Method and apparatus for reducing the number of tunnels used to implement a security policy on a network

US 7,107,613 B1
Filed: 03/27/2002
Issued: 09/12/2006
Est. Priority Date: 03/27/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for reducing a number of tunnels used to implement a security policy on a network, the method comprising:

selecting a set of tunnels for exchanging data packets between a first security device and a second security device;

each tunnel in the set of tunnels specifying a dimensional range for data packets that are subject to that tunnel;

determining a super tunnel for the set of tunnels, so that a dimensional range of the data packets that would be made subject to the super tunnel encompasses a dimensional range of the data packets that are subject to the set of tunnels;

determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels; and

in response to determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels, implementing the super tunnel between the first security device and the second security device;

wherein implementing the super tunnel reduces the number of tunnels used to implement the security policy on the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, the number of tunnels on a network may be reduced. A set of tunnels are selected which exchange data packets between a first security device and a second security device. Each tunnel in the set of tunnels specify a dimensional range for data packets that are subject to that tunnel. A super tunnel is determined to replace the set of tunnels, so that a dimensional range of the data packets that are made subject to the super tunnel encompass a dimensional range of the data packets that were made subject to the set of tunnels. A determination is made as to whether the super tunnel excludes data packets that are permitted by the first security device and the second security device, but not subject to any one of the tunnels other than tunnels in the set of tunnels. In response to determining that the tunnel excludes data packets that are permitted by the first security device and the second security device, but not subject to any one of the tunnels in the set of tunnels, the super tunnel is implemented between the first security device and the second security device.

Citations

34 Claims

1. A method for reducing a number of tunnels used to implement a security policy on a network, the method comprising:
- selecting a set of tunnels for exchanging data packets between a first security device and a second security device;
  
  each tunnel in the set of tunnels specifying a dimensional range for data packets that are subject to that tunnel;
  
  determining a super tunnel for the set of tunnels, so that a dimensional range of the data packets that would be made subject to the super tunnel encompasses a dimensional range of the data packets that are subject to the set of tunnels;
  
  determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels; and
  
  in response to determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels, implementing the super tunnel between the first security device and the second security device;
  
  wherein implementing the super tunnel reduces the number of tunnels used to implement the security policy on the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein:
    - selecting a set of tunnels for exchanging data packets between a first security device and a second security device includes selecting a set of entries in an access control list associated with one of the first security device or the second security device, each entry at least partially defining one of the tunnels in the set of tunnels; and
      
      determining a super tunnel for the set of tunnels includes determining a single entry in the access control list that may replace the set of entries.
  - 3. The method of claim 1, wherein:
    - selecting a set of tunnels for exchanging data packets between a first security device and a second security device includes selecting a set of entries in a crypto-access control list associated with one of the first security device or the second security device, each entry at least partially defining one of the tunnels in the set of tunnels; and
      
      determining a super tunnel for the set of tunnels includes determining a single entry in the crypto-access control list that may replace the set of entries.
  - 4. The method of claim 1, wherein determining a super tunnel for the set of tunnels includes determining a single entry in a crypto-access control list to replace a plurality of entries in the crypto-access control list corresponding to the set of tunnels, so that a first set of dimensional ranges specified by the single entry would encompass the data packets that were made subject to the set of tunnels.
  - 5. The method of claim 1, wherein:
    - determining a super tunnel for the set of tunnels includes determining a single entry in a crypto-access control list to replace a plurality of entries in the crypto-access control list corresponding to the set of tunnels, at least one of the source address range, the destination address range, and the service range specified by the single entry would encompass the data packets that are subject to the set of tunnels.
  - 6. The method of claim 1, wherein determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels includes determining that data packets, permitted on at least one of the first security device and the second security device and designated for a tunnel other than one of the tunnels in the set of tunnels, would not made subject to the super tunnel if the super tunnel is implemented.
  - 7. The method of claim 1, wherein determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels includes determining whether data packets that are designated as clear traffic on least one of the first security device and the second security device, would not be subject to the super tunnel.
  - 8. The method of claim 1, wherein:
    - selecting a set of tunnels includes selecting a first set of entries in a crypto-access control list on the first security device, each of the first set of entries forming one end for one of the tunnels in the set of tunnels;
      
      determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels includes;
      
      identifying a peer to the crypto-access control list, the peer containing a second set of entries, each of the second set of entries forming another end for one of the tunnels in the set of tunnels; and
      
      determining that data packets permitted by both the first security device and the second security device and designated for a tunnel other than one of the tunnels in the set of tunnels are not made subject to the super tunnel.
  - 9. The method of claim 1, further comprising:
    - selecting a set of tunnels includes selecting a first set of entries in a crypto-access control list on the first security device, each of the first set of entries forming one end for one of the tunnels in the set of tunnels;
      
      determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels includes;
      
      identifying a peer to the crypto-access control list, the peer containing a second set of entries, each of the second set of entries forming another end for one of the tunnels in the set of tunnels;
      
      determining that data packets designated by both the first security device and the second security device as clear traffic are not made subject to the super tunnel.

10. A method for reducing the number of tunnels used to implement a security policy on a network, the method comprising:
- identifying a super tunnel for servicing all of the data packets that are permissible by a plurality of select entries in a crypto-access control list of a first security device;
  
  determining whether the super tunnel can be implemented on the first security device without affecting data packets that are to pass through the first security device as clear traffic;
  
  determining whether the super tunnel can be implemented on the first security device without affecting data packets that are to pass through the first security device and be controlled by entries other than the plurality of select entries;
  
  in response to determining that the super tunnel can be implemented on the first security device without affecting data packets that are to pass through the first security device as clear traffic, and without affecting data packets that are to pass through the first security device and be serviced using entries other than the plurality of select entries, identifying on a second security device a corresponding plurality of select entries in a peer to the crypto-access control list on the first security device;
  
  determining whether the super tunnel can be implemented on the second security device without affecting data packets that are to pass through the second security device as clear traffic;
  
  determining whether the super tunnel can be implemented on the second security device without affecting data packets that are to pass through the second security device and be serviced using entries other than the corresponding plurality of select entries of the peer to the crypto-access control; and
  
  in response to determining that the super tunnel can be implemented on the first security device and on the second security device, implementing the tunnel to service select data packets that are permitted on the first security device and on the second security device.
- View Dependent Claims (11, 12)
- - 11. The method as recited in claim 10, further comprising determining a tunnel for controlling all of the data packets that are permissible by each entry in the crypto-access control list of the first security device.
  - 12. The method of claim 10, further comprising determining whether the super tunnel can be implemented on the first security device without affecting data packets that are to pass through the first security device and be serviced by entries in another crypto-access control list of the first security device.

13. A computer system configured to reduce a number of tunnels used to implement a security policy on a network, the computer system comprising:
- one or more storage mediums to store a first crypto-access control list associated with a first security device, and a second crypto-access control associated with a second security device, the second crypto-access control list being associated in the storage medium as a peer for the first crypto-access control list;
  
  a processor programmed to;
  
  identify a plurality of select entries in the first crypto-access control list that service a first plurality of data packets;
  
  determine a single entry to service the first plurality of data packets instead of the plurality of select entries;
  
  determine that the single entry does not service data packets permitted by the first security device other than data packets in the first plurality of data packets;
  
  identify a corresponding plurality of select entries of the second crypto-access control list on the second security device that service a second plurality of data packets;
  
  determine that the single entry does not service data packets permitted by the second security device other than data packets in the second plurality of data packets; and
  
  configure the first crypto-access control list and the second crypto-access control list to implement the single entry to service the first plurality of data packets and the second plurality of data packets.
- View Dependent Claims (14, 15)
- - 14. A computer system as recited in claim 13, wherein the processor is configured to determine that the single entry does not service data packets permitted by the first security device other than data packets in the first plurality of data packets by (i) determining that data packets designated to be passed through the first security device as clear traffic are not affected by the single entry, and (ii) determining that data packets designated to be controlled by entries other than the plurality of select entries in the first crypto-access control list are not affected by the single entry.
  - 15. A computer system as recited in claim 13, wherein the processor is configured to determine that the single entry does not service data packets permitted by the second security device other than data packets in the second plurality of data packets by (i) determining that data packets designated to be passed through the second security device as clear traffic are not affected by the single entry, and (ii) determining that data packets designated to be controlled by entries other than entries in the corresponding plurality of select entries in the second crypto-access control list are not affected by the single entry.

16. A computer-readable storage medium for reducing a number of tunnels used to implement a security policy on a network, the computer-readable medium carrying instructions for performing the steps of:
- selecting a set of tunnels for exchanging data packets between a first security device and a second security device, each tunnel in the set of tunnels specifying a dimensional range for data packets that are subject to that tunnel;
  
  determining a super tunnel for the set of tunnels, so that a dimensional range of the data packets that would be made subject to the super tunnel encompasses a dimensional range of the data packets that are subject to the set of tunnels;
  
  determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels; and
  
  in response to determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels, implementing the super tunnel between the first security device and the second security device;
  
  wherein implementing the super tunnel reduces the number of tunnels used to implement the security policy on the network.

17. An apparatus for reducing a number of tunnels used to implement a security policy on a network, the apparatus comprising:
- means for selecting a set of tunnels for exchanging data packets between a first security device and a second security device, each tunnel in the set of tunnels specifying a dimensional range for data packets that are subject to that tunnel;
  
  means for determining a super tunnel to replace the set of tunnels, so that a dimensional range of the data packets that would be made subject to the super tunnel encompasses a dimensional range of the data packets that are subject to the set of tunnels;
  
  means for determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels; and
  
  means for implementing the super tunnel between the first security device and the second security device in response to determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels;
  
  wherein implementing the super tunnel reduces the number of tunnels used to implement the security policy on the network.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The apparatus of claim 17, wherein:
    - the means for selecting a set of tunnels for exchanging data packets between a first security device and a second security device include means for selecting a set of entries in an access control list associated with one of the first security device or the second security device, each entry at least partially defining one of the tunnels in the set of tunnels; and
      
      the means for determining a super tunnel for the set of tunnels include means for determining a single entry in the access control list that may replace the set of entries.
  - 19. The apparatus of claim 17, wherein:
    - the means for selecting a set of tunnels for exchanging data packets between a first security device and a second security device include means for selecting a set of entries in a crypto-access control list associated with one of the first security device or the second security device, each entry at least partially defining one of the tunnels in the set of tunnels; and
      
      the means for determining a super tunnel for the set of tunnels include means for determining a single entry in the crypto-access control list that may replace the set of entries.
  - 20. The apparatus of claim 17, wherein the means for determining a super tunnel for the set of tunnels include means for determining a single entry in a crypto-access control list to replace a plurality of entries in the crypto-access control list corresponding to the set of tunnels, so that a first set of dimensional ranges specified by the single entry would encompass the data packets that were made subject to the set of tunnels.
  - 21. The apparatus of claim 17, wherein the means for determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels include means for determining that data packets, permitted on at least one of the first security device and the second security device and designated for a tunnel other than one of the tunnels in the set of tunnels, would not made subject to the super tunnel if the super tunnel is implemented.
  - 22. The apparatus of claim 17, wherein the means for determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels include means for determining whether data packets that are designated as clear traffic on least one of the first security device and the second security device would not be subject to the super tunnel.
  - 23. The apparatus of claim 17, wherein:
    - the means for selecting a set of tunnels includes means for selecting a first set of entries in a crypto-access control list on the first security device, each of the first set of entries forming one end for one of the tunnels in the set of tunnels;
      
      the means for determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels include;
      
      means for identifying a peer to the crypto-access control list, the peer containing a second set of entries, each of the second set of entries forming another end for one of the tunnels in the set of tunnels; and
      
      means for determining that data packets permitted by both the first security device and the second security device and designated for a tunnel other than one of the tunnels in the set of tunnels are not made subject to the super tunnel.
  - 24. The apparatus of claim 17, wherein:
    - the means for selecting a set of tunnels include means for selecting a first set of entries in a crypto-access control list on the first security device, each of the first set of entries forming one end for one of the tunnels in the set of tunnels;
      
      the means for determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels include;
      
      means for identifying a peer to the crypto-access control list, the peer containing a second set of entries, each of the second set of entries forming another end for one of the tunnels in the set of tunnels; and
      
      means for determining that data packets designated by both the first security device and the second security device as clear traffic are not made subject to the super tunnel.

25. An apparatus for reducing a number of tunnels used to implement a security policy on a network, the apparatus comprising:
- one or more processors; and
  
  a computer-readable storage medium coupled to one or more of the processors and comprising one or more stored sequences of instructions which, when executed by one or more of the processors, cause one or more of the processors to perform steps comprising;
  
  selecting a set of tunnels for exchanging data packets between a first security device and a second security device, each tunnel in the set of tunnels specifying a dimensional range for data packets that are subject to that tunnel;
  
  determining a super tunnel for the set of tunnels, so that a dimensional range of the data packets that would be made subject to the super tunnel encompasses a dimensional range of the data packets that are subject to the set of tunnels;
  
  determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels; and
  
  in response to determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels, implementing the super tunnel between the first security device and the second security device;
  
  wherein implementing the super tunnel reduces the number of tunnels used to implement the security policy on the network.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32)
- - 26. The apparatus of claim 25, wherein:
    - selecting a set of tunnels for exchanging data packets between a first security device and a second security device includes selecting a set of entries in an access control list associated with one of the first security device or the second security device, each entry at least partially defining one of the tunnels in the set of tunnels; and
      
      determining a super tunnel for the set of tunnels includes determining a single entry in the access control list that may replace the set of entries.
  - 27. The apparatus of claim 25, wherein:
    - selecting a set of tunnels for exchanging data packets between a first security device and a second security device includes selecting a set of entries in a crypto-access control list associated with one of the first security device or the second security device, each entry at least partially defining one of the tunnels in the set of tunnels; and
      
      determining a super tunnel for the set of tunnels includes determining a single entry in the crypto-access control list that may replace the set of entries.
  - 28. The apparatus of claim 25, wherein determining a super tunnel for the set of tunnels includes determining a single entry in a crypto-access control list to replace a plurality of entries in the crypto-access control list corresponding to the set of tunnels, so that a first set of dimensional ranges specified by the single entry would encompass the data packets that were made subject to the set of tunnels.
  - 29. The apparatus of claim 25, wherein determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels includes determining that data packets, permitted on at least one of the first security device and the second security device and designated for a tunnel other than one of the tunnels in the set of tunnels, would not made subject to the super tunnel if the super tunnel is implemented.
  - 30. The apparatus of claim 25, wherein determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels includes determining whether data packets that are designated as clear traffic on least one of the first security device and the second security device would not be subject to the super tunnel.
  - 31. The apparatus of claim 25, wherein:
    - selecting a set of tunnels includes selecting a first set of entries in a crypto-access control list on the first security device, each of the first set of entries forming one end for one of the tunnels in the set of tunnels;
      
      determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels includes;
      
      identifying a peer to the crypto-access control list, the peer containing a second set of entries, each of the second set of entries forming another end for one of the tunnels in the set of tunnels; and
      
      determining that data packets permitted by both the first security device and the second security device and designated for a tunnel other than one of the tunnels in the set of tunnels are not made subject to the super tunnel.
  - 32. The apparatus of claim 25, wherein:
    - selecting a set of tunnels includes selecting a first set of entries in a crypto-access control list on the first security device, each of the first set of entries forming one end for one of the tunnels in the set of tunnels;
      
      determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels includes;
      
      identifying a peer to the crypto-access control list, the peer containing a second set of entries, each of the second set of entries forming another end for one of the tunnels in the set of tunnels;
      
      determining that data packets designated by both the first security device and the second security device as clear traffic are not made subject to the super tunnel.

33. An apparatus for reducing a number of tunnels used to implement a security policy on a network, the apparatus comprising:
- one or more processors; and
  
  a computer-readable storage medium coupled to one or more of the processors and comprising one or more stored sequences of instructions which, when executed by one or more of the processors, cause one or more of the processors to perform steps comprising;
  
  selecting a set of tunnels for exchanging data packets between a first security device and a second security device, each tunnel in the set of tunnels specifying a dimensional range for data packets that are subject to that tunnel;
  
  determining a super tunnel for the set of tunnels, so that a dimensional range of the data packets that would be made subject to the super tunnel encompasses a dimensional range of the data packets that are subject to the set of tunnels, wherein determining the super tunnel for the set of tunnels includes determining a single entry in a crypto-access control list to replace a plurality of entries in the crypto-access control list corresponding to the set of tunnels, so that a first set of dimensional ranges specified by the single entry would encompass the data packets that were made subject to the set of tunnels;
  
  determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels; and
  
  in response to determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels, implementing the super tunnel between the first security device and the second security device.

34. An apparatus for reducing a number of tunnels used to implement a security policy on a network, the apparatus comprising:
- one or more processors; and
  
  a computer-readable storage medium coupled to one or more of the processors and comprising one or more stored sequences of instructions which, when executed by one or more of the processors, cause one or more of the processors to perform steps comprising;
  
  selecting a set of tunnels for exchanging data packets between a first security device and a second security device, each tunnel in the set of tunnels specifying a dimensional range for data packets that are subject to that tunnel, wherein selecting the set of tunnels for exchanging data packets between the first security device and the second security device includes selecting a set of entries in an list associated with one of the first security device and the second security device, each entry at least partially defining one of the tunnels in the set of tunnels;
  
  determining a super tunnel for the set of tunnels, so that a dimensional range of the data packets that would be made subject to the super tunnel encompasses a dimensional range of the data packets that are subject to the set of tunnels, wherein determining the super tunnel for the set of tunnels includes determining a single entry in the list that may replace the set of entries;
  
  determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels; and
  
  in response to determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels, implementing the super tunnel between the first security device and the second security device;
  
  wherein the list is one of an access control list and a crypto-access control list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Hinrichs, Susan, Bhattacharya, Partha, Chen, Shigang
Primary Examiner(s)
Smithers, Matthew

Application Number

US10/109,387
Time in Patent Office

1,630 Days
Field of Search

726/14, 726/15, 726/13, 709/241
US Class Current

726/14
CPC Class Codes

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 67/14   Session management for real...

Method and apparatus for reducing the number of tunnels used to implement a security policy on a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for reducing the number of tunnels used to implement a security policy on a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links