ANALYSIS OF DISTRIBUTED POLICY RULE-SETS FOR COMPLIANCE WITH GLOBAL POLICY
Abstract
A method for analysis of distributed device rule-sets for compliance with global policies includes enabling an administrator to specify a network topology with intercommunicating elements and parameters required to secure the intercommunication with access control elements of the network topology; establishing connections to the access control elements to capture a snapshot configuration of device rule-sets of the access control elements; enabling the administrator to specify a set of global access constraints with reference to the access control elements; enabling the administrator to select between exhaustive analysis and statistical analysis; conducting the selected analysis to determine violations by the device rule-sets that fail to comply with the set of global access constraints, wherein statistical analysis quantitatively characterizes a level of compliance without conducting analysis of all potential network paths; and providing results of the selected analysis to the administrator through a graphical user interface (GUI) as the results are obtained.
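The two analysis modes named in the abstract can be contrasted in code. The following Python example is added here and is not taken from the patent; the topology, the first-match rule format, the deny-style constraints and the random-walk path sampling are all assumptions made for illustration.

```python
import random

# Constructed sample data (hypothetical names): topology as an adjacency list.
TOPOLOGY = {"web": ["fw1", "fw2"], "fw1": ["web", "db"],
            "fw2": ["web", "db"], "db": ["fw1", "fw2"]}
# Snapshot of device rule-sets: ordered (action, src, dst, port) tuples.
RULESETS = {"fw1": [("allow", "web", "db", 5432), ("deny", "*", "*", "*")],
            "fw2": [("allow", "web", "db", "*")]}  # fw2 is over-broad
# Global access constraints (assumed form): (src, dst, port) that must never be deliverable.
CONSTRAINTS = [("web", "db", 22)]

def permits(rules, src, dst, port):  # first match wins, implicit default deny
    for action, r_src, r_dst, r_port in rules:
        if r_src in ("*", src) and r_dst in ("*", dst) and r_port in ("*", port):
            return action == "allow"
    return False

def path_violates(path, constraint):  # every access control element on the path permits
    src, dst, port = constraint
    return all(permits(RULESETS[n], src, dst, port) for n in path if n in RULESETS)

def all_paths(node, dst, seen=()):  # every simple path from node to dst
    seen = seen + (node,)
    if node == dst:
        yield list(seen)
        return
    for nxt in TOPOLOGY[node]:
        if nxt not in seen:
            yield from all_paths(nxt, dst, seen)

def exhaustive(constraints):  # check each potential path, return (constraint, path) violations
    return [(c, p) for c in constraints
            for p in all_paths(c[0], c[1]) if path_violates(p, c)]

def random_path(src, dst, rng):  # one random self-avoiding walk, None on a dead end
    path = [src]
    while path[-1] != dst:
        choices = [n for n in TOPOLOGY[path[-1]] if n not in path]
        if not choices:
            return None
        path.append(rng.choice(choices))
    return path

def statistical(constraints, samples, seed=0):  # estimated fraction of compliant paths
    rng = random.Random(seed)
    paths = [(c, random_path(c[0], c[1], rng))
             for c in (rng.choice(constraints) for _ in range(samples))]
    results = [not path_violates(p, c) for c, p in paths if p]
    return sum(results) / len(results) if results else 1.0
```

The exhaustive mode returns the exact offending path through `fw2`, while the statistical mode only reports a compliance level estimated from the sampled paths.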
27 Claims
1. A method for analysis of distributed device rule-sets for compliance with global policies, the method comprising:
- enabling an administrator to specify a network topology with a plurality of intercommunicating elements and associated parameters required to secure the intercommunication with one or more access control elements of the network topology;
- establishing connections to the access control elements to capture a snapshot configuration of device rule-sets of the one or more access control elements;
- enabling the administrator to specify a set of global access constraints with reference to the plurality of access control elements;
- enabling the administrator to select between exhaustive analysis and statistical analysis, wherein exhaustive analysis is of each potential path through the network topology;
- conducting the selected analysis to determine violations by the device rule-sets that fail to comply with the set of global access constraints, wherein statistical analysis quantitatively characterizes a level of compliance without conducting analysis of all potential paths of the network topology; and
- providing results of the selected analysis to the administrator through a graphical user interface (GUI) as the results are obtained.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A system for analyzing distributed policy rule-sets for compliance with global policies, the system comprising:
- a graphical user interface (GUI) through which an administrator specifies a network topology with a plurality of intercommunicating elements and associated parameters required to secure the intercommunication with one or more access control elements of the network topology;
- an analysis engine in communication with the GUI and with the plurality of elements, the analysis engine including a processor to unify a plurality of device rule-sets associated with the one or more access control elements, and to convert the device rule-sets into a software language format presentable to the administrator through the GUI; and
- a memory to store an administrator-specified global access policy (GAP) that includes a plurality of global access constraints with reference to the plurality of elements, and to store the plurality of access policy rules;
- wherein the processor:
  - enables the administrator to select through the GUI between exhaustive analysis and statistical analysis as the compliance analysis, wherein exhaustive analysis is of each potential path through the network topology;
  - conducts the selected compliance analysis to determine violations by the device rule-sets that fail to comply with the GAP, wherein statistical analysis quantitatively characterizes a level of compliance without conducting analysis of all potential paths of the network topology; and
  - provides results of the selected compliance analysis to the GUI for viewing by the administrator.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24

25. A computer readable medium including program code that causes a computer to perform the operations of:
- enabling an administrator to specify a network topology with a plurality of intercommunicating elements and associated parameters required to secure the intercommunication with one or more access control elements of the network topology;
- establishing connections to the access control elements to capture a snapshot configuration of device rule-sets of the one or more access control elements;
- enabling the administrator to specify a set of global access constraints with reference to the plurality of access control elements;
- enabling the administrator to select between exhaustive analysis and statistical analysis, wherein exhaustive analysis is of each potential path through the network topology;
- conducting the selected analysis to determine violations by the device rule-sets that fail to comply with the set of global access constraints, wherein statistical analysis quantitatively characterizes a level of compliance without conducting analysis of all potential paths of the network topology; and
- providing results of the selected analysis to the administrator through a graphical user interface (GUI) as the results are obtained.

Dependent claims: 26, 27

Specification