System and method for implementing a security policy
Abstract
A system and method of implementing a security policy, comprising the steps of providing a plurality of access policies, defining a process, and connecting the access policies and the process to form a security policy.
8 Claims
1. In a computer network having a plurality of separate networks, an access control mechanism comprising:

a plurality of regions, including a first and a second region;
one or more services bridging said first and second regions;
access control rules which define a security policy, wherein the access control rules limit data transfer by the one or more services bridging the first and second regions, wherein the access control rules are defined as a decision tree, wherein the decision tree includes a decision node and a first and a second branch and wherein the decision node includes a true and a false destination path, wherein the true destination path leads to the first branch and the false destination path leads to the second branch; and
access control logic, wherein the access control logic operates with the access control rules to enforce the security policy.

(Dependent claims: 2, 3, 4)

5. In a computer network system having a plurality of networks and a plurality of services, wherein each service defines a protocol for transferring data between two of the plurality of networks, a method of defining a security policy, comprising:

defining a plurality of access policies, including a first and a second access policy, wherein the first and second access policies limit access to one or more services, wherein defining includes creating a plurality of access policy routines, including a first and a second access policy routine, wherein the first access policy routine embodies the first access policy and wherein the second access policy routine embodies the second access policy;
forming a decision tree having a plurality of decision nodes, including a first, second and third decision node, wherein the first and second decision nodes enforce the first access policy and wherein the third decision node enforces the second access policy; and
compiling a list of access control rules, wherein compiling includes replacing each decision node with one of the plurality of access policy routines.

(Dependent claim: 7)

6. In a computer network system having a plurality of networks and a plurality of services, wherein each service defines a protocol for transferring data between two of the plurality of networks, a method of enforcing a security policy, comprising:

defining a plurality of regions, including a first and a second region;
assigning each network to a region;
defining a first and a second service;
defining a plurality of access policies, including a first and a second access policy, wherein the first access policy limits communication between the first and second region using the first service and wherein the second access policy limits communication between the first and second region using the second service, wherein defining a plurality of access policies includes creating a plurality of access policy routines, including a first and a second access policy routine, wherein the first access policy routine embodies the first access policy and wherein the second access policy routine embodies the second access policy;
forming a decision tree having a plurality of decision nodes, including a first, second and third decision node, wherein the first and second decision nodes enforce the first access policy and wherein the third decision node enforces the second access policy;
compiling a list of access control rules, wherein compiling includes replacing each decision node with one of the plurality of access policy routines;
receiving a packet from the first region; and
accessing the list of access control rules to determine if the packet should be forwarded to the second region.

(Dependent claim: 8)
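The procedure of claim 6 (assign networks to regions, define services, embody each access policy as a routine, place the routines at decision nodes, flatten the tree into an ordered rule list, consult that list for a received packet) as an added Python model; this is example code, not the patent's own implementation, and the regions, networks, services, policy routines, tree shape and "forward"/"drop" verdicts are constructed assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed sample topology (an assumption, not from the patent): regions own networks,
# and each service defines a protocol used to move data between networks.
REGIONS = {"internal": ["10.0.0.0/8"], "dmz": ["192.0.2.0/24"]}
SERVICES = {"http": ("tcp", 80), "smtp": ("tcp", 25)}
Packet = namedtuple("Packet", "src dst proto dport")
# Decision node: an access policy routine plus a true and a false destination path,
# each of which is either another node or a final verdict ("forward" / "drop").
Node = namedtuple("Node", "routine on_true on_false")

def region_of(addr):
    """Assign an address to the region that owns its network (None if unassigned)."""
    for region, nets in REGIONS.items():
        if any(ip_address(addr) in ip_network(n) for n in nets):
            return region
    return None

def service_of(pkt):
    return next((s for s, sig in SERVICES.items() if sig == (pkt.proto, pkt.dport)), None)

# Access policy routines, each embodying one access policy as a True/False test on a packet.
# Policy 1 (http only internal->dmz) takes two decision nodes, policy 2 (no smtp) one, as in claim 6.
def is_http(pkt):
    return service_of(pkt) == "http"

def internal_to_dmz(pkt):
    return (region_of(pkt.src), region_of(pkt.dst)) == ("internal", "dmz")

def is_smtp(pkt):
    return service_of(pkt) == "smtp"

TREE = Node(is_smtp, "drop", Node(is_http, Node(internal_to_dmz, "forward", "drop"), "drop"))

def compile_rules(node, path=()):
    """Flatten the tree into an ordered rule list: each entry pairs the routines on a path with its verdict."""
    if isinstance(node, str):
        return [(path, node)]
    return (compile_rules(node.on_true, path + ((node.routine, True),))
            + compile_rules(node.on_false, path + ((node.routine, False),)))

def decide(rules, pkt):
    """Consult the rule list for a received packet: the first rule whose routines all match decides."""
    for path, verdict in rules:
        if all(routine(pkt) == want for routine, want in path):
            return verdict
    return "drop"  # default deny; unreachable for a complete tree

RULES = compile_rules(TREE)
```

Every leaf of the tree becomes one rule, so the compiled list is exhaustive and the default-deny branch in decide() only guards against a tree that was built with a missing leaf.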