Method and apparatus for deploying configuration instructions to security devices in order to implement a security policy on a network
First Claim
1. A method for deploying configuration instructions to security devices in order to implement a security policy in a network, the method comprising the computer-implemented steps of:
detecting that implementing a security policy will cause an address translation alteration in a packet communicated between a management source and a plurality of security devices for implementing the security policy on the network;
identifying, from among the plurality of security devices, one or more sets of security devices that have one or more configuration dependencies as a result of the address translation alteration if the security policy is implemented; and
sending one or more configuration instructions from the management source to each of the one or more sets of security devices using an order that is determined based on the one or more configuration dependencies, resulting in implementing the security policy on the network.
Abstract
A method and apparatus for deploying configuration instructions to security devices in order to implement a security policy on a network are disclosed. An address translation alteration performed on packets communicated between a management source and a plurality of security devices, resulting from implementation of a proposed new network security policy, is detected. One or more sets of security devices are identified that would each have one or more configuration dependencies as a result of the address translation alteration. Configuration instructions are sent from the management source to each of the one or more sets of security devices using an order determined by the identified configuration dependencies. The configuration instructions are used to implement the security policy on the network. As a result, firewalls and similar devices are properly configured for a new policy without inadvertently causing traffic blockages arising from configuration dependencies.
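The abstract describes three steps: detect which devices' address translation changes under the proposed policy, work out which devices depend on one another because a management packet to them crosses a device whose translation changes, and push configuration in an order that honours those dependencies. The following added example (not the patent's or any vendor's code) models that procedure with a constructed topology: device names, management paths, and the NAT tuples are hypothetical, and a device's management path is supplied as data rather than derived from routing state as a real system would. It also handles the failure mode the abstract is guarding against, a cyclic dependency for which no safe push order exists.

```python
"""Dependency-ordered deployment of firewall configuration changes.

Added example, not the patent's own code. A device that sits on the
management path to other devices and whose address translation changes
under the new policy must be reconfigured only after the devices behind
it have received their instructions under the old translation.
"""
import heapq
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """A managed security device plus the hops a management packet crosses
    between the management source and this device (hypothetical model)."""
    name: str
    mgmt_path: tuple = ()


def changed_translation_devices(old_policy, new_policy):
    """Step 1: detect devices whose NAT rules differ between the policies.
    A policy maps device name -> tuple of (inside, translated) pairs."""
    names = set(old_policy) | set(new_policy)
    return {n for n in names if old_policy.get(n, ()) != new_policy.get(n, ())}


def configuration_dependencies(devices, nat_changed):
    """Step 2: return (first, second) pairs meaning 'first must be configured
    before second'. A device whose management path crosses a NAT-changing
    device must be configured before that device is reconfigured."""
    deps = []
    for dev in devices:
        for hop in dev.mgmt_path:
            if hop in nat_changed and hop != dev.name:
                deps.append((dev.name, hop))
    return deps


def deployment_order(devices, deps):
    """Step 3: Kahn's topological sort so every 'first' precedes its 'second'.
    Unconstrained devices are emitted in name order for determinism.
    A cycle means no safe order exists and is reported, not guessed around."""
    indegree = {d.name: 0 for d in devices}
    successors = defaultdict(list)
    for first, second in deps:
        successors[first].append(second)
        indegree[second] += 1
    ready = [n for n, k in indegree.items() if k == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        name = heapq.heappop(ready)
        order.append(name)
        for nxt in successors[name]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                heapq.heappush(ready, nxt)
    if len(order) != len(indegree):
        stuck = sorted(n for n, k in indegree.items() if k > 0)
        raise ValueError(f"cyclic configuration dependency among {stuck}")
    return order


def has_safe_order(devices, deps):
    """True when a push order satisfying every dependency exists."""
    try:
        deployment_order(devices, deps)
        return True
    except ValueError:
        return False


def plan_deployment(devices, old_policy, new_policy):
    """Run all three steps and return the push order."""
    changed = changed_translation_devices(old_policy, new_policy)
    return deployment_order(devices, configuration_dependencies(devices, changed))


# Constructed sample topology; names and addresses are hypothetical.
DEVICES = (
    Device("FW-EDGE"),
    Device("FW-DMZ", mgmt_path=("FW-EDGE",)),
    Device("FW-BRANCH", mgmt_path=("FW-EDGE", "FW-DMZ")),
    Device("FW-CORE"),
)
OLD_POLICY = {
    "FW-EDGE": (("10.0.0.0/24", "203.0.113.10"),),
    "FW-DMZ": (("10.0.1.0/24", "203.0.113.11"),),
    "FW-BRANCH": (),
    "FW-CORE": (),
}
NEW_POLICY = {
    "FW-EDGE": (("10.0.0.0/24", "203.0.113.20"),),  # translated address changes
    "FW-DMZ": (("10.0.1.0/24", "203.0.113.11"),),   # unchanged
    "FW-BRANCH": (),
    "FW-CORE": (("10.1.0.0/24", "198.51.100.5"),),  # new NAT, nothing managed behind it
}

if __name__ == "__main__":
    print(plan_deployment(DEVICES, OLD_POLICY, NEW_POLICY))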
28 Claims
1. A method for deploying configuration instructions to security devices in order to implement a security policy in a network, the method comprising the computer-implemented steps of:
detecting that implementing a security policy will cause an address translation alteration in a packet communicated between a management source and a plurality of security devices for implementing the security policy on the network;
identifying, from among the plurality of security devices, one or more sets of security devices that have one or more configuration dependencies as a result of the address translation alteration if the security policy is implemented; and
sending one or more configuration instructions from the management source to each of the one or more sets of security devices using an order that is determined based on the one or more configuration dependencies, resulting in implementing the security policy on the network.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10)
11. A method for deploying configuration instructions to security devices in order to implement a security policy in a network, the method comprising the computer-implemented steps of:
detecting that the security policy creates a change of one or more configuration dependencies as compared with an existing security policy, each configuration dependency corresponding to at least a first security device having to be configured before a second security device is configured in order for the first security device to receive its configuration instructions for implementing the security policy from a management source; and
deploying configuration instructions to one or more security devices to implement the security policy according to an order determined by the one or more configuration dependencies.
(Dependent claims: 12, 13, 14, 15, 16)
17. A computer-readable medium for deploying configuration instructions to security devices in order to implement a security policy in a network, the computer-readable medium carrying instructions for implementing the steps of:
detecting that implementing a security policy will cause an address translation alteration in a packet communicated between a management source and a plurality of security devices for implementing the security policy on the network;
identifying, from among the plurality of security devices, one or more sets of security devices that have one or more configuration dependencies as a result of the address translation alteration if the security device is implemented; and
sending one or more configuration instructions from the management source to each of the one or more sets of security devices using an order that is determined based on the one or more configuration dependencies, resulting in implementing the security policy on the network.
(Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25, 26)
27. A computer system for deploying configuration instructions to security devices in order to implement a security policy in a network, the computer system comprising:
means for detecting that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices for implementing the security device on the network;
means for identifying, from the plurality of security devices, one or more sets of security devices that would each have one or more configuration dependencies as a result of the address translation alteration; and
means for sending configuration instructions from the management source to each of the one or more sets of security devices in order to implement the security policy.
28. A management device for deploying configuration instructions to a plurality of security devices in order to implement a security policy on a network, the management device comprising:
a processor configured to:
detect that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices for implementing the security device on the network;
identify, from the plurality of security devices, one or more sets of security devices that would each have one or more configuration dependencies as a result of the address translation alteration; and
send configuration instructions from the management source to each of the one or more sets of security devices using an order that is determined by the one or more configuration dependencies, so as to implement the security policy on the network.