CLASSIFICATION OF SECURITY POLICIES ACROSS MULTIPLE SECURITY PRODUCTS

US 20160212167A1
Filed: 01/20/2015
Published: 07/21/2016
Est. Priority Date: 01/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a management entity;

connecting with multiple security devices across a network, each security device configured to operate in accordance with one or more security policies;

importing, over the network, data describing the security policies from the multiple security devices; and

classifying the imported security policies into security policy classifications based on commonality in information included in the security policies across the multiple security devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A management entity connects with multiple security devices across a network. Each security device operates in accordance with one or more security policies. The management entity imports, over the network, data describing the security policies from the multiple security devices. The management entity classifies the imported security policies into security policy classifications based on commonality in information included in the security policies across the multiple security devices.

Citations

25 Claims

1. A method comprising:
- at a management entity;
  
  connecting with multiple security devices across a network, each security device configured to operate in accordance with one or more security policies;
  
  importing, over the network, data describing the security policies from the multiple security devices; and
  
  classifying the imported security policies into security policy classifications based on commonality in information included in the security policies across the multiple security devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein:
    - the importing includes importing each security policy as one or more security rules, each security rule including a set of rule parameters configured to permit or deny access to a resource based on a network protocol, source and destination addresses, and a device port; and
      
      the classifying includes classifying the security policies into the security policy classifications based on commonality between the security rules across the multiple security devices.
  - 3. The method of claim 2, wherein the classifying includes:
    - classifying security policies which have identical security rules into one or more identical security policy classifications;
      
      classifying security policies which have similar security rules into one or more similar security policy classifications; and
      
      classifying security policies which have unique security rules into a unique security policy classification.
  - 4. The method of claim 3, further comprising:
    - classifying security policies not already classified into a security policy classification indicating further investigation is needed for certain security policies; and
      
      generating an alert notification indicating that one or more security policies need further investigation.
  - 5. The method of claim 3, further comprising comparing the rule parameters of each rule of each security policy across the security policies, wherein the classifying further includes classifying based on results of the comparing by:
    - classifying the security policies into the identical security policy classification if all of their associated rule parameters are equivalent to each other;
      
      classifying the security policies into the similar security policy classification if only some of their associated rule parameters are equivalent to each other; and
      
      classifying the security policies into a unique security policy classification if none of the associated rule parameters are equivalent to each other.
  - 6. The method of claim 3, further comprising displaying a list of the rule parameters for each of the security policy classifications.
  - 7. The method of claim 3, further comprising:
    - displaying the security policy classifications as selectable security policy classifications;
      
      displaying a policy template naming option through which a policy template name may be entered;
      
      receiving an entered policy template name and selections of multiple security policy classifications; and
      
      assigning all of the security policies in the multiple selected security policy classifications to a security policy template having the entered policy template name.
  - 8. The method of claim 2, further comprising:
    - displaying the security policy classifications in unexpanded views;
      
      displaying the an expand option associated with each of the displayed security policy classifications;
      
      receiving a selection of one of the expand options; and
      
      displaying the security policy classification associated with the selected expand option in an expanded view that exposes device names of all of the security devices associated with that security policy classification.
  - 9. The method of claim 8, wherein:
    - the displaying further includes displaying a filter option to specify a rule parameter associated with the security policy classifications;
      
      receiving a specified rule parameter through the filter option; and
      
      displaying all of the rules in each security policy classifications that include a rule parameter that matches the specified rule parameter.

10. An apparatus comprising:
- a network interface unit to connect with a network; and
  
  a processor coupled to the network interface unit to;
  
  connect with multiple security devices across a network, each security device configured to operate in accordance with one or more security policies;
  
  import, over the network, data describing the security policies from the multiple security devices; and
  
  classify the imported security policies into security policy classifications based on commonality in information included in the security policies across the multiple security devices.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The apparatus of claim 10, wherein:
    - the processor imports by importing each security policy as one or more security rules, each security rule including a set of rule parameters configured to permit or deny access to a resource based on a network protocol, source and destination addresses, and a device port; and
      
      the processor classifies by classifying the security policies into the security policy classifications based on commonality between the security rules across the security devices.
  - 12. The apparatus of claim 11, wherein the processor classifies by:
    - classifying security policies which have identical security rules into one or more identical security policy classifications;
      
      classifying security policies which have similar security rules into one or more similar security policy classifications; and
      
      classifying security policies which have unique security rules into a unique security policy classification.
  - 13. The apparatus of claim 12, wherein the processor further:
    - classifies security policies not already classified into a security policy classification indicating further investigation is needed for certain security policies; and
      
      generates an alert notification indicating that one or more security policies need further investigation.
  - 14. The apparatus of claim 12, wherein the processor further compares the rule parameters of each rule of each security policy across the security policies, and classifies further based on results of the compare by:
    - classifying the security policies into the identical security policy classification if all of their associated rule parameters are equivalent to each other;
      
      classifying the security policies into the similar security policy classification if only some of their associated rule parameters are equivalent to each other; and
      
      classifying security policies into the unique security policy classification if none of the associated rule parameters are equivalent to each other.
  - 15. The apparatus of claim 12, wherein the processor generates for display a list of the rule parameters for each of the security policy classifications.
  - 16. The apparatus of claim 11, wherein the processor further:
    - generates for display the security policy classifications in unexpanded views;
      
      generates for display an expand option associated with each of the displayed security policy classifications;
      
      receives a selection of one of the expand options; and
      
      generates for display the security policy classification associated with the selected expand option in an expanded view that exposes device names of all of the security devices associated with that security policy classification.
  - 17. The apparatus of claim 16, wherein the processor further:
    - generates for display a filter option to specify a rule parameter associated with the security policy classifications;
      
      receives a specified rule parameter through the filter option; and
      
      generates for display all of the rules in each security policy classifications that include a rule parameter that matches the specified rule parameter.

18. A non-transitory tangible computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to:
- connect with multiple security devices across a network, each security device configured to operate in accordance with one or more security policies;
  
  import, over the network, data describing the security policies from the multiple security devices; and
  
  classify the imported security policies into security policy classifications based on commonality in information included in the security policies across the multiple security devices.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The computer readable storage media of claim 18, wherein:
    - the instructions to cause the processor to import include instructions to cause the processor to import each security policy as one or more security rules, each security rule including a set of rule parameters configured to permit or deny access to a resource based on a network protocol, source and destination addresses, and a device port; and
      
      the instructions to cause the processor to classify include instructions to cause the processor to classify the security policies into the security policy classifications based on commonality between the security rules across the security devices.
  - 20. The computer readable storage media of claim 19, wherein the instructions to cause the processor to classify include instructions to cause the processor to:
    - classify security policies which have identical security rules into one or more identical security policy classifications;
      
      classify security policies which have similar security rules into one or more similar security policy classifications; and
      
      classify security policies which have unique security rules into a unique security policy classification.
  - 21. The computer readable storage media of claim 20, further comprising instructions to cause the processor to:
    - classify security policies not already classified into a security policy classification indicating further investigation is needed for certain security policies; and
      
      generate an alert notification indicating that one or more security policies need further investigation.
  - 22. The computer readable storage media of claim 20, further comprising instructions to cause the processor to compare the rule parameters of each rule of each security policy across the security policies, wherein the instructions to cause the processor to classify include further instructions to cause the processor to, based on results of the compare:
    - classify the security policies into the identical security policy classification if all of their associated rule parameters are equivalent to each other;
      
      classify the security policies into the similar security policy classification if only some of their associated rule parameters are equivalent to each other; and
      
      classify security policies into the unique security policy classification if none of the associated rule parameters are equivalent to each other.
  - 23. The computer readable storage media of claim 20, further comprising instructions to cause the processor to generate for display a list of the rule parameters for each of the security policy classifications.
  - 24. The computer readable storage media of claim 19, further comprising instructions to cause the processor to:
    - generate for display the security policy classifications in unexpanded views;
      
      generate for display an expand option associated with each of the displayed security policy classifications;
      
      receive a selection of one of the expand options; and
      
      generate for display the security policy classification associated with the selected expand option in an expanded view that exposes device names of all of the security devices associated with that security policy classification.
  - 25. The computer readable storage media of claim 24, further comprising instructions to cause the processor to:
    - generate for display a filter option to specify a rule parameter associated with the security policy classifications;
      
      receive a specified rule parameter through the filter option; and
      
      generate for display all of the rules in each security policy classifications that include a rule parameter that matches the specified rule parameter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Dotan, Yedidya, Martherus, Robin, Agarwal, Sanjay

Granted Patent

US 9,401,933 B1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/186   Templates

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

CLASSIFICATION OF SECURITY POLICIES ACROSS MULTIPLE SECURITY PRODUCTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

CLASSIFICATION OF SECURITY POLICIES ACROSS MULTIPLE SECURITY PRODUCTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links