Method and apparatus for enforcing network security policies

US 7,448,067 B2
Filed: 09/30/2002
Issued: 11/04/2008
Est. Priority Date: 09/30/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A system for establishing a security policy for a network, comprising:

a network;

a server connected to the network;

a first machine-accessible file representing a network-wide security policy on the network;

first and second security tools connected to the network;

a translator operative to translate the first machine-accessible file into second and third machine-accessible files that are specific to the first and second security tools, respectively, and to transmit the second and third machine-accessible files to the first and second security tools, respectively, wherein the second machine-accessible file comprises a different language than the first machine-accessible file;

a security manager to receive a feedback issued by at least one of the first and second security tools and update the first machine-accessible file responsive to the feedback; and

a remote system security controller configured to;

receive a request for a connection to the network from a device;

determine if the device includes a third security tool, including;

authenticating a user of the device by the server;

determining by the server that the device includes a remote system security agent;

passing control from the server to the remote system security controller;

interrogating the device to determine if the device includes the third security tool; and

receiving a response from the device including a list of installed security tools, the list including the language of each of the installed security tools.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention is a system and method for applying a uniform network security policy. The security policy is described using a computer-readable file. The computer-readable file may be filtered and/or translated into other files that may be used as inputs to security devices. An example of one such security device is a remote system security controller, which is responsible for ensuring that remote devices outside the corporate network enforce the corporate security policy. In addition, the system is capable of updating the security policy of all network components based on feedback received from one or more devices.

73 Citations

View as Search Results

31 Claims

1. A system for establishing a security policy for a network, comprising:
- a network;
  
  a server connected to the network;
  
  a first machine-accessible file representing a network-wide security policy on the network;
  
  first and second security tools connected to the network;
  
  a translator operative to translate the first machine-accessible file into second and third machine-accessible files that are specific to the first and second security tools, respectively, and to transmit the second and third machine-accessible files to the first and second security tools, respectively, wherein the second machine-accessible file comprises a different language than the first machine-accessible file;
  
  a security manager to receive a feedback issued by at least one of the first and second security tools and update the first machine-accessible file responsive to the feedback; and
  
  a remote system security controller configured to;
  
  receive a request for a connection to the network from a device;
  
  determine if the device includes a third security tool, including;
  
  authenticating a user of the device by the server;
  
  determining by the server that the device includes a remote system security agent;
  
  passing control from the server to the remote system security controller;
  
  interrogating the device to determine if the device includes the third security tool; and
  
  receiving a response from the device including a list of installed security tools, the list including the language of each of the installed security tools.
- View Dependent Claims (2, 3, 4)
- - 2. A system according to claim 1, wherein the first and second security tools are drawn from a set including a proxy server, a firewall, an intrusion detection system, and a logging/monitoring device.
  - 3. A system according to claim 1, wherein the translator includes a filter operative to filter a first entry in the first machine-accessible file from the second machine-accessible file such that the first entry is not included in the second machine-accessible file, and to filter a second entry in the first machine-accessible file from the third machine-accessible file.
  - 4. A system according to claim 1, wherein the first machine-accessible file represents the network-wide security policy on the network for controlling interaction between a first machine internal to the network and a second machine external to the network.

5. A system for establishing a security policy for a network, comprising:
- a network;
  
  a first machine-accessible file representing a network-wide security policy on the network, wherein the first machine-accessible file includes security definitions applicable to a plurality of security tools, the security definitions including at least one website identifier;
  
  an internal server connected to the network and operative to store internal corporate data;
  
  a proxy server connected to the network, the proxy server operative to block access to first data external to the network;
  
  a firewall connected to the network, the firewall operative to filter data requests originating external to the network;
  
  an intrusion detection system connected to the network, the intrusion detection system operative to monitor the network for external attacks;
  
  at least one workstation operative to access second data external to the network via the proxy server;
  
  a translator operative to translate the first machine-accessible file into second, third, and fourth machine-accessible files for the proxy sewer, firewall, and instruction detection system, respectively, and to transmit the second, third, and fourth machine-accessible files to the proxy sewer, firewall, and instruction detection system, respectively, wherein at least one of the second, third, and fourth machine-accessible files comprises a different language than the first machine-accessible file and wherein at least one of the second, third, and fourth machine-accessible files comprises fewer security definitions than the first machine-accessible file;
  
  a security manager to receive a feedback issued by at least one of the proxy server, firewall, and intrusion detection system and update the first machine-accessible file responsive to the feedback, wherein the feedback comprises at least one of a security alert and an update notification; and
  
  a remote system security controller configured to;
  
  receive a request for a connection to the network from a remote device;
  
  determine if the remote device includes a remote system security agent and at least one security tool, including;
  
  authenticating a user of the remote device by the proxy serverdetermining by the proxy sewer that the remote device includes a remote system security agentpassing control from the proxy server to the remote system security controller;
  
  interrogating the remote device to determine if the remote device includes the at least one security tool; and
  
  receiving a response from the remote device including a list of installed security tools, the list including the language of each of the installed security tools.
- View Dependent Claims (6, 7, 8)
- - 6. A system according to claim 5, wherein the translator is operative to translate the first machine-accessible file into a fifth machine-accessible file for the remote system security controller.
  - 7. A system according to claim 5, wherein:
    - the system further comprises a logging/monitoring device to log communications between the workstations in the network and sources external to the network; and
      
      the translator is operative to translate the first machine-accessible file into a sixth machine-accessible file for the logging/monitoring device.
  - 8. A system according to claim 5, wherein the first machine-accessible file represents the network-wide security policy on the network for controlling interaction between a first machine internal to the network and a second machine external to the network.

9. A method for enforcing security policy on a network, comprising:
- generating a first machine-accessible file representing a network-wide security policy on a network;
  
  translating the first machine-accessible file into second and third machine-accessible files for first and second security tools, respectively, wherein the second machine-accessible file comprises a different language than the first machine-accessible file;
  
  transmitting the second and third machine-accessible files to the first and second security tools, wherein transmitting the second and third machine-accessible files includes transmitting the second machine-accessible file to a remote system security controller;
  
  receiving a feedback from at least one of the first and second security tools;
  
  updating the first machine-accessible file responsive to the feedback;
  
  receiving a request for a connection to the network from a device;
  
  determining by the remote system security controller if the device includes a third security tool to enforce the security policy, wherein determining by the remote system security controller if the device includes the third security tool to enforce the security policy comprises;
  
  authenticating a user of the device by a server;
  
  determining by the server that the device includes a remote system security agent;
  
  passing control from the server to the remote system security controller;
  
  interrogating the device to determine if the device includes the third security tool andreceiving a response from the device including a list of installed security tools, the list including the language of each of the installed security tools; and
  
  granting by the remote system security controller the request for the connection to the network if the device includes the third security tool to enforce the security policy.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 10. A method according to claim 9, wherein translating the first machine-accessible file includes filtering an entry in the first machine-accessible file from the second machine-accessible file.
  - 11. A method according to claim 9, wherein translating the first machine-accessible file includes translating the first machine-accessible file from a first language to a second language that is different from the first language and is recognizable to the first security tool.
  - 12. A method according to claim 9, wherein transmitting the second and third machine-accessible files includes transmitting the third machine-accessible file to at least one of a proxy server, a firewall, an intrusion detection system, and a logging/monitoring device.
  - 13. A method according to claim 9, the method further comprising denying by the remote system security controller the request for the connection to the network if the device lacks the third security tool to enforce the security policy.
  - 14. A method according to claim 9, wherein receiving a request includes receiving the request for a wireless connection to the network from the device.
  - 15. A method according to claim 9, wherein determining by the remote system security controller if the device includes the third security tool includes determining by the remote system security controller if the device includes at least an application monitoring tool, an intrusion detection tool, and a firewall tool.
  - 16. A method according to claim 15, wherein determining by the remote system security controller if the device includes the third security tool further includes determining by the remote system security controller if the device includes a session logging tool.
  - 17. A method according to claim 9, the method further comprising:
    - translating the second machine-accessible file into a fourth machine-accessible file for the third security tool on the device;
      
      transmitting the fourth machine-accessible file to the device; and
      
      applying the fourth machine-accessible file to the third security tool on the device.
  - 18. A method according to claim 17, wherein applying the fourth machine-accessible file includes changing a setting in the third security tool on the device.
  - 19. A method according to claim 9, wherein generating a first machine-accessible file representing a network-wide security policy on a network includes generating the first machine-accessible file representing the network-wide security policy on the network for controlling interaction between a first machine internal to the network and a second machine external to the network.
  - 20. A method according to claim 9 wherein authenticating the request comprises receiving a user identification and a password from the device.

21. An article comprising a machine-accessible medium having associated data that, when accessed, results in a machine:
- generating a first machine-accessible file representing a network-wide security policy on a network;
  
  translating the first machine-accessible file into second and third machine-accessible files for first and second security tools, respectively, wherein the second machine-accessible file comprises a different language than the first machine-accessible file;
  
  transmitting the second and third machine-accessible files to the first and second security tools, wherein transmitting the second and third machine-accessible files includes transmitting the second machine-accessible file to a remote system security controller;
  
  receiving a feedback from at least one of the first and second security tools;
  
  updating the first machine-accessible file responsive to the feedback;
  
  receiving a request for a connection to the network from a device;
  
  determining by the remote system security controller if the device includes a third security tool to enforce the security policy, wherein determining by the remote system security controller if the device includes the third security tool to enforce the security policy comprises;
  
  authenticating a user of the device by a server;
  
  determining by the server that the device includes a remote system security agent;
  
  passing control from the server to the remote system security controller;
  
  interrogating the device to determine if the device includes the third security tool; and
  
  receiving a response from the device including a list of installed security tools, the list including the language of each of the installed security tools; and
  
  granting by the remote system security controller the request for the connection to the network if the device includes the third security tool to enforce the security policy.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 22. An article according to claim 21, wherein the associated data for translating the first machine-accessible file includes associated data for filtering an entry in the first machine-accessible file from the second machine-accessible file.
  - 23. An article according to claim 21, wherein the associated data for translating the first machine-accessible file includes associated data for translating the first machine-accessible file from a first language to a second language that is different from the first language and is recognizable to the first security tool.
  - 24. An article according to claim 21, wherein the associated data for transmitting the second and third machine-accessible files includes associated data for transmitting the second and third machine-accessible files to the first and second security tools drawn from a set including a proxy server, a firewall, an intrusion detection system, and a logging/monitoring device.
  - 25. An article according to claim 21, the machine-accessible medium having further associated data that, when accessed, results in the machine denying by the remote system security controller the request for the connection to the network if the device lacks the third security tool to enforce the security policy.
  - 26. An article according to claim 21, wherein the associated data for receiving a request includes associated data for receiving the request for a wireless connection to the network from the device.
  - 27. An article according to claim 21, wherein the associated data for determining by the remote system security controller if the device includes the third security tool includes associated data for determining by the remote system security controller if the device includes at least an application monitoring tool, an intrusion detection tool, and a firewall tool.
  - 28. An article according to claim 27, wherein the associated data for determining by the remote system security controller if the device includes the third security tool further includes associated data for determining by the remote system security controller if the device includes a session logging tool.
  - 29. An article according to claim 21, the machine-accessible medium having further associated data that, when accessed, results in the machine:
    - translating the second machine-accessible file into a fourth machine-accessible file for the third security tool on the device;
      
      transmitting the fourth machine-accessible file to the device; and
      
      applying the fourth machine-accessible file to the third security tool on the device.
  - 30. An article according to claim 29, wherein the associated data for applying the fourth machine-accessible file includes the associated data for changing a setting in the third security tool on the device.
  - 31. An article according to claim 21, wherein generating a first machine-accessible file representing a network-wide security policy on a network includes generating the first machine-accessible file representing the network-wide security policy on the network for controlling interaction between a first machine internal to the network and a second machine external to the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Yadav, Satyendra
Primary Examiner(s)
COLIN, CARL G

Application Number

US10/261,828
Publication Number

US 20040064727A1
Time in Patent Office

2,227 Days
Field of Search

713/150, 726/6, 726/12, 726/34, 726/26, 726/25, 726/1, 709/223
US Class Current

726/1
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/20 for managing network securi...

Method and apparatus for enforcing network security policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

73 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for enforcing network security policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links