Analyzing security compliance within a network

US 20070157286A1
Filed: 08/16/2006
Published: 07/05/2007
Est. Priority Date: 08/20/2005
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a database that is configured to identify one or more pairs of zones of a network, each element of a first zone of each pair having a common security policy relative to each element of a second zone of the pair, a traffic generator that is configured to process the database to;

select at least one pair of the pairs of zones, generate one or more messages for transmission between a source zone and a destination zone of the at least one pair, and a security analyzer that is configured to determine the security policy corresponding to the at least one pair of zones based on propagation of the one or more messages from the source zone toward the destination zone.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security policy database identifies the intended security policies within a network, a traffic generator provides test traffic that is configured to test each defined security policy, and a simulator simulates the propagation of this traffic on a model of the network. The model of the network includes the configuration data associated with each device, and thus, if devices are properly configured to enforce the intended security policies, the success/failure of the simulated test traffic will conform to the intended permit/deny policy of each connection. Differences between the simulated message propagation and the intended security policies are reported to the user, and diagnostic tools are provided to facilitate identification of the device configuration data that accounts for the observed difference. Additionally, if a network'"'"'s current security policy is unknown, test traffic is generated to reveal the actual policy in effect, to construct a baseline intended security policy.

Citations

61 Claims

1. A system comprising:
- a database that is configured to identify one or more pairs of zones of a network, each element of a first zone of each pair having a common security policy relative to each element of a second zone of the pair, a traffic generator that is configured to process the database to;
  
  select at least one pair of the pairs of zones, generate one or more messages for transmission between a source zone and a destination zone of the at least one pair, and a security analyzer that is configured to determine the security policy corresponding to the at least one pair of zones based on propagation of the one or more messages from the source zone toward the destination zone.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The system of claim 1, including:
    - a model of the network, and a network simulator, wherein the simulator is configured to determine the propagation of the one or more messages based on the model of the network.
  - 3. The system of claim 2, wherein the database includes an expected security policy associated with the at least one pair, and the security analyzer is configured to determine whether the security policy corresponding to the at least one pair of zones based on propagation of the one or more messages between the zones is consistent with the expected security policy.
  - 4. The system of claim 3, wherein the security analyzer is configured to facilitate diagnosis of violations of the expected security policy.
  - 5. The system of claim 4, wherein the security analyzer is configured to identify a path corresponding to the propagation of at least one of the one or more messages between the source and destination zones.
  - 6. The system of claim 5, wherein at least one message of the at least one or more messages are not propagated to the destination zone, and the security analyzer is configured to identify one or more network devices that blocked the propagation of the at least one message to the destination zone.
  - 7. The system of claim 1, wherein the database includes an expected security policy associated with the at least one pair, and the security analyzer is configured to determine whether the security policy corresponding to the at least one pair of zones based on the propagation of the one or more messages between the zones is consistent with the expected security policy.
  - 8. The system of claim 7, wherein the security analyzer is configured to facilitate diagnosis of violations of the expected security policy.
  - 9. The system of claim 1, wherein the security analyzer is configured to identify a path corresponding to the propagation of at least one of the one or more messages between the source and destination zones.
  - 10. The system of claim 1, wherein at least one message of the at least one or more messages is not propagated to the destination zone, and the security analyzer is configured to identify one or more network devices that blocked the propagation of the at least one message to the destination zone.
  - 11. The system of claim 1, including a graphic user interface, operably coupled to the security analyzer, that is configured to display information regarding the security policy corresponding to the at least one pair of zones.
  - 12. The system of claim 11, wherein the information includes an identification of whether a connection was permitted or denied between the first zone and the second zone of at least one pair.
  - 13. The system of claim 11, wherein the database includes an expected security policy associated with the at least one pair, and the information includes an identification of whether the expected security policy was violated, based on the propagation.
  - 14. The system of claim 11, wherein the security analyzer is configured to identify a path corresponding to the propagation of at least one of the one or more messages between the source and destination zones, and the graphic user interface is configured to display the path.
  - 15. The system of claim 11, wherein the graphic user interface is configured to provide a first report that identifies the security policy for a plurality of the one or more pairs.
  - 16. The system of claim 15, wherein the graphic user interface is configured to provide a second report that identifies each of the one or more pairs in which communication was denied between the first zone and the second zone, based on the propagation.
  - 17. The system of claim 16, wherein the graphic user interface is configured to provide a third report that identifies each of the one or more pairs in which communication was permitted between the first zone and the second zone, based on the propagation.
  - 18. The system of claim 17, wherein the database includes an expected security policy associated with the at least one pair, and the graphic user interface is configured to provide a fourth report that identifies each of the one or more pairs in which the expected security policy was violated, based on the propagation.
  - 19. The system of claim 11, wherein the database includes an expected security policy associated with the at least one pair, and the graphic user interface is configured to provide a report that identifies each of the one or more pairs in which the expected security policy was violated, based on the propagation.

20. A method comprising:
- identifying one or more pairs of zones of a network, each element of a first zone of each pair having a common security policy relative to each element of a second zone of the pair, selecting at least one pair of the pairs of zones, generating one or more messages for transmission between a source zone and a destination zone of the at least one pair, and determining the security policy corresponding to the at least one pair of zones based on propagation of the one or more messages from the source zone toward the destination zone.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56)
- - 21. The method of claim 20, wherein determining the security policy includes simulating the propagation of the one or more messages based on a model of the network.
  - 22. The method of claim 21, including determining whether the security policy corresponding to the at least one pair of zones is consistent with an expected security policy associated with the at least one pair, based on the propagation of the one or more messages.
  - 23. The method of claim 22, including facilitating diagnosis of violations of the expected security policy.
  - 24. The method of claim 23, including:
    - based on the propagation, identifying one of;
      
      a path corresponding to the propagation of at least one of the one or more messages between the source and destination zones, and one or more network devices that blocked the propagation of the at least one message to the destination zone.
  - 25. The method of claim 20, including determining whether the security policy corresponding to the at least one pair of zones based on the propagation of the one or more messages between the zones is consistent with an expected security policy for the at least one pair of zones.
  - 26. The method of claim 25, including facilitating diagnosis of violations of the expected security policy.
  - 27. The method of claim 20, including identifying a path corresponding to the propagation of at least one of the one or more messages between the source and destination zones.
  - 47. The method of claim 20, including identifying one or more network devices that blocked the propagation of the at least one message to the destination zone.
  - 48. The method of claim 20, including displaying information regarding the security policy corresponding to the at least one pair of zones.
  - 49. The method of claim 48, wherein the information includes an identification of whether a connection was permitted or denied between the first zone and the second zone of at least one pair, based on the propagation.
  - 50. The method of claim 48, wherein the information includes an identification of whether an expected security policy of the at least one pair of zones was violated, based on the propagation.
  - 51. The method of claim 48, wherein the information includes a path corresponding to the propagation of at least one of the one or more messages between the source and destination zones, based on the propagation.
  - 52. The method of claim 48, wherein the information includes a first report that identifies the security policy for a plurality of the one or more pairs, based on the propagation.
  - 53. The method of claim 52, wherein the information includes a second report that identifies each of the one or more pairs in which communication was denied between the first zone and the second zone, based on the propagation.
  - 54. The method of claim 53, wherein the information includes a third report that identifies each of the one or more pairs in which communication was permitted between the first zone and the second zone, based on the propagation.
  - 55. The method of claim 54, wherein the information includes a fourth report that identifies each of the one or more pairs in which an expected security policy was violated, based on the propagation.
  - 56. The method of claim 48, wherein the information includes a report that identifies each of the one or more pairs in which an expected security policy was violated, based on the propagation.

28-46. -46. (canceled)

57. A computer program embodied on a computer-readable media that is configured to cause a processor to:
- identify one or more pairs of zones of a network, each element of a first zone of each pair having a common security policy relative to each element of a second zone of the pair, select at least one pair of the pairs of zones, generate one or more messages for transmission between a source zone and a destination zone of the at least one pair, and determine the security policy corresponding to the at least one pair of zones based on propagation of the one or more messages from the source zone toward the destination zone.
- View Dependent Claims (58, 59, 60, 61)
- - 58. The computer program of claim 57, wherein determining the security policy includes simulating the propagation of the one or more messages based on a model of the network.
  - 59. The computer program of claim 57, which causes the processor to determine whether the security policy corresponding to the at least one pair of zones is consistent with an expected security policy associated with the at least one pair, based on the propagation of the one or more messages.
  - 60. The computer program of claim 57, which, based on the propagation, causes the processor to identify one of:
    - a path corresponding to the propagation of at least one of the one or more messages between the source and destination zones, and one or more network devices that blocked the propagation of the at least one message to the destination zone.
  - 61. The computer program of claim 57, which causes the processor to display information regarding the security policy corresponding to the at least one pair of zones.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
OPNET Technologies Incorporated (Riverbed Technology Incorporated)
Inventors
Singh, Pradeep, Agarwal, Ankit, Barathan, Venuprakash, Jeyachandran, Vinod, Cohen, Alain

Granted Patent

US 8,898,734 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 41/0866   Checking the configuration

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 41/28   Restricting access to netwo...

H04L 43/50   Testing arrangements

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Analyzing security compliance within a network

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

Citations

61 Claims

Specification

Solutions

Use Cases

Quick Links

Analyzing security compliance within a network

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

61 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links