Managing policy rules in a network
Abstract
Policy rules are disseminated on a network and are received by one or more devices on the network. Each device is configured with a proxy agent that translates the policy data into a format that is meaningful to the device. The agent translates the policy rules into an access list that generates permit and deny filters that determine the access that the device is allowed on the network.
18 Claims
1. A machine-implemented method, comprising:
obtaining policy rules, and simplifying said policy rules to form simplified policy rules, wherein a policy rule comprises one or more conditions and one or more values associated with the one or more conditions, the one or more conditions to be evaluated for network communications based on the one or more values, and said simplifying comprises eliminating at least one of any redundant conditions and values from the policy rule based at least in part on condition-type information of the one or more conditions; and
based on said simplified policy rules, creating an access control list adapted to configure a network device, including creating at least one array of included conditions and at least one array of excluded conditions from the policy rules; and
using the access control list to generate access filters that configure the network device to control network communications in the network device, including generating, after redundancy checks, one or more deny filters by combining the at least one array of excluded conditions and the at least one array of included conditions, and wherein generating the access filters comprises adding one or more filters adapted to control access of a device to a component other than the network device in a network connected to the network device.
Dependent claims: 2, 3, 4, 5.
6. A system comprising:
a first device adapted to disseminate policy rules in a network; and
a second device adapted to receive the policy rules disseminated on the network by the first device and adapted to perform operations comprising:
simplifying said policy rules to form simplified policy rules, wherein a policy rule comprises one or more conditions and one or more values associated with the one or more conditions, the one or more conditions to be evaluated for network communications based on the one or more values, and said simplifying comprises eliminating at least one of any redundant conditions and values from the policy rule based at least in part on condition-type information of the one or more conditions;
based on said simplified policy rules, creating an access control list adapted to configure a network device, including creating at least one array of included conditions and at least one array of excluded conditions from the policy rules; and
using the access control list to generate access filters that configure the network device to control network communications in the network device, including generating, after redundancy checks, one or more deny filters by combining the at least one array of excluded conditions and the at least one array of included conditions, and wherein generating the access filters comprises adding one or more filters adapted to control access of a device to a component other than the network device in a network connected to the network device.
Dependent claims: 7, 8, 9, 10.
11. An article comprising a computer-readable medium which stores computer executable instructions for managing policy rules on a network, the instructions causing a computing machine to perform operations comprising:
simplifying policy rules to form simplified policy rules, wherein a policy rule comprises one or more conditions and one or more values associated with the one or more conditions, the one or more conditions to be evaluated for network communications based on the one or more values, and said simplifying comprises eliminating at least one of any redundant conditions and values from the policy rule based at least in part on condition-type information of the one or more conditions;
based on said simplified policy rules, creating an access control list adapted to configure a network device, including creating at least one array of included conditions and at least one array of excluded conditions from the policy rules; and
using the access control list to generate access filters that configure the network device to control network communications in the network device, including generating, after redundancy checks, one or more deny filters by combining the at least one array of excluded conditions and the at least one array of included conditions, and wherein generating the access filters comprises adding one or more filters adapted to control access of a device to a component other than the network device in a network connected to the network device.
Dependent claims: 12, 13, 14.
15. A network device, comprising:
a configurable management process located on the network device having instructions to effect operations comprising:
receiving policy rules in the network device;
translating the policy rules into simplified rules, wherein a policy rule comprises one or more conditions and one or more values associated with the one or more conditions, the one or more conditions to be evaluated for network communications based on the one or more values, and said translating comprises eliminating at least one of any redundant conditions and values from the policy rule based at least in part on condition-type information of the one or more conditions;
creating an access control list adapted to configure the network device from the simplified rules, including creating at least one array of included conditions and at least one array of excluded conditions from the policy rules; and
using the access control list to generate access filters that configure the network device to control network communications in the network device, including generating, after redundancy checks, one or more deny filters by combining the at least one array of excluded conditions and the at least one array of included conditions, and wherein generating the access filters further comprises adding one or more filters adapted to control access of a device to a component other than the network device in a network connected to the network device.
Dependent claims: 16, 17, 18.
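The abstract and the independent claims above describe one pipeline: simplify each policy rule by removing redundant conditions and values according to the condition's type, split the simplified rule into an array of included conditions and an array of excluded conditions, then emit deny filters by combining the excluded array with the included array (skipping any filter that duplicates one already produced) followed by the rule's own permit filter, including filters that govern access to a host beyond the network device. The following is an added example illustrating those steps; it is not code from the patent or its assignee. The condition names (src, dst, proto, dport), the prefix/set type table, the matching semantics and the sample rules are assumptions made for this example, and the prefix logic assumes a single IP version per condition.

```python
"""Policy rules -> access control list -> permit/deny filters.

Added example (not the patent's own code). It walks the steps the claims
describe: simplify rules using condition-type information, build arrays of
included and excluded conditions, emit deny filters from excluded x included
after a redundancy check, then the rule's own filter. Condition names, the
type table and the sample rules are assumptions made for this example.
"""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Tuple

# Assumed condition-type information. A "prefix" value is redundant when another
# value of the same condition already contains it; a "set" value is redundant
# when it is a duplicate. Unknown condition names are treated as "set".
CONDITION_TYPES: Dict[str, str] = {"src": "prefix", "dst": "prefix",
                                   "proto": "set", "dport": "set"}


@dataclass
class Condition:
    name: str
    values: List[str]
    negated: bool = False      # negated conditions form the excluded array


@dataclass
class PolicyRule:
    action: str                # "permit" or "deny"
    conditions: List[Condition]


def _dedupe_prefixes(values: List[str]) -> List[str]:
    """Drop prefixes contained in a broader prefix of the same condition (one IP version assumed)."""
    nets = [ipaddress.ip_network(v, strict=False) for v in values]
    kept = []
    for n in nets:
        if any(o != n and n.subnet_of(o) for o in nets):
            continue                      # covered by a broader value: redundant
        if n not in kept:
            kept.append(n)                # exact duplicate: redundant
    return [str(n) for n in kept]


def simplify_rule(rule: PolicyRule) -> PolicyRule:
    """Step 1: collapse same-name conditions and remove redundant values by type."""
    merged: Dict[Tuple[str, bool], List[str]] = {}
    for c in rule.conditions:
        merged.setdefault((c.name, c.negated), []).extend(c.values)
    simplified = []
    for (name, negated), vals in merged.items():
        if CONDITION_TYPES.get(name, "set") == "prefix":
            vals = _dedupe_prefixes(vals)
        else:
            vals = list(dict.fromkeys(vals))   # drop duplicates, keep order
        simplified.append(Condition(name, vals, negated))
    return PolicyRule(rule.action, simplified)


def build_acl(rules: List[PolicyRule]):
    """Step 2: per simplified rule, an array of included and an array of excluded conditions."""
    acl = []
    for r in rules:
        s = simplify_rule(r)
        acl.append((s.action,
                    [c for c in s.conditions if not c.negated],
                    [c for c in s.conditions if c.negated]))
    return acl


def _key(action, match):
    # Order-independent identity of a filter, used for the redundancy check.
    return (action, tuple(sorted((n, tuple(sorted(v))) for n, v in match)))


def generate_filters(acl):
    """Step 3: deny filters (each excluded condition combined with the included
    array) come first, then the rule's own filter; duplicates are skipped."""
    filters, seen = [], set()

    def emit(action, match):
        k = _key(action, match)
        if k not in seen:
            seen.add(k)
            filters.append((action, match))

    for action, included, excluded in acl:
        inc = [(c.name, c.values) for c in included]
        for ex in excluded:
            emit("deny", inc + [(ex.name, ex.values)])
        emit(action, inc)
    return filters


def _matches(name: str, values: List[str], pkt_value: str) -> bool:
    if CONDITION_TYPES.get(name, "set") == "prefix":
        addr = ipaddress.ip_address(pkt_value)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    return pkt_value in values


def evaluate(filters, packet: Dict[str, str]) -> str:
    """First matching filter decides; a packet matching no filter is denied."""
    for action, match in filters:
        if all(n in packet and _matches(n, v, packet[n]) for n, v in match):
            return action
    return "deny"


# Constructed sample policy: the device may reach hosts in 192.168.1.0/24 (a
# component behind the network device) over TCP 22/443 from 10/8, except from
# 10.9/16. Redundant values and a duplicate rule are included deliberately.
SAMPLE_RULES = [
    PolicyRule("permit", [
        Condition("src", ["10.0.0.0/8", "10.1.0.0/16", "10.0.0.0/8"]),
        Condition("src", ["10.9.0.0/16"], negated=True),
        Condition("dst", ["192.168.1.0/24"]),
        Condition("proto", ["tcp"]),
        Condition("dport", ["22", "22", "443"]),
    ]),
]
SAMPLE_RULES.append(SAMPLE_RULES[0])   # exact duplicate, caught by the redundancy check

if __name__ == "__main__":
    flt = generate_filters(build_acl(SAMPLE_RULES))
    for f in flt:
        print(f)
    print(evaluate(flt, {"src": "10.9.1.1", "dst": "192.168.1.10",
                         "proto": "tcp", "dport": "22"}))
```

Running the block prints two filters for the two (identical) rules: one deny filter carrying the included conditions plus the 10.9.0.0/16 source, then one permit filter, with the redundant 10.1.0.0/16 prefix and the duplicate port gone. Emitting deny filters ahead of the permit filter is what makes the exclusion effective under first-match evaluation; the sorted key in the redundancy check means two filters with the same conditions in a different order are still recognised as one.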