Managing policy rules in a network

US 6,880,005 B1
Filed: 03/31/2000
Issued: 04/12/2005
Est. Priority Date: 03/31/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A machine-implemented method, comprising:

obtaining policy rules, and simplifying said policy rules to form simplified policy rules, wherein a policy rule comprises one or more conditions and one or more values associated with the one or more conditions, the one or more conditions to be evaluated for network communications based on the one or more values, and said simplifying comprises eliminating at least one of any redundant conditions and values from the policy rule based at least in part on condition-type information of the one or more conditions; and

based on said simplified policy rules, creating an access control list adapted to configure a network device, including creating at least one array of included conditions and at least one array of excluded conditions from the policy rules; and

using the access control list to generate access filters that configure the network device to control network communications in the network device, including generating, after redundancy checks, one or more deny filters by combining the at least one array of excluded conditions and the at least one array of included conditions, and wherein generating the access filters comprises adding one or more filters adapted to control access of a device to a component other than the network device in a network connected to the network device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Policy rules are disseminated on a network and are received by one or more devices on the network. Each device is configured with a proxy agent that translates the policy data into a format that is meaningful to the device. The agent translates the policy rules into an access list that generates permit and deny filters that determine the access that the device is allowed on the network.

278 Citations

18 Claims

1. A machine-implemented method, comprising:
- obtaining policy rules, and simplifying said policy rules to form simplified policy rules, wherein a policy rule comprises one or more conditions and one or more values associated with the one or more conditions, the one or more conditions to be evaluated for network communications based on the one or more values, and said simplifying comprises eliminating at least one of any redundant conditions and values from the policy rule based at least in part on condition-type information of the one or more conditions; and
  
  based on said simplified policy rules, creating an access control list adapted to configure a network device, including creating at least one array of included conditions and at least one array of excluded conditions from the policy rules; and
  
  using the access control list to generate access filters that configure the network device to control network communications in the network device, including generating, after redundancy checks, one or more deny filters by combining the at least one array of excluded conditions and the at least one array of included conditions, and wherein generating the access filters comprises adding one or more filters adapted to control access of a device to a component other than the network device in a network connected to the network device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising expanding the policy rules into value groups that represent conditions occurring in the network device associated with the policy rules.
  - 3. The method of claim 2 wherein said simplifying comprises excluding conditions that would otherwise be implied by policy rules.
  - 4. The method of claim 3 further comprising resolving inconsistent conditions that result from expanding the policy rules and excluding the policy rule conditions.
  - 5. The method of claim 1 further comprising generating permit filters by combining the at least one of the arrays of the included conditions with the remaining arrays of included conditions.

6. A system comprising:
- a first device adapted to disseminate policy rules in a network; and
  
  a second device adapted to receive the policy rules disseminated on the network by the first device and adapted to perform operations comprising;
  
  simplifying said policy rules to form simplified policy rules, wherein a policy rule comprises one or more conditions and one or more values associated with the one or more conditions, the one or more conditions to be evaluated for network communications based on the one or more values, and said simplifying comprises eliminating at least one of any redundant conditions and values from the policy rule based at least in part on condition-type information of the one or more conditions;
  
  based on said simplified policy rules, creating an access control list adapted to configure a network device, including creating at least one array of included conditions and at least one array of excluded conditions from the policy rules; and
  
  using the access control list to generate access filters that configure the network device to control network communications in the network device, including generating, after redundancy checks, one or more deny filters by combining the at least one array of excluded conditions and the at least one array of included conditions, and wherein generating the access filters comprises adding one or more filters adapted to control access of a device to a component other than the network device in a network connected to the network device.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6 wherein the second device further comprises a permit filter.
  - 8. The system of claim 7 further comprising a plurality of data-storage devices adapted to permit access to the second device.
  - 9. The system of claim 6 wherein the second device further comprises a deny filter.
  - 10. The system of claim 9 further comprising a plurality of data-storage devices adapted to deny access to the second device.

11. An article comprising a computer-readable medium which stores computer executable instructions for managing policy rules on a network, the instructions causing a computing machine to perform operations comprising:
- simplifying policy rules to form simplified policy rules, wherein a policy rule comprises one or more conditions and one or more values associated with the one or more conditions, the one or more conditions to be evaluated for network communications based on the one or more values, and said simplifying comprises eliminating at least one of any redundant conditions and values from the policy rule based at least in part on condition-type information of the one or more conditions;
  
  based on said simplified policy rules, creating an access control list adapted to configure a network device, including creating at least one array of included conditions and at least one array of excluded conditions from the policy rules; and
  
  using the access control list to generate access filters that configure the network device to control network communications in the network device, including generating, after redundancy checks, one or more deny filters by combining the at least one array of excluded conditions and the at least one array of included conditions, and wherein generating the access filters comprises adding one or more filters adapted to control access of a device to a component other than the network device in a network connected to the network device.
- View Dependent Claims (12, 13, 14)
- - 12. The article of claim 11 wherein the operations further comprise expanding the policy rules into value groups, wherein value groups represent conditions occurring in the network device associated with the policy rules.
  - 13. The article of claim 12 wherein the simplifying further includes excluding conditions that would otherwise be implied by the policy rules.
  - 14. The article of claim 13 wherein the simplifying further includes resolving inconsistent conditions that result from expanding the policy rules and excluding the policy rule conditions.

15. A network device, comprising:
- a configurable management process located on the network device having instructions to effect operations comprising;
  
  receiving policy rules in the network device;
  
  translating the policy rules into simplified rules, wherein a policy rule comprises one or more conditions and one or more values associated with the one or more conditions, the one or more conditions to be evaluated for network communications based on the one or more values, and said translating comprises eliminating at least one of any redundant conditions and values from the policy rule based at least in part on condition-type information of the one or more conditions;
  
  creating an access control list adapted to configure the network device from the simplified rules, including creating at least one array of included conditions and at least one array of excluded conditions from the policy rules; and
  
  using the access control list to generate access filters that configure the network device to control network communications in the network device, including generating, after redundancy checks, one or more deny filters by combining the at least one array of excluded conditions and the at least one array of included conditions, and wherein generating the access-filters further comprises adding one or more filters adapted to control access of a device to a component other than the network device in a network connected to the network device.
- View Dependent Claims (16, 17, 18)
- - 16. The device of claim 15 further comprising a connection to an external network.
  - 17. The device of claim 16 wherein the external network is a local area network.
  - 18. The device of claim 16 wherein the external network is the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company), Intel Corporation
Original Assignee
Hewlett-Packard Company (HP Inc.), Intel Corporation
Inventors
Shipley, Michael D., Bell, Carol A., Hahn, Scott D.
Primary Examiner(s)
Vaughn, Jr., William C.

Application Number

US09/539,927
Time in Patent Office

1,838 Days
Field of Search

709/224, 709/225, 709/223, 709/229, 713/201, 713/154, 713/153
US Class Current

709/225
CPC Class Codes

H04L 47/10 Flow control; Congestion co...

Managing policy rules in a network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

278 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Managing policy rules in a network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

278 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links