Method and apparatus for comparing access control lists for configuring a security policy on a network

US 7,636,937 B1
Filed: 01/11/2002
Issued: 12/22/2009
Est. Priority Date: 01/11/2002
Status: Active Grant

First Claim

Patent Images

1. A method of comparing access control lists to configure a security policy on a network, the method comprising the computer-implemented steps of:

subtracting a particular access control entry from another access control entry, wherein both the particular access control entry and said another control entry are two access control entries of multiple first access control entries and wherein the first access control entries, including the particular access control entry and said another access control entry, are all of access control entries as specified in a first access control list;

identifying one or more first sub-entries in the first access control list, wherein the one or more first sub-entries include each of overlapping sections and non-overlapping sections of all of the first access control entries and wherein at least one of the one or more first sub-entries is derived from results of subtracting the particular access control entry from said another access control entry; and

programmatically determining whether the first access control list is functionally equivalent to a second access control list by determining whether each of the first sub-entries in the first access control list is contained by one or more entries of multiple second access control entries in the second access control list;

wherein the method is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Two or more access control lists that are syntactically or structurally different may be compared for functional or semantic equivalence in order to configure a security policy on a network. A first access control list is programmatically determined to be functionally equivalent to a second access control list for purpose of configuring or validating security policies on a network. In one embodiment, a box data representation facilitates comparing entries and sub-entries of the lists.

Citations

16 Claims

1. A method of comparing access control lists to configure a security policy on a network, the method comprising the computer-implemented steps of:
- subtracting a particular access control entry from another access control entry, wherein both the particular access control entry and said another control entry are two access control entries of multiple first access control entries and wherein the first access control entries, including the particular access control entry and said another access control entry, are all of access control entries as specified in a first access control list;
  
  identifying one or more first sub-entries in the first access control list, wherein the one or more first sub-entries include each of overlapping sections and non-overlapping sections of all of the first access control entries and wherein at least one of the one or more first sub-entries is derived from results of subtracting the particular access control entry from said another access control entry; and
  
  programmatically determining whether the first access control list is functionally equivalent to a second access control list by determining whether each of the first sub-entries in the first access control list is contained by one or more entries of multiple second access control entries in the second access control list;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as recited in claim 1, wherein identifying one or more first sub-entries in the first access control list comprises:
    - identifying a dimensional range and a policy action for each entry in the first access control list;
      
      identifying all overlapping dimensional ranges in the first access control list, each overlapping dimensional range corresponding to where the dimensional ranges of entries in the first access control list overlap;
      
      identifying all non-overlapping dimensional ranges in the first access control list, each of the non-overlapping dimensional ranges corresponding to dimensional ranges of entries in the first access control list that do not overlap dimensional ranges of other entries in the first access control list;
      
      identifying a policy action for each identified overlapping dimensional range in the first access control list; and
      
      identifying a policy action for each identified non-overlapping dimensional range of the first access control list.
  - 3. A method as recited in claim 2, wherein identifying a dimensional range and a policy action for each entry in the first access control list includes identifying a source address range and a destination address range for communication packets specified by each of the entries in the first access control list.
  - 4. A method as recited in claim 2, wherein identifying a dimensional range and a policy action for each entry in the first access control list includes identifying a source port range and a destination port range for communication packets specified by each of the entries in the first access control list.
  - 5. A method as recited in claim 2, wherein identifying a dimensional range and a policy action for each entry in the first access control list includes identifying a communication protocol for communication packets specified by each of the entries in the first access control list.
  - 6. A method as recited in claim 1, further comprising determining that the first access control list is functionally equivalent to the second access control list in response to a determination that each of the first sub-entries is contained by one or more entries of the second access control list.
  - 7. A method as recited in claim 1, further comprising:
    - identifying second sub-entries in the second access control list, wherein the second sub-entries identified from the second access control list comprise (i) disjoint entries of the second entries or (ii) overlapping sections identified from the second entries or (iii) non-overlapping sections identified from the second entries; and
      
      wherein determining whether each of the first sub-entry in the first access control list is contained by one or more entries of the second access control list includes determining whether the each of the first sub-entries in the first access control list is contained by one or more of the second sub-entries identified from the second control list.
  - 8. A method as recited in claim 7, wherein identifying second sub-entries in the second access control list comprises:
    - identifying a dimensional range and a policy action for each entry in the second access control list;
      
      identifying all overlapping dimensional ranges in the second access control list, each overlapping dimensional range corresponding to where the dimensional ranges of entries in the second access control list overlap;
      
      identifying all non-overlapping dimensional ranges in the second access control list, each of the non-overlapping dimensional ranges corresponding to dimensional ranges of entries in the second access control list that do not overlap dimensional ranges of other entries in the second access control list;
      
      identifying a policy action for each identified overlapping dimensional range of the second access control list; and
      
      identifying a policy action for each identified non-overlapping dimensional range of the second access control list.

9. A policy server communicatively coupled to security devices in a network to configure a security policy on a network, the policy server comprising:
- a processor;
  
  a network interface that communicatively couples the processor to the network to receive flows of packets therefrom;
  
  a memory; and
  
  sequences of instructions in the memory which, when executed by the processor, cause the processor to carry out the steps of;
  
  subtracting a particular access control entry from another access control entry, wherein both the particular access control entry and said another control entry are two access control entries of multiple first access control entries and wherein the first access control entries, including the particular access control entry and said another access control entry, are all of access control entries as specified in a first access control list;
  
  identifying one or more first sub-entries in the first access control list, wherein the one or more first sub-entries include each of overlapping sections and non-overlapping sections of all of the first access control entries and wherein at least one of the one or more first sub-entries is derived from results of subtracting the particular access control entry from said another access control entry; and
  
  programmatically determining whether the first access control list is functionally equivalent to a second access control list by determining whether each of the first sub-entries in the first access control list is contained by one or more entries of multiple second access control entries in the second access control list.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. A policy server as recited in claim 9, wherein said sequence of instructions further comprising instructions for performing determining that the first access control list is functionally equivalent to the second access control list in response to a determination that each of the first sub-entries is contained by one or more entries of the second access control list.
  - 11. A policy server as recited in claim 9,wherein said sequence of instructions further comprising instructions for performing identifying second sub-entries in the second access control list, wherein the second sub-entries identified from the second access control list comprise (i) disjoint entries of the second entries or (ii) overlapping sections identified from the second entries or (iii) non-overlapping sections identified from the second entries;
    - andwherein said instructions for performing determining whether each of the first sub-entry in the first access control list is contained by one or more entries of the second access control list include instructions for performing determining whether the each of the first sub-entries in the first access control list is contained by one or more of the second sub-entries identified from the second control list.
  - 12. A policy server as recited in claim 11, wherein said instructions for performing identifying second sub-entries in the second access control list comprise:
    - instructions for performing identifying a dimensional range and a policy action for each entry in the second access control list;
      
      instructions for performing identifying all overlapping dimensional ranges in the second access control list, each overlapping dimensional range corresponding to where the dimensional ranges of entries in the second access control list overlap;
      
      instructions for performing identifying all non-overlapping dimensional ranges in the second access control list, each of the non-overlapping dimensional ranges corresponding to dimensional ranges of entries in the second access control list that do not overlap dimensional ranges of other entries in the second access control list;
      
      instructions for performing identifying a policy action for each identified overlapping dimensional range of the second access control list; and
      
      instructions for performing identifying a policy action for each identified non-overlapping dimensional range of the second access control list.
  - 13. A policy server as recited in claim 9, wherein said instructions for performing identifying one or more first sub-entries in the first access control list comprise:
    - instructions for performing identifying a dimensional range and a policy action for each entry in the second access control list;
      
      instructions for performing identifying all overlapping dimensional ranges in the second access control list, each overlapping dimensional range corresponding to where the dimensional ranges of entries in the second access control list overlap;
      
      instructions for performing identifying all non-overlapping dimensional ranges in the second access control list, each of the non-overlapping dimensional ranges corresponding to dimensional ranges of entries in the second access control list that do not overlap dimensional ranges of other entries in the second access control list;
      
      instructions for performing identifying a policy action for each identified overlapping dimensional range in the second access control list; and
      
      instructions for performing identifying a policy action for each identified non-overlapping dimensional range of the second access control list.
  - 14. A policy server as recited in claim 13, wherein said instructions for performing identifying a dimensional range and a policy action for each entry in the first access control list include instructions for performing identifying a source address range and a destination address range for communication packets specified by each of the entries in the first access control list.
  - 15. A policy server as recited in claim 13, wherein said instructions for performing identifying a dimensional range and a policy action for each entry in the first access control list include instructions for performing identifying a source port range and a destination port range for communication packets specified by each of the entries in the first access control list.
  - 16. A policy server as recited in claim 13, wherein said instructions for performing identifying a dimensional range and a policy action for each entry in the first access control list include instructions for performing identifying a communication protocol for communication packets specified by each of the entries in the first access control list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Bhattacharya, Partha, Chen, Shigang
Primary Examiner(s)
Revak; Christopher A
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US10/044,019
Time in Patent Office

2,902 Days
Field of Search

709220-225, 713200-208
US Class Current

726/2
CPC Class Codes

G06F 21/604 Tools and structures for ma...

H04L 63/0263 Rule management

Method and apparatus for comparing access control lists for configuring a security policy on a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for comparing access control lists for configuring a security policy on a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links