Analyzing security compliance within a network
Abstract
A security policy database identifies the intended security policies within a network, a traffic generator provides test traffic that is configured to exercise each defined security policy, and a simulator simulates the propagation of this traffic on a model of the network. The model of the network includes the configuration data associated with each device; thus, if the devices are properly configured to enforce the intended security policies, the success or failure of the simulated test traffic will conform to the intended permit/deny policy of each connection. Differences between the simulated message propagation and the intended security policies are reported to the user, and diagnostic tools are provided to identify the device configuration data that accounts for each observed difference. Additionally, if a network's current security policy is unknown, test traffic is generated to reveal the actual policy in effect, so that a baseline intended security policy can be constructed.
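As an added illustration (not the patent's own code or any product's implementation), the following Python sketch models the pipeline the abstract describes: a zone-pair policy database, a traffic generator, a simulator that propagates each test message through per-device configuration data, an analyzer that reports differences together with the device and entry that account for them, and a baseline mode that derives the policy in effect when none is defined. All zones, addresses, paths and ACL entries are constructed for the demonstration.

```python
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed security policy database: intended action per ordered zone pair (hypothetical values).
POLICY_DB = {("internet", "dmz"): "permit", ("internal", "dmz"): "permit", ("dmz", "internal"): "deny"}
# Constructed zone membership and the device path each pair traverses in the network model.
ZONES = {"internet": ["203.0.113.10"], "dmz": ["192.0.2.5"], "internal": ["10.0.0.7", "172.16.0.9"]}
PATHS = {("internet", "dmz"): ["edge_fw"], ("internal", "dmz"): ["core_fw"], ("dmz", "internal"): ["core_fw"]}
# Constructed device configuration data: ordered ACL entries (src_net, dst_net, action), first match
# wins, implicit deny at the end. core_fw is deliberately misconfigured for the demonstration.
DEVICES = {
    "edge_fw": [("0.0.0.0/0", "192.0.2.0/24", "permit")],
    "core_fw": [("10.0.0.0/8", "192.0.2.0/24", "permit"), ("192.0.2.0/24", "10.0.0.0/8", "permit")],
}

def generate_messages(pair):
    """Traffic generator: one test message per (source element, destination element) of the pair."""
    return list(product(ZONES[pair[0]], ZONES[pair[1]]))

def device_decision(device, src, dst):
    """Apply one device's configuration to a message; returns (action, matching entry or None)."""
    for entry in DEVICES[device]:
        if ip_address(src) in ip_network(entry[0]) and ip_address(dst) in ip_network(entry[1]):
            return entry[2], entry
    return "deny", None

def simulate(msg, path):
    """Simulator: propagate the message device by device; returns (outcome, last device, entry)."""
    device, entry = None, None
    for device in path:
        action, entry = device_decision(device, *msg)
        if action == "deny":
            return "deny", device, entry
    return "permit", device, entry

def analyze(policy_db=POLICY_DB):
    """Security analyzer: report each message whose simulated outcome differs from the intended policy."""
    findings = []
    for pair, intended in policy_db.items():
        for msg in generate_messages(pair):
            actual, device, entry = simulate(msg, PATHS[pair])
            if actual != intended:  # device/entry are the diagnostic: what accounts for the difference
                findings.append({"pair": pair, "msg": msg, "intended": intended, "actual": actual, "device": device, "entry": entry})
    return findings

def discover_policy(pairs=PATHS):
    """Baseline mode: derive the policy in effect per pair; 'mixed' means the zone is not treated uniformly."""
    baseline = {}
    for pair, path in pairs.items():
        outcomes = {simulate(msg, path)[0] for msg in generate_messages(pair)}
        baseline[pair] = outcomes.pop() if len(outcomes) == 1 else "mixed"
    return baseline
```

A finding with `entry` set to `None` means the message fell through to the device's implicit deny, so the missing rule is the diagnosis; a finding with an entry names the rule that permitted traffic the policy intended to block.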
61 Claims

1. A system comprising:

a database that is configured to identify one or more pairs of zones of a network, each element of a first zone of each pair having a common security policy relative to each element of a second zone of the pair; a traffic generator that is configured to process the database to: select at least one pair of the pairs of zones, and generate one or more messages for transmission between a source zone and a destination zone of the at least one pair; and a security analyzer that is configured to determine the security policy corresponding to the at least one pair of zones based on propagation of the one or more messages from the source zone toward the destination zone.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19.

20. A method comprising:

identifying one or more pairs of zones of a network, each element of a first zone of each pair having a common security policy relative to each element of a second zone of the pair; selecting at least one pair of the pairs of zones; generating one or more messages for transmission between a source zone and a destination zone of the at least one pair; and determining the security policy corresponding to the at least one pair of zones based on propagation of the one or more messages from the source zone toward the destination zone.

Dependent claims: 21, 22, 23, 24, 25, 26, 27, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56.

28-46. (canceled)

57. A computer program embodied on a computer-readable medium that is configured to cause a processor to:

identify one or more pairs of zones of a network, each element of a first zone of each pair having a common security policy relative to each element of a second zone of the pair; select at least one pair of the pairs of zones; generate one or more messages for transmission between a source zone and a destination zone of the at least one pair; and determine the security policy corresponding to the at least one pair of zones based on propagation of the one or more messages from the source zone toward the destination zone.

Dependent claims: 58, 59, 60, 61.

Specification