System and method for generation VPN network policies
Abstract
A system, method and program product for defining a Virtual Private Network (VPN) by the sum of a plurality of policy segments. Each policy segment is composed of a policy segment name, a policy segment type, a VPN device list, a policy template, a quality of service template and a connection type. The policy segment type can include Internet Protocol Security (IPsec), Differential Services (DiffServ) or Reservation Protocol (RSVP). The group of devices in a policy segment is specified in a device list, which is a collection of other device lists and/or device interface profiles. The group of common policy components is specified in a policy template. Policy templates contain the condition and action references that are used to generate policies for the policy segment. The condition reference includes a validity period and a traffic profile. The action reference includes at least one of an IPsec action, a DiffServ action or an RSVP action. The device list, connection type, and policy template are combined to generate all of the policies for a policy segment.
54 Claims
1. A method for generating a plurality of policies in a Virtual Private Network (VPN) wherein each policy includes a condition and at least one action and in which the VPN is defined by a sum of a plurality of policy segments, the method comprising:
grouping a plurality of VPN devices into a policy segment based on common policy components, each policy segment being defined by specifying a device list, a topology connection type and a policy template, said policy segment device list comprising a user-defined collection of other device lists or device interface profiles, each device interface profile containing device specific information that is needed to generate a traffic profile and an Internet Protocol Security (IPSec) data management action component for the policy segment;
generating policies for the grouped VPN devices based on the policy segment definition; and
writing each VPN device policy to a server device for storage.
expanding the device list to individual VPN devices; and
building a paired list of devices representing an all-to-all relationship between the VPN devices in the expanded list.
5. The method for generating a plurality of policies of claim 4 further comprising:
building a policy for each device in a paired list of devices; and
writing the policy for each device in a paired list of devices to a Light Weight Directory Access Protocol (LDAP) server device.
6. The method for generating a plurality of policies of claim 1 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a star connection between a designated hub device and every other device in the policy segment.
7. The method for generating a plurality of policies of claim 6 further comprising:
expanding the device list to individual VPN devices;
building a paired list of devices representing a hub-to-all relationship between the VPN devices in the expanded list.
8. The method for generating a plurality of policies of claim 7 further comprising:
building a policy for each device in a paired list of devices; and
writing the policy for each device in a paired list of devices to a Light Weight Directory Access Protocol (LDAP) server device.
9. The method for generating a plurality of policies of claim 1 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a specific device pair configuration between two devices in the policy segment.
10. The method for generating a plurality of policies of claim 9 further comprising:
expanding the device list to individual VPN devices;
building a paired list of devices representing a single device to single device relationship between the two devices in the expanded list.
11. The method for generating a plurality of policies of claim 10 further comprising:
building a policy for each device in a paired list of devices; and
writing the policy for each device in a paired list of devices to a Light Weight Directory Access Protocol (LDAP) server device.
12. The method for generating a plurality of policies of claim 1 wherein the policy segment policy template contains the condition and action references that are used to generate policies for the policy segment.
13. The method for generating a plurality of policies of claim 1 wherein the policy condition includes a validity period and a traffic profile template.
14. The method for generating a plurality of policies of claim 13 wherein the traffic profile template includes all the attributes of a traffic profile except device specific information such as IP addresses.
15. The method for generating a plurality of policies of claim 1 wherein the policy action is at least one of an IPsec action, a Differential Services (DiffServ) action or a Reservation Setup Protocol (RSVP) action.
16. The method for generating a plurality of policies of claim 15 further comprising for a DiffServ or RSVP policy segment:
expanding the device list to individual VPN devices;
building a policy for each device in the device list; and
writing the policy for each device to a Light Weight Directory Protocol (LDAP) server device.
17. The method for generating a plurality of policies of claim 16 further including for each bi-directional policy:
building a second policy for the corresponding device; and
writing the second policy to the LDAP server device.
18. The method for generating a plurality of policies of claim 1 wherein the server device uses a Light Weight Directory Access Protocol (LDAP).
19. A computer readable medium containing a computer program product that generates a plurality of policies in a Virtual Private Network (VPN) wherein each policy includes a condition and at least one action and in which the VPN is defined by a sum of a plurality of policy segments, the computer program product comprising:
program instructions that group a plurality of VPN devices into a policy segment based on common policy components, each policy segment being defined by specifying a device list, a topology connection type and a policy template, each policy segment device list comprising a user-defined collection of other device lists or device interface profiles, each device interface profile containing device specific information that is needed to generate a traffic profile and an Internet Protocol Security (IPsec) data management action component for the policy segment;
program instructions that generate policies for the grouped VPN devices based on the policy segment definition; and
program instructions that write each VPN device policy to a server device for storage.
program instructions that expand the device list to individual VPN devices; and
program instructions that build a paired list of devices representing an all-to-all relationship between the VPN devices in the expanded list.
23. The computer program product that generates a plurality of policies of claim 22 further comprising:
program instructions that build a policy for each device in a paired list of devices;
program instructions that write the policy for each device in a paired list of devices to a Light Weight Directory Access Protocol (LDAP) server device.
24. The computer program product that generates a plurality of policies of claim 19 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a star connection between a designated hub device and every other device in the policy segment.
25. The computer program product that generates a plurality of policies of claim 24 further comprising:
program instructions that expand the device list to individual VPN devices;
program instructions that build a paired list of devices representing a hub-to-all relationship between the VPN devices in the expanded list.
26. The computer program product that generates a plurality of policies of claim 25 further comprising:
program instructions that build a policy for each device in a paired list of devices;
program instructions that write the policy for each device in a paired list of devices to a Light Weight Directory Access Protocol (LDAP) server device.
27. The computer program product that generates a plurality of policies of claim 19 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a specific device pair configuration between two devices in the policy segment.
28. The computer program product that generates a plurality of policies of claim 27 further comprising:
program instructions that expand the device list to individual VPN devices;
program instructions that build a paired list of devices representing a single device to single device relationship between the two devices in the expanded list.
29. The computer program product that generates a plurality of policies of claim 28 further comprising:
program instructions that build a policy for each device in a paired list of devices;
program instructions that write the policy for each device in a paired list of devices to a Light Weight Directory Access Protocol (LDAP) server device.
30. The computer program product that generates a plurality of policies of claim 19 wherein the policy segment policy template contains the condition and action references that are used to generate policies for the policy segment.
31. The computer program product that generates a plurality of policies of claim 19 wherein the policy condition includes a validity period and a traffic profile template.
32. The computer program product that generates a plurality of policies of claim 31 wherein the traffic profile template includes all the attributes of a traffic profile except device specific information such as IP addresses.
33. The computer program product that generates a plurality of policies of claim 19 wherein the policy action is at least one of an IPsec action, a Differential Services (DiffServ) action or a Reservation Setup Protocol (RSVP) action.
34. The computer program product that generates a plurality of policies of claim 33 further comprising for a DiffServ or RSVP policy segment:
program instructions that expand the device list to individual VPN devices;
program instructions that build a policy for each device in the device list; and
program instructions that write the policy for each device to a Light Weight Directory Protocol (LDAP) server device.
35. The computer program product that generates a plurality of policies of claim 34 further including for each bi-directional policy:
program instructions that build a second policy for the corresponding device; and
program instructions that write the second policy to the LDAP server device.
36. The computer program product that generates a plurality of policies of claim 19 wherein the server device uses a Light Weight Directory Access Protocol (LDAP).
42. The system for generating a plurality of policies of claim 31 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a star connection between a designated hub device and every other device in the policy segment.
43. The system for generating a plurality of policies of claim 42, wherein the management application further comprises:
a logic module for expanding the device list to individual VPN devices; and
a logic module for building a paired list of devices representing a hub-to-all relationship between the VPN devices in the expanded list.
44. The system for generating a plurality of policies of claim 43, wherein the management application further comprises:
a logic module for building a policy for each device in a paired list of devices; and
a logic module for writing the policy for each device in a paired list of devices to a Light Weight Directory Protocol (LDAP) server device.
37. A system for generating a plurality of policies in a Virtual Private Network (VPN) including a plurality of network devices, a server device, and a manager application resident on at least one network device, wherein each policy includes a condition and at least one action and in which the VPN is defined by a sum of a plurality of policy segments, the manager application comprising:
an input module for grouping a plurality of VPN devices into a policy segment based on common policy components, each policy segment being defined by specifying a device list, a topology connection type and a policy template, each policy segment device list comprising a user-defined collection of other device lists or device interface profiles, each device interface profile containing device specific information that is needed to generate a traffic profile and an Internet Protocol Security (IPsec) data management action component for the policy segment;
a logic module for generating policies for the grouped VPN devices based on the policy segment definition; and
an output module for writing each VPN device policy to the server device for storage.
a logic module for expanding the device list to individual VPN devices; and
a logic module for building a paired list of devices representing an all-to-all relationship between the VPN devices in the expanded list.
41. The system for generating a plurality of policies of claim 40, wherein the management application further comprises:
a logic module for building a policy for each device in a paired list of devices; and
a logic module for writing the policy for each device in a paired list of devices to a Light Weight Directory Protocol (LDAP) server device.
45. The system for generating a plurality of policies of claim 37 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a specific device pair configuration between two devices in the policy segment.
46. The system for generating a plurality of policies of claim 45, wherein the management application further comprises:
a logic module for expanding the device list to individual VPN devices; and
a logic module for building a paired list of devices representing a single device to single device relationship between the two devices in the expanded list.
47. The system for generating a plurality of policies of claim 46, wherein the management application further comprises:
a logic module for building a policy for each device in a paired list of devices; and
a logic module for writing the policy for each device in a paired list of devices to a Light Weight Directory Access Protocol (LDAP) server device.
48. The system for generating a plurality of policies of claim 37 wherein the policy segment policy template contains the condition and action references that are used to generate policies for the policy segment.
49. The system for generating a plurality of policies of claim 37 wherein the policy condition includes a validity period and a traffic profile template.
50. The system for generating a plurality of policies of claim 49 wherein the traffic profile template includes all the attributes of a traffic profile except device specific information such as IP addresses.
51. The system for generating a plurality of policies of claim 37 wherein the policy action is at least one of an IPsec action, a Differential Services (DiffServ) action or a Reservation Setup Protocol (RSVP) action.
52. The system for generating a plurality of policies of claim 37 further comprising for a DiffServ or RSVP policy segment:
a logic module for expanding the device list to individual VPN devices;
a logic module for building a policy for each device in the device list; and
a logic module for writing the policy for each device to a Light Weight Directory Protocol (LDAP) server device.
53. The system for generating a plurality of policies of claim 52 further including for each bi-directional policy:
a logic module for building a second policy for the corresponding device; and
a logic module for writing the second policy to the LDAP server device.
54. The system for generating a plurality of policies of claim 37 wherein the server device uses a Light Weight Directory Access Protocol (LDAP).
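The procedure the claims describe, carried through as an added worked example (this is not code from the patent or its assignee): a device list built from nested device lists and device interface profiles is expanded to individual devices (claim 1); a paired device list is built for the all-to-all, hub-to-all and single device pair topology connection types (claims 4, 7 and 10); each policy's condition is the template's validity period plus a traffic profile template completed with device specific addresses (claims 13 and 14); DiffServ and RSVP segments get one policy per device and a second policy when the policy is bi-directional (claims 16 and 17); and every policy is written to the server device. The profile fields `ip` and `subnet`, the connection-type labels `mesh`, `star` and `pair`, the template keys, the DN layout, and the dictionary standing in for the LDAP server are assumptions of this example; the device names and addresses are constructed sample data.

```python
# Added example: not code from the patent or its assignee. The profile fields
# (ip, subnet), the labels "mesh"/"star"/"pair", the template keys and the DN
# layout are assumptions; a dict stands in for the LDAP server device.
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional

@dataclass(frozen=True)
class DeviceInterfaceProfile:       # device specific data a traffic profile needs (claim 1)
    name: str
    ip: str                         # assumed: tunnel endpoint address
    subnet: str                     # assumed: protected network behind the device

@dataclass
class PolicySegment:
    name: str
    segment_type: str               # "IPsec", "DiffServ" or "RSVP"
    device_list: list               # profiles and/or nested device lists
    connection_type: str            # "mesh" (all-to-all), "star" (hub-to-all) or "pair"
    template: Dict[str, object]     # condition and action references (claims 12 to 15)
    hub: Optional[str] = None       # designated hub device of a star segment
    bidirectional: bool = False

def expand_device_list(device_list: list) -> List[DeviceInterfaceProfile]:
    """Flatten nested device lists to individual devices, in order, without repeats."""
    seen: List[DeviceInterfaceProfile] = []
    for item in device_list:
        members = [item] if isinstance(item, DeviceInterfaceProfile) else expand_device_list(item)
        for dev in members:
            if dev not in seen:
                seen.append(dev)
    return seen

def build_pairs(devices, connection_type, hub=None):
    """Paired device list for the topology connection type (claims 4, 7 and 10)."""
    if connection_type == "mesh":
        return list(combinations(devices, 2))
    if connection_type == "star":
        hubs = [d for d in devices if d.name == hub]
        if not hubs:
            raise ValueError("star segment needs a designated hub from its device list")
        return [(hubs[0], d) for d in devices if d is not hubs[0]]
    if connection_type == "pair":
        if len(devices) != 2:
            raise ValueError("pair segment needs exactly two devices")
        return [(devices[0], devices[1])]
    raise ValueError(f"unknown connection type: {connection_type}")

def condition_for(seg, **device_specific):
    """Validity period + traffic profile template, completed with device data (claims 13, 14)."""
    cond = dict(seg.template["traffic_profile"], validity_period=seg.template["validity_period"])
    cond.update(device_specific)
    return cond

def ipsec_policy(seg, local, remote):
    """One IPsec policy per end of a device pair, with src/dst and peer filled in."""
    return {"segment": seg.name, "device": local.name,
            "condition": condition_for(seg, src=local.subnet, dst=remote.subnet),
            "action": dict(seg.template["action"], local_endpoint=local.ip, peer=remote.ip)}

def qos_policy(seg, dev, direction):
    """DiffServ and RSVP policies are built per device, not per pair (claim 16)."""
    return {"segment": seg.name, "device": dev.name,
            "condition": condition_for(seg, src=dev.subnet, direction=direction),
            "action": dict(seg.template["action"])}

def generate_policies(seg: PolicySegment) -> List[dict]:
    """Device list + connection type + template -> every policy of the segment."""
    devices = expand_device_list(seg.device_list)
    policies: List[dict] = []
    if seg.segment_type == "IPsec":
        for a, b in build_pairs(devices, seg.connection_type, seg.hub):
            policies += [ipsec_policy(seg, a, b), ipsec_policy(seg, b, a)]
    else:
        for dev in devices:
            policies.append(qos_policy(seg, dev, "outbound"))
            if seg.bidirectional:   # second policy for the reverse direction (claim 17)
                policies.append(qos_policy(seg, dev, "inbound"))
    return policies

def write_policies(policies, store: Dict[str, dict], base_dn="ou=policies,o=example"):
    """Stand-in for the LDAP server device: one entry per policy under a per-device DN."""
    for n, pol in enumerate(policies):
        store[f"cn={pol['segment']}-{pol['device']}-{n},{base_dn}"] = pol
    return store

# Constructed sample data; addresses are documentation-range placeholders.
HQ = DeviceInterfaceProfile("hq", "192.0.2.1", "10.0.0.0/24")
BR1 = DeviceInterfaceProfile("br1", "198.51.100.1", "10.0.1.0/24")
BR2 = DeviceInterfaceProfile("br2", "203.0.113.1", "10.0.2.0/24")
BRANCHES = [BR1, BR2, BR1]          # nested device list that repeats a device
TEMPLATE = {"validity_period": "always", "traffic_profile": {"protocol": "any"},
            "action": {"ipsec": "esp-aes-sha"}}
STAR_SEGMENT = PolicySegment("corp-star", "IPsec", [HQ, BRANCHES], "star", TEMPLATE, hub="hq")
MESH_SEGMENT = PolicySegment("corp-mesh", "IPsec", [HQ, BRANCHES], "mesh", TEMPLATE)

if __name__ == "__main__":
    for dn, pol in write_policies(generate_policies(STAR_SEGMENT), {}).items():
        print(dn, pol["condition"]["src"], "->", pol["condition"]["dst"], "via", pol["action"]["peer"])
```

Two design points worth noting. Each member of a device pair gets its own policy with src and dst swapped, so a star over a hub and n spokes yields 2n device policies and a mesh over n devices yields n(n-1); the spoke count is the cheap place to check that an expanded device list is what the operator intended before the entries reach the server. The explicit ValueError checks in build_pairs exist because a star whose hub is not in the device list, or a pair segment with the wrong device count, would otherwise produce an empty or partial policy set silently, which in an IPsec deployment means traffic that was meant to be protected is simply not matched by any policy.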