Associative policy model

US 7,308,706 B2
Filed: 10/28/2002
Issued: 12/11/2007
Est. Priority Date: 10/28/2002
Status: Active Grant

First Claim

Patent Images

1. A method for implementing an associative policy, the method comprising:

providing a policy on a policy server, the policy having a plurality of service definitions, wherein each service definition contains first and second relational components;

providing first and second network entities;

operatively coupling the first and second network entities to the policy server;

dynamically associating the first network entity with the second network entity from within the policy server, wherein associating includes;

selecting a service definition from the plurality of service definitions to apply to the first and second network entities;

sending a message from the policy server to the first network entity binding the first relational component of the selected service definition in the policy to the first network entity, andsending a message from the policy server to the second network entity binding the second relational component of the selected service definition in the policy to the second network entity; and

enforcing the policy on the first and second network entities.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for an associative policy model are provided. One embodiment of the present invention provides a method for implementing an associative policy. In this embodiment, the method includes providing a policy on a policy server, the policy having a service definition that contains first and second relational components, providing first and second network entities, operatively coupling the first and second network entities to the policy server, dynamically associating the first network entity with the second network entity (wherein such associating includes binding the first relational component of the service definition in the policy to the first network entity, and binding the second relational component of the service definition in the policy to the second network entity), and enforcing the policy on the first and second network entities.

Citations

47 Claims

1. A method for implementing an associative policy, the method comprising:
- providing a policy on a policy server, the policy having a plurality of service definitions, wherein each service definition contains first and second relational components;
  
  providing first and second network entities;
  
  operatively coupling the first and second network entities to the policy server;
  
  dynamically associating the first network entity with the second network entity from within the policy server, wherein associating includes;
  
  selecting a service definition from the plurality of service definitions to apply to the first and second network entities;
  
  sending a message from the policy server to the first network entity binding the first relational component of the selected service definition in the policy to the first network entity, andsending a message from the policy server to the second network entity binding the second relational component of the selected service definition in the policy to the second network entity; and
  
  enforcing the policy on the first and second network entities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein providing a policy on a policy server includes providing a security policy on a policy server.
  - 3. The method of claim 1, wherein the service definition corresponds to a service.
  - 4. The method of claim 1, wherein each of the first and second relational components includes one or more packet filtering rulesets.
  - 5. The method of claim 1, wherein the first relational component is a client relational component and the second relational component is a server relational component, and wherein the first and second network entities are a server device and a client device, respectively.
  - 6. The method of claim 1, wherein the first and second network entities are selected from a group consisting of devices, users, and software packages.
  - 7. The method of claim 1, wherein the first and second network entities are first and second members of a virtual private group (VPG), respectively.
  - 8. The method of claim 1, wherein the first and second network entities are a member of a first VPG and a member of a second VPG, respectively.
  - 9. The method of claim 1, wherein the first and second network entities are associated with one or more device sets.
  - 10. The method of claim 1, wherein providing first and second network entities includes assigning Internet Protocol (IP) addresses to those entities dynamically.
  - 11. The method of claim 1, wherein each of the first and second network entities include a network interface device for managing an embedded firewall, wherein the embedded firewall is embedded in a network interface device.
  - 12. The method of claim 1, wherein operatively coupling the first and second network entities to the policy server includes sending the Internet Protocol (IP) addresses of the first and second network entities to the policy server.
  - 13. The method of claim 1, wherein operatively coupling the first and second network entities to the policy server includes:
    - binding a first user to the first network entity, the first user being associated with a first role;
      
      binding a second user to the second network entity, the second user being associated with a second role;
      
      identifying a first Internet Protocol (IP) address of the first network entity;
      
      identifying a second IP address of the second network entity;
      
      sending the first role and first IP address information to the policy server; and
      
      sending the second role and second IP address information to the policy server.

14. A method for managing an associative policy on a policy server, the method comprising:
- providing a policy having a service definition, wherein the service definition has one or more rulesets that each contain one or more placeholders;
  
  specifying a role associated with each ruleset;
  
  operatively coupling one or more devices to the policy server; and
  
  upon such coupling,receiving boot and role information from the coupled devices;
  
  converting the policy into one or more device policies by inserting device information into the placeholders for rulesets corresponding to each of the coupled devices, anddistributing the device policies to the corresponding devices.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method of claim 14, wherein providing a policy having a service definition includes providing a security policy having a service definition.
  - 16. The method of claim 14, wherein the service definition has one or more rulesets, and wherein each ruleset includes one or more packet filtering rules.
  - 17. The method of claim 14, wherein specifying a role associated with each ruleset includes specifying a role selected from a group including one or more of a client role, a server role, a peer-to-peer role, and a single-ended role.
  - 18. The method of claim 14, wherein the one or more devices are members of a virtual private group (VPG).
  - 19. The method of claim 14, wherein operatively coupling one or more devices to the policy server includes operatively coupling first and second devices to the policy server, wherein the first device is a member of a first VPG, and wherein the second device is a member of a second VPG.
  - 20. The method of claim 14, wherein the one or more coupled devices have dynamically assigned IP addresses.
  - 21. The method of claim 14, wherein operatively coupling one or more devices to the policy server includes operatively coupling one or more wireless devices to the policy server.

22. A computer-implemented method on a policy server, the method comprising:
- providing a master policy on the policy server, the master policy having a first component and a second component;
  
  binding the policy server to a first device to obtain information about the first device;
  
  binding the policy server to a second device to obtain information about the second device;
  
  creating a first policy on the policy server using the first component of the master policy and the information about the second device;
  
  creating a second policy on the policy server using the second component of the master policy and the information about the first device;
  
  sending the first policy to the first device; and
  
  sending the second policy to the second device.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The computer-implemented method of claim 22, wherein:
    - binding the policy server to a first device to obtain information about the first device includes binding the policy server to a client device to obtain information about the client device; and
      
      binding the policy server to a second device to obtain information about the second device includes binding the policy server to a server device to obtain information about the server device.
  - 24. The computer-implemented method of claim 22, wherein providing a master policy on the policy server includes providing a master security policy on the policy server.
  - 25. The computer-implemented method of claim 22, wherein binding the policy server to a first device to obtain information about the first device includes obtaining Internet Protocol (IP) address information about the first device.
  - 26. The computer-implemented method of claim 22, wherein binding the policy server to a second device to obtain information about the second device includes obtaining IP address information about the second device.
  - 27. The computer-implemented method of claim 22, wherein the master policy further includes a third component, and wherein the method further comprises:
    - binding the policy server to a third device to obtain information about the third device;
      
      creating a third policy on the policy server using the third component of the master policy and the information about the first and second devices; and
      
      sending the third policy to the third device,wherein the first, second, and third devices are peer-to-peer devices.

28. A computer-implemented method on a client, the method comprising:
- obtaining boot information for the client;
  
  obtaining role information for a user on the client;
  
  sending the boot information and the role information to a policy server;
  
  obtaining a client-specific security policy from the policy server; and
  
  enforcing the client-specific security policy on the client,wherein the client-specific security policy includes security information about a server that is associated with the client, andwherein the security information is based on boot information and role information for the server.
- View Dependent Claims (29, 30, 31)
- - 29. The computer-implemented method of claim 28, wherein obtaining boot information for the client includes obtaining an Internet Protocol (IP) address of the client.
  - 30. The computer-implemented method of claim 29, wherein the IP address of the client is dynamically assigned.
  - 31. The computer-implemented method of claim 28, wherein the method further comprises authenticating the role information for the user on the client.

32. A policy server, comprising:
- a master security policy having a client component and a server component;
  
  an interface to couple the policy server with a server device and a client device; and
  
  wherein the policy server is operable to;
  
  obtain server information about the server device;
  
  obtain client information about the client device;
  
  create a client policy using the client component of the master security policy and the server information;
  
  create a server policy using the server component of the master security policy and the client information;
  
  send the client policy to the client device; and
  
  send the server policy to the server device.

33. A computer-implemented method on a server, the method comprising:
- obtaining boot information for the server;
  
  obtaining role information for the services provided by the server;
  
  sending the boot information and the role information to a policy server;
  
  obtaining a server-specific security policy from the policy server; and
  
  enforcing the server-specific security policy on the server,wherein the server-specific security policy includes security information about one or more clients that are associated with the server, andwherein the security information is based on boot information and role information for the one or more clients.
- View Dependent Claims (34, 35, 36, 37)
- - 34. The computer-implemented method of claim 33, wherein obtaining boot information for the server includes obtaining an Internet Protocol (IP) address of the server.
  - 35. The computer-implemented method of claim 34, wherein obtaining an IP address of the server includes assigning the IP address dynamically.
  - 36. The computer-implemented method of claim 33, wherein obtaining role information for the services includes authenticating the role information for the services on the server.
  - 37. The computer-implemented method of claim 33, wherein the services provided by the server include one or more services selected from a group of services including one or more of a email service, a sales database service, a network basic input/output system (NetBIOS) service, or a web service.

38. A computer-implemented method on a policy server, the method comprising:
- receiving boot information for a server;
  
  receiving role information for the services provided by the server;
  
  receiving boot information for one or more clients associated with the server;
  
  receiving role information for a user on one or more of the clients;
  
  creating a server-specific security policy from a master security policy wherein the server-specific security policy includes security information about one or more of the clients that are associated with the server, and wherein the security information is based on boot information and role information for each client;
  
  creating a client-specific security policy form a master security policy wherein the client-specific security policy includes security information about the server, and wherein the security information is based on boot information and role information for the server;
  
  sending the server-specific security policy to the server; and
  
  sending the client-specific security policy to each client.
- View Dependent Claims (39, 40)
- - 39. The computer-implemented method of claim 38, wherein receiving boot information for the server includes receiving an Internet Protocol (IP) address of the server.
  - 40. The computer-implemented method of claim 38, wherein receiving boot information for the client includes receiving an Internet Protocol (IP) address of the client.

41. A system, comprising:
- a network;
  
  a first network entity coupled to the network;
  
  a second network entity coupled to the network; and
  
  a policy server coupled to the network, the policy server having a associative policy;
  
  wherein the policy server is operable to;
  
  receive boot and role information from the first network entity;
  
  receive boot and role information from the second network entity;
  
  create a first network entity specific policy utilizing the received boot and role information from the first and second network entities;
  
  create a second network entity specific policy utilizing the received boot and role information from the first and second network entities;
  
  send the first entity policy to the first network entity; and
  
  send the second entity policy to the second network entity.
- View Dependent Claims (42, 43, 44, 45, 46, 47)
- - 42. The system of claim 41, wherein the associative policy is a security policy that includes a first set of rules and a second set of rules, and each of the set of rules having one or more placeholders.
  - 43. The system of claim 42, wherein the creation of network entity specific policies includes inserting entity information received from the first and second network entities into the placeholders of the first and second set of rules.
  - 44. The system of claim 41, wherein the associative policy contains one or more service definitions.
  - 45. The system of claim 41, wherein the first network entity includes a first computer and a first network interface device, and wherein the second network entity includes a second computer and a second network interface device.
  - 46. The system of claim 45, wherein the first and second network interface devices each include an embedded firewall for authorizing data packets.
  - 47. The system of claim 41, wherein the first network entity includes a first computer having a first software component, and wherein the second network entity includes a second computer having a second software component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
Secure Computing Corporation (McAfee, LLC)
Inventors
Markham, Thomas R., Bogle, Jessica J., Payne, Charles N. Jr.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Sandoval; Kristin D.

Application Number

US10/281,843
Publication Number

US 20040083382A1
Time in Patent Office

1,870 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/20 for managing network securi...

Associative policy model

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Associative policy model

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links