System and method for generation VPN network policies

US 6,539,483 B1
Filed: 01/12/2000
Issued: 03/25/2003
Est. Priority Date: 01/12/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for generating a plurality of policies in a Virtual Private Network (VPN) wherein each policy includes a condition and at least one action and in which the VPN is defined by a sum of a plurality of policy segments, the method comprising:

grouping a plurality of VPN devices into a policy segment based on common policy components, each policy segment being defined by specifying a device list, a topology connection type and a policy template, said policy segment device list comprising a user-defined collection of other device lists or device interface profiles, each device interface profile containing device specific information that is needed to generate a traffic profile and an Internet Protocol Security (IPSec) data management action component for the policy segment;

generating policies for the grouped VPN devices based on the policy segment definition; and

writing each VPN device policy to a server device for storage.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and program product for defining a Virtual Private Network (VPN) by the sum of a plurality of policy segments. Each policy segment is composed of a policy segment name, a policy segment type, a VPN device list, a policy template, a quality of service template and a connection type. The policy segment type can include Internet Protocol Security (IPsec), Differential Services (DiffServ) or Reservation Protocol (RSVP). The group of devices in a policy segment are it specified in a device list which is a collection of other device lists and/or device interface profiles. The group of common policy components are specified in a policy template. Policy templates contain the condition and action references that are used to generate policies for the policy segment. The condition reference includes a validity period and a traffic profile. The action reference includes at least one of an IPsec action, a DiffServ action or an RSVP action. The device list, connection type, and policy template are combined to generate all of the policies for a policy segment.

156 Citations

54 Claims

1. A method for generating a plurality of policies in a Virtual Private Network (VPN) wherein each policy includes a condition and at least one action and in which the VPN is defined by a sum of a plurality of policy segments, the method comprising:
- grouping a plurality of VPN devices into a policy segment based on common policy components, each policy segment being defined by specifying a device list, a topology connection type and a policy template, said policy segment device list comprising a user-defined collection of other device lists or device interface profiles, each device interface profile containing device specific information that is needed to generate a traffic profile and an Internet Protocol Security (IPSec) data management action component for the policy segment;
  
  generating policies for the grouped VPN devices based on the policy segment definition; and
  
  writing each VPN device policy to a server device for storage.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method for generating a plurality of policies of claim 1 wherein the device specific information includes Internet Protocol (IP) addresses.
  - 3. The method for generating a plurality of policies of claim 1 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a mesh connection in which each device in the policy segment is connected to every other device in the policy segment.
  - 4. The method for generating a plurality of policies of claim 3 further comprising:
5. The method for generating a plurality of policies of claim 4 further comprising:
- building a policy for each device in a paired list of devices; and
  
  writing the policy for each device in a paired list of devices to a Light Weight Directory Access Protocol (LDAP) server device.
6. The method for generating a plurality of policies of claim 1 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a star connection between a designated hub device and every other device in the policy segment.
7. The method for generating a plurality of policies of claim 6 further comprising:
- expanding the device list to individual VPN devices;
  
  building a paired list of devices representing a hub-to-all relationship between the VPN devices in the expanded list.
8. The method for generating a plurality of policies of claim 7 further comprising:
- building a policy for each device in a paired list of devices; and
  
  writing the policy for each device in a paired list of devices to a Light Weight Directory Access Protocol (LDAP) server device.
9. The method for generating a plurality of policies of claim 1 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a specific device pair configuration between two devices in the policy segment.
10. The method for generating a plurality of policies of claim 9 further comprising:
- expanding the device list to individual VPN devices;
  
  building a paired list of devices representing a single device to single device relationship between the two devices in the expanded list.
11. The method for generating a plurality of policies of claim 10 further comprising:
- building a policy for each device in a paired list of devices; and
  
  writing the policy for each device in a paired list of devices to a Light Weight Directory Access Protocol (LDAP) server device.
12. The method for generating a plurality of policies of claim 1 wherein the policy segment policy template contains the condition and action references that are used to generate policies for the policy segment.
13. The method for generating a plurality of policies of claim 1 wherein the policy condition includes a validity period and a traffic profile template.
14. The method for generating a plurality of policies of claim 13 wherein the traffic profile template includes all the attributes of a traffic profile except device specific information such as IP addresses.
15. The method for generating a plurality of policies of claim 1 wherein the policy action is at least one of an IPsec action, a Differential Services (DiffServ) action or a Reservation Setup Protocol (RSVP) action.
16. The method for generating a plurality of policies of claim 15 further comprising for a DiffServ or RSVP policy segment:
- expanding the device list to individual VPN devices;
  
  building a policy for each device in the device list; and
  
  writing the policy for each device to a Light Weight Directory Protocol (LDAP) server device.
17. The method for generating a plurality of policies of claim 16 further including for each bi-directional policy:
- building a second policy for the corresponding device; and
  
  writing the second policy to the LDAP server device.
18. The method for generating a plurality of policies of claim 1 wherein the server device uses a Light Weight Directory Access Protocol (LDAP).

19. A computer readable medium containing a computer program product that generates a plurality of policies in a Virtual Private Network (VPN) wherein each policy includes a condition and at least one action and in which the VPN is defined by a sum of a plurality of policy segments, the computer program product comprising:
- program instructions that group a plurality of VPN devices into a policy segment based on common policy components, each policy segment being defined by specifying a device list, a topology connection type and a policy template, each policy segment device list comprising a user-defined collection of other device lists or device interface profiles, each device interface profile containing device specific information that is needed to generate a traffic profile and an Internet Protocol Security (IPsec) data management action component for the policy segment;
  
  program instructions that generate policies for the grouped VPN devices based on the policy segment definition; and
  
  program instructions that write each VPN device policy to a server device for storage.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 42, 43, 44)
- - 20. The computer program product that generates a plurality of policies of claim 19 wherein the device specific information includes Internet Protocol (IP) addresses.
  - 21. The computer program product that generates a plurality of policies of claim 19 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a mesh connection in which each device in the policy segment is connected to every other device in the policy segment.
  - 22. The computer program product that generates a plurality of policies of claim 21 further comprising:
23. The computer program product that generates a plurality of policies of claim 22 further comprising:
- program instructions that build a policy for each device in a paired list of devices;
  
  program instructions that write the policy for each device in a paired list of devices to a Light Weight Directory Access Protocol (LDAP) server device.
24. The computer program product that generates a plurality of policies of claim 19 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a star connection between a designated hub device and every other device in the policy segment.
25. The computer program product that generates a plurality of policies of claim 24 further comprising:
- program instructions that expand the device list to individual VPN devices;
  
  program instructions that build a paired list of devices representing a hub-to-all relationship between the VPN devices in the expanded list.
26. The computer program product that generates a plurality of policies of claim 25 further comprising:
- program instructions that build a policy for each device in a paired list of devices;
  
  program instructions that write the policy for each device in a paired list of devices to a Light Weight Directory Access Protocol (LDAP) server device.
27. The computer program product that generates a plurality of policies of claim 19 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a specific device pair configuration between two devices in the policy segment.
28. The computer program product that generates a plurality of policies of claim 27 further comprising:
- program instructions that expand the device list to individual VPN devices;
  
  program instructions that build a paired list of devices representing a single device to single device relationship between the two devices in the expanded list.
29. The computer program product that generates a plurality of policies of claim 28 further comprising:
- program instructions that build a policy for each device in a paired list of devices;
  
  program instructions that write the policy for each device in a paired list of devices to a Light Weight Directory Access Protocol (LDAP) server device.
30. The computer program product that generates a plurality of policies of claim 19 wherein the policy segment policy template contains the condition and action references that are used to generate policies for the policy segment.
31. The computer program product that generates a plurality of policies of claim 19 wherein the policy condition includes a validity period and a traffic profile template.
32. The computer program product that generates a plurality of policies of claim 31 wherein the traffic profile template includes all the attributes of a traffic profile except device specific information such as IP addresses.
33. The computer program product that generates a plurality of policies of claim 19 wherein the policy action is at least one of an IPsec action, a Differential Services (DiffServ) action or a Reservation Setup Protocol (RSVP) action.
34. The computer program product that generates a plurality of policies of claim 33 further comprising for a DiffServ or RSVP policy segment:
- A program instructions that expand the device list to individual VPN devices;
  
  program instructions that build a policy for each device in the device list; and
  
  program instructions that write the policy for each device to a Light Weight Directory Protocol (LDAP) server device.
35. The computer program product that generates a plurality of policies of claim 34 further including for each bi-directional policy:
- program instructions that build a second policy for the corresponding; and
  
  program instructions that write the second policy to the LDAP server device.
36. The computer program product that generates a plurality of policies of claim 19 wherein the server device uses a Light Weight Directory Access Protocol (LDAP).
42. The system for generating a plurality of policies of claim 31 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a star connection between a designated hub device and every other device in the policy segment.
43. The system for generating a plurality of policies of claim 42, wherein the management application further comprises:
- a logic module for expanding the device list to individual VPN devices; and
  
  a logic module for building a paired list of devices representing a hub-to-all relationship between the VPN devices in the expanded list.
44. The system for generating a plurality of policies of claim 43, wherein the management application further comprises:
- a logic module for building a policy for each device in a paired list of devices; and
  
  a logic module for writing the policy for each device in a paired list of devices to a Light Weight Directory Protocol (LDAP) server device.

37. A system for generating a plurality of policies in a Virtual Private Network (VPN) including a plurality of network devices, a server device, and a manager application resident on at least one network device, wherein each policy includes a condition and at least one action and in which the VPN is defined by a sum of a plurality of policy segments, the manager application comprising:
- an input module for grouping a plurality of VPN devices into a policy segment based on common policy components, each policy segment being defined by specifying a device list, a topology connection type and a policy template, each policy segment device list comprising a user-defined collection of other device lists or device interface profiles, each device interface profile containing device specific information that is needed to generate a traffic profile and an Internet Protocol Security (IPsec) data management action component for the policy segment;
  
  a logic module for generating policies for the grouped VPN devices based on the policy segment definition; and
  
  an output module for writing each VPN device policy to the server device for storage.
- View Dependent Claims (38, 39, 40, 41, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 38. The method for generating a plurality of policies of claim 37 wherein the device specific information includes Internet Protocol (IP) addresses.
  - 39. The system for generating a plurality of policies of claim 37 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a mesh connection in which each device in the policy segment is connected to every other device in the policy segment.
  - 40. The system for generating a plurality of policies of claim 39, wherein the management application further comprises:
41. The system for generating a plurality of policies of claim 40, wherein the management application further comprises:
- a logic module for building a policy for each device in a paired list of devices; and
  
  a logic module for writing the policy for each device in a paired list of devices to a Light Weight Directory Protocol be (LDAP) server device.
45. The system for generating a plurality of policies of claim 37 wherein an Internet Protocol Security (IPsec) policy segment topology connection type is a specific device pair configuration between two devices in the policy segment.
46. The system for generating a plurality of policies of claim 45, wherein the management application further comprises:
- a logic module for expanding the device list to individual VPN devices; and
  
  a logic module for building a paired list of devices representing a single device to single device relationship between the two devices in the expanded list.
47. The system for generating a plurality of policies of claim 46, wherein the management application further comprises:
- a logic module for building a policy for each device in a paired list of devices; and
  
  a logic module for writing the policy for each device in a paired list of devices to a Light Weight Directory Access Protocol (LDAP) server device.
48. The system for generating a plurality of policies of claim 37 wherein the policy segment policy template contains the condition and action references that are used to generate policies for the policy segment.
49. The system for generating a plurality of policies of claim 37 wherein the policy condition includes a validity period and a traffic profile template.
50. The system for generating a plurality of policies of claim 49 wherein the traffic profile template includes all the attributes of a traffic profile except device specific information such as IP addresses.
51. The system for generating a plurality of policies of claim 37 wherein the policy action is at least one of an IPsec action, a Differential Services (DiffServ) action or a Reservation Setup Protocol (RSVP) action.
52. The system for generating a plurality of policies of claim 37 further comprising for a DiffServ or RSVP policy segment:
- a logic module for expanding the device list to individual VPN devices;
  
  a logic module for building a policy for each device in the device list; and
  
  a logic module for writing the policy for each device to a Light Weight Directory Protocol (LDAP) server device.
53. The system for generating a plurality of policies of claim 52 further including for each bi-directional policy:
- a logic module for building a second policy for the corresponding device; and
  
  a logic module for writing the second policy to the LDAP server device.
54. The system for generating a plurality of policies of claim 37 wherein the server device uses a Light Weight Directory Access Protocol (LDAP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Harrison, Bret Elliott, Reed, William Donald, Temoshenko, Leo
Primary Examiner(s)
Trammell, James P.
Assistant Examiner(s)
CHEUNG, MARY DA ZHI WANG

Application Number

US09/481,831
Time in Patent Office

1,168 Days
Field of Search

713/200-201, 707/8-10
US Class Current

726/1
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 47/24   Traffic characterised by sp...

H04L 63/02   for separating internal fro...

H04L 63/0272   Virtual private networks

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

System and method for generation VPN network policies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

156 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for generation VPN network policies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

156 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links