System and methodology for security policy arbitration

US 7,546,629 B2
Filed: 05/31/2002
Issued: 06/09/2009
Est. Priority Date: 03/06/2002
Status: Active Grant

First Claim

Patent Images

1. A method for a particular device to apply a flexible security policy that is automatically adjusted over time as required for connection to different networks, the method comprising:

(a) receiving a request from the particular device for a connection to a particular network, said particular device applying an initial security policy selected from a plurality of security policies available for governing connections, each security policy governing connections with a specific set of constraints;

(b) based on said particular network and said plurality of security policies available to said particular device, determining a current merged policy to apply to said particular device for governing said connection to said particular network, by merging said initial security policy with at least one other of the security policies available for governing connections;

(c) allowing said connection to said particular network to proceed with said current merged policy applied to said particular device; and

(d) repeating steps (a)-(c) for a plurality of connections to different networks, thereby automatically adjusting the security policy applied to the particular device based on the particular device'"'"'s current connections.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system providing methods for a device to apply a security policy required for connection to a network is described. In response to receipt of a request from a device for connection to a particular network, a current policy to apply to said device for governing the connection to this particular network is determined from a plurality of available security policies available to the device. This current policy to apply to said device is generated by merging a plurality of security policies available for governing connections. After said current policy is applied to the device, the connection from the device to this particular network is allowed to proceed.

Citations

51 Claims

1. A method for a particular device to apply a flexible security policy that is automatically adjusted over time as required for connection to different networks, the method comprising:
- (a) receiving a request from the particular device for a connection to a particular network, said particular device applying an initial security policy selected from a plurality of security policies available for governing connections, each security policy governing connections with a specific set of constraints;
  
  (b) based on said particular network and said plurality of security policies available to said particular device, determining a current merged policy to apply to said particular device for governing said connection to said particular network, by merging said initial security policy with at least one other of the security policies available for governing connections;
  
  (c) allowing said connection to said particular network to proceed with said current merged policy applied to said particular device; and
  
  (d) repeating steps (a)-(c) for a plurality of connections to different networks, thereby automatically adjusting the security policy applied to the particular device based on the particular device'"'"'s current connections.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein said step of determining a current merged policy to apply includes determining a particular security policy required for connection to said particular network.
  - 3. The method of claim 1, wherein said step (b) includes merging a security policy previously active on said particular device and a security policy required for connection to said particular network.
  - 4. The method of claim 1, wherein said step of determining a current merged policy to apply includes merging each security policy required for governing a connection currently open at said particular device.
  - 5. The method of claim 1, wherein said step of determining a current merged policy to apply includes the substeps of:
    - examining each rule of each security policy available for governing connections; and
      
      for each rule, determining a setting to adopt in said current merged policy based upon settings of each said security policy.
  - 6. The method of claim 5, in which said substep of examining each rule of each security policy available for governing connections includes examining each security policy required for governing a connection currently open at said particular device.
  - 7. The method of claim 1, wherein said step of determining a current merged policy to apply includes evaluating each security setting of said plurality of security policies.
  - 8. The method of claim 1, wherein said plurality of security policies available to said particular device includes security policies available through connection to a network.
  - 9. The method of claim 1, wherein said plurality of security policies available for governing connections includes at least one security policy which is user configurable.
  - 10. The method of claim 1, wherein said step of determining a current merged policy to apply includes locating a particular security policy required for connection to said particular network.
  - 11. The method of claim 10, wherein said step of locating a particular security policy required for connection to said particular network includes downloading said security policy from said particular network.
  - 12. The method of claim 1, wherein said step of allowing said connection to said particular network to proceed with said current merged policy applied to said particular device, includes updating firewall settings on said particular device based upon said current merged policy.
  - 13. The method of claim 1, further comprising:
    - upon disconnection of said particular device from said particular network, determining a revised security policy to apply.
  - 14. The method of claim 13, wherein said step of determining a revised security policy to apply includes determining said revised security policy based upon security policies required for governing connections remaining open at said particular device.
  - 15. The method of claim 1, wherein said current merged security policy comprises a set of enforcement rules governing access to and from said particular device.

16. A method for a device to create and maintain a flexible security policy that is automatically revised over time as required to allow connection to a plurality of networks, the method comprising:
- providing a security enforcement module at a device, said security enforcement module enforcing an existing initial security policy;
  
  upon receipt of a request for connection of said device to a new network, determining at that moment in time a particular security policy required to be enforced to allow connection of said device to said new network;
  
  generating from existing security policies a revised security policy for enforcement by said security enforcement module, said revised security policy based upon merging said particular security policy and said initial security policy so that security settings currently appropriate for the device are activated and security settings currently inappropriate for the device are inactivated;
  
  applying said revised security policy to said security enforcement module to allow said device to connect to said new network with appropriate security; and
  
  as the device connects to different networks, automatically regenerating the revised security policy applied to the particular device based on the particular device'"'"'s then-current connections.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 17. The method of claim 16, wherein said initial security policy includes a plurality of rules governing access at said device to be enforced by said security enforcement module.
  - 18. The method of claim 16, wherein said initial security policy includes an individual security policy adopted by a user of said device.
  - 19. The method of claim 16, wherein said step of determining a particular security policy required to be enforced includes identifying said particular security policy from a plurality of security policies available at said device.
  - 20. The method of claim 16, wherein said step of determining a particular security policy required to be enforced includes downloading said particular security rules from said new network.
  - 21. The method of claim 16, wherein said step of generating a revised security policy includes the substeps of:
    - examining each rule of said initial security policy and said particular security policy; and
      
      for each rule, determining a setting to adopt for said rule based upon settings of said initial security policy and said particular security policy.
  - 22. The method of claim 21, in which said substep of determining a setting to adopt for said rule includes adopting the most restrictive setting for said rule.
  - 23. The method of claim 21, in which said substep of determining a setting to adopt for said rule includes adopting a setting based upon a pre-selected ordering of said settings.
  - 24. The method of claim 21, in which said substep of determining a setting to adopt for said rule includes adopting a setting based upon intersecting permissive list settings.
  - 25. The method of claim 21, in which said substep of determining a setting to adopt for said rule includes adopting a setting based upon unioning restrictive list settings.
  - 26. The method of claim 16, wherein said initial security policy includes a revised security policy previously generated and applied to said security enforcement module.
  - 27. The method of claim 16, wherein said step of applying said revised security policy to said security enforcement module includes updating firewall settings of said security enforcement module on said device based upon said revised security policy.
  - 28. The method of claim 16, further comprising:
    - upon disconnection of said device from said new network, determining a revised security policy to apply based upon security policies required to be enforced as a result of network connections remaining active at said device.
  - 29. The method of claim 16, further comprising:
    - upon disconnection of said device from said new network, applying said initial security policy to said security enforcement module.

30. A system for regulating access at a computing system as required for connection to a network, the system comprising:
- a connection manager for receiving a request for connection to said network at said computing system and determining at that point in time an initial access policy which is required for connection to said network;
  
  a rules engine for automatically generating and repeatedly regenerating a current access policy for regulating access at said computing system as required for connection to different networks, so that security rules currently applied to the computing system are based on the computing system'"'"'s current connections, said current access policy being generated and repeatedly regenerated by merging a plurality of existing access policies available at said computing system, so that from time to time the rules engine automatically activates security rules that are required for current connections and deactivates security rules that are no longer required for current connections; and
  
  a security enforcement module for applying said current access policy for regulating access at said computing system.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 31. The system of claim 30, wherein said rules engine generates a current access policy by merging an access policy previously active at said computing system and an access policy required for connection to said network.
  - 32. The system of claim 30, wherein said rules engine generates a current access policy by merging each access policy required for connection to each network to which said computing system is currently connected.
  - 33. The system of claim 32, wherein each network to which said computing system is currently connected includes said network to which said computing system has requested a connection.
  - 34. The system of claim 30, wherein said connection manager includes a communication driver for identifying requests for connection to a network.
  - 35. The system of claim 30, wherein said rules engine generates a current access policy by performing the steps of:
    - examining each rule of each access policy available at said computing system; and
      
      for each rule, determining a setting to adopt in said current access policy based upon settings of each said available access policy.
  - 36. The system of claim 35 in which said step of determining a setting to adopt in said current access policy includes considering only available access policies required for connections currently open at said computing system.
  - 37. The system of claim 35, wherein said rules engine generates a current access policy by comparing each security setting of each rule of said plurality of available access policies.
  - 38. The system of claim 30, wherein said connection manager determines an access policy which is required for connection to said network by downloading said access policy from said network.
  - 39. The system of claim 30, wherein said security enforcement module includes a firewall application for selectively blocking access at said computing system based upon said current access policy.
  - 40. The system of claim 30, further comprising:
    - a supervisor module for verifying a computing system is applying an access policy required for connection to network prior to allowing said connection to said network.
  - 41. The system of claim 30, wherein said rules engine determines a revised access policy to apply upon disconnection of said computing system from said network.

42. A method for automatically and continually adjusting enforcement rules of a security enforcement module at a device as required from time to time to enable access to a plurality of different networks with appropriate security settings, the method comprising:
- providing an enforcement module at said device, said enforcement module applying an initial set of enforcement rules already existing at said device;
  
  upon receiving a trigger event comprising a request for access to a given network, determining particular enforcement rules required to be applied by said enforcement module to enable access to said network;
  
  responsive to said trigger event, automatically adjusting said initial set of enforcement rules by merging said initial set of enforcement rules with said particular enforcement rules required to enable access to said network;
  
  applying said adjusted enforcement rules to said enforcement module to enable said device to access said network with security settings that are appropriate at that moment in; and
  
  as the device connects to different networks, automatically readjusting the enforcement rules being applied to enable said device to access different networks with security settings that are appropriate at that moment in time.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 43. The method of claim 42, wherein said step of determining particular enforcement rules to apply includes locating said particular enforcement rules from a plurality of enforcement rules available to said enforcement module.
  - 44. The method of claim 42, wherein said step of determining particular enforcement rules required to enable access to said network includes downloading said particular enforcement rules from said network.
  - 45. The method of claim 42, wherein said step of merging said initial set of enforcement rules with said particular set of enforcement rules includes determining settings to adopt for each rule by evaluating settings of said initial set of enforcement rules and settings of said particular enforcement rules.
  - 46. The method of claim 45, in which said step of determining settings to adopt for each rule includes adopting the more restrictive setting of said initial set of enforcement rules and said particular enforcement rules.
  - 47. The method of claim 45, in which said step of determining settings to adopt for each rule includes adopting settings based upon a pre-selected ordering of said settings.
  - 48. The method of claim 45, in which said step of determining settings to adopt for each rule includes adopting settings based upon intersecting list settings for rules that are permissive.
  - 49. The method of claim 45, in which said step of determining settings to adopt for each rule includes adopting settings based upon concatenating list settings for rules that are restrictive.
  - 50. The method of claim 42, further comprising:
    - providing a security supervisor on said network, said security supervisor enforcing compliance with particular enforcement rules required to enable access to said network.
  - 51. The method of claim 42, further comprising:
    - upon termination of access to said network by said device, applying said initial set of enforcement rules for enforcement by said enforcement module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Inventors
Kawamura, Kyle, Herrmann, Conrad, Haycock, Keith, Albert, Anthony
Primary Examiner(s)
Revak; Christopher A
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US10/159,820
Publication Number

US 20030177389A1
Time in Patent Office

2,566 Days
Field of Search

726/1, 726/2, 726 11- 15, 709/223
US Class Current

726/1
CPC Class Codes

H04L 12/2856   Access arrangements, e.g. I...

H04L 12/2876   Handling of subscriber poli...

H04L 63/0263   Rule management

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

System and methodology for security policy arbitration

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

System and methodology for security policy arbitration

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links