Graphical network security policy management
Abstract
A method of establishing a representation of an abstract network security policy is disclosed. The representation is established in the form of a decision tree that is constructed by assembling graphical symbols representing policy actions and policy conditions. A user modifies properties of the graphical symbols to create a logical representation of the policy. Concurrently, the logical representation is transformed into a textual script that represents the policy, and the script is displayed as the user works with the logical representation. When the policy representation is saved, the script is translated into machine instructions that govern the operation of a network gateway or firewall. The policy representation is named. The policy representation may be applied to other network devices or objects by moving an icon identifying the representation over an icon representing the network device. Policies, network objects, and network services are stored in the form of trees.
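The pipeline the abstract describes (condition and action symbols assembled into a decision tree, rendered as a textual script, then flattened into instructions a gateway evaluates to pass or reject messages) as an added Python sketch; it is not the patent's own code, and the symbol classes, script syntax, rule layout and sample policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

# Constructed example: the two symbol kinds a user assembles into the policy tree.
@dataclass
class Action:
    verdict: str            # "pass" or "reject"

@dataclass
class Condition:
    field: str              # message attribute under test, e.g. "dst_port"
    value: object           # value the attribute is compared against
    yes: "Node"             # branch taken when the test holds
    no: "Node"              # branch taken otherwise

Node = Union[Action, Condition]

def to_script(node: Node, depth: int = 0) -> str:
    """Render the tree as the textual source script shown beside the diagram."""
    pad = "  " * depth
    if isinstance(node, Action):
        return f"{pad}{node.verdict}\n"
    return (f"{pad}if {node.field} == {node.value!r}:\n" + to_script(node.yes, depth + 1)
            + f"{pad}else:\n" + to_script(node.no, depth + 1))

def to_instructions(node: Node, path: tuple = ()) -> List[Tuple[tuple, str]]:
    """Flatten the tree into ordered rules: (tests along the path, verdict)."""
    if isinstance(node, Action):
        return [(path, node.verdict)]
    return (to_instructions(node.yes, path + ((node.field, node.value, True),))
            + to_instructions(node.no, path + ((node.field, node.value, False),)))

def validate(node: Node, seen: tuple = ()) -> List[str]:
    """Syntactic check (claim 15): flag a test repeated on a path where it is already decided."""
    if isinstance(node, Action):
        return []
    key = (node.field, node.value)
    errs = [f"dead branch: {node.field} == {node.value!r} already decided"] if key in seen else []
    return errs + validate(node.yes, seen + (key,)) + validate(node.no, seen + (key,))

def enforce(instructions: List[Tuple[tuple, str]], msg: dict) -> str:
    """Gateway side: the first rule whose tests all match decides; no match fails closed."""
    for path, verdict in instructions:
        if all((msg.get(f) == v) == want for f, v, want in path):
            return verdict
    return "reject"

# Constructed sample policy: allow TCP/80 and ICMP, reject everything else.
POLICY = Condition("proto", "tcp",
                   yes=Condition("dst_port", 80, yes=Action("pass"), no=Action("reject")),
                   no=Condition("proto", "icmp", yes=Action("pass"), no=Action("reject")))
INSTRUCTIONS = to_instructions(POLICY)
```

A complete tree always reaches a verdict, so the fail-closed default in `enforce` only matters when a truncated rule set is loaded; keeping it costs nothing and avoids an accidental allow.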
17 Claims
1. A method for controlling a network device that passes or rejects information messages, the method comprising the computer-implemented steps of:
defining a set of symbols that identify logical operations that can be carried out by the network device;
defining an information communication policy for the network device by graphically interconnecting one or more of the symbols into a symbolic representation of the policy; and
generating a set of instructions based on the symbolic representation of the policy, wherein the set of instructions causes the network device to selectively pass or reject messages according to the policy, comprising the steps of generating a source script that defines the policy in a scripting language; and
displaying the source script in a window of the user interface.
after re-configuring the one or more symbols, highlighting a corresponding portion of the source script that is displayed in the window when one of the one or more symbols is selected by the user.
3. The method as recited in claim 1, further comprising the steps of:
naming the source script;
storing the source script in a database; and
displaying, in a second window of the user interface, a list of one or more source scripts that are stored in the database.
13. The method as recited in claim 1, wherein the step of defining the set of symbols includes the steps of:
displaying the set of symbols in a window of a user interface;
receiving user input from a user input device coupled to the user interface, in which the user input defines how to manipulate the symbols to create the symbolic representation of the policy.
14. The method as recited in claim 1, wherein the step of defining the information communication policy includes the steps of:
receiving editing commands for re-configuring the symbolic representation;
re-configuring the one or more symbols into a revised symbolic representation of the policy based on the editing commands; and
displaying the revised symbolic representation on the user interface.
15. The method as recited in claim 14, wherein the step of re-configuring the one or more symbols includes the steps of:
automatically validating the editing commands according to one or more syntactic rules and based on the context of the editing commands.
16. The method as recited in claim 1, wherein the step of generating the set of instructions comprises the steps of:
dynamically updating the set of instructions as the information communication policy is defined.
17. The method as recited in claim 1, wherein the step of generating the set of instructions comprises the steps of:
dynamically updating the set of instructions as the symbolic representation is re-configured.
4. A method for establishing a security policy that is enforced by a network device such as a router, the method comprising the steps of:
displaying a user interface, wherein the user interface comprises a first window that includes graphical symbols that can be manipulated to define the security policy;
receiving editing commands that manipulate one or more symbols in the set of graphical symbols whereby the security policy is established based on the editing commands;
displaying a symbolic representation of the security policy in a second window of the user interface; and
generating a set of instructions that are executable by the network device, whereby the network device enforces the security policy according to the symbolic representation, comprising the steps of generating a source script that defines the policy in a scripting language; and
displaying the source script in a window of the user interface.
5. A method for associating a security policy with a network device, the method comprising the steps of:
displaying a first icon on a user interface, wherein the first icon is associated with a first, pre-defined security policy;
displaying a second icon on the user interface, wherein the second icon identifies the network device;
receiving user input that instructs the user interface to position the first icon near the second icon, comprising receiving user input that drags the first icon over the second icon; and
in response thereto, applying the first security policy to the network device that is associated with the second icon.
6. A method for associating a security policy with a network device, the method comprising the steps of:
displaying a first icon on a user interface, wherein the first icon is associated with a first, pre-defined security policy;
displaying a second icon on the user interface, wherein the second icon identifies the network device;
receiving user input that instructs the user interface to position the first icon near the second icon;
in response thereto, applying the first security policy to the network device that is associated with the second icon;
displaying a network tree in a pane of the user interface, wherein the network tree includes a plurality of first icons organized in a hierarchy, in which each of the first icons represents one of a plurality of network objects in a network; and
displaying a policy tree in a pane of the user interface, wherein the policy tree includes a plurality of second icons organized in a hierarchy, in which each of the second icons represents a pre-defined security policy that can be associated with and enforced by one of the network objects.
displaying a service tree in a pane of the user interface, wherein the service tree includes a plurality of third icons organized in a hierarchy, in which each of the third icons represents a pre-defined logical grouping of services that can be associated with and carried out by one of the network objects.
8. A method of establishing a representation of a network security policy, the method comprising the computer-implemented steps of:
storing a decision tree in a memory, wherein the decision tree is constructed by assembling one or more graphical symbols representing policy actions and policy conditions;
modifying one or more properties of one or more of the graphical symbols to create a logical representation of the policy;
transforming the logical representation into a textual script that represents the policy;
displaying the script;
when the policy representation is saved, translating the script into machine instructions that govern operation of a network device.
10. A computer-readable medium carrying one or more sequences of instructions for controlling a network device, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
defining a set of symbols that identify logical operations that can be carried out by the network device;
defining an information communication policy for the network device by graphically interconnecting one or more of the symbols into a symbolic representation of the policy; and
generating a set of instructions based on the symbolic representation of the policy, wherein the set of instructions causes the network device to selectively pass or reject messages according to the policy, comprising the steps of generating a source script that defines the policy in a scripting language; and
displaying the source script in a window of the user interface.
11. A computer data signal embodied in a carrier wave, the computer data signal carrying one or more sequences of instructions for controlling a network device, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
defining a set of symbols that identify logical operations that can be carried out by the network device;
defining a data communication policy for the network device by graphically interconnecting one or more of the symbols into a symbolic representation of the policy; and
generating a set of instructions based on the symbolic representation of the policy, wherein the set of instructions causes the network device to selectively pass or reject messages according to the policy, comprising the steps of generating a source script that defines the policy in a scripting language; and
displaying the source script in a window of the user interface.
12. A computer apparatus comprising:
a processor; and
a memory coupled to the processor, the memory containing one or more sequences of instructions for controlling a network device, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of:
defining a set of symbols that identify logical operations that can be carried out by the network device;
defining a data communication policy for the network device by graphically interconnecting one or more of the symbols into a symbolic representation of the policy; and
generating a set of instructions based on the symbolic representation of the policy, wherein the set of instructions causes the network device to selectively pass or reject messages according to the policy, comprising the steps of generating a source script that defines the policy in a scripting language; and
displaying the source script in a window of the user interface.