COMPUTER NETWORK SECURITY CONFIGURATION VISUALIZATION AND CONTROL SYSTEM

US 20190319926A1
Filed: 11/21/2017
Published: 10/17/2019
Est. Priority Date: 11/25/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of generating a map in a user interface representing a network security configuration of a computer network comprising a plurality of network appliances, the method comprising:

receiving a plurality of standardized firewall configurations corresponding respectively to the plurality of network appliances;

processing the plurality of standardized firewall configurations to identify network security enclaves;

receiving a plurality of security sensitivity values corresponding respectively to the plurality of network appliances;

receiving network traffic data identifying and characterizing network traffic flows in the computer network between corresponding ones of the network appliances; and

generating in the user interface the map representing graphically the network appliances, the network security enclaves, the respective security sensitivity values, and the network traffic flows.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device is configured to retrieve network security configuration information from a computer network and generate a security configuration map which readily enables a user to detect defects in the security configuration with respect to a security policy. The computing device retrieves firewall configurations from security appliances in the network which operate firewalls, and processes the firewall configurations to generate a set of corresponding standardized firewall configurations. These are processed to identify enclaves containing network nodes which are associated with respective security sensitivity values based on the security policy. The computing device monitors and detects inter-node network traffic. The computing device generates a map representing the network nodes and security appliances, the security enclaves, the respective security sensitivity values, and the network traffic flows, thereby rendering readily visible inconsistencies between the actual security configuration and traffic flows, and the security policy.

Citations

25 Claims

1. A computer-implemented method of generating a map in a user interface representing a network security configuration of a computer network comprising a plurality of network appliances, the method comprising:
- receiving a plurality of standardized firewall configurations corresponding respectively to the plurality of network appliances;
  
  processing the plurality of standardized firewall configurations to identify network security enclaves;
  
  receiving a plurality of security sensitivity values corresponding respectively to the plurality of network appliances;
  
  receiving network traffic data identifying and characterizing network traffic flows in the computer network between corresponding ones of the network appliances; and
  
  generating in the user interface the map representing graphically the network appliances, the network security enclaves, the respective security sensitivity values, and the network traffic flows.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 24, 25)
- - 2. The method according to claim 1, wherein receiving the plurality of standardized firewall configurations corresponding respectively to the plurality of network appliances comprises:
    - accessing each of the network appliances to retrieve an appliance security configuration of the network appliance, the appliance security configuration comprising a firewall configuration, thereby providing a respective plurality of firewall configurations; and
      
      processing each of the firewall configurations to generate a corresponding standardized firewall configuration.
  - 3. The method according to claim 2, wherein accessing each of the network appliances to retrieve the appliance security configuration of the network appliance comprises accessing at least one of the network appliances over the computer network to retrieve the appliance security configuration of the network appliance.
  - 4. The method according to claim 2, wherein first ones of the plurality of firewall configurations are characterized by a first firewall configuration type different from a second firewall configuration type characterizing second ones of the plurality of firewall configurations, and processing each of the firewall configurations to generate the respectively corresponding standardized firewall configurations comprises:
    - determining a firewall configuration type of the firewall configuration, and processing firewall configuration parameters of the firewall configuration based on an algorithm associated with the firewall configuration type to generate corresponding standardized firewall configuration parameters of the corresponding standardized firewall configuration.
  - 5. The method according to claim 1, wherein processing the plurality of standardized firewall configurations to identify network security enclaves comprises identifying corresponding groups of the network appliances accessible over the computer network via a corresponding common network appliance.
  - 6. The method according to claim 1, wherein receiving the plurality of security sensitivity values corresponding respectively to the plurality of network appliances comprises receiving at least one of the security sensitivity values via the user interface.
  - 7. The method according to claim 1, wherein receiving the network traffic data comprises monitoring the computer network to identify and characterize the network traffic flows between the corresponding ones of the network appliances.
  - 8. The method according to claim 1 further comprising:
    - retrieving, for each of a plurality of network segments, performing port scanning, vulnerability scanning, passive monitoring, or active packet monitoring to determine security risk values corresponding to at least one of the network appliances; and
      
      associating in a memory the security risk values to at least some of the standardized firewall configurations corresponding to the at least one of the network appliances.
  - 9. The method according to claim 1, wherein the map comprises a background comprising a region, and, for each network appliance, the map comprises an icon representing the network appliance positioned relatively in the region based on the security sensitivity value of the network appliance.
  - 10. The method according to claim 9, wherein the region comprises a center and a perimeter, and, for each network appliance, the icon representing the network appliance is positioned relative to the center and the perimeter of the region based on the security sensitivity value of the network appliance.
  - 11. The method according to claim 10, wherein icons of network appliances having relatively higher security sensitivity values are positioned closer to the center of the region relative to icons of network appliances having relatively lower security sensitivity values.
  - 12. The method according to claim 1, wherein, for each network security enclave, the map comprises a boundary encompassing the icons of the network appliances belonging to that network security enclave.
  - 13. The method according to claim 1, wherein, for each network traffic flow, the map comprises a line joining the corresponding ones of the network appliances.
  - 14. The method according to claim 13, wherein a visual attribute of the line joining the corresponding ones of the network appliances represents a protocol of the network traffic flow.
  - 15. The method according to claim 1, wherein the user interface comprises a display, and generating in the user interface the map representing graphically the network appliances, the network security enclaves, the respective security sensitivity values, and the network traffic flows comprises displaying the map using the display.
  - 24. A computing device comprising a processor, a network interface, and a memory encoding computer-executable instructions executable by the processor to perform the method according to claim 1 using the network interface.
  - 25. A non-transient computer-readable medium encoding computer-executable instructions executable by the processor to perform the method according to claim 1 using the network interface.

16-23. -23. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cybernetiq, Inc.
Original Assignee
Cybernetiq, Inc.
Inventors
CUMMINS, Joseph, WONG, Jonathan

Granted Patent

US 11,258,763 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 9/451   Execution arrangements for ...

H04L 41/02   Standardisation; Integration

H04L 41/22   comprising specially adapte...

H04L 41/28   Restricting access to netwo...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

COMPUTER NETWORK SECURITY CONFIGURATION VISUALIZATION AND CONTROL SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

COMPUTER NETWORK SECURITY CONFIGURATION VISUALIZATION AND CONTROL SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links