IP network vulnerability and policy compliance assessment by IP device analysis
Abstract
Customizable software provides assurances about the ability of an IP network to satisfy security, regulatory and availability requirements by comprehensive vulnerability and compliance assessment of IP networks through automated analysis of configurations of devices such as routers, switches, and firewalls. The solution comprises three main approaches for testing of IP device configurations to eliminate errors that result in vulnerabilities or requirements compliance issues. The first two fall into the “static constraint validation” category since they do not change significantly for each IP network, while the last approach involves incorporation of each specific IP network's policies/requirements. These approaches are complementary, and may be used together to satisfy all the properties described above. The first approach involves checking the configurations of devices for conformance to Best-Current-Practices provided by vendors (e.g. Cisco Network Security Policy) and organizations such as the NIST, NSA or CERT. This also includes checks of compliance with regulations such as FISMA, SOX, HIPAA, PCI, etc. In the second approach, as one reads device configurations, one collects beliefs about network administrator intent. As each belief is collected, an inference engine checks whether the new belief is inconsistent with previously accumulated beliefs. The third approach addresses the multiple device/protocol issue by including an understanding of high-level service and security requirements about the specific IP network under test from the network administrators.
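The second approach in the abstract, sketched as an added example (not code from the patent): beliefs are read from each device's interface stanzas and checked one at a time against those already accumulated. The sample configurations, the function names and the choice to key beliefs on the interface's subnet are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample configurations in IOS-style syntax (not from the patent).
CONFIGS = {
    "r1": "interface GigabitEthernet0/0\n"
          " ip address 10.0.0.1 255.255.255.252\n"
          " ip ospf 1 area 0\n"
          " mtu 1500\n",
    "r2": "interface GigabitEthernet0/1\n"
          " mtu 1500\n"
          " ip address 10.0.0.2 255.255.255.252\n"
          " ip ospf 1 area 1\n",
}

def extract_beliefs(device, text):
    """Yield ((attribute, subnet), value, source) beliefs for each interface."""
    blocks, cur = [], None
    for line in text.splitlines():
        tok = line.split()
        if not line.startswith(" "):  # a top-level line closes the open interface block
            cur = None
            if len(tok) >= 2 and tok[0] == "interface":
                cur = {"name": tok[1]}
                blocks.append(cur)
        elif cur is None:
            continue
        elif tok[:2] == ["ip", "address"] and len(tok) == 4:
            cur["subnet"] = str(ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network)
        elif tok[:2] == ["ip", "ospf"] and len(tok) == 5 and tok[3] == "area":
            cur["ospf_area"] = tok[4]
        elif tok[:1] == ["mtu"] and len(tok) == 2:
            cur["mtu"] = tok[1]
    # Emit beliefs only once the whole stanza is read, so line order does not matter.
    for b in blocks:
        for attr in ("ospf_area", "mtu"):
            if "subnet" in b and attr in b:
                yield (attr, b["subnet"]), b[attr], f"{device}:{b['name']}"

def check_consistency(configs):
    """Add beliefs one at a time; return those that contradict an earlier belief."""
    accumulated, conflicts = {}, []
    for device, text in configs.items():
        for key, value, source in extract_beliefs(device, text):
            held = accumulated.setdefault(key, (value, source))
            if held[0] != value:
                conflicts.append((key, held, (value, source)))
    return conflicts
```

On the sample input, both routers agree on the MTU of the shared /30 link but disagree on its OSPF area, so `check_consistency(CONFIGS)` returns a single conflict naming both interfaces.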
18 Claims
1. An IP network policy compliance assessment method comprising the steps of:
- providing network device configurations;
- checking device configurations for conformance to predetermined best-current-practices and/or regulatory compliance; and
- assessing the results of said checking and providing an indication of the assessment.

2. An IP network policy compliance assessment method comprising the steps of:
- reading IP network device configurations;
- accumulating beliefs about network administrator intent; and
- assessing whether each new belief is consistent with the previously accumulated beliefs.

3. An IP network policy compliance assessment method comprising the steps of:
- combining network and security policies with rules;
- combining network device configurations with the combined network and security policies and rules; and
- providing outputs based on assessing network and security rules against the network device configurations.

Dependent claims: 4, 5, 6, 7, 8, 9, 10, 11, 12

13. A system for IP network policy compliance assessment comprising:
- configuration parsers receiving IP network configuration data for multiple device types and vendors for parsing real-time input from route-registries and route markers;
- a relational database coupled to said configuration parsers using a vendor-neutral schema for multiple device types and vendors; and
- assessment modules containing best-current-practices and/or regulatory compliance information for assessing IP network configuration.

Dependent claims: 14, 15, 16, 17, 18
Specification