Method and apparatus for network wide policy-based analysis of configurations of devices

US 7,003,562 B2
Filed: 09/17/2001
Issued: 02/21/2006
Est. Priority Date: 03/27/2001
Status: Active Grant

First Claim

Patent Images

1. A method, using an analysis platform, for analyzing a network having a plurality of network devices, the method comprising the steps of:

receiving a network policy pertaining to said network, wherein the network policy includes a set of required IP traffic associated with at least a first application on a first host application server;

receiving a topology of said network devices in said network;

receiving configuration data from at least a portion of said network devices;

creating a network configuration model for said network based on said topology and said configuration data received; and

analyzing a software simulation of the network in response to said network configuration model and said network policy to determine an existence of a violation of said network policy, wherein the software simulation of the network determines a set of simulated IP traffic for all traversable paths in the network configuration model, wherein analyzing the software simulation of said network comprises;

determining whether a set of simulated IP traffic to the first application on the first host application server in the network configuration model from the set of simulated IP traffic for all the traversable paths is identical to the set of required IP traffic associated with the first application on the first host application server; and

determining the existence of the violation of said network policy when the set of simulated IP traffic to the first application on the first host application server in the network configuration model is not identical to the set of required IP traffic associated with the first application on the first host application server.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and an apparatus for analyzing a network configuration against a corporate network policy and determining violation(s) against the corporate network policy. A report indicating the violation(s) can be generated indicating instances of the violation(s). An analysis platform reads in a network policy. The analysis platform collects configuration files from the relevant network devices in the network and builds up an internal instance of a network configuration model based on the configuration files and the network topology. The analysis platform analyzes this network configuration model according to the network policy and adds an entry to its final report each time that it detects a violation against the network policy in the network configuration model. The data in the entries pinpoints the cause of the deviation(s) from the network policy.

Citations

62 Claims

1. A method, using an analysis platform, for analyzing a network having a plurality of network devices, the method comprising the steps of:
- receiving a network policy pertaining to said network, wherein the network policy includes a set of required IP traffic associated with at least a first application on a first host application server;
  
  receiving a topology of said network devices in said network;
  
  receiving configuration data from at least a portion of said network devices;
  
  creating a network configuration model for said network based on said topology and said configuration data received; and
  
  analyzing a software simulation of the network in response to said network configuration model and said network policy to determine an existence of a violation of said network policy, wherein the software simulation of the network determines a set of simulated IP traffic for all traversable paths in the network configuration model, wherein analyzing the software simulation of said network comprises;
  
  determining whether a set of simulated IP traffic to the first application on the first host application server in the network configuration model from the set of simulated IP traffic for all the traversable paths is identical to the set of required IP traffic associated with the first application on the first host application server; and
  
  determining the existence of the violation of said network policy when the set of simulated IP traffic to the first application on the first host application server in the network configuration model is not identical to the set of required IP traffic associated with the first application on the first host application server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. A method in accordance with claim 1, wherein when said violation exists, said method further comprising:
    - generating a report specifying said violation , wherein the violation indicates a potential security risk in the network configuration model.
  - 3. A method of claim 2 wherein analyzing the software simulation also comprises:
    - determining whether the set of simulated IP traffic to the first application on the first host application server in the network configuration model includes less than all of the set of required IP traffic; and
      
      determining the existence of the violation of said network policy when the set of simulated IP traffic to the first application on the first host application server in the network configuration model includes less than all of the set of required IP traffic.
  - 4. A method of claim 3 wherein the violation indicates a problem with the network configuration model with respect to the first application on the first host application server.
  - 5. A method in accordance with claim 1, wherein said network configuration model comprises an entity-relationship model.
  - 6. A method in accordance with claim 5, wherein said network policy comprises IP capabilities and host application capabilities, said entity-relationship model employing said capabilities.
  - 7. A method in accordance with claim 6, wherein said step of analyzing comprises the step of generating a query pertaining to one of said capabilities.
  - 8. A method in accordance with claim 6, wherein said step of analyzing comprises the step of retrieving a query from a knowledge base associated with said analysis platform.
  - 9. A method in accordance with claim 1, wherein said step of analyzing comprises the step of simulating at least a portion of said network devices in said network.
  - 10. A method in accordance with claim 1, wherein said step of analyzing comprises the step of performing the software simulation of the network to determine the set of simulated IP traffic for all the traversable paths.
  - 11. A method in accordance with claim 1, wherein said step of receiving said configuration data comprises the step of receiving configuration data from a subset of said network devices in said network.
  - 12. A method in accordance with claim 11, wherein the subset of the network devices is determined by said network policy.
  - 13. A method in accordance with claim 11, wherein the subset of the network devices is determined by said topology.
  - 14. A method in accordance with claim 1 wherein analyzing the software simulation further comprises:
    - determining whether the set of simulated IP traffic to the first application on the first host application server in the network configuration model is limited to a type of traffic, wherein said network policy defines said host as being limited to said type of traffic.
  - 15. A method in accordance with claim 1, wherein said first host application server is selected from the group consisting of:
    - a mail server;
      
      a domain name server;
      
      an access control server; and
      
      a web server.
  - 16. A method in accordance with claim 14,wherein a second network device is coupled to said first application on the first host application server in the network configuration model for routing traffic thereto, andwherein said step of analyzing the software simulation further comprising the step of analyzing said second network device-to ensure that appropriate IP traffic is routed to said first application on the first host application server.
  - 17. A method in accordance with claim 16, wherein said second network device is selected from the group consisting of:
    - a router;
      
      a network switch; and
      
      a VPN device and a firewall.
  - 18. A method in accordance with claim 1,wherein said network policy describes an IP traffic routing sequence, andwherein said step of analyzing comprising the step of determining that routes taken by IP traffic in said network corresponds to said IP traffic routing sequence.
  - 19. A method in accordance wit claim 1,wherein one of said plurality of network devices comprises a host, andwherein said step of analyzing comprising the step of verifying that a configuration of said host corresponds to said network policy.
  - 20. A method of claim 1,wherein the network policy describing the set of required IP traffic associated with the first application on the first host application server comprises requirements of the first application operating on the first host application server, andwherein the requirements comprise network traffic to a second host application server.
  - 21. A method of claim 20, further comprising generating a report indicating a set of simulated inbound IP traffic directed to the first application on the first host application server, and a set of simulated outbound IP traffic output from the first application on the first host application server.

22. In a network having a plurality of network devices, a method, using an analysis platform for analyzing a proposed change to a configuration file of one of said network devices, the method comprising the steps of:
- receiving a network policy pertaining to said network, wherein the network policy comprises a set of required IP traffic appropriate for a first application on a first host application server;
  
  receiving a network configuration model for said network, wherein said network configuration model is based on a topology of said network and configuration data pertaining to at least a portion of said network devices;
  
  receiving said proposed change to said configuration file;
  
  creating an updated network configuration model based on said proposed change; and
  
  analyzing a software simulation of the network in response to said updated network configuration model in accordance with said network policy to determine the existence of a violation of said network policy, wherein the software simulation of the network determines a set of simulated IP traffic for all traversable paths in the updated network configuration model, wherein analyzing the software simulation comprises;
  
  determining a set of simulated IP traffic to the first application on the first host application server from the set of simulated IP traffic for all traversable paths;
  
  determining whether the set of simulated IP traffic to the first application on the first host application server in the updated network configuration model is identical to the set of required IP traffic; and
  
  determining the existence of the violation of said network policy when the set of simulated IP traffic to the first application on the first host application server in the updated network configuration model is not identical to the set of required IP traffic.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 23. A method in accordance with claim 22, wherein when said violation exists, said method farther comprising:
    - generating a report specifying said violation, wherein the violation indicates a problem with the proposed change to the network configuration model with respect to the first application on the first host application server.
  - 24. A method of claim 23 wherein analyzing the software simulation also comprises:
    - determining whether the set of simulated IP traffic to the first application on the first host application server in the updated network configuration model exceeds the set of required IP traffic; and
      
      determining the existence of the violation of said network policy when the set of simulated IP traffic to the first application on the first host application server in the updated network configuration model is less than all of or exceeds the set of required IP traffic.
  - 25. A method of claim 24 wherein the violation indicates a potential security risk with the proposed change to the network configuration model with respect to the first application on the first host application server.
  - 26. A method of claim 25, further comprising generating a report indicating a set of simulated inbound IP traffic directed to the first application on the first host application server, and a set of simulated outbound IP traffic output from the first application on the first host application server.
  - 27. A method of claim 26, wherein the network policy describing the set of required IP traffic associated with the first application on the first host application server comprises requirements of a host application operating on the first application on the first host application server, wherein the requirements comprise network traffic to a second host application server.
  - 28. A method in accordance with claim 22, wherein said step of analyzing comprises the step of retrieving a query from a knowledge base associated with said analysis platform.
  - 29. A method in accordance with claim 22, wherein said step of analyzing comprises the step of simulating at least a portion of said network devices in said network.
  - 30. A method in accordance with claim 22, wherein said step of analyzing comprises the step of determining predicted IP traffic flow through said network.
  - 31. A method in accordance wit claim 22, further comprising the step of uploading a configuration file containing said proposed change to said network device if no violation exists.
  - 32. A method in accordance with claim 22, wherein said step of receiving said network configuration model comprises the step of retrieving said network configuration model from a storage device associated with said analysis platform.

33. A method, using an analysis platform, for analyzing a software simulation of the network in response to a proposed change to a network policy pertaining to a network, the method comprising the steps of:
- receiving a network configuration model for said network, wherein said network configuration model is based on a topology of said network and configuration data pertaining to at least a portion of network devices in said network;
  
  receiving said proposed change;
  
  analyzing a software simulation of the network in response to a new network policy that incorporates said proposed change to determine the existence of a violation of said new network policy, wherein the software simulation of the network determines a set of simulated IP traffic for all traversable paths in the network configuration model;
  
  wherein the network policy comprises a set of required IP traffic appropriate for a first application host, andwherein analyzing the software simulation of the network comprises;
  
  determining a set of simulated IP traffic to the first application on the first host application server in response to the set of simulated IP traffic for all traversable pats;
  
  determining whether the set of simulated IP traffic to the first application on the first host application server in the network configuration model is identical to the set of required IP traffic; and
  
  determining the existence of a problem with the new network policy when the set of simulated IP traffic to the first application on the first host application server in the network configuration model is not identical to the set of required IP traffic.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 34. A method in accordance with claim 33, wherein said step of analyzing comprises the step of retrieving a query from a knowledge base associated with said analysis platform.
  - 35. A method in accordance with claim 33, wherein said step of analyzing comprises the step of performing a software simulation of the network in response to the network configuration file.
  - 36. A method in accordance with claim 33, wherein said step of analyzing comprises the step of determining IP traffic flow through said network.
  - 37. A method in accordance with claim 33, wherein said step of receiving said network configuration model comprises the step of retrieving said network configuration model from a storage device associated with said analysis platform.
  - 38. A method of claim 33, wherein when said problem exists, said method further comprises generating a report specifying said problem, wherein the problem indicates a problem with the new network policy with respect to the first application on the first host application server.
  - 39. A method of claim 38 wherein analyzing the software simulation also comprises:
    - determining whether the set of simulated IP traffic to the first application on the first host application server in the network configuration model exceeds the set of required IP traffic; and
      
      determining the existence of the problem with the new network policy when the set of simulated IP traffic to the first application on the first host application server in the network configuration model is less than all of or exceeds the set of required IP traffic.
  - 40. A method of claim 39 wherein the problem indicates a potential security risk with the new network policy with respect to the first application on the first host application server.
  - 41. A method of claim 40, further comprising generating a report indicating a set of simulated inbound IP traffic directed to the first application on the first host application server, and a set of simulated outbound IP traffic output from the first application on the first host application server.
  - 42. A method of claim 41, wherein the network policy describing the set of required IP traffic associated with the first application on the first host application server comprises requirements of the first application operating on the first host application server, wherein the requirements comprise network traffic to a second host application server.

43. A computer program stored on a computer readable medium, performed by a computer, for analyzing a network having a plurality of network devices, the computer program comprising:
- instructions for parsing a network policy file containing a network policy pertaining to said network, wherein the network policy describes a set of required IP traffic associated with a first application on the first host application server;
  
  instructions for parsing a network topology file containing a topology of said network devices in said network, wherein said network devices have associated configuration files;
  
  instructions for parsing associated configuration files of at least a subset of said network devices to obtain configuration data instructions for determining a network configuration model in response to said topology and said configuration data, wherein the network configuration model also comprises a set of simulated IP traffic associated with the first application associated with the first application server from a set of simulated IP traffic for all traversable paths in the network configuration model, wherein a software simulation of the network determines the set of simulated IP traffic for all traversable paths in the network configuration model;
  
  instructions for receiving a query for analyzing the set of simulated IP traffic associated wit the first application server, andinstructions for using said query to determine the existence of a problem in response to the query comprising instructions for comparing the set of simulated IP traffic associated with the first application on the first host application server to the set of required IP traffic associated with the first application on the first host application server.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 44. A computer program in accordance with claim 43, further comprising instructions for allowing a user to define said network devices in said network without using a programming language.
  - 45. A computer program in accordance with claim 43, further comprising instructions for collecting said topology of said network devices and creating a network topology file therefrom.
  - 46. A computer program in accordance with claim 43, wherein a configuration file of one of said network devices is changed to a new configuration file, said computer program further comprising:
    - instructions for creating a new network configuration model based on said new configuration file;
      
      instructions for generating a new query for analyzing said new network configuration model; and
      
      instructions for using said new query to determine the existence of a violation of said network policy.
  - 47. A computer program in accordance with claim 43, wherein said network policy is changed to a new network policy, said computer program further comprising:
    - instructions for generating a new query for analyzing said network configuration model in accordance with said new network policy; and
      
      instructions for using said new query to determine the existence of a violation of said new network policy.
  - 48. A computer program of claim 43, wherein the query comprises a change to the network policy;
    - wherein instructions for comparing the set of simulated IP traffic associated with the first application on the first host application server to the set of required IP traffic associated with the first application on the first host application server comprises;
      
      instructions for determining whether the set of simulated IP traffic to the first application on the first host application server in the network configuration model is limited to the set of required IP traffic; and
      
      instructions for determining a problem wit the change to the network policy when the set of simulated IP traffic to the first application on the first host application server in the network configuration model Is not limited to the set of required IP traffic.
  - 49. A computer program of claim 48 wherein the problem indicates a potential security risk with the change to the network policy.
  - 50. A computer program of claim 43, wherein the query comprises a change to the network policy;
    - wherein instructions for comparing the set of simulated IP traffic associated with the first application on the first host application server to the set of required IP traffic associated with the first application on the first host application server comprises;
      
      instructions for determining whether the set of simulated IP traffic to the first application on the first host application server in the network configuration model includes less than all of the set of required IP traffic; and
      
      instructions determining a problem with the change to the network policy when the set of simulated IP traffic to the first application on the first host application server in the network configuration model includes less than all of the set of required IP traffic.
  - 51. A computer program of claim 50, wherein the problem indicates a problem with the change to the network policy respect to the first application on the first host application server.
  - 52. A computer program of claim 43wherein the query comprises a change to the network configuration model;
    - wherein instructions for comparing the set of simulated IP traffic associated with the first application on the first host application server to the set of required IP traffic associated with the first application on the first host application server comprises;
      
      instructions for determining whether the set of simulated IP traffic to the first application on the first host application server in the network configuration model is limited to the set of required IP traffic; and
      
      instructions for determining a problem with the change to the network configuration model when the set of simulated IP traffic to the first application on the first host application server in the network configuration model is not limited to the set of required IP traffic.
  - 53. A computer program of claim 52 wherein the problem indicates a potential security risk with the change to the network configuration model.
  - 54. A computer program of claim 43,wherein the query comprises a change to the network policy;
    - wherein instructions for comparing the set of simulated IP traffic associated with the first application on the first host server to the set of required IP traffic associated with the first application on the first host server comprises;
      
      instructions for determining whether the set of simulated IP traffic to the first application on the first host application server in the network configuration model includes less than all of the set of required IP traffic; and
      
      instructions determining a problem wit the change to the network configuration model when the set of simulated IP traffic to the first application on the first host server in the network configuration model includes less than all of the set of required IP traffic.
  - 55. A computer program of claim 54, wherein the problem indicates a problem with the change to the network policy respect to the first application on the first host application server.

56. A computer program stored on a computer readable medium for processing data, comprising:
- instructions for receiving a network policy pertaining to a network wherein the network policy describes a set of required IP traffic associated with a first application on a first host server;
  
  instructions for receiving a topology of a plurality of network devices in said network;
  
  instructions for receiving configuration data from at least a portion of said plurality of network devices;
  
  instructions for creating a network configuration model for said network based on said topology and said configuration data received, wherein the network configuration model comprises a set of simulated IP traffic associated with the first host server determined in response to a set of simulated IP traffic for all traversable paths in the topology of the plurality of network devices, wherein the set of simulated IP traffic for all traversable paths in the topology is determined in response to a software simulation of the network;
  
  instructions for analyzing the set of simulated IP traffic associated with the first application on the first host server in accordance with said network policy to determine the existence of a violation of said network policy comprising;
  
  instructions for comparing the set of simulated IP traffic associated with the first application on the first host application server in the network configuration model to the required IP traffic associated with the first host server, andinstructions for generating a report specifying said violation if said violation exists.
- View Dependent Claims (57, 58, 59, 60, 61, 62)
- - 57. A computer program in accordance with claim 56, wherein said network configuration model comprises an entity-relationship model.
  - 58. A computer program in accordance with claim 57, wherein said network policy is expressed in terms of capabilities, said entity-relationship model employing said capabilities.
  - 59. A computer program in accordance with claim 58, further comprising instructions for retrieving a query pertaining to one of said capabilities from a knowledge base associated with said computer.
  - 60. A computer program in accordance wit claim 56, further comprising instructionsfor performing the software simulation of the network configuration model to determine the set of simulated IP traffic for all traversable paths in the topology of the plurality of network devices.
  - 61. The computer program of claim 56 wherein for comparing the set of simulated IP traffic associated with the first application on the first host server in the network configuration model to the required IP traffic associated with the first host server comprises:
    - instructions for determining whether the set of simulated IP traffic associated the first application on the first host server in the network configuration model exceeds the set of required IP traffic; and
      
      instructions for determining a the violation when the set of simulated IP traffic to the first application on the first host server is not limited to the set of required IP traffic.
  - 62. The computer program of claim 56 wherein for comparing the set of simulated IP traffic associated with the first application on the first host application server in the network configuration model to the required TIP traffic associated with the first host server comprises:
    - instructions for determining whether the set of simulated IP traffic associated the first application on the first host application server in the network configuration model includes less than all of the set of required IP traffic; and
      
      instructions for determining the violation when the set of simulated IP traffic to the first application on the first host application server in the network configuration model includes less than all of the set of required IP traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Redseal, Inc.
Original Assignee
Redseal Systems Incorporated
Inventors
Mayer, Alain Jules
Primary Examiner(s)
Lim, Krisna
Assistant Examiner(s)
REILLY, SEAN M

Application Number

US09/954,327
Publication Number

US 20020178246A1
Time in Patent Office

1,618 Days
Field of Search

709/203, 709220-224, 703/13, 703/21
US Class Current

709/223
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Method and apparatus for network wide policy-based analysis of configurations of devices

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

62 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for network wide policy-based analysis of configurations of devices

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

62 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links