System and method for dynamic network policy management

US 7,526,541 B2
Filed: 07/29/2003
Issued: 04/28/2009
Est. Priority Date: 07/29/2003
Status: Active Grant

First Claim

Patent Images

1. A method of controlling the usage by an attached function of network services associated with a network system that includes the attached function, one or more other attached functions and one or more network infrastructure devices, the method comprising the steps of:

a. acquiring information about an attached function seeking access to the network services;

b. associating a level of trust with the information about the attached function;

c. granting to the attached function preliminary entry to the network system based upon the information acquired;

d. determining whether a stored policy history exists for the attached function;

e. if the stored policy history exists for the attached function, establishing in a network entry device or a central switching device of the network infrastructure connected to the attached function one or more static and dynamic policies for the attached function for network services usage based upon the stored policy history;

f. if no stored policy history exists for the attached function, establishing for the attached function one or more static and dynamic policies for network services usage;

g. monitoring the network system for triggers including triggers unrelated to the information acquired about the attached function;

h. modifying in the network entry device or the central switching device one or more static and dynamic policies for the attached function upon the detection of one or more of the monitored triggers wherein the decision whether to modify is made at the network entry device or the central switching device; and

i. saving set and modified policies associated with the attached function as the stored policy history for the attached function,wherein the attached function is connected directly to the network entry device or the central switching device and wherein a portion of the saved set and modified policies are stored on the network entry device or the central switch device to which the attached function is directly connected and a remainder of the saved set and modified policies are stored on another network infrastructure device to which the attached function is not directly connected.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that provides dynamic network policy management. The system enables a network administrator to regulate usage of network services upon initiation of and throughout network sessions. The system employs a method of identifying selectable characteristics of attached functions to establish static and dynamic policies, which policies may be amended before, during and after any session throughout the network based on the monitored detection of any of a number of specified triggering events or activities. Particular policies associated with a particular identified attached function in prior sessions may be cached or saved and employed in subsequent sessions to provide network usage permissions more rapidly in such subsequent sessions. The cached or saved policy information may also be used to identify network usage, control, and security. The system and method of the present invention provides static and dynamic policy allocation for network usage provisioning.

266 Citations

15 Claims

1. A method of controlling the usage by an attached function of network services associated with a network system that includes the attached function, one or more other attached functions and one or more network infrastructure devices, the method comprising the steps of:
- a. acquiring information about an attached function seeking access to the network services;
  
  b. associating a level of trust with the information about the attached function;
  
  c. granting to the attached function preliminary entry to the network system based upon the information acquired;
  
  d. determining whether a stored policy history exists for the attached function;
  
  e. if the stored policy history exists for the attached function, establishing in a network entry device or a central switching device of the network infrastructure connected to the attached function one or more static and dynamic policies for the attached function for network services usage based upon the stored policy history;
  
  f. if no stored policy history exists for the attached function, establishing for the attached function one or more static and dynamic policies for network services usage;
  
  g. monitoring the network system for triggers including triggers unrelated to the information acquired about the attached function;
  
  h. modifying in the network entry device or the central switching device one or more static and dynamic policies for the attached function upon the detection of one or more of the monitored triggers wherein the decision whether to modify is made at the network entry device or the central switching device; and
  
  i. saving set and modified policies associated with the attached function as the stored policy history for the attached function,wherein the attached function is connected directly to the network entry device or the central switching device and wherein a portion of the saved set and modified policies are stored on the network entry device or the central switch device to which the attached function is directly connected and a remainder of the saved set and modified policies are stored on another network infrastructure device to which the attached function is not directly connected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as claimed in claim 1 wherein the step of modifying for the attached function one or more of the static and dynamic policies is performed independent of any action of the attached function.
  - 3. The method as claimed in claim 1 wherein the step of modifying for the attached function one or more of the static and dynamic policies comprises the step of changing a static policy to a dynamic policy.
  - 4. The method as claimed in claim 1 wherein the step of modifying for the attached function one or more of the static and dynamic policies comprises the step of changing a dynamic policy to a static policy.
  - 5. The method as claimed in claim 1 wherein the static and dynamic policies relate to usage policies by the attached function of any network service and not solely ingress and egress to and from the network system by the attached function.
  - 6. The method as claimed in claim 1 wherein the step of modifying for the attached function one or more of the static and dynamic policies occurs per flow.
  - 7. The method as claimed in claim 1 wherein the step of modifying for the attached function one or more of the static and dynamic policies occurs per session.
  - 8. The method as claimed in claim 1 further comprising the step of establishing rules of hierarchy for saved and set and modified policies.
  - 9. The method as claimed in claim 1 further comprising the step of overriding saved set and modified policies stored on the another network infrastructure device with saved set and modified policies stored on the network entry device or the central switching device.
  - 10. The method as claimed in claim 1 further comprising the step of invalidating the saved set and modified policies upon the occurrence of a specified event.
  - 11. The method as claimed in claim 1 wherein the only static policy is that there are only dynamic policies.

12. A method of controlling the usage by an attached function of network services associated with a network system that includes the attached function, one or more other attached functions and one or more network infrastructure devices, the method comprising the steps of:
- a. acquiring information about an attached function seeking access to the network services;
  
  b. granting to the attached function preliminary entry to the network system based upon the information acquired;
  
  c. establishing in a network entry device or central switching device of the one or more network infrastructure devices connected to the attached function one or more static and dynamic policies for the attached function for network services usage;
  
  d. monitoring the network system for triggers including triggers unrelated to the information acquired about the attached function;
  
  e. modifying in the network entry device or the central switching device one or more of the static and dynamic policies for the attached function upon the detection of one or more of the monitored triggers, wherein the decision whether to modify is made at the network entry device or the central switching device;
  
  f. saving set and modified policies associated with the attached function as a stored policy history for the attached function, wherein the attached function is directly connected to the network entry device or the central switching device and wherein a portion of the saved set and modified policies are stored on the network entry device or the central switching device to which the attached function is directly connected and a remainder of the saved set and modified policies are stored on another network infrastructure device to which the attached function is not directly connected; and
  
  g. establishing rules of hierarchy for saved set and modified policies.
- View Dependent Claims (13, 14, 15)
- - 13. The method as claimed in claim 12 wherein the step of modifying for the attached function one or more of the static and dynamic policies is performed independent of any action of the attached function.
  - 14. The method as claimed in claim 12 further comprising the step of overriding saved set and modified policies stored on the another network infrastructure device with saved set and modified policies stored on the central switching device.
  - 15. The method as claimed in claim 12 further comprising the step of invalidating the saved set and modified policies upon the occurrence of a specified event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Enterasys Networks Incorporated (Extreme Networks, Inc.)
Inventors
Roese, John J., Graham, Richard W.
Primary Examiner(s)
BOUTAH, ALINA A

Application Number

US10/629,331
Publication Number

US 20050027837A1
Time in Patent Office

2,100 Days
Field of Search

709223-225, 709227-229, 709243-244, 719/318, 726/1
US Class Current

709/223
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

System and method for dynamic network policy management

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

266 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

System and method for dynamic network policy management

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

266 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others