Method and apparatus providing unified compliant network audit

US 7,735,140 B2
Filed: 06/08/2005
Issued: 06/08/2010
Est. Priority Date: 06/08/2004
Status: Active Grant

First Claim

Patent Images

1. A method of performing a network security audit based on information flows among network elements, comprising the machine-implemented steps of:

obtaining a network inventory that identifies one or more network elements of a packet-switched network;

obtaining a list of ports;

determining, based at least in part on an examination of a running configuration of each of the one or more network elements, how information packets flow through each port in the list of ports for each of the one or more network elements;

determining a first threat level for each port in the list of ports for each of the network elements based at least in part on;

whether the running configuration indicates that the port is open or closed;

whether the running configuration indicates that the port, if open, has been configured with restrictions;

determining a second threat level for each of the one or more network elements based, at least in part, on the first threat levels associated with each port in the list of ports for that network element;

determining a third threat level for the network as a whole; and

providing a report of a network security audit based on the first, second and third threat levels;

wherein the method is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Information flow between network elements in a network enables a management system to capture a security knowledge base and to perform a static analysis of the network. In one embodiment, a method for performing a network security audit based on information flows among network elements comprises the machine-implemented steps of obtaining a network inventory that identifies one or more network elements of a packet-switched network; determining how information packets flow through the one or more network elements; determining a first threat level for each of the one or more network elements; determining a second threat level for the network as a whole; and providing a report of a network security audit based on the first and second threat levels.

82 Citations

View as Search Results

40 Claims

1. A method of performing a network security audit based on information flows among network elements, comprising the machine-implemented steps of:
- obtaining a network inventory that identifies one or more network elements of a packet-switched network;
  
  obtaining a list of ports;
  
  determining, based at least in part on an examination of a running configuration of each of the one or more network elements, how information packets flow through each port in the list of ports for each of the one or more network elements;
  
  determining a first threat level for each port in the list of ports for each of the network elements based at least in part on;
  
  whether the running configuration indicates that the port is open or closed;
  
  whether the running configuration indicates that the port, if open, has been configured with restrictions;
  
  determining a second threat level for each of the one or more network elements based, at least in part, on the first threat levels associated with each port in the list of ports for that network element;
  
  determining a third threat level for the network as a whole; and
  
  providing a report of a network security audit based on the first, second and third threat levels;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising receiving user input that defines a security policy;
    - retrieving running configuration from the network elements; and
      
      validating the security policy against the running configuration.
  - 3. The method of claim 2, wherein the security policy is defined for the network as a whole.
  - 4. The method of claim 2, wherein the security policy comprises one or more individual security policies that are defined for one or more respective network elements.
  - 5. The method of claim 2, wherein the security policy is validated for the network as a whole.
  - 6. The method of claim 2, wherein the security policy is validated for one or more individual network elements.
  - 7. The method of claim 2, wherein the security policy is defined based on a security template applicable to one or more network elements, wherein the templates define one or more automatic corrective actions that are performed in response to detecting a security breach at one or more network elements.
  - 8. The method of claim 7, wherein one or more alarms are raised in response to detecting a breach of the configured security policy for one or more network elements.
  - 9. The method of claim 1, wherein determining a first threat level comprises determining whether access to the port is restricted by an access control list.
  - 10. The method of claim 1, further comprising the machine-implemented steps of:
    - receiving user input that defines a security policy and a network monitoring policy;
      
      retrieving running configuration from the network elements;
      
      validating the security policy against the running configuration;
      
      based on the network monitoring policy, monitoring and auditing the network for one or more potential violations of the security policy; and
      
      automatically performing one or more corrective actions in response to identifying one or more potential violations of the security policy.

11. A computer-readable volatile or non-volatile medium for performing a network security audit based on information flows among network elements, comprising one or more sequences of computer program instructions, which instructions, when executed by one or more processors, cause the one or more processors to perform the steps of:
- obtaining a network inventory that identifies one or more network elements of a packet-switched network;
  
  obtaining a list of ports;
  
  determining, based at least in part on an examination of a running configuration of each of the one or more network elements, how information packets flow through each port in the list of ports for each of the one or more network elements;
  
  determining a first threat level for each port in the list of ports for each of the network elements based at least in part on;
  
  whether the running configuration indicates that the port is open or closed; and
  
  whether the running configuration indicates that the port, if open, has been configured with restrictions;
  
  determining a second threat level for each of the one or more network elements based, at least in part, on a status of one or more ports used by the one or more network elements and determining whether access to any port is restricted the first threat levels associated with each port in the list of ports for that network element;
  
  determining a third threat level for the network as a whole; and
  
  providing a report of a network security audit based on the first, second, and third threat levels.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer-readable volatile or non-volatile medium of claim 11, further comprising program instructions for receiving user input that defines a security policy;
    - retrieving running configuration from the network elements; and
      
      validating the security policy against the running configuration.
  - 13. The computer-readable volatile or non-volatile medium of claim 12, wherein the security policy is defined for the network as a whole.
  - 14. The computer-readable volatile or non-volatile medium of claim 12, wherein the security policy comprises one or more individual security policies that are defined for one or more respective network elements.
  - 15. The computer-readable volatile or non-volatile medium of claim 12, wherein the security policy is validated for the network as a whole.
  - 16. The computer-readable volatile or non-volatile medium of claim 12, wherein the security policy is validated for one or more individual network elements.
  - 17. The computer-readable volatile or non-volatile medium of claim 12, wherein the security policy is defined based on a security template applicable to one or more network elements, wherein the templates define one or more automatic corrective actions that are performed in response to detecting a security breach at one or more network elements.
  - 18. The computer-readable volatile or non-volatile medium of claim 17, wherein one or more alarms are raised in response to detecting a breach of the configured security policy for one or more network elements.
  - 19. The computer-readable volatile or non-volatile medium of claim 11, wherein determining a first threat level comprises determining whether access to the port is restricted by an access control list.
  - 20. The computer-readable volatile or non-volatile medium of claim 11, further comprising the machine-implemented steps of:
    - receiving user input that defines a security policy and a network monitoring policy;
      
      retrieving running configuration from the network elements;
      
      validating the security policy against the running configuration;
      
      based on the network monitoring policy, monitoring and auditing the network for one or more potential violations of the security policy; and
      
      automatically performing one or more corrective actions in response to identifying one or more potential violations of the security policy.

21. An apparatus configured for performing a network security audit based on information flows among network elements, comprising:
- security policy definition logic;
  
  a security policy database coupled to the security policy definition logic;
  
  security policy compliance logic coupled to the security policy database; and
  
  corrective action logic;
  
  wherein the security policy compliance logic comprises one or more computer program instructions for obtaining a network inventory that identifies one or more network elements of a packet-switched network;
  
  obtaining a list of ports;
  
  determining, based at least in part on an examination of a running configuration of each of the one or more network elements, how information packets flow through each port in the list of ports for each of the one or more network elements;
  
  determining a first threat level for each port in the list of ports for each of the network elements based at least in part on;
  
  whether the running configuration indicates that the port is open or closed;
  
  whether the running configuration indicates that the port, if open, has been configured with restrictions;
  
  determining a second threat level for each of the one or more network elements based, at least in part, on a the first threat levels associated with each port in the list of ports for that network element;
  
  determining a third threat level for the network as a whole; and
  
  providing a report of a network security audit based on the first second, and third threat levels.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The apparatus of claim 21, wherein the security policy compliance logic further comprises receiving user input that defines a security policy;
    - retrieving running configuration from the network elements; and
      
      validating the security policy against the running configuration.
  - 23. The apparatus of claim 22, wherein the security policy is defined for the network as a whole.
  - 24. The apparatus of claim 22, wherein the security policy comprises one or more individual security policies that are defined for one or more respective network elements.
  - 25. The apparatus of claim 22, wherein the security policy is validated for the network as a whole.
  - 26. The apparatus of claim 22, wherein the security policy is validated for one or more individual network elements.
  - 27. The apparatus of claim 22, wherein the security policy is defined based on a security template applicable to one or more network elements, wherein the templates define one or more automatic corrective actions that are performed in response to detecting a security breach at one or more network elements.
  - 28. The apparatus of claim 27, wherein one or more alarms are raised in response to detecting a breach of the configured security policy for one or more network elements.
  - 29. The apparatus of claim 22, wherein determining a first threat level comprises determining whether access to the port is restricted by an access control list.
  - 30. The apparatus of claim 21, further comprising the machine-implemented steps of:
    - receiving user input that defines a security policy and a network monitoring policy;
      
      retrieving running configuration from the network elements;
      
      validating the security policy against the running configuration;
      
      based on the network monitoring policy, monitoring and auditing the network for one or more potential violations of the security policy; and
      
      automatically performing one or more corrective actions in response to identifying one or more potential violations of the security policy.

31. An apparatus configured for performing a network security audit based on information flows among network elements, comprising:
- means for obtaining a network inventory that identifies one or more network elements of a packet-switched network;
  
  means for obtaining a list of ports;
  
  means for determining, based at least in part on an examination of a running configuration of each of the one or more network elements, how information packets flow through each port in the list of ports for each of the one or more network elements;
  
  means for determining a first threat level for each port in the list of ports for each of the network elements based at least in part on;
  
  whether the running configuration indicates that the port is open or closed;
  
  whether the running configuration indicates that the port, if open, has been configured with restrictions;
  
  means for determining a second threat level for each of the one or more network elements based, at least in part, on the first threat levels associated with each port in the list of ports for that network element;
  
  means for determining a third threat level for the network as a whole; and
  
  means for providing a report of a network security audit based on the first, second, and third threat levels.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. The apparatus of claim 31, further comprising means for receiving user input that defines a security policy;
    - means for retrieving running configuration from the network elements; and
      
      means for validating the security policy against the running configuration.
  - 33. The apparatus of claim 32, wherein the security policy is defined for the network as a whole.
  - 34. The apparatus of claim 32, wherein the security policy comprises one or more individual security policies that are defined for one or more respective network elements.
  - 35. The apparatus of claim 32, wherein the security policy is validated for the network as a whole.
  - 36. The apparatus of claim 32, wherein the security policy is validated for one or more individual network elements.
  - 37. The apparatus of claim 32, wherein the security policy is defined based on a security template applicable to one or more network elements, wherein the templates define one or more automatic corrective actions that are performed in response to detecting a security breach at one or more network elements.
  - 38. The apparatus of claim 37, wherein one or more alarms are raised in response to detecting a breach of the configured security policy for one or more network elements.
  - 39. The apparatus of claim 32, wherein determining a first threat level comprises determining whether access to the port is restricted by an access control list.
  - 40. The apparatus of claim 31, further comprising the machine-implemented steps of:
    - receiving user input that defines a security policy and a network monitoring policy;
      
      retrieving running configuration from the network elements;
      
      validating the security policy against the running configuration;
      
      based on the network monitoring policy, monitoring and auditing the network for one or more potential violations of the security policy; and
      
      automatically performing one or more corrective actions in response to identifying one or more potential violations of the security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Venkatavaradhan, Parthasarathy, Somepalli, Prasanthi, Datla, Krishnam Raju, Beereddy, Srinivasa
Primary Examiner(s)
Kim; Jung
Assistant Examiner(s)
Lemma; Samson B

Application Number

US11/148,489
Publication Number

US 20050273851A1
Time in Patent Office

1,826 Days
Field of Search

726/1, 726/25, 726/14
US Class Current

726/25
CPC Class Codes

H04L 63/101   Access control lists [ACL]

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Method and apparatus providing unified compliant network audit

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

82 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus providing unified compliant network audit

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links