Method and apparatus for deploying configuration instructions to security devices in order to implement a security policy on a network

US 7,093,283 B1
Filed: 02/15/2002
Issued: 08/15/2006
Est. Priority Date: 02/15/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for deploying configuration instructions to security devices in order to implement a security policy in a network, the method comprising the computer-implemented steps of:

detecting that implementing a security policy will cause an address translation alteration in a packet communicated between a management source and a plurality of security devices for implementing the security policy on the network;

identifying, from among the plurality of security devices, one or more sets of security devices that have one or more configuration dependencies as a result of the address translation alteration if the security policy is implemented; and

sending one or more configuration instructions from the management source to each of the one or more sets of security devices using an order that is determined based on the one or more configuration dependencies, resulting in implementing the security policy on the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for deploying configuration instructions to security devices in order to implement a security policy on a network are disclosed. An address translation alteration performed on packets communicated between a management source and a plurality of security devices, resulting from implementation of a proposed new network security policy, is detected. One or more sets of security devices are identified that would each have one or more configuration dependencies as a result of the address translation alteration. Configuration instructions are sent from the management source to each of the one or more sets of security devices using an order determined by the identified configuration dependencies. The configuration instructions are used to implement the security policy on the network. As a result, firewalls and similar devices are properly configured for a new policy without inadvertently causing traffic blockages arising from configuration dependencies.

Citations

28 Claims

1. A method for deploying configuration instructions to security devices in order to implement a security policy in a network, the method comprising the computer-implemented steps of:
- detecting that implementing a security policy will cause an address translation alteration in a packet communicated between a management source and a plurality of security devices for implementing the security policy on the network;
  
  identifying, from among the plurality of security devices, one or more sets of security devices that have one or more configuration dependencies as a result of the address translation alteration if the security policy is implemented; and
  
  sending one or more configuration instructions from the management source to each of the one or more sets of security devices using an order that is determined based on the one or more configuration dependencies, resulting in implementing the security policy on the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method as recited in claim 1, wherein sending configuration instructions from the management source to the one or more sets of security devices includes sending configuration instructions to multiple sets of security devices in parallel, wherein each of the multiple sets of security devices includes one or more configuration dependencies.
  - 3. A method as recited in claim 2, wherein:
    - identifying one or more sets of security devices that would each have one or more configuration dependencies as a result of the address translation alteration includes identifying a first network path that interconnects the management source and a first set of the one or more security devices in series, and a second network path that interconnects the management source and a second set of the one or more security devices in series; and
      
      sending configuration instructions to multiple sets of security devices in parallel includes sending configuration instructions to one or more security devices on the first network path and on the second network path concurrently, and independently of one another, using the order determined by the one or more configuration dependencies.
  - 4. A method as recited in claim 1, wherein:
    - identifying one or more sets of security devices that would each have one or more configuration dependencies as a result of the address translation alteration includes identifying a first network path that interconnects the management source and a first set of the one or more security devices in series, and a second network path that interconnects the management source and a second set of the one or more security devices in series;
      
      sending configuration instructions from the management source to each of the one or more sets of security devices includes sending configuration instructions to one or more security devices on the first network path and on the second network path in parallel; and
      
      sending configuration instructions to one or more security devices on the first network path includes sending configuration instructions to at least some of the security devices on the first network path sequentially, beginning with a first security device on the first network path that is ordered to be a last one of the security devices on the first network path to receive communications from the management source.
  - 5. A method as recited in claim 1, wherein:
    - detecting that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices includes detecting that implementing the security policy will cause a natural address translation between the management source and one of the plurality of security devices.
  - 6. The method as recited in claim 1, wherein:
    - detecting that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices includes detecting that implementing the security policy will cause a static address translation between the management source and one of the plurality of security devices.
  - 7. A method as recited in claim 1, wherein:
    - detecting that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices includes detecting that implementing the security policy will cause a tunneling translation between the management source and one of the plurality of security devices.
  - 8. A method as recited in claim 1, wherein:
    - detecting that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices includes detecting that implementing the security policy will cause a natural address translation;
      
      identifying one or more sets of security devices that would each have one or more configuration dependencies as a result of the address translation alteration includes identifying a first network path that interconnects the management source and a first set of the one or more security devices in series; and
      
      sending configuration instructions from the management source to one or more sets of security devices includes sending configuration instructions to at least some of the security devices on the first network sequentially, beginning with a first security device on the first network path that is ordered to be a last one of the security devices on the first network path to receive communications from the management source.
  - 9. A method as recited in claim 1, wherein:
    - detecting that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices includes detecting that implementing the security policy will cause a static address translation on the first network path; and
      
      identifying one or more sets of security devices that would each have one or more configuration dependencies as a result of the address translation alteration includes identifying a first network path that interconnects the management source and a first set of the one or more security devices in series;
      
      sending configuration instructions from the management source to one or more sets of security devices includes sending configuration instructions to one or more security devices on the first network path using the order of either (i) sending configuration instructions to each security device of the first network path that is ordered in series between the management source and the static address translation before sending configuration instructions from the management source to any of the other security devices that are ordered in series after the static address translation, or (ii) sending configuration instructions to all of the other security devices that are ordered in series after the static address translation before sending configuration instructions from the management source to each security device that is ordered between the management source and the static address translation.
  - 10. A method as recited in claim 1, wherein:
    - detecting that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices includes detecting that implementing the security policy will cause a tunneling translation on the first network path; and
      
      identifying one or more sets of security devices that would each have one or more configuration dependencies as a result of the address translation alteration includes identifying a first network path that interconnects the management source and a first set of the one or more security devices in series;
      
      sending configuration instructions from the management source to one or more sets of security devices includes sending configuration instructions to one or more security devices on the first network path using the order of either (i) sending configuration instructions to each security device of the first network path that is ordered in series between the management source and the static address translation before sending configuration instructions from the management source to any of the other security devices that are ordered in series after the static translation, or (ii) sending configuration instructions to all of the other security devices that are ordered in series after the static translation before sending configuration instructions from the management source to each security device that is ordered between the management source and the tunneling translation.

11. A method for deploying configuration instructions to security devices in order to implement a security policy in a network, the method comprising the computer-implemented steps of:
- detecting that the security policy creates a change of one or more configuration dependencies as compared with an existing security policy, each configuration dependency corresponding to at least a first security device having to be configured before a second security device is configured in order for the first security device to receive its configuration instructions for implementing the security policy from a management source; and
  
  deploying configuration instructions to one or more security devices to implement the security policy according to an order determined by the one or more configuration dependencies.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. A method as recited in claim 11, wherein deploying configuration instructions includes deploying, for a network path containing at least a first configuration dependency of the one or more configuration dependencies, configuration instructions to a first security device of the first configuration dependency before deploying configuration instructions to a second security device of the first configuration dependency, wherein the first security device has to be configured before the second security device in order for the first security device to receive its configuration instructions for implementing the security policy from the management source.
  - 13. A method as recited in claim 11, further comprising creating a schedule to implement the security policy to account for the change in the one or more configuration dependencies, and wherein deploying configuration instructions to one or more security devices includes using the schedule to deploy the configuration instructions.
  - 14. A method as recited in claim 13, wherein deploying configuration instructions includes deploying in parallel the configuration instructions to each of the first security devices in the one or more configuration dependencies.
  - 15. A method as recited in claim 11, wherein detecting that the security policy creates a change of one or more configuration dependencies from an existing security policy includes detecting the addition, deletion or modification of an address translation in a network path between the one or more security devices and the policy manager.
  - 16. A method as recited in claim 14, further comprising detecting the addition, deletion or modification of the address translation selected from an address translation type consisting of a natural address translation type, a reverse address translation type, and a tunnel translation.

17. A computer-readable medium for deploying configuration instructions to security devices in order to implement a security policy in a network, the computer-readable medium carrying instructions for implementing the steps of:
- detecting that implementing a security policy will cause an address translation alteration in a packet communicated between a management source and a plurality of security devices for implementing the security policy on the network;
  
  identifying, from among the plurality of security devices, one or more sets of security devices that have one or more configuration dependencies as a result of the address translation alteration if the security device is implemented; and
  
  sending one or more configuration instructions from the management source to each of the one or more sets of security devices using an order that is determined based on the one or more configuration dependencies, resulting in implementing the security policy on the network.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 18. A computer-readable medium as recited in claim 17, wherein instructions for sending one or more configuration instructions from the management source to each of the one or more sets of security devices include instructions for sending configuration instructions to multiple sets of security devices in parallel, wherein each of the multiple sets of security devices includes one or more configuration dependencies.
  - 19. A computer-readable medium as recited in claim 18, wherein:
    - instructions for identifying one or more sets of security devices that would each have one or more configuration dependencies as a result of the address translation alteration include instructions for identifying a first network path that interconnects the management source and a first set of the one or more security devices in series, and a second network path that interconnects the management source and a second set of the one or more security devices in series; and
      
      instructions for sending one or more configuration instructions to multiple sets of security devices in parallel include instructions for sending configuration instructions to one or more security devices on the first network path and on the second network path concurrently, and independently of one another.
  - 20. A computer-readable medium as recited in claim 17, wherein:
    - instructions for identifying one or more sets of security devices that would each have one or more configuration dependencies as a result of the address translation alteration include instructions for identifying a first network path that interconnects the management source and a first set of the one or more security devices in series, and a second network path that interconnects the management source and a second set of the one or more security devices in series;
      
      instructions for sending one or more configuration instructions from the management source to each of the one or more sets of security devices 1 include sending configuration instructions to one or more security devices on the first network path and on the second network path in parallel, including for sending configuration instructions to at least some of the security devices on the first network path sequentially, beginning with a first security device on the first network path that is ordered to be a last one of the security devices on the first network path to receive communications from the management source.
  - 21. A computer-readable medium as recited in claim 17, wherein:
    - instructions for detecting that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices include instructions for detecting that implementing the security policy will cause a natural address translation between the management source and one of the plurality of security devices.
  - 22. The computer-readable medium as recited in claim 17, wherein:
    - instructions for detecting that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices include instructions for detecting that implementing the security policy will cause a static address translation between the management source and one of the plurality of security devices.
  - 23. A computer-readable medium as recited in claim 17, wherein:
    - instructions for detecting that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices include instructions for detecting that implementing the security policy will cause a tunneling translation between the management source and one of the plurality of security devices.
  - 24. A computer-readable medium as recited in claim 17, wherein:
    - instructions for detecting that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices include instructions for detecting that implementing the security policy will cause a natural address translation;
      
      instructions for identifying one or more sets of security devices that would each have one or more configuration dependencies as a result of the address translation alteration include instructions for identifying a first network path that interconnects the management source and a first set of the one or more security devices in series; and
      
      instructions for sending one or more configuration instructions from the management source to one or more sets of security devices include instructions for sending configuration instructions to at least some of the security devices on the first network sequentially, beginning with a first security device on the first network path that is ordered to be a last one of the security devices on the first network path to receive communications from the management source.
  - 25. A computer-readable medium as recited in claim 17, wherein:
    - instructions for detecting that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices include instructions for detecting that implementing the security policy will cause a static address translation on the first network path;
      
      instructions for identifying one or more sets of security devices that would each have one or more configuration dependencies as a result of the address translation alteration include instructions for identifying a first network path that interconnects the management source and a first set of the one or more security devices in series; and
      
      instructions for sending configuration instructions from the management source to one or more sets of security devices include instructions for sending configuration instructions to one or more security devices on the first network path using the order of either (i) sending configuration instructions to each security device of the first network path that is ordered in series between the management source and the static address translation before sending configuration instructions from the management source to any of the other security devices that are ordered in series after the static address translation, or (ii) sending configuration instructions to all of the other security devices that are ordered in series after the static address translation before sending configuration instructions from the management source to each security device that is ordered between the management source and the static address translation.
  - 26. A computer-readable medium as recited in claim 17, wherein:
    - instructions for detecting that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices include instructions for detecting that implementing the security policy will cause a tunneling translation on the first network path;
      
      instructions for identifying one or more sets of security devices that would each have one or more configuration dependencies as a result of the address translation alteration include instructions for identifying a first network path that interconnects the management source and a first set of the one or more security devices in series; and
      
      instructions for configuration instructions from the management source to one or more sets of security devices include instructions for sending configuration instructions to one or more security devices on the first network path using the order of either (i) sending configuration instructions to each security device of the first network path that is ordered in series between the management source and the static address translation before sending configuration instructions from the management source to any of the other security devices that are ordered in series after the static translation, or (ii) sending configuration instructions to all of the other security devices that are ordered in series after the static translation before sending configuration instructions from the management source to each security device that is ordered between the management source and the tunneling translation.

27. A computer system for deploying configuration instructions to security devices in order to implement a security policy in a network, the computer system comprising:
- means for detecting that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices for implementing the security device on the network;
  
  means for identifying, from the plurality of security devices, one or more sets of security devices that would each have one or more configuration dependencies as a result of the address translation alteration; and
  
  means for sending configuration instructions from the management source to each of the one or more sets of security devices in order to implement the security policy.

28. A management device for deploying configuration instructions to a plurality of security devices in order to implement a security policy on a network, the management device comprising:
- a processor configured to;
  
  detect that implementing the security policy will cause an address translation alteration between a management source and a plurality of security devices for implementing the security device on the network;
  
  identify, from the plurality of security devices, one or more sets of security devices that would each have one or more configuration dependencies as a result of the address translation alteration; and
  
  send configuration instructions from the management source to each of the one or more sets of security devices using an order that is determined by the one or more configuration dependencies, so as to implement the security policy on the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Bhattacharya, Partha, Chen, Shigang
Primary Examiner(s)
Louis-Jacques, Jacques H.
Assistant Examiner(s)
Tran, Ellen C

Application Number

US10/078,061
Time in Patent Office

1,642 Days
Field of Search

713/153, 726/13, 726/14, 726/11, 726/6, 726/3, 726/12, 709/242
US Class Current

726/6
CPC Class Codes

H04L 63/104 Grouping of entities

H04L 63/20 for managing network securi...

Method and apparatus for deploying configuration instructions to security devices in order to implement a security policy on a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for deploying configuration instructions to security devices in order to implement a security policy on a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links