Managing multiple network security devices from a manager device

US 6,678,827 B1
Filed: 05/06/1999
Issued: 01/13/2004
Est. Priority Date: 05/06/1999
Status: Expired due to Term

First Claim

Patent Images

1. A computer-implemented method for a manager device to distribute security policy implementation information to multiple security devices for use in implementing a security policy, the distributing via multiple intermediate supervisor devices that are associated with the multiple security devices in such a manner that each security device has a current associated supervisor device, the method comprising, under control of the manager device and without manual intervention:

for each of the security devices, determining the currently associated supervisor device for that security device;

distributing a single copy of the security policy implementation information to each of the determined supervisor devices; and

indicating to each of the determined supervisor devices to distribute a copy of the security policy implementation information to the security devices with which the supervisor device is associated.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to a facility for using a security policy manager device to remotely manage multiple network security devices (NSDs). The manager device can also use one or more intermediate supervisor devices to assist in the management. Security for the communication of information between various devices can be provided in a variety of ways. The system allows the manager device to create a consistent security policy for the multiple NSDs by distributing a copy of a security policy template to each of the NSDs and by then configuring each copy of the template with NSD-specific information. For example, the manager device can distribute the template to multiple NSDs by sending a single copy of the template to a supervisor device associated with the NSDs and by then having the supervisor device update each of the NSDs with a copy of the template. Other information useful for implementing security policies can also be distributed to the NSDs in a similar manner. The system also allows a manager device to retrieve, analyze and display all of the network security information gathered by the various NSDs while implementing security policies. Each NSD can forward its network security information to a supervisor device currently associated with the NSD, and the manager device can retrieve network security information of interest from the one or more supervisor devices which store portions of the information and then aggregate the retrieved information in an appropriate manner.

437 Citations

47 Claims

1. A computer-implemented method for a manager device to distribute security policy implementation information to multiple security devices for use in implementing a security policy, the distributing via multiple intermediate supervisor devices that are associated with the multiple security devices in such a manner that each security device has a current associated supervisor device, the method comprising, under control of the manager device and without manual intervention:
- for each of the security devices, determining the currently associated supervisor device for that security device;
  
  distributing a single copy of the security policy implementation information to each of the determined supervisor devices; and
  
  indicating to each of the determined supervisor devices to distribute a copy of the security policy implementation information to the security devices with which the supervisor device is associated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the security policy implementation information is software to be executed by the security devices to control the implementing of the security policy.
  - 3. The method of claim 1 wherein the security policy implementation information is a security policy template that indicates the security information to be generated.
  - 4. The method of claim 3 including:
5. The method of claim 1 wherein the security policy implementation information is an instruction to be executed by the multiple security devices related to the implementing of the security policy.
6. The method of claim 1 wherein the security policy implementation information is information common to the multiple security devices, and wherein for each of the multiple security devices the common information is for configuring a security policy template for the security device with information specific to the security device.
7. The method of claim 1 wherein before the security policy implementation information is distributed to each of the multiple security devices, at least some of the multiple security devices have existing security policy implementation information of a similar type, and wherein for those security devices the security policy implementation information to be distributed will replace the existing security policy implementation information.
8. The method of claim 1 wherein before the security policy implementation information is distributed to each of the multiple security devices, at least some of the multiple security devices have existing security policy implementation information of a similar type, and wherein for those security devices the security policy implementation information to be distributed will supplement the existing security policy implementation information.
9. The method of claim 1 wherein the distributing of the security policy implementation information to each of the determined supervisor devices is performed in a manner such that the security policy implementation information is not accessible to other devices.
10. The method of claim 1 including displaying to a user a view of the multiple security devices and the supervisor devices currently associated with the security devices, and wherein the distributing of the security policy implementation information is in response to a visual selection by the user.

11. A method for a supervisor device to distribute security policy implementation information to multiple security devices for use in implementing a security policy, the method comprising:
- receiving from a manager device a single copy of security policy implementation information to be distributed to multiple security devices; and
  
  for each of the multiple security devices, if the supervisor device is associated with the security device, automatically distributing the security policy implementation information to the security device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11 wherein the security policy implementation information is software to be executed by the security devices to control the implementing of the security policy.
  - 13. The method of claim 11 wherein the security policy implementation information is a security policy template that indicates the security information to be generated.
  - 14. The method of claim 13 including:
15. The method of claim 13 including:
- before the security policy implementation information has been distributed to each of the security devices, for each security device configuring distinctly for that device a copy of the security policy implementation information that is to be distributed to that device.
16. The method of claim 13 including:
- for each of the security devices, sending to the security device a control instruction indicating an action to be taken with the security policy implementation information by the security device.
17. The method of claim 11 wherein the security policy implementation information is an instruction to be performed by the security devices related to the implementing of the security policy.
18. The method of claim 11 wherein the supervisor device distributes the security policy implementation information to a security device only when the supervisor device is associated with the security device as a primary supervisor device for the security device.
19. The method of claim 11 including when the supervisor device is not associated with one of the multiple security devices, distributing the security policy implementation information to another supervisor device to be distributed to the one security device.

20. A computer-implemented method for distributing control information to multiple security devices for use in controlling the operation of the multiple security devices, the method comprising:
- for each of the security devices, determining a supervisor device for the security device based at least in part on the determined supervisor device being currently associated with the security device;
  
  distributing the control information to each of the determined supervisor devices; and
  
  indicating to each of the determined supervisor devices to distribute the control information to the security devices with which the supervisor device is associated.
- View Dependent Claims (21)
- - 21. The method of claim 20 wherein after the control information is distributed to the security devices, the security devices operate in accordance with the control information.

22. A computer-implemented method for distributing security policy implementation information to multiple security devices for use in implementing a security policy, the method comprising:
- displaying to a user a view of the multiple security devices and of multiple supervisor devices;
  
  receiving from the user visual indications of multiple security devices to which the security policy implementation information is to be distributed;
  
  distributing the security policy implementation information to a supervisor device associated with each of the security devices; and
  
  indicating to the associated supervisor device to distribute the security policy implementation information to each of the security devices.
- View Dependent Claims (23, 24, 25)
- - 23. The method of claim 22 including:
24. The method of claim 22 wherein the view of the security devices and of the supervisor devices includes a visual indication of a supervisor device that is a primary host device for the security device.
25. The method of claim 22 wherein a visual indication for each of the multiple security devices is modified to indicate receipt by the security device of the security policy implementation information.

26. A computer-implemented method for distributing security policy implementation information to multiple security devices for use in implementing a security policy, the method comprising:
- displaying to a user a view of a manager device, the multiple security devices and of multiple supervisor devices;
  
  receiving from the user indications of multiple security devices to which the security policy implementation information is to be distributed; and
  
  displaying to the user an indication that the security policy implementation information is distributed to the multiple security devices, the distribution accomplished by the manager device sending the security policy implementation information to a supervisor device associated with each of the security devices and indicating to the associated supervisor device to distribute the security policy implementation information to each of the security devices.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The method of claim 26 including:
28. The method of claim 26 wherein the view of the security devices and of the supervisor devices includes a visual indication that the associated supervisor device distributes the security policy implementation information to each of the security devices.
29. The method of claim 26 wherein a visual indication for each of the multiple security devices is modified to indicate receipt by the security device of the security policy implementation information.
30. The method of claim 26 wherein the multiple security devices to which the security policy implementation information is to be distributed are indicated from a selection by the user of the associated supervisor device.

31. A computer-readable medium whose contents cause a manager device to distribute security policy implementation information to multiple security devices for use in implementing a security policy, by automatically performing a method comprising:
- for each of the security devices, determining a supervisor device based at least in part on that supervisor device being currently associated with the security device;
  
  distributing the security policy implementation information to each of the determined supervisor devices; and
  
  indicating to each of the determined supervisor devices to distribute the security policy implementation information to the security devices with which the supervisor device is associated.
- View Dependent Claims (32, 33, 34, 35, 36)
- - 32. The computer-readable medium of claim 31 wherein the security policy implementation information is software to be executed by the security devices to control the implementing of the security policy.
  - 33. The computer-readable medium of claim 31 wherein the security policy implementation information is a security policy template that indicates the security information to be generated.
  - 34. The computer-readable medium of claim 33 wherein the contents further cause the manager device to, after the security policy implementation information has been distributed to each of the security devices, configure the security policy implementation information distinctly on each security device.
  - 35. The computer-readable medium of claim 31 wherein the security policy implementation information is an instruction to be executed by the multiple security devices related to the implementing of the security policy.
  - 36. The computer-readable medium of claim 31 wherein the contents further cause the manager device to display to a user a view of the multiple security devices and the supervisor devices currently associated with the security devices, and wherein the distributing of the security policy implementation information is in response to a visual selection by the user.

37. A computer system for distributing security policy implementation information to multiple security devices for use in implementing a security policy, comprising:
- a security device associator for determining for each of the security devices a supervisor device currently associated with the security device; and
  
  an information distributor for distributing the security policy implementation information to each of the determined supervisor devices, and for indicating to each of the determined supervisor devices to distribute the security policy implementation information to the security devices with which the supervisor device is associated.
- View Dependent Claims (38, 39, 40)
- - 38. The computer system of claim 37 wherein the security policy implementation information is software to be executed by the security devices to control the implementing of the security policy.
  - 39. The computer system of claim 37 wherein the security policy implementation information is a security policy template that indicates the security information to be generated.
  - 40. The computer system of claim 37 including a user interface component for displaying to a user a view of the multiple security devices and the supervisor devices currently associated with the security devices, and for receiving a visual selection by the user that controls the distributing of the security policy implementation information.

41. A generated data signal transmitted via a data transmission medium from a manager device to a supervisor device, the data signal including a single copy of security policy implementation information to be distributed by the supervisor device to multiple security devices, the security policy implementation information for use by the supervisor devices in implementing a security policy, so that the manager device can efficiently distribute information to multiple security devices via a supervisor device.
- View Dependent Claims (42, 43, 44)
- - 42. The data signal of claim 41 wherein the security policy implementation information is software to be executed by the security devices to control the implementing of the security policy.
  - 43. The data signal of claim 41 wherein the security policy implementation information is a security policy template that indicates the security information to be generated.
  - 44. The data signal of claim 41 including configuration information to be distributed by the supervisor device to at least one security device, the configuration information specific to the at least one security device, the configuration information for configuring distinctly for the at least one security device a copy of the security policy implementation information that is to be distributed to that device.

45. A computer-implemented method for automatically distributing security policy implementation information to multiple security devices for use in implementing a security policy, the method comprising, under control of a manager device:
- automatically distributing a security policy template to the multiple security devices, by identifying multiple supervisor devices based on a current association of each of the identified supervisor devices with at least one of the multiple security devices, at least one of the identified supervisor devices currently associated with multiple of the multiple security devices;
  
  distributing a single copy of the security policy template to each of the identified supervisor devices; and
  
  indicating to each of the identified supervisor devices to distribute a copy of the security policy template to the security devices with which the supervisor device is associated; and
  
  for each of at least some of multiple security devices, automatically configuring the security policy template on that security device in such a manner that the configured security policy template is distinct from configured security policy templates on other of the multiple security devices.
- View Dependent Claims (46, 47)
- - 46. The method of claim 45 wherein each of the multiple security devices has at least one currently associated identified supervisor device.
  - 47. The method of claim 45 wherein at least some of the multiple security devices each have a currently associated primary supervisor device and or more other currently associated supervisor devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Original Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Inventors
Bonn, David Wayne, Rothermel, Peter M., Marvais, Nick T.
Primary Examiner(s)
Hua, Ly V.

Application Number

US09/307,332
Time in Patent Office

1,713 Days
Field of Search

713/201, 713/200, 713/202, 713/164, 713/156, 713/155, 713/154, 713/158, 713/166, 713/172, 709/229, 709/223, 709/203, 709/225
US Class Current

726/6
CPC Class Codes

H04L 41/082   the condition being updates...

H04L 41/0843   based on generic templates

H04L 41/22   comprising specially adapte...

H04L 41/28   Restricting access to netwo...

H04L 63/20   for managing network securi...

H04L 9/40   Network security protocols

Managing multiple network security devices from a manager device

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

437 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Managing multiple network security devices from a manager device

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

437 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links