Method and apparatus for reducing the number of tunnels used to implement a security policy on a network
Abstract
According to one embodiment, the number of tunnels on a network may be reduced. A set of tunnels is selected which exchange data packets between a first security device and a second security device. Each tunnel in the set specifies a dimensional range for the data packets that are subject to that tunnel. A super tunnel is determined to replace the set of tunnels, so that the dimensional range of the data packets made subject to the super tunnel encompasses the dimensional ranges of the data packets that were subject to the set of tunnels. A determination is then made as to whether the super tunnel excludes data packets that are permitted by the first security device and the second security device but are not subject to any of the tunnels in the set (that is, clear traffic and traffic belonging to other tunnels). In response to determining that the super tunnel excludes such packets, the super tunnel is implemented between the first security device and the second security device.
Claims (34)
1. A method for reducing a number of tunnels used to implement a security policy on a network, the method comprising:
selecting a set of tunnels for exchanging data packets between a first security device and a second security device;
each tunnel in the set of tunnels specifying a dimensional range for data packets that are subject to that tunnel;
determining a super tunnel for the set of tunnels, so that a dimensional range of the data packets that would be made subject to the super tunnel encompasses a dimensional range of the data packets that are subject to the set of tunnels;
determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels; and
in response to determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels, implementing the super tunnel between the first security device and the second security device;
wherein implementing the super tunnel reduces the number of tunnels used to implement the security policy on the network.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9 (not reproduced on this page).
10. A method for reducing the number of tunnels used to implement a security policy on a network, the method comprising:
identifying a super tunnel for servicing all of the data packets that are permissible by a plurality of select entries in a crypto-access control list of a first security device;
determining whether the super tunnel can be implemented on the first security device without affecting data packets that are to pass through the first security device as clear traffic;
determining whether the super tunnel can be implemented on the first security device without affecting data packets that are to pass through the first security device and be controlled by entries other than the plurality of select entries;
in response to determining that the super tunnel can be implemented on the first security device without affecting data packets that are to pass through the first security device as clear traffic, and without affecting data packets that are to pass through the first security device and be serviced using entries other than the plurality of select entries, identifying on a second security device a corresponding plurality of select entries in a peer to the crypto-access control list on the first security device;
determining whether the super tunnel can be implemented on the second security device without affecting data packets that are to pass through the second security device as clear traffic;
determining whether the super tunnel can be implemented on the second security device without affecting data packets that are to pass through the second security device and be serviced using entries other than the corresponding plurality of select entries of the peer to the crypto-access control list; and
in response to determining that the super tunnel can be implemented on the first security device and on the second security device, implementing the super tunnel to service select data packets that are permitted on the first security device and on the second security device.
Dependent claims: 11, 12 (not reproduced on this page).
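The merge check described in the abstract and in claims 1 and 10, worked through as an added Python example (this is not the patent's own code, nor any vendor's implementation). A tunnel's dimensional range is modelled as a box over three inclusive integer ranges: source address, destination address and IP protocol number. The device names, addresses and rule sets are constructed sample data, and the coordinate-compression coverage test in covered_by is this example's own way of deciding whether a region of the super tunnel is fully covered by the selected entries; the patent does not prescribe that method.

```python
"""Super-tunnel merge check (added example; not the patent's or a vendor's code).

Each crypto-ACL entry is a box over three dimensions, each an inclusive
(lo, hi) integer range: (source address, destination address, IP protocol).
All rule sets, addresses and peers below are constructed sample data."""
from ipaddress import ip_network
from itertools import product

def net(cidr):
    """CIDR string -> inclusive (lo, hi) integer address range."""
    n = ip_network(cidr)
    return (int(n.network_address), int(n.broadcast_address))

def box(src, dst, proto=(0, 255)):
    """One crypto-ACL entry: (src range, dst range, protocol range)."""
    return (net(src), net(dst), proto)

def mirror(b):
    """Peer-side view of an entry: src and dst swap, protocol is unchanged."""
    return (b[1], b[0], b[2])

def intersect(a, b):
    """Box intersection, or None when the boxes share no packet."""
    out = []
    for (alo, ahi), (blo, bhi) in zip(a, b):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo > hi:
            return None
        out.append((lo, hi))
    return tuple(out)

def contains(b, point):
    return all(lo <= p <= hi for (lo, hi), p in zip(b, point))

def super_tunnel(entries):
    """Smallest box encompassing every selected entry (the 'super tunnel')."""
    dims = range(len(entries[0]))
    return tuple((min(e[d][0] for e in entries), max(e[d][1] for e in entries)) for d in dims)

def covered_by(region, entries):
    """True iff every packet in `region` matches at least one entry.
    Coordinate compression: cut each dimension at every entry boundary that
    falls inside the region. Each resulting cell lies wholly inside or wholly
    outside each entry, so probing one point per cell decides coverage exactly."""
    cuts = []
    for d, (lo, hi) in enumerate(region):
        pts = {lo, hi + 1}
        for e in entries:
            elo, ehi = e[d]
            if lo <= elo <= hi + 1:
                pts.add(elo)
            if lo <= ehi + 1 <= hi + 1:
                pts.add(ehi + 1)
        cuts.append(sorted(pts))
    for idx in product(*(range(len(c) - 1) for c in cuts)):
        point = tuple(cuts[d][i] for d, i in enumerate(idx))
        if not any(contains(e, point) for e in entries):
            return False
    return True

def check_super_tunnel(selected, clear_rules, other_tunnels):
    """One device's test (claims 1 and 10): the super tunnel may carry only packets
    already subject to the selected entries. A clear-traffic permit or another
    tunnel's entry whose overlap with the super tunnel is not fully covered by the
    selected set would be captured by the merge, so it is reported as a conflict."""
    sup = super_tunnel(selected)
    conflicts = []
    for label, rules in (("clear", clear_rules), ("other-tunnel", other_tunnels)):
        for r in rules:
            overlap = intersect(r, sup)
            if overlap is not None and not covered_by(overlap, selected):
                conflicts.append((label, r))
    return sup, not conflicts, conflicts

# Constructed sample policy. Device A has two tunnels to peer B whose source
# ranges leave a gap: 10.1.1.0/24 is not tunnelled to B.
SELECTED_A = [box("10.1.0.0/24", "10.2.0.0/24"), box("10.1.2.0/24", "10.2.0.0/24")]
CLEAR_A = [box("10.1.1.0/24", "10.3.0.0/24")]   # permitted in the clear, to a third site
OTHER_A = [box("10.1.5.0/24", "10.2.0.0/24")]   # a tunnel to a different peer
# Peer B holds the mirror-image crypto ACL, but it also permits
# 10.2.0.0/24 -> 10.1.1.0/24 as clear traffic, which falls inside the gap.
SELECTED_B = [mirror(b) for b in SELECTED_A]
CLEAR_B = [mirror(box("10.1.1.0/24", "10.2.0.0/24"))]
OTHER_B = [mirror(b) for b in OTHER_A]

def evaluate():
    """Run the check on both peers; implement only if both devices accept (claim 10)."""
    sup_a, ok_a, conf_a = check_super_tunnel(SELECTED_A, CLEAR_A, OTHER_A)
    sup_b, ok_b, conf_b = check_super_tunnel(SELECTED_B, CLEAR_B, OTHER_B)
    return {"super_a": sup_a, "a_ok": ok_a, "b_ok": ok_b,
            "conflicts_a": conf_a, "conflicts_b": conf_b, "implement": ok_a and ok_b}

if __name__ == "__main__":
    r = evaluate()
    print("A accepts:", r["a_ok"], " B accepts:", r["b_ok"], " implement:", r["implement"])
    for label, rule in r["conflicts_b"]:
        print("B conflict:", label, rule)
```

In this sample the super tunnel on A spans 10.1.0.0 through 10.1.2.255 to 10.2.0.0/24, which is wider than the union of the two selected entries, yet A accepts the merge because nothing A permits lives in that gap. B rejects it, because B passes 10.2.0.0/24 -> 10.1.1.0/24 in the clear and the merged entry would start encrypting that flow; so the merge is not implemented, which is the both-peers condition of claim 10. Two practitioner caveats the example makes visible: a bounding range such as 10.1.0.0 to 10.1.2.255 is not a single prefix, so on a device whose entries are prefix or wildcard masks the super tunnel must be widened to the enclosing prefix (here 10.1.0.0/22) and the check rerun against that wider range; and crypto ACLs are matched in order, so the merged entry's position relative to entries it overlaps has to be chosen so that first-match behaviour is preserved.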
13. A computer system configured to reduce a number of tunnels used to implement a security policy on a network, the computer system comprising:
one or more storage mediums to store a first crypto-access control list associated with a first security device, and a second crypto-access control list associated with a second security device, the second crypto-access control list being associated in the storage medium as a peer for the first crypto-access control list;
a processor programmed to:
identify a plurality of select entries in the first crypto-access control list that service a first plurality of data packets;
determine a single entry to service the first plurality of data packets instead of the plurality of select entries;
determine that the single entry does not service data packets permitted by the first security device other than data packets in the first plurality of data packets;
identify a corresponding plurality of select entries of the second crypto-access control list on the second security device that service a second plurality of data packets;
determine that the single entry does not service data packets permitted by the second security device other than data packets in the second plurality of data packets; and
configure the first crypto-access control list and the second crypto-access control list to implement the single entry to service the first plurality of data packets and the second plurality of data packets.
Dependent claims: 14, 15 (not reproduced on this page).
16. A computer-readable storage medium for reducing a number of tunnels used to implement a security policy on a network, the computer-readable medium carrying instructions for performing the steps of:
selecting a set of tunnels for exchanging data packets between a first security device and a second security device, each tunnel in the set of tunnels specifying a dimensional range for data packets that are subject to that tunnel;
determining a super tunnel for the set of tunnels, so that a dimensional range of the data packets that would be made subject to the super tunnel encompasses a dimensional range of the data packets that are subject to the set of tunnels;
determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels; and
in response to determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels, implementing the super tunnel between the first security device and the second security device;
wherein implementing the super tunnel reduces the number of tunnels used to implement the security policy on the network.
17. An apparatus for reducing a number of tunnels used to implement a security policy on a network, the apparatus comprising:
means for selecting a set of tunnels for exchanging data packets between a first security device and a second security device, each tunnel in the set of tunnels specifying a dimensional range for data packets that are subject to that tunnel;
means for determining a super tunnel to replace the set of tunnels, so that a dimensional range of the data packets that would be made subject to the super tunnel encompasses a dimensional range of the data packets that are subject to the set of tunnels;
means for determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels; and
means for implementing the super tunnel between the first security device and the second security device in response to determining that the super tunnel would, if implemented, tunnel data packets that are otherwise subject only to tunnels in the set of tunnels;
wherein implementing the super tunnel reduces the number of tunnels used to implement the security policy on the network.
Dependent claims: 18, 19, 20, 21, 22, 23, 24 (not reproduced on this page).
25. An apparatus for reducing a number of tunnels used to implement a security policy on a network, the apparatus comprising:
one or more processors; and
a computer-readable storage medium coupled to one or more of the processors and comprising one or more stored sequences of instructions which, when executed by one or more of the processors, cause one or more of the processors to perform steps comprising:
selecting a set of tunnels for exchanging data packets between a first security device and a second security device, each tunnel in the set of tunnels specifying a dimensional range for data packets that are subject to that tunnel;
determining a super tunnel for the set of tunnels, so that a dimensional range of the data packets that would be made subject to the super tunnel encompasses a dimensional range of the data packets that are subject to the set of tunnels;
determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels; and
in response to determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels, implementing the super tunnel between the first security device and the second security device;
wherein implementing the super tunnel reduces the number of tunnels used to implement the security policy on the network.
Dependent claims: 26, 27, 28, 29, 30, 31, 32 (not reproduced on this page).
33. An apparatus for reducing a number of tunnels used to implement a security policy on a network, the apparatus comprising:
one or more processors; and
a computer-readable storage medium coupled to one or more of the processors and comprising one or more stored sequences of instructions which, when executed by one or more of the processors, cause one or more of the processors to perform steps comprising:
selecting a set of tunnels for exchanging data packets between a first security device and a second security device, each tunnel in the set of tunnels specifying a dimensional range for data packets that are subject to that tunnel;
determining a super tunnel for the set of tunnels, so that a dimensional range of the data packets that would be made subject to the super tunnel encompasses a dimensional range of the data packets that are subject to the set of tunnels, wherein determining the super tunnel for the set of tunnels includes determining a single entry in a crypto-access control list to replace a plurality of entries in the crypto-access control list corresponding to the set of tunnels, so that a first set of dimensional ranges specified by the single entry would encompass the data packets that were made subject to the set of tunnels;
determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels; and
in response to determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels, implementing the super tunnel between the first security device and the second security device.
34. An apparatus for reducing a number of tunnels used to implement a security policy on a network, the apparatus comprising:
one or more processors; and
a computer-readable storage medium coupled to one or more of the processors and comprising one or more stored sequences of instructions which, when executed by one or more of the processors, cause one or more of the processors to perform steps comprising:
selecting a set of tunnels for exchanging data packets between a first security device and a second security device, each tunnel in the set of tunnels specifying a dimensional range for data packets that are subject to that tunnel, wherein selecting the set of tunnels for exchanging data packets between the first security device and the second security device includes selecting a set of entries in a list associated with one of the first security device and the second security device, each entry at least partially defining one of the tunnels in the set of tunnels;
determining a super tunnel for the set of tunnels, so that a dimensional range of the data packets that would be made subject to the super tunnel encompasses a dimensional range of the data packets that are subject to the set of tunnels, wherein determining the super tunnel for the set of tunnels includes determining a single entry in the list that may replace the set of entries;
determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels; and
in response to determining that the super tunnel would, if implemented, tunnel data packets that are subject only to tunnels in the set of tunnels, implementing the super tunnel between the first security device and the second security device;
wherein the list is one of an access control list and a crypto-access control list.
Specification