CLOUD-BASED SECURITY POLICY CONFIGURATION

US 20140223507A1
Filed: 02/05/2013
Published: 08/07/2014
Est. Priority Date: 02/05/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

logging into a cloud account by a first network appliance;

fetching from the cloud account, by the first network appliance, one or more security parameters shared by a second network appliance to the cloud account;

automatically creating, by the first network appliance, a security policy that controls a connection between the first network appliance and the second network appliance based at least in part on the one or more security parameters.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for configuring security policies based on cloud are provided. According to one embodiment, security parameters are shared on cloud by security devices. A first network appliance may fetch one or more security parameters shared by a second network appliance from a cloud account. Then the first network appliance automatically creates a security policy that controlling a connection between the first network appliance and the second network appliance based at least in part on the one or more security parameters.

143 Citations

32 Claims

1. A method comprising:
- logging into a cloud account by a first network appliance;
  
  fetching from the cloud account, by the first network appliance, one or more security parameters shared by a second network appliance to the cloud account;
  
  automatically creating, by the first network appliance, a security policy that controls a connection between the first network appliance and the second network appliance based at least in part on the one or more security parameters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising dynamically establishing the connection between the first network appliance and the second network appliance if network traffic is allowed by the security policy.
  - 3. The method of claim 2, wherein the connection is established based at least in part on the one or more shared security parameters.
  - 4. The method of claim 2, wherein the connection comprises a Virtual Private Network (VPN) connection.
  - 5. The method of claim 1, further comprising:
    - fetching from the cloud account, by the first network appliance, a modification of the one or more security parameters shared by the second network appliance to the cloud account;
      
      updating, by the first network appliance, the security policy based at least in part on the modification of the one or more security parameters.
  - 6. The method of claim 1, further comprising:
    - performing, by the first network appliance, a consistency check against a local rule; and
      
      if the consistency check indicates that the one or more security parameters shared by the second network appliance is allowable, then creating the security policy based at least in part on the one or more security parameters.
  - 7. The method of claim 1, wherein the fetched one or more security parameters are cached locally.
  - 8. The method of claim 1, further comprising sending, by the first network appliance, a keepalive command to the cloud account to keep it online
  - 9. The method of claim 1, further comprising sharing or updating, by the first network appliance, one or more security parameters to the cloud account.
  - 10. The method of claim 1, wherein the security policy comprises a Virtual Private Network (VPN) client configuration.
  - 11. The method of claim 1, wherein the security parameters include one or more of information regarding a share-account, a gateway IP address, a subnet, a VPN mode, a VPN authentication method, a VPN pre-shared key, a VPN certificate, a share-to-account and a share-to-subnet.

12. A method comprising:
- logging into a cloud account by a first network appliance;
  
  sharing, by the first network appliance, one or more security parameters with a second network appliance by storing the one or more security parameters within the cloud account;
  
  automatically creating, by the first network appliance, a security policy that controls a connection between the first network appliance and the second network appliance based at least in part on the one or more security parameters.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, further comprising dynamically establishing the connection between the first network appliance and the second network appliance if network traffic is allowed by the security policy.
  - 14. The method of claim 13, wherein the connection comprises a Virtual Private Network (VPN) connection.
  - 15. The method of claim 12, further comprising updating, by the first network appliance, the one or more security parameters within the cloud account.
  - 16. The method of claim 12, wherein the security parameters comprise one or more of information regarding a share-account, a gateway IP address, a subnet, a VPN mode, a VPN authentication method, a VPN pre-shared key, a VPN certificate, a share-to-account and a share-to-subnet.

17. A computer system comprising:
- non-transitory storage device having tangibly embodied therein instructions representing a security application; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the security application to perform a method comprising;
  
  logging into a cloud account by a first network appliance;
  
  fetching by the first network appliance, by the first network appliance, one or more security parameters shared by a second network appliance to the cloud account;
  
  automatically creating, by the first network appliance, a security policy that controls a connection between the first network appliance and the second network appliance based at least in part on the one or more security parameters.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 18. The computer system of claim 17, wherein the method further comprises dynamically establishing the connection between the first network appliance and the second network appliance if network traffic is allowed by the security policy.
  - 19. The computer system of claim 18, wherein the connection is established based at least in part on the one or more shared security parameters.
  - 20. The computer system of claim 18, wherein the connection comprises a Virtual Private Network (VPN) connection.
  - 21. The computer system of claim 17, wherein the method further comprises:
    - fetching from the cloud account, by the first network appliance, a modification of the one or more security parameters shared by the second network appliance to the cloud account;
      
      updating, by the first network appliance, the security policy based at least in part on the modification of the one or more security parameters.
  - 22. The computer system of claim 17, wherein the method further comprises:
    - performing, by the first network appliance, a consistency check against a local rule; and
      
      if the consistency check indicates that the one or more security parameters shared by the second network appliance is allowable, then creating the security policy based at least in part on the one or more security parameters.
  - 23. The computer system of claim 17, wherein the fetched one or more security parameters are cached locally.
  - 24. The computer system of claim 17, wherein the method further comprises sending, by the first network appliance, a keepalive command to the cloud account to keep it online.
  - 25. The computer system of claim 17, wherein the method further comprises sharing or updating, by the first network appliance, one or more security parameters to the cloud account.
  - 26. The computer system of claim 17, wherein the security policy comprises a Virtual Private Network (VPN) client configuration.
  - 27. The computer system of claim 17, wherein the security parameters include one or more of information regarding a share-account, a gateway IP address, a subnet, a VPN mode, a VPN authentication method, a VPN pre-shared key, a VPN certificate, a share-to-account and a share-to-subnet.

28. A computer system comprising:
- non-transitory storage device having tangibly embodied therein instructions representing a security application; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the security application to perform a method comprising;
  
  logging into a cloud account by a first network appliance;
  
  sharing, by the first network appliance, one or more security parameters with a second network appliance by storing the one or more security parameters within the cloud account;
  
  automatically creating, by the first network appliance, a security policy that controls a connection between the first network appliance and the second network appliance based at least in part on the one or more security parameters.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The computer system of claim 28, wherein the method further comprising dynamically establishing the connection between the first network appliance and the second network appliance if network traffic is allowed by the security policy.
  - 30. The computer system of claim 29, wherein the connection comprises a Virtual Private Network (VPN) connection.
  - 31. The computer system of claim 29, wherein the method further comprising updating, by the first network appliance, the one or more security parameters within the cloud account.
  - 32. The computer system of claim 28, wherein the security parameters include information regarding a share-account, a gateway IP address, a subnet, a VPN mode, a VPN authentication method, a VPN pre-shared key, a VPN certificate, a share-to-account and a share-to-subnet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Xu, Qing

Granted Patent

US 9,060,025 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

CLOUD-BASED SECURITY POLICY CONFIGURATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

143 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

CLOUD-BASED SECURITY POLICY CONFIGURATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

143 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others