Network Security Policy Mediation

US 20080034401A1
Filed: 07/18/2006
Published: 02/07/2008
Est. Priority Date: 07/18/2006
Status: Active Grant

First Claim

Patent Images

1. A method for mediating between first and second network security policies, comprising:

mapping a first security policy to a second security policy, wherein the second security policy is generic; and

mapping the second security policy to a plurality of rules each associated with a target network security policy and collectively executable at the target network.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for mediating between first and second network security policies, by: (1) mapping a first security policy to a generic second security policy, and (2) mapping the generic second security policy to a plurality of rules each associated with a target network security policy.

Citations

20 Claims

1. A method for mediating between first and second network security policies, comprising:
- mapping a first security policy to a second security policy, wherein the second security policy is generic; and
  
  mapping the second security policy to a plurality of rules each associated with a target network security policy and collectively executable at the target network.
- View Dependent Claims (2, 6, 7, 8)
- - 2. The method of claim 1 wherein mapping the first security policy to the second security policy comprises creating first security policy components based on rules of the first security policy, and verifying syntactic correctness of the first security policy components.
  - 6. The method of claim 1 wherein mapping the second security policy to the plurality of rules associated with the target network security policy comprises deconstructing each rule of the second security policy into at least one generic action and at least one generic target.
  - 7. The method of claim 6 wherein mapping the second security policy to the plurality of rules associated with the target network security policy comprises:
    - mapping the at least one generic action into at least one action deployable in the target network security policy; and
      
      mapping the at least one generic target to at least one target of the target network security policy.
  - 8. The method of claim 7 wherein mapping the second security policy to the rules associated with the target network security policy comprises:
    - generating a first indication of all the generic targets that did not map to a target of the target network security policy; and
      
      generating a second indication of all the generic actions that did not map to an action of the target network security policy.

3. The method of claim 3 wherein mapping the first security policy to the second security policy comprises creating first security policy components based on rules of the first security policy and then comparing the first security policy components with a collection of generic security policy rules and components.
- View Dependent Claims (4, 5)
- - 4. The method of claim 3 wherein mapping the first security policy to the second security policy comprises, if no match is found between any of the first security policy components and the collection of generic security policy rules and components, generating an indication to a user that no match was found.
  - 5. The method of claim 3 wherein mapping the first security policy to the second security policy comprises, if no match is found between any of the first security policy components and the collection of security rules and components, manually matching the unmatched first security policy component to a component of the second security policy.

9. A system configured to mediate between an originating network security policy and a target network security policy, comprising:
- a security policy translator configured to map first rules of the originating network security policy to second rules of a generic network security policy; and
  
  a security policy assembler configured to map the second rules of the generic network security policy to third rules of the target network security policy.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9 wherein the security policy translator comprises a security policy rule parser configured to parse rules from the first network security policy and verify syntactic correctness of the rules from the first network security policy.
  - 11. The system of claim 9 wherein the security policy translator comprises a knowledge base configured to store security policy rules and security policy rule components for at least one of the originating, generic, and target network security policies.
  - 12. The system of claim 9 wherein the security policy translator comprises a security policy translator configured to allow at least one of manual and automatic translation of a first security policy rule to a second security policy rule.
  - 13. The system of claim 9 wherein the security policy assembler comprises an executable module repertoire containing a plurality of executable modules, programs, and/or program parts which are deployable within the context of the target network security policy.
  - 14. The system of claim 9 further comprising a network security provisioning module configured to define new security policy components and new security policy rules of at least one of the originating, generic, and target network security policies.
  - 15. The system of claim 14 wherein the network security provisioning module is remotely accessible via the Internet.

16. A system configured to mediate between first and second network security policies, comprising:
- first mapping means for mapping the first security policy to a generic security policy; and
  
  second mapping means for mapping the generic security policy to the second network security policy.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16 wherein the first mapping means comprises parsing means for creating first security policy components from rules of the first security policy.
  - 18. The system of claim 17 wherein the first mapping means comprises verifying means for evaluating syntactic correctness of the first security policy components.
  - 19. The system of claim 16 wherein the first mapping means comprises means for manually matching any of the first security policy components for which no match is otherwise automatically found by the first mapping means.
  - 20. The system of claim 16 wherein the second mapping means comprises:
    - means for producing at least one generic action and at least one generic target from each rule of the second security policy;
      
      means for mapping the at least one generic action to at least one action deployable in the target network security policy; and
      
      means form mapping the at least one generic target to at least one target deployable in the target network security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Genband US LLC (Ribbon Communications, Inc.)
Original Assignee
Santera Systems LLC
Inventors
Wang, Haojin

Granted Patent

US 8,607,300 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/20 for managing network securi...

Network Security Policy Mediation

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network Security Policy Mediation

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links