System, method and computer program product for rule based network security policies
Abstract
A system, method and computer program product are provided for affording network security features. A plurality of network objects are identified. Rule sets associated with one or more of the identified network objects are retrieved. Each rule set includes a plurality of policy rules that govern actions relating to the identified network objects. Overlapping policy rules of the rule sets are reconciled amongst the network objects. The reconciled rule sets are executed. A computer program product and a method are also provided for establishing network security. A plurality of network objects of a network and a plurality of rule sets are provided. The network objects are associated with the rule sets. The rule sets include a plurality of policy rules that govern actions relating to the identified network objects during operation of the network.
26 Claims
1. A method for providing network security features, comprising:
identifying a plurality of network objects;
retrieving rule sets associated with at least one of the identified network objects, the rule sets including a plurality of policy rules that govern actions relating to the identified network objects;
reconciling overlapping policy rules of the rule sets amongst the network objects; and
executing the reconciled rule sets;
wherein the rule sets are combined into a single rule set, and duplicate policy rules of the rule sets are removed;
wherein a user is notified of conflicting policy rules of the rule sets;
wherein included is a first graphical user interface that allows a user to associate the network objects with the rule sets, a second graphical user interface that allows the user to create associations of the rule sets and the network objects for a firewall, a third graphical user interface that is displayed upon selection of a network object, a fourth graphical user interface for creating and editing the rule sets, a fifth graphical user interface for configuring a new policy rule for being added to one of the rule sets, a sixth graphical user interface for adding a new network object, and a seventh graphical user interface for editing one of the network objects.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8)
9. A computer program product for providing network security features, comprising:
(a) computer code for identifying a plurality of network objects;
(b) computer code for retrieving rule sets associated with at least one of the identified network objects, the rule sets including a plurality of policy rules that govern actions relating to the identified network objects;
(c) computer code for reconciling overlapping policy rules of the rule sets amongst the network objects; and
(d) computer code for executing the reconciled rule sets;
wherein the rule sets are combined into a single rule set, and duplicate policy rules of the rule sets are removed;
wherein a user is notified of conflicting policy rules of the rule sets;
wherein included is a first graphical user interface that allows a user to associate the network objects with the rule sets, a second graphical user interface that allows the user to create associations of the rule sets and the network objects for a firewall, a third graphical user interface that is displayed upon selection of a network object, a fourth graphical user interface for creating and editing the rule sets, a fifth graphical user interface for configuring a new policy rule for being added to one of the rule sets, a sixth graphical user interface for adding a new network object, and a seventh graphical user interface for editing one of the network objects.
(Dependent claims: 10, 11, 12, 13, 14, 15, 16)
17. A rule based network security system for providing network security features, comprising:
(a) logic for identifying a plurality of network objects;
(b) logic for retrieving rule sets associated with at least one of the identified network objects, the rule sets including a plurality of policy rules that govern actions relating to the identified network objects;
(c) logic for reconciling overlapping policy rules of the rule sets amongst the network objects; and
(d) logic for executing the reconciled rule sets;
wherein the rule sets are combined into a single rule set, and duplicate policy rules of the rule sets are removed;
wherein a user is notified of conflicting policy rules of the rule sets;
wherein included is a first graphical user interface that allows a user to associate the network objects with the rule sets, a second graphical user interface that allows the user to create associations of the rule sets and the network objects for a firewall, a third graphical user interface that is displayed upon selection of a network object, a fourth graphical user interface for creating and editing the rule sets, a fifth graphical user interface for configuring a new policy rule for being added to one of the rule sets, a sixth graphical user interface for adding a new network object, and a seventh graphical user interface for editing one of the network objects.
18. A method for establishing network security, comprising the steps of:
(a) providing a plurality of network objects of a network and a plurality of rule sets; and
(b) associating the network objects with the rule sets;
(c) wherein the rule sets include a plurality of policy rules that govern actions relating to the identified network objects during operation of the network;
wherein included is at least three graphical user interfaces selected from the group consisting of a first graphical user interface that allows a user to associate the network objects with the rule sets, a second graphical user interface that allows the user to create associations of the rule sets and the network objects for a firewall, a third graphical user interface that is displayed upon selection of a network object, a fourth graphical user interface for creating and editing the rule sets, a fifth graphical user interface for configuring a new policy rule for being added to one of the rule sets, a sixth graphical user interface for adding a new network object, and a seventh graphical user interface for editing one of the network objects.
(Dependent claims: 19, 20, 21)
22. A computer program product for establishing network security, comprising:
(a) computer code for providing a plurality of network objects of a network and a plurality of rule sets; and
(b) computer code for associating the network objects with the rule sets;
(c) wherein the rule sets include a plurality of policy rules that govern actions relating to the identified network objects during operation of the network;
wherein a plurality of the rule sets are combined into a single rule set, and duplicate policy rules of the rule sets are removed;
wherein a user is notified of conflicting policy rules of the rule sets;
wherein included is a first graphical user interface that allows a user to associate the network objects with the rule sets, a second graphical user interface that allows the user to create associations of the rule sets and the network objects for a firewall, a third graphical user interface that is displayed upon selection of a network object, a fourth graphical user interface for creating and editing the rule sets, a fifth graphical user interface for configuring a new policy rule for being added to one of the rule sets, a sixth graphical user interface for adding a new network object, and a seventh graphical user interface for editing one of the network objects.
(Dependent claims: 23, 24, 25)
26. A method for providing network security features, comprising the step of:
(a) identifying a plurality of network objects;
(b) retrieving rule sets associated with at least one of the identified network objects, the rule sets including a plurality of policy rules that govern actions relating to the identified network objects;
(c) reconciling overlapping policy rules of the rule sets amongst the network objects; and
(d) executing the reconciled rule sets;
wherein the rule sets are combined into a single rule set, and duplicate policy rules of the rule sets are removed;
wherein a user is notified of conflicting policy rules of the rule sets;
wherein included is a first graphical user interface that allows a user to associate the network objects with the rule sets, a second graphical user interface that allows the user to create associations of the rule sets and the network objects for a firewall, a third graphical user interface that is displayed upon selection of a network object, a fourth graphical user interface for creating and editing the rule sets, a fifth graphical user interface for configuring a new policy rule for being added to one of the rule sets, a sixth graphical user interface for adding a new network object, and a seventh graphical user interface for editing one of the network objects.
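The reconciliation step that the independent claims describe (combine the rule sets associated with a network object into a single rule set, remove duplicate policy rules, and notify the user of conflicting rules), worked through as an added Python example. This is not code from the patent; the object names, rule sets, the wildcard overlap test and the choice to withhold a conflicting rule until an operator resolves it are all assumptions made here.

```python
"""Rule-set reconciliation as claimed above: combine the rule sets tied to a
network object, drop duplicate rules, report conflicts. Added example with
constructed data; the overlap test and the names are assumptions."""
from dataclasses import dataclass
ANY = "any"  # wildcard value for a match field

@dataclass(frozen=True)
class PolicyRule:
    src: str      # source network object (or ANY)
    dst: str      # destination network object (or ANY)
    service: str  # e.g. "tcp/22" (or ANY)
    action: str   # "allow" or "deny"

def fields_overlap(a, b):
    """Two rules overlap when every match field is equal or wildcarded."""
    return all(x == y or ANY in (x, y)
               for x, y in ((a.src, b.src), (a.dst, b.dst), (a.service, b.service)))
def reconcile(network_objects, rule_sets, associations):
    """Return (merged, conflicts): the single combined rule set in first-seen
    order without exact duplicates, and (kept, withheld) pairs of overlapping
    rules that disagree on action. Assumed design choice: the earlier rule
    stands and the later one is withheld until the operator resolves it."""
    merged, seen, conflicts = [], set(), []
    for obj in network_objects:
        for rs_name in associations.get(obj, ()):
            for rule in rule_sets[rs_name]:
                if rule in seen:  # exact duplicate: drop silently
                    continue
                seen.add(rule)
                clash = next((m for m in merged if fields_overlap(m, rule)
                              and m.action != rule.action), None)
                if clash is None:
                    merged.append(rule)
                else:
                    conflicts.append((clash, rule))
    return merged, conflicts
# Constructed sample: two rule sets associated with the "web-srv" object.
RULE_SETS = {
    "web-tier": [PolicyRule(ANY, "web-srv", "tcp/443", "allow"),
                 PolicyRule(ANY, "web-srv", "tcp/22", "deny")],
    "admin-access": [PolicyRule(ANY, "web-srv", "tcp/443", "allow"),  # duplicate
                     PolicyRule("jump-host", "web-srv", "tcp/22", "allow")],  # clash
}
ASSOCIATIONS = {"web-srv": ["web-tier", "admin-access"]}

def demo():
    merged, conflicts = reconcile(["web-srv"], RULE_SETS, ASSOCIATIONS)
    for kept, withheld in conflicts:  # the "user is notified" step
        print(f"CONFLICT: {withheld} overlaps {kept}")
    return merged, conflicts
```

The more specific "jump-host" allow is exactly the case where a silent merge would be dangerous either way: first-match would keep the deny, last-match would open SSH from a host the web-tier owner never reviewed, so surfacing it to the operator is the safe default.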