Method and apparatus for enforcing network security policies
First Claim
1. A system for establishing a security policy for a network, comprising:
- a network;
- a server connected to the network;
- a first machine-accessible file representing a network-wide security policy on the network;
- first and second security tools connected to the network;
- a translator operative to translate the first machine-accessible file into second and third machine-accessible files that are specific to the first and second security tools, respectively, and to transmit the second and third machine-accessible files to the first and second security tools, respectively, wherein the second machine-accessible file comprises a different language than the first machine-accessible file;
- a security manager to receive a feedback issued by at least one of the first and second security tools and update the first machine-accessible file responsive to the feedback; and
- a remote system security controller configured to:
  - receive a request for a connection to the network from a device;
  - determine if the device includes a third security tool, including:
    - authenticating a user of the device by the server;
    - determining by the server that the device includes a remote system security agent;
    - passing control from the server to the remote system security controller;
    - interrogating the device to determine if the device includes the third security tool; and
    - receiving a response from the device including a list of installed security tools, the list including the language of each of the installed security tools.
1 Assignment
0 Petitions
Abstract
The invention is a system and method for applying a uniform network security policy. The security policy is described using a computer-readable file. The computer-readable file may be filtered and/or translated into other files that may be used as inputs to security devices. An example of one such security device is a remote system security controller, which is responsible for ensuring that remote devices outside the corporate network enforce the corporate security policy. In addition, the system is capable of updating the security policy of all network components based on feedback received from one or more devices.
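Added example (not code from the patent or its assignee) sketching in Python the architecture the abstract and claims describe: a master policy is filtered and translated into three tool-specific languages, tool feedback revises the master policy, and a remote device is admitted only if it reports an installed tool whose language the translator supports. The policy keys, the simplified rule syntaxes and the device response format are assumptions.

```python
import json

# Constructed network-wide policy: the "first machine-accessible file".
MASTER_POLICY = {
    "blocked_sites": ["bad.example", "phish.example"],  # website identifiers
    "blocked_ports": [23, 135],
    "signatures": ["SQLI-001"],
}

# Emitters, one per target language. Each reads only the definitions its
# tool understands (a filtered subset) and renders them in that language.
def to_squid_acl(policy):  # proxy server: Squid-style ACL lines
    lines = [f"acl blocked dstdomain {s}" for s in policy["blocked_sites"]]
    return "\n".join(lines + ["http_access deny blocked"])

def to_iptables(policy):  # firewall: iptables-style rules
    return "\n".join(f"iptables -A INPUT -p tcp --dport {p} -j DROP"
                     for p in policy["blocked_ports"])

def to_ids_json(policy):  # intrusion detection system: JSON signature list
    return json.dumps({"signatures": policy["signatures"]})

TRANSLATORS = {"squid-acl": to_squid_acl, "iptables": to_iptables,
               "ids-json": to_ids_json}
# Tools on the corporate network and the language each one accepts.
NETWORK_TOOLS = {"proxy": "squid-acl", "firewall": "iptables", "ids": "ids-json"}

def translate(policy, tools=NETWORK_TOOLS):
    """Translator: master policy -> one tool-specific file per tool."""
    return {tool: TRANSLATORS[lang](policy) for tool, lang in tools.items()}

def apply_feedback(policy, feedback):
    """Security manager: a security alert (or update notification) from a
    tool revises the master policy, so the next translate() pushes the
    change to every tool, not only the one that raised it."""
    site = feedback.get("site")
    if feedback["kind"] == "alert" and site and site not in policy["blocked_sites"]:
        policy["blocked_sites"].append(site)
    return policy

def admit_remote(response, policy):
    """Remote system security controller: `response` is the device's reply
    listing installed tools with their languages (constructed format). Grant
    only if at least one tool can be driven from the policy; return the
    files to push to it, or None to refuse the connection."""
    usable = {t["name"]: t["language"] for t in response["installed_tools"]
              if t["language"] in TRANSLATORS}
    return translate(policy, usable) if usable else None
```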
73 Citations
31 Claims
5. A system for establishing a security policy for a network, comprising:
- a network;
- a first machine-accessible file representing a network-wide security policy on the network, wherein the first machine-accessible file includes security definitions applicable to a plurality of security tools, the security definitions including at least one website identifier;
- an internal server connected to the network and operative to store internal corporate data;
- a proxy server connected to the network, the proxy server operative to block access to first data external to the network;
- a firewall connected to the network, the firewall operative to filter data requests originating external to the network;
- an intrusion detection system connected to the network, the intrusion detection system operative to monitor the network for external attacks;
- at least one workstation operative to access second data external to the network via the proxy server;
- a translator operative to translate the first machine-accessible file into second, third, and fourth machine-accessible files for the proxy server, firewall, and intrusion detection system, respectively, and to transmit the second, third, and fourth machine-accessible files to the proxy server, firewall, and intrusion detection system, respectively, wherein at least one of the second, third, and fourth machine-accessible files comprises a different language than the first machine-accessible file and wherein at least one of the second, third, and fourth machine-accessible files comprises fewer security definitions than the first machine-accessible file;
- a security manager to receive a feedback issued by at least one of the proxy server, firewall, and intrusion detection system and update the first machine-accessible file responsive to the feedback, wherein the feedback comprises at least one of a security alert and an update notification; and
- a remote system security controller configured to:
  - receive a request for a connection to the network from a remote device;
  - determine if the remote device includes a remote system security agent and at least one security tool, including:
    - authenticating a user of the remote device by the proxy server;
    - determining by the proxy server that the remote device includes a remote system security agent;
    - passing control from the proxy server to the remote system security controller;
    - interrogating the remote device to determine if the remote device includes the at least one security tool; and
    - receiving a response from the remote device including a list of installed security tools, the list including the language of each of the installed security tools.

Dependent claims: 6, 7, 8.
9. A method for enforcing security policy on a network, comprising:
- generating a first machine-accessible file representing a network-wide security policy on a network;
- translating the first machine-accessible file into second and third machine-accessible files for first and second security tools, respectively, wherein the second machine-accessible file comprises a different language than the first machine-accessible file;
- transmitting the second and third machine-accessible files to the first and second security tools, wherein transmitting the second and third machine-accessible files includes transmitting the second machine-accessible file to a remote system security controller;
- receiving a feedback from at least one of the first and second security tools;
- updating the first machine-accessible file responsive to the feedback;
- receiving a request for a connection to the network from a device;
- determining by the remote system security controller if the device includes a third security tool to enforce the security policy, wherein determining by the remote system security controller if the device includes the third security tool to enforce the security policy comprises:
  - authenticating a user of the device by a server;
  - determining by the server that the device includes a remote system security agent;
  - passing control from the server to the remote system security controller;
  - interrogating the device to determine if the device includes the third security tool; and
  - receiving a response from the device including a list of installed security tools, the list including the language of each of the installed security tools; and
- granting by the remote system security controller the request for the connection to the network if the device includes the third security tool to enforce the security policy.

Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20.
21. An article comprising a machine-accessible medium having associated data that, when accessed, results in a machine:
- generating a first machine-accessible file representing a network-wide security policy on a network;
- translating the first machine-accessible file into second and third machine-accessible files for first and second security tools, respectively, wherein the second machine-accessible file comprises a different language than the first machine-accessible file;
- transmitting the second and third machine-accessible files to the first and second security tools, wherein transmitting the second and third machine-accessible files includes transmitting the second machine-accessible file to a remote system security controller;
- receiving a feedback from at least one of the first and second security tools;
- updating the first machine-accessible file responsive to the feedback;
- receiving a request for a connection to the network from a device;
- determining by the remote system security controller if the device includes a third security tool to enforce the security policy, wherein determining by the remote system security controller if the device includes the third security tool to enforce the security policy comprises:
  - authenticating a user of the device by a server;
  - determining by the server that the device includes a remote system security agent;
  - passing control from the server to the remote system security controller;
  - interrogating the device to determine if the device includes the third security tool; and
  - receiving a response from the device including a list of installed security tools, the list including the language of each of the installed security tools; and
- granting by the remote system security controller the request for the connection to the network if the device includes the third security tool to enforce the security policy.

Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30, 31.