Object model for network policy management
DC
First Claim
1. A system for managing policy services in an organization, the organization including a first network having a first set of resources and a second network remote from the first network having a second set of resources, the system comprising:
- a first edge device associated with the first network, the first edge device configured to manage policies for the first network and the first set of resources in accordance with first policy settings stored in a first database;
a second edge device associated with the second network, the second edge device configured to manage policies for the second network and the second set of resources in accordance with second policy settings stored in a second database; and
a central policy server defining the first and second policy settings and managing the first and second edge devices from a single location, the central policy server being associated with a central database storing configuration information of the first and second edge devices, wherein the central database is organized according to a hierarchical object oriented structure;
wherein;
the central policy server is configured to transmit, in response to a user command, a first policy settings update to the first edge device for storing in the first database and a second policy settings update to the second edge device for storing in the second database.
7 Assignments
Litigations
0 Petitions
Accused Products
Abstract
A unified policy management system for an organization including a central policy server and remotely situated policy enforcers. A central database and policy enforcer databases storing policy settings are configured as LDAP databases adhering to a hierarchical object oriented structure. Such structure allows the policy settings to be defined in an intuitive and extensible fashion. Changes in the policy settings made at the central policy server are automatically transferred to the policy enforcers for updating their respective databases. Each policy enforcer collects and transmits health and status information in a predefined log format and transmits it to the policy server for efficient monitoring by the policy server. For further efficiencies, the policy enforcement functionalities of the policy enforcers are effectively partitioned so as to be readily implemented in hardware. The system also provides for dynamically routed VPNs where VPN membership lists are automatically created and shared with the member policy enforcers. Updates to such membership lists are also automatically transferred to remote VPN clients. The system further provides for fine grain access control of the traffic in the VPN by allowing definition of firewall rules within the VPN. In addition, policy server and policy enforcers may be configured for high availability by maintaining a backup unit in addition to a primary unit. The backup unit becomes active upon failure of the primary unit.
294 Citations
24 Claims
-
1. A system for managing policy services in an organization, the organization including a first network having a first set of resources and a second network remote from the first network having a second set of resources, the system comprising:
-
a first edge device associated with the first network, the first edge device configured to manage policies for the first network and the first set of resources in accordance with first policy settings stored in a first database;
a second edge device associated with the second network, the second edge device configured to manage policies for the second network and the second set of resources in accordance with second policy settings stored in a second database; and
a central policy server defining the first and second policy settings and managing the first and second edge devices from a single location, the central policy server being associated with a central database storing configuration information of the first and second edge devices, wherein the central database is organized according to a hierarchical object oriented structure;
wherein;
the central policy server is configured to transmit, in response to a user command, a first policy settings update to the first edge device for storing in the first database and a second policy settings update to the second edge device for storing in the second database. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. In a system including a first network having a first set of resources and a second network remote from the first network having a second set of resources, the first network being associated with a first edge device and a first database, and the second network being associated with a second edge device and a second database, the system further including a central policy server in communication with the first and second edge devices, the central policy server being associated with a central database, a method for managing policy services in the system comprising:
-
storing configuration information of the first and second edge devices in the central database, the central database being organized in a hierarchical object oriented structure;
storing first policy settings in the first database;
storing second policy settings in the second database;
managing policies for the first network and the first set of resources from the first edge device in accordance with the first policy settings stored in the first database;
managing policies for the second network and the second set of resources from the second edge device in accordance with the second policy settings stored in the second database;
defining the first and second policy settings and managing the first and second edge devices from the central policy server;
generating by the central policy server in response to a user command, an update for the first policy settings and an update for the second policy settings;
transmitting, by the central policy server, the update for the first policy settings to the first edge device and the update for the second policy settings to the second edge device; and
storing the update to the first edge device in the first data base and the update to the second edge device in the second data base. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
-
Specification
-
- Resources
-
Current AssigneeAlcatel-Lucent USA, Inc. (Nokia Corporation)
-
Original AssigneeAlcatel SA (Nokia Corporation)
-
InventorsIyer, Mahadevan, Apsani, Lavanya, Malviya, Pankaj
-
Primary Examiner(s)CANGIALOSI, SALVATORE A
-
Application NumberUS09/592,165Time in Patent Office1,919 DaysField of Search370/241.1, 370/395.5, 370/401, 370/466, 709223-225, 709/217, 707/202US Class Current370/466CPC Class CodesH04L 12/4641 Virtual LANs, VLANs, e.g. v...H04L 41/0233 Object-oriented techniques,...H04L 41/0893 Assignment of logical group...H04L 41/0894 Policy-based network config...H04L 41/22 comprising specially adapte...H04L 41/40 using virtualisation of net...H04L 45/00 Routing or path finding of ...H04L 45/22 Alternate routingH04L 45/586 of virtual routersH04L 47/10 Flow control; Congestion co...H04L 47/20 Traffic policingH04L 47/2441 relying on flow classificat...H04L 47/41 by acting on aggregated flo...H04L 61/4523 using lightweight directory...H04L 63/0227 Filtering policies mail mes...H04L 63/0263 Rule managementH04L 63/0272 Virtual private networksH04L 63/0442 wherein the sending and rec...H04L 63/061 for key exchange, e.g. in p...H04L 63/08 for authentication of entit...View All
