CLOUD BASED DYNAMIC ACCESS CONTROL LIST MANAGEMENT ARCHITECTURE

US 20140379915A1
Filed: 11/19/2013
Published: 12/25/2014
Est. Priority Date: 06/19/2013
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

receiving, by a router, network traffic having been generated by one or more client devices;

parsing information from the network traffic;

forwarding the information associated with the network traffic to an access control list management server;

receiving, from the access control list management server, policy values describing an access control list policy associated with the network traffic; and

implementing the policy values for enforcement of the access control list policy by the router.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method comprises receiving, by a router, network traffic having been generated by one or more client devices; parsing information from the network traffic; forwarding the information associated with the network traffic to an access control list management server; receiving, from the access control list management server, policy values describing an access control list policy associated with the network traffic; and implementing the policy values for enforcement of the access control list policy by the router.

151 Citations

20 Claims

1. A method comprising:
- receiving, by a router, network traffic having been generated by one or more client devices;
  
  parsing information from the network traffic;
  
  forwarding the information associated with the network traffic to an access control list management server;
  
  receiving, from the access control list management server, policy values describing an access control list policy associated with the network traffic; and
  
  implementing the policy values for enforcement of the access control list policy by the router.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the parsing includes capturing a data packet from the network traffic, the forwarding including specifying, within the information, the data packet, an interface identifier associated with reception of the network traffic, and a router identifier.
  - 3. The method of claim 1, wherein the implementing includes:
    - determining whether the policy values can be summarized with existing policies, and generating a corresponding policy decision; and
      
      generating access control lists, based on the policy decision, for execution by network interfaces in the router.

4. An apparatus comprising:
- a network interface circuit configured for receiving network traffic having been generated by one or more client devices; and
  
  a processor circuit configured for;
  
  parsing information from the network traffic, and forwarding the information associated with the network traffic to an access control list management server,receiving, from the access control list management server, policy values describing an access control list policy associated with the network traffic, andimplementing the policy values within the network interface circuit for enforcement of the access control list policy.
- View Dependent Claims (5, 6)
- - 5. The apparatus of claim 4, wherein the parsing includes capturing a data packet from the network traffic, the forwarding including specifying, within the information, the data packet, an interface identifier associated with reception of the network traffic, and a router identifier.
  - 6. The apparatus of claim 4, wherein the implementing includes:
    - determining whether the policy values can be summarized with existing policies, and generating a corresponding policy decision; and
      
      generating access control lists, based on the policy decision, for execution by network interfaces in the router.

7. Logic encoded in one or more non-transitory tangible media for execution by a machine and when executed by the machine operable for:
- receiving, by the machine, network traffic having been generated by one or more client devices;
  
  parsing information from the network traffic;
  
  forwarding the information associated with the network traffic to an access control list management server;
  
  receiving, from the access control list management server, policy values describing an access control list policy associated with the network traffic; and
  
  implementing the policy values for enforcement of the access control list policy by the machine.
- View Dependent Claims (8, 9)
- - 8. The logic of claim 7, wherein the parsing includes capturing a data packet from the network traffic, the forwarding including specifying, within the information, the data packet, an interface identifier associated with reception of the network traffic, and a router identifier.
  - 9. The logic of claim 7, wherein the implementing includes:
    - determining whether the policy values can be summarized with existing policies, and generating a corresponding policy decision; and
      
      generating access control lists, based on the policy decision, for execution by network interfaces in the router.

10. A method comprising:
- receiving, from a router, information associated with network traffic having been received by the router;
  
  determining an access control list policy for the network traffic based on the information; and
  
  sending to the router policy values describing the access control list policy, for implementation and enforcement of the access control list policy by the router.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein the determining includes:
    - categorizing the network traffic according to network traffic type; and
      
      identifying the access control list policy for the network traffic according to network traffic type, based on a correlation relative to stored access control list policies.
  - 12. The method of claim 11, wherein the identifying includes:
    - determining whether a best match exists based on determining whether one or more matching access control list policies is located for the network traffic according to the network traffic type;
      
      if no matching access control list policies are located, determining a closest historic decision for an access control list as the access control list policy for the router, based on sending a query to an event management database configured for storing events and associated policy decisions.
  - 13. The method of claim 12, wherein determining a best match includes applying at least one of a rule selection reasoning, a highest confidence level, or a popularity level rule for choosing the access control list policy if multiple matching access control list policies are located for the network traffic.
  - 14. The method of claim 10, further comprising:
    - notifying an event management database of the network traffic having been received by the router, the event management database storing historical policy decisions for respective network traffic events;
      
      the determining including determining from the event management database if a closest historic decision is available for the network traffic having been received by the router, based on a determined absence of a matching access control list policy in a rules database configured for storing rules for access control list policiesthe determining further including notifying the event management database of the access control list policy determined for the network traffic having been received by the router.

15. Logic encoded in one or more non-transitory tangible media for execution by a machine and when executed by the machine operable for:
- receiving, from a router, information associated with network traffic having been received by the router;
  
  determining an access control list policy for the network traffic based on the information; and
  
  sending to the router policy values describing the access control list policy, for implementation and enforcement of the access control list policy by the router.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The logic of claim 15, wherein the determining includes:
    - categorizing the network traffic according to network traffic type,identifying the access control list policy for the network traffic according to network traffic type, based on a correlation relative to stored access control list policies.
  - 17. The logic of claim 16, wherein the identifying includes:
    - determining whether a best match exists based on determining whether one or more matching access control list policies is located for the network traffic according to the network traffic type;
      
      if no matching access control list policies are located, determining a closest historic decision for an access control list as the access control list policy for the router, based on sending a query to an event management database configured for storing events and associated policy decisions.
  - 18. The logic of claim 17, wherein determining a best match includes applying at least one of a rule selection reasoning, a highest confidence level, or a popularity level rule for choosing the access control list policy if multiple matching access control list policies are located for the network traffic.
  - 19. The logic of claim 15, further operable for:
    - notifying an event management database of the network traffic having been received by the router, the event management database storing historical policy decisions for respective network traffic events;
      
      the determining further including notifying the event management database of the access control list policy determined for the network traffic having been received by the router.
  - 20. The logic of claim 19, wherein the determining further includes including determining from the event management database if a closest historic decision is available for the network traffic having been received by the router, based on a determined absence of a matching access control list policy in a rules database configured for storing rules for access control list policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
YANG, Ling, XIE, Yijie

Application Number

US14/084,074
Publication Number

US 20140379915A1
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

H04L 63/101 Access control lists [ACL]

CLOUD BASED DYNAMIC ACCESS CONTROL LIST MANAGEMENT ARCHITECTURE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

151 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CLOUD BASED DYNAMIC ACCESS CONTROL LIST MANAGEMENT ARCHITECTURE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

151 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links