Citations

92 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for network wide policy-based analysis of configurations of devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

92 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links