Method and apparatus for security policy management

US 7,882,537 B2
Filed: 06/20/2005
Issued: 02/01/2011
Est. Priority Date: 06/21/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A security policy management system comprising:

a processor, configured to operate the security policy management system;

setting information storage means for storing setting information representing settings with regard to security functions of devices included in a network system to be managed; and

general-purpose security policy generating means for generating a security policy including a description expressed in a format independent of descriptions depending on particular devices, based on the setting information stored in said setting information storage means,wherein the general-purpose security policy generating means describes a content of each item in a model obtained by modeling an operation of a device having a security function to generate the security policy, the model being represented as a set of items which are described in the security policy,wherein the content of each item in the model is derived from an expression which is included in the setting information stored in the setting information storage means, by using knowledge with regard to descriptive specification for the setting information stored in the setting information storage means, andwherein, when the setting information to an item for which a default value has been prescribed is omitted, the default value is used to describe the security policy with regard to the item for which the default value has been prescribed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security policy management system for deriving a security policy from setting details of security devices as components of an information system includes a setting information storage unit for storing setting information representing settings with regard to security functions of devices included in a network system to be managed, and a general-purpose security policy generator for generating a security policy including a description expressed in a format independent of descriptions depending on particular devices, based on the setting information stored in the setting information storage unit.

195 Citations

49 Claims

1. A security policy management system comprising:
- a processor, configured to operate the security policy management system;
  
  setting information storage means for storing setting information representing settings with regard to security functions of devices included in a network system to be managed; and
  
  general-purpose security policy generating means for generating a security policy including a description expressed in a format independent of descriptions depending on particular devices, based on the setting information stored in said setting information storage means,wherein the general-purpose security policy generating means describes a content of each item in a model obtained by modeling an operation of a device having a security function to generate the security policy, the model being represented as a set of items which are described in the security policy,wherein the content of each item in the model is derived from an expression which is included in the setting information stored in the setting information storage means, by using knowledge with regard to descriptive specification for the setting information stored in the setting information storage means, andwherein, when the setting information to an item for which a default value has been prescribed is omitted, the default value is used to describe the security policy with regard to the item for which the default value has been prescribed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The system according to claim 1, further comprising:
    - setting information inputting means for inputting said setting information and storing said setting information in said setting information storage means.
  - 3. The system according to claim 2, further comprising:
    - setting information inputting subroutine storage means for storing a setting information inputting subroutine for inputting said setting information, with regard to each of said devices;
      
      wherein said setting information inputting means reads the setting information inputting subroutine corresponding to each of the devices from which the setting information is to be collected, and inputs said setting information according to the read setting information inputting subroutine.
  - 4. The system according to claim 2, further comprising:
    - a device from which setting information is to be collected;
      
      said device including setting information sending means for extracting setting information of the device and sending the extracted setting information to said setting information inputting means.
  - 5. The system according to claim 2, further comprising:
    - security policy generating subroutine storage means for storing, with regard to each of said devices, a security policy generating subroutine for generating a security policy including a description expressed in a format independent of descriptions depending on particular devices;
      
      wherein said general-purpose security policy generating means reads the security policy generating subroutine corresponding to a device holding said setting information from said security policy generating subroutine storage means based on the setting information inputted by said setting information inputting means, and generates said security policy according to said security policy generating subroutine.
  - 6. The system according to claim 1, further comprising:
    - an analytical knowledge database for storing information used to analyze details of the security policy generated by said general-purpose security policy generating means; and
      
      security policy analyzing means for analyzing details of the security policy generated based on said setting information, using the information stored in said analytical knowledge database.
  - 7. The system according to claim 6, further comprising:
    - security policy analyzing subroutine storage means for storing, with regard to each of the security functions, a security policy analyzing subroutine for analyzing details of the security policy generated by said general-purpose security policy generating means;
      
      wherein said security policy analyzing means reads said security policy analyzing subroutine for each of security functions from said security policy analyzing subroutine storage means, and analyzes details of the security policy generated by said general-purpose security policy generating means according to said security policy analyzing subroutine.
  - 8. The system according to claim 7, wherein said security policy analyzing subroutine storage means stores a security policy analyzing subroutine for identifying information of a source of a packet and information of a destination of a packet, which information permits the packets to pass, as a security policy analyzing subroutine corresponding to a packet filtering function, based on information of a source of a packet, information of a destination of a packet, protocol information, and information as to whether packets are to pass or not, said information being described in the security policy;
    - andwherein said security policy analyzing means identifies information of a source of a packet and information of a destination of a packet, which information permits the packets to pass, according to said security policy analyzing subroutine.
  - 9. The system according to claim 8, further comprising:
    - output means for outputting the analyzed result generated by said security policy analyzing means;
      
      wherein said security policy analyzing means controls said output means to display a diagram representing the information of the source of the packet and the information of the destination of the packet, which information permits the packets to pass, in a two-dimensional area having a horizontal axis representing either values which can be taken by the information of the source of the packet or values which can be taken by the information of the destination of the packet, and a vertical axis representing the other values.
  - 10. The system according to claim 8, further comprising:
    - output means for outputting the analyzed result generated by said security policy analyzing means;
      
      wherein said security policy analyzing means controls said output means to display a diagram in an area defined by a first axis representing values which can be taken by the information of the source of the packet and a second axis representing values which can be taken by the information of the destination of the packet, said diagram representing, on the first axis, the information of the source of the packet, which information permits the packets to pass and representing, on the second axis, the information of the destination of the packet, which information permits the packets to pass.
  - 11. The system according to claim 6, further comprising:
    - security policy comparing means for, when said security policy analyzing means generates a plurality of analyzed results of security policies with regard to one security function, comparing said analyzed results and identifying a difference between the security policies of respective devices which are analyzed by said security policy analyzing means.
  - 12. The system according to claim 11, further comprising:
    - comparing subroutine storage means for storing, with regard to each of security functions, a comparing subroutine for comparing the analyzed results generated by said security policy analyzing means;
      
      wherein said security policy comparing means reads said comparing subroutine for each of the security functions from said comparing subroutine storage means, and compares said analyzed results and identifies a difference between the security policies of respective devices which are analyzed by said security policy analyzing means, according to said comparing subroutine.
  - 13. The system according to claim 6, further comprising:
    - analyzed result storage means for storing in advance an analyzed result of a security policy with regard to a security function; and
      
      security policy comparing means for, when said security policy analyzing means generates at least one analyzed result of a security policy, comparing the analyzed result stored in said analyzed result storage means and the analyzed result generated by said security policy analyzing means with each other.
  - 14. The system according to claim 6, further comprising:
    - security policy integrating means for, when said security policy analyzing means generates a plurality of analyzed results of security policies with regard to the same type of security function, further analyzing said analyzed results and deriving an analyzed result for entire security policies.
  - 15. The system according to claim 14, further comprising:
    - integrating subroutine storage means for storing, with regard to each of the security functions, an integrating subroutine for further analyzing the analyzed results;
      
      wherein said security policy integrating means reads the integrating subroutine for each of the security functions from said integrating subroutine storage means, further analyzes said analyzed results and derives an analyzed result for entire security policies according to the integrating subroutine.
  - 16. The system according to claim 14, wherein said security policy integrating means further analyzes the respective analyzed results of security policies generated based on setting information of a plurality of devices for performing packet filtering, and identifies packets which are permitted to pass through said devices.
  - 17. The system according to claim 6, further comprising:
    - analyzed result storage means for storing in advance an analyzed result of a security policy with regard to a security function; and
      
      security policy integrating means for, when said security policy analyzing means generates at least one analyzed result of a security policy, analyzing the analyzed result stored in said analyzed result storage means and the analyzed result generated by said security policy analyzing means, and deriving an analyzed result for entire security policies.
  - 18. The system according to claim 6, further comprising:
    - security policy interlinking means for referring to security policies generated based on setting information of a plurality of devices having different security functions or analyzed results of said security policies, and relating the security policies generated based on the setting information of said devices to each other.
  - 19. The system according to claim 18, further comprising:
    - interlinking subroutine storage means for storing, with regard to each combination of the different security functions, an interlinking subroutine for relating the security policies generated based on the setting information of a plurality of devices having different security functions to each other;
      
      wherein said security policy interlinking means reads the interlinking subroutine for each combination of the different security functions from said interlinking subroutine storage means, and relates said security policies to each other according to said interlinking subroutine.
  - 20. The system according to claim 18, wherein said interlinking subroutine storage means identifies an unmatch between the security policies generated based on the setting information of a plurality of devices having different security functions.
  - 21. The system according to claim 1, wherein generating the security policy includes the steps of:
    - obtaining the model;
      
      defining objects and actions on the model; and
      
      describing rules included in the setting information of one of the device as attributes to the objects and the actions.

22. A security policy management system comprising:
- a processor, configured to operate the security policy management system;
  
  setting information inputting means for inputting setting information representing settings with regard to security functions of devices included in a network system to be managed; and
  
  general-purpose security policy generating means for generating a security policy including a description expressed in a format independent of descriptions depending on particular devices, based on the setting information inputted by said setting information inputting means,wherein the general-purpose security policy generating means describes a content of each item in a model obtained by modeling an operation of a device having a security function to generate the security policy, the model being represented as a set of items which are described in the security policy,wherein the content of each item in the model is derived from an expression which is included in the setting information stored in the setting information storage means, by using knowledge with regard to descriptive specification for the setting information stored in the setting information storage means, andwherein, when the setting information to an item for which a default value has been prescribed is omitted, the default value is used to describe the security policy with regard to the item for which the default value has been prescribed.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 23. The system according to claim 22, further comprising:
    - setting information inputting subroutine storage means for storing a setting information inputting subroutine for inputting said setting information, with regard to each of said devices;
      
      wherein said setting information inputting means reads the setting information inputting subroutine corresponding to each of the devices from which the setting information is to be collected, and inputs said setting information according to the read setting information inputting subroutine.
  - 24. The system according to claim 22, further comprising:
    - a device from which setting information is to be collected;
      
      said device including setting information sending means for extracting setting information of the device and sending the extracted setting information to said setting information inputting means.
  - 25. The system according to claim 22, further comprising:
    - security policy generating subroutine storage means for storing, with regard to each of said devices, a security policy generating subroutine for generating a security policy including a description expressed in a format independent of descriptions depending on particular devices;
      
      wherein said general-purpose security policy generating means reads the security policy generating subroutine corresponding to a device holding said setting information from said security policy generating subroutine storage means based on the setting information inputted by said setting information inputting means, and generates said security policy according to said security policy generating subroutine.
  - 26. The system according to claim 22, further comprising:
    - an analytical knowledge database for storing information used to analyze details of the security policy generated by said general-purpose security policy generating means; and
      
      security policy analyzing means for analyzing details of the security policy generated based on said setting information, using the information stored in said analytical knowledge database.
  - 27. The system according to claim 26, further comprising:
    - security policy analyzing subroutine storage means for storing, with regard to each of the security functions, a security policy analyzing subroutine for analyzing details of the security policy generated by said general-purpose security policy generating means;
      
      wherein said security policy analyzing means reads said security policy analyzing subroutine for each of security functions from said security policy analyzing subroutine storage means, and analyzes details of the security policy generated by said general-purpose security policy generating means according to said security policy analyzing subroutine.
  - 28. The system according to claim 27, wherein said security policy analyzing subroutine storage means stores a security policy analyzing subroutine for identifying information of a source of a packet and information of a destination of a packet, which information permits the packets to pass, as a security policy analyzing subroutine corresponding to a packet filtering function, based on information of a source of a packet, information of a destination of a packet, protocol information, and information as to whether packets are to pass or not, said information being described in the security policy;
    - andwherein said security policy analyzing means identifies information of a source of a packet and information of a destination of a packet, which information permits the packets to pass, according to said security policy analyzing subroutine.
  - 29. The system according to claim 28, further comprising:
    - output means for outputting the analyzed result generated by said security policy analyzing means;
      
      wherein said security policy analyzing means controls said output means to display a diagram representing the information of the source of the packet and the information of the destination of the packet, which information permits the packets to pass, in a two-dimensional area having a horizontal axis representing either values which can be taken by the information of the source of the packet or values which can be taken by the information of the destination of the packet, and a vertical axis representing the other values.
  - 30. The system according to claim 28, further comprising:
    - output means for outputting the analyzed result generated by said security policy analyzing means;
      
      wherein said security policy analyzing means controls said output means to display an image in an area defined by a first axis representing values which can be taken by the information of the source of the packet and a second axis representing values which can be taken by the information of the destination of the packet, said diagram representing, on the first axis, the information of the source of the packet, which information permits the packets to pass and representing, on the second axis, the information of the destination of the packet, which information permits the packets to pass.
  - 31. The system according to claim 26, further comprising:
    - security policy comparing means for, when said security policy analyzing means generates a plurality of analyzed results of security policies with regard to one security function, comparing said analyzed results and identifying a difference between the security policies of respective devices which are analyzed by said security policy analyzing means.
  - 32. The system according to claim 31, further comprising:
    - comparing subroutine storage means for storing, with regard to each of security functions, a comparing subroutine for comparing the analyzed results generated by said security policy analyzing means;
      
      wherein said security policy comparing means reads said comparing subroutine for each of the security functions from said comparing subroutine storage means, and compares said analyzed results and identifies a difference between the security policies of respective devices which are analyzed by said security policy analyzing means, according to said comparing subroutine.
  - 33. The system according to claim 26, further comprising:
    - analyzed result storage means for storing in advance an analyzed result of a security policy with regard to a security function; and
      
      security policy comparing means for, when said security policy analyzing means generates at least one analyzed result of a security policy, comparing the analyzed result stored in said analyzed result storage means and the analyzed result generated by said security policy analyzing means with each other.
  - 34. The system according to claim 26, further comprising:
    - security policy integrating means for, when said security policy analyzing means generates a plurality of analyzed results of security policies with regard to the same type of security function, further analyzing said analyzed results and deriving an analyzed result for entire security policies.
  - 35. The system according to claim 34, further comprising:
    - integrating subroutine storage means for storing, with regard to each of the security functions, an integrating subroutine for further analyzing the analyzed results;
      
      wherein said security policy integrating means reads the integrating subroutine for each of the security functions from said integrating subroutine storage means, further analyzes said analyzed results and derives an analyzed result for entire security policies according to the integrating subroutine.
  - 36. The system according to claim 34, wherein said security policy integrating means further analyzes the respective analyzed results of security policies generated based on setting information of a plurality of devices for performing packet filtering, and identifies packets which are permitted to pass through said devices.
  - 37. The system according to claim 26, further comprising:
    - analyzed result storage means for storing in advance an analyzed result of a security policy with regard to a security function; and
      
      security policy integrating means for, when said security policy analyzing means generates at least one analyzed result of a security policy, analyzing the analyzed result stored in said analyzed result storage means and the analyzed result generated by said security policy analyzing means, and deriving an analyzed result for entire security policies.
  - 38. The system according to claim 26, further comprising:
    - security policy interlinking means for referring to security policies generated based on setting information of a plurality of devices having different security functions or analyzed results of said security policies, and relating the security policies generated based on the setting information of said devices to each other.
  - 39. The system according to claim 38, further comprising:
    - interlinking subroutine storage means for storing, with regard to each combination of the different security functions, an interlinking subroutine for relating the security policies generated based on the setting information of a plurality of devices having different security functions to each other;
      
      wherein said security policy interlinking means reads the interlinking subroutine for each combination of the different security functions from said interlinking subroutine storage means, and relates said security policies to each other according to said interlinking subroutine.
  - 40. The system according to claim 38, wherein said interlinking subroutine storage means identifies an unmatch between the security policies generated based on the setting information of a plurality of devices having different security functions.
  - 41. The system according to claim 22, wherein generating the security policy includes the steps of:
    - obtaining the model;
      
      defining objects and actions on the model; and
      
      describing rules included in the setting information of one of the device as attributes to the objects and the actions.

42. A method of managing a security policy, comprising the steps of:
- storing setting information representing settings with regard to security functions of devices included in a network system to be managed in a setting information storage unit; and
  
  generating a security policy including a description expressed in a format independent of descriptions depending on particular devices, by describing a content of each item in a model based on the stored setting information with a general-purpose security policy generating unit, the model being obtained by modeling an operation of a device having a security function, and the model being represented as a set of items which are described in the security policy,wherein the content of each item in the model is derived from expression which is included in the setting information, by using knowledge with regard to descriptive specification for the setting information, andwherein, when the setting information to an item for which a default value has been prescribed is omitted, the default value is used to describe the security policy with regard to the item for which the default value has been prescribed.
- View Dependent Claims (43)
- - 43. The method according to claim 42, wherein generating the security policy includes the steps of:
    - obtaining the model;
      
      defining objects and actions on the model; and
      
      describing rules included in the setting information of one of the device as attributes to the objects and the actions.

44. A method of managing a security policy, comprising the steps of:
- inputting setting information representing settings with regard to security functions of devices included in a network system to be managed into setting information storage unit; and
  
  generating a security policy including a description expressed in a format independent of descriptions depending on particular devices, by describing a content of each item in a model based on the inputted setting information with a general-purpose security policy generating unit, the model being obtained by modeling an operation of a device having a security function, and the model being represented as a set of items which are described in the security policy,wherein the content of each item in the model is derived from expression which is included in the setting information, by using knowledge with regard to descriptive specification for the setting information, andwherein, when the setting information to an item for which a default value has been prescribed is omitted, the default value is used to describe the security policy with regard to the item for which the default value has been prescribed.
- View Dependent Claims (45)
- - 45. The method according to claim 44, wherein generating the security policy includes the steps of:
    - obtaining the model;
      
      defining objects and actions on the model; and
      
      describing rules included in the setting information of one of the device as attributes to the objects and the actions.

46. A computer-readable medium having a program product for enabling a computer to execute a process comprising the steps of:
- storing setting information representing settings with regard to security functions of devices included in a network system to be managed; and
  
  generating a security policy including a description expressed in a format independent of descriptions depending on particular devices, by describing a content of each item in a model based on the stored setting information, the model being obtained by modeling an operation of a device having a security function, and the model being represented as a set of items which are described in the security policy,wherein the content of each item in the model is derived from an expression which is included in the setting information, by using knowledge with regard to descriptive specification for the setting information, andwherein, when the setting information to an item for which a default value has been prescribed is omitted, the default value is used to describe the security policy with regard to the item for which the default value has been prescribed.
- View Dependent Claims (47)
- - 47. The computer-readable medium according to claim 46, wherein generating the security policy includes the steps of:
    - obtaining the model;
      
      defining objects and actions on the model; and
      
      describing rules included in the setting information of one of the devices as attributes to the objects and the actions.

48. A computer-readable medium having a program product for enabling a computer to execute a process comprising the steps of:
- inputting setting information representing settings with regard to security functions of devices included in a network system to be managed; and
  
  generating a security policy including a description expressed in a format independent of descriptions depending on particular devices, by describing a content of each item in a model based on the inputted setting information, the model being obtained by modeling an operation of a device having a security function, and the model being represented as a set of items which are described in the security policy,wherein the content of each item in the model is derived from an expression which is included in the setting information, by using knowledge with regard to descriptive specification for the setting information, andwherein, when the setting information to an item for which a default value has been prescribed is omitted, the default value is used to describe the security policy with regard to the item for which the default value has been prescribed.
- View Dependent Claims (49)
- - 49. The computer-readable medium according to claim 48, wherein generating the security policy includes the steps of:
    - obtaining the model;
      
      defining objects and actions on the model; and
      
      describing rules included in the setting information of one of the devices as attributes to the objects and the actions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Matsuda, Katsushi, Okajo, Sumitaka
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US11/155,767
Publication Number

US 20050283823A1
Time in Patent Office

2,052 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

Method and apparatus for security policy management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

195 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for security policy management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

195 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links