Application service policy compliance server

US 8,024,772 B1
Filed: 09/28/2007
Issued: 09/20/2011
Est. Priority Date: 09/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method of assessing application services compliance with network policies comprising:

identifying a set of rules, each of the rules defining a desired state of the application services in an information network, wherein a plurality of rules define a policy and the policy includes a plurality of rules that identify network objects, a scope of the rule identifying which network objects it applies to, and a condition to test for satisfaction of the rule;

performing discovery on applications configured in a network environment, the applications coupled to services executing on hosts in the network environment, the discovery identifying configuration and topological data applicable to the rules, performing discovery on applications configured in the network environment further comprising;

invoking a host probe to query a host about configuration data; and

performing passive listening on hosts, passive listening including observing the communication flow between the hosts, wherein the configuration and topological data is state information including attributes having values, the attributes indicative of adherence to a desired state based on the values matching an expected value for a desired state reflected in the corresponding rule;

identifying dependencies between applications and services by determining consumers of the services dependent upon the services to serve the applications;

receiving notifications indicative of the discovered configuration and topological data, the notifications reflecting modification of a particular value of a network state of an application service;

comparing the received modified value with a desired intended value specified in a corresponding rule; and

identifying a rule breach, the breach indicative of the network state misaligned with a rule, by comparing a received modified value with the value corresponding to the desired state, identifying the rule breach further comprising;

identifying at least one of a violation or a vulnerability, a violation indicating a deviant state in the corresponding rule, a vulnerability indicating a rule potentially violating a value specified in a desired state in the corresponding rule;

identifying the policy to which the rule belongs;

identifying other breaches of rules in the identified policy to which the originally breached rule belongs; and

assessing the cumulative rule breaches of rules in a policy to compute if a policy violation had occurred.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a large network, it can be difficult to pinpoint and track down the causes of breaches of established policies. A compliance policy server allows traversal of notifications according to breaches, organizes the breaches (vulnerabilities and violations) according to severity and recurrence, and identifies related rules and application services and network entities which may be related to the breach. An integrated graphical user interface (GUI) provides efficient, timely traversal and analysis of rule breaches across the network to allow quick, efficient identification of the underlying cause or condition of the rule breach, as well as identify impact on application services and network entities. A discoverer gathers configuration data including notifications of changes, alerts, and conditions in the network that are pertinent to the rule breaches. A compliance engine evaluates the configuration and topological data against the rules to identify breaches. Collective breaches pertaining to a common application or service or dependency indicate a common underlying condition causing the breach, therefore providing efficient correction of the underlying condition.

Citations

15 Claims

1. A method of assessing application services compliance with network policies comprising:
- identifying a set of rules, each of the rules defining a desired state of the application services in an information network, wherein a plurality of rules define a policy and the policy includes a plurality of rules that identify network objects, a scope of the rule identifying which network objects it applies to, and a condition to test for satisfaction of the rule;
  
  performing discovery on applications configured in a network environment, the applications coupled to services executing on hosts in the network environment, the discovery identifying configuration and topological data applicable to the rules, performing discovery on applications configured in the network environment further comprising;
  
  invoking a host probe to query a host about configuration data; and
  
  performing passive listening on hosts, passive listening including observing the communication flow between the hosts, wherein the configuration and topological data is state information including attributes having values, the attributes indicative of adherence to a desired state based on the values matching an expected value for a desired state reflected in the corresponding rule;
  
  identifying dependencies between applications and services by determining consumers of the services dependent upon the services to serve the applications;
  
  receiving notifications indicative of the discovered configuration and topological data, the notifications reflecting modification of a particular value of a network state of an application service;
  
  comparing the received modified value with a desired intended value specified in a corresponding rule; and
  
  identifying a rule breach, the breach indicative of the network state misaligned with a rule, by comparing a received modified value with the value corresponding to the desired state, identifying the rule breach further comprising;
  
  identifying at least one of a violation or a vulnerability, a violation indicating a deviant state in the corresponding rule, a vulnerability indicating a rule potentially violating a value specified in a desired state in the corresponding rule;
  
  identifying the policy to which the rule belongs;
  
  identifying other breaches of rules in the identified policy to which the originally breached rule belongs; and
  
  assessing the cumulative rule breaches of rules in a policy to compute if a policy violation had occurred.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the services execute on hosts responsive to the applications, the applications defining consumers of the services, each of the services servicing at least one application, further comprising:
    - identifying application services paths defined by the dependencies employed by the applications for invoking the services, the application services paths including hosts and consumers of the services;
      
      identifying dependencies, the dependencies including direct and indirect consumers, that access the services servicing the application on the hosts responsible for hosting the application; and
      
      computing a compliance state on the hosts resulting from the invoked services, the compliance state indicative of adherence to the rules, further including identifying consumers of services at hosts from the identified application services paths and computed loads providing a plurality of services to multiple applications.
  - 3. The method of claim 2 wherein the applications support user functions such that a compliance state indicating substantial rule violations results in reduced host performance on behalf of users, further comprising:
    - identifying indirect consumers based on the dependencies; and
      
      traversing the breaches to identify an underlying condition causing the slowdown.
  - 4. The method of claim 1, further comprising:
    - identifying a set of related breaches corresponding to a particular breach, the related breaches based on rules applicable to a network entity causing the particular breach;
      
      presenting the identified set of related breaches to an operator;
      
      receiving a selection of a related breach in the identified set;
      
      presenting a set of related breaches, the related breaches affecting a common application services path or network entity; and
      
      traversing the identified set of rule breaches in an iterative manner to identify conditions underlying the set of related breaches.
  - 5. The method of claim 4 wherein the rules further define a condition testing an intended state, further comprising:
    - identifying a breached rule;
      
      determining the condition of the rule triggering the breach; and
      
      testing the condition with respect to other rules affected by the same condition to identify the set of related breaches.
  - 6. The method of claim 1 wherein the applications couple to the services via links, further comprising:
    - identifying the links to a particular service;
      
      analyzing the notifications pertaining to the particular service; and
      
      computing a condition common to a plurality of the notifications as a cause of the breach.
  - 7. The method of claim 6 wherein the links further comprise physical links, virtual links, and logical links, further comprising:
    - enumerating a set of logical links and virtual links via an abstraction model applied to the physical links;
      
      computing an application services path defined by the logical links and virtual links;
      
      identifying at least one physical link underlying the application services path;
      
      assessing rules pertaining to the application services path; and
      
      assessing rules pertaining to the identified physical link to determine breaches affecting the logical and virtual links.

8. A policy server operable to assess application compliance with network policies comprising:
- a repository for storing an identified a set of rules, each of the rules defining a desired state of the network, wherein a plurality of rules define a policy and the policy includes a plurality of rules that identify network objects, a scope of the rule identifying which network objects it applies to, and a condition to test for satisfaction of the rule;
  
  a discoverer for performing discovery on applications configured in a network environment, the applications coupled to services executing on hosts in the network environment, the discovery identifying configuration and topological data applicable to the rules, the discoverer further operable to identify dependencies between applications and services by determining consumers of the services dependent upon the services to serve the applications, invoke a host probe to query a host about configuration data and perform passive listening on hosts including observing the communication flow between the hosts;
  
  an interface to the network for receiving notifications indicative of the discovered configuration and topological data, the notifications reflecting modification of a particular value of a network state; and
  
  a compliance engine for comparing the received modified value with a desired intended value specified in a corresponding rule, the compliance engine further operable for identifying a rule breach, the breach indicative of a network state misaligned with a rule, by comparing a received modified value with the value corresponding to the desired state, the configuration and topological data being state information including attributes having values, the attributes indicative of adherence to a desired state based on the values matching an expected value for a desired state reflected in the corresponding rule, wherein the compliance engine is further operable to identify a rule breach by identifying at least one of a violation or a vulnerability, a violation indicating a deviant state in the corresponding rule, a vulnerability indicating a rule potentially violating a value specified in a desired state in the corresponding rule, identifying the policy to which the rule belongs, identifying other breaches of rules in the identified policy to which the originally breached rule belongs, and assessing the cumulative rule breaches of rules in a policy to compute if a policy violation has occurred.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The server of claim 8 wherein the services execute on hosts responsive to the applications, the applications defining consumers of the services, each of the services servicing at least one application, further comprising:
    - identifying application services paths defined by the dependencies employed by the applications for invoking the services, the application services paths including hosts and consumers of the services;
      
      computing a load on the hosts resulting from the invoked services; and
      
      identifying consumers of services at hosts from the identified paths and computed loads providing a plurality of services to multiple applications.
  - 10. The server of claim 9 wherein the applications support user functions such that an application slowdown results in reduced throughput on behalf of users, the discoverer further operable to:
    - identify indirect consumers based on the dependencies; and
      
      traverse the breaches to identify an underlying condition causing the slowdown.
  - 11. The server of claim 8 wherein the compliance engine is further operable to:
    - identify a set of related breaches corresponding to a particular breach, the related breaches based on rules applicable to a network entity causing the particular breach;
      
      present the identified set of related breaches to an operator;
      
      receive a selection of a related breach in the identified set;
      
      present a set of related breaches, the related breaches affecting a common path or network entity; and
      
      traverse the identified rule breaches in an iterative manner to identify conditions underlying the set of related breaches.
  - 12. The server of claim 11 wherein the rules further define a condition testing an intended state, further comprising:
    - identifying a breached rule;
      
      determining the condition of the rule triggering the breach; and
      
      testing the condition with respect to other rules affected by the same condition to identify the set of related breaches.
  - 13. The server of claim 8 wherein the applications couple to the services via links, further comprising:
    - identifying the links to a particular service;
      
      identifying the direct and indirect consumers (dependencies) to a particular service residing on a host;
      
      analyzing the notifications pertaining to the particular service; and
      
      computing a condition common to a plurality of the notifications as a cause of the breach.
  - 14. The server of claim 13 wherein the links further comprise physical links, virtual links, and logical links, further comprising:
    - enumerating a set of logical links via an abstraction model applied to the physical links;
      
      computing an application services path defined by the logical links and virtual links;
      
      identifying at least one physical link underlying the path;
      
      assessing rules pertaining to the application services path; and
      
      assessing rules pertaining to the identified physical link to determine breaches affecting the logical link.

15. A computer program product having computer program code stored on a non-transitory computer readable storage medium, the computer program code embodied as encoded instructions on the storage medium that, when executed by a processor, causes a computer to assess application compliance with network policies, the computer program code comprising:
- computer program code for identifying a set of rules, each of the rules defining a desired state of the network, wherein a plurality of rules define a policy and the policy includes a plurality of rules that identify network objects, a scope of the rule identifying which network objects it applies to, and a condition to test for satisfaction of the rule;
  
  computer program code for performing discovery on applications configured in a network environment, the applications coupled to services executing on hosts in the network environment, the discovery identifying configuration and topological data applicable to the rules, computer program code for performing discovery on applications configured in the network environment further comprising;
  
  computer program code for invoking a host probe to query a host about configuration data; and
  
  computer program code for performing passive listening on hosts, passive listening including observing the communication flow between the hosts, wherein the configuration and topological data is state information including attributes having values, the attributes indicative of adherence to a desired state based on the values matching an expected value for a desired state reflected in the corresponding rule;
  
  computer program code for identifying dependencies between applications and services by determining consumers of the services dependent upon the services to serve the applications;
  
  computer program code for receiving notifications indicative of the discovered configuration data, the notifications reflecting modification of a particular value of a network state;
  
  computer program code for comparing the received modified value with a desired intended value specified in a corresponding rule; and
  
  computer program code for identifying a rule breach, the breach indicative of a network state misaligned with a rule, by comparing a received modified value with the value corresponding to the desired state, the configuration data being state information including attributes having values, the attributes indicative of adherence to a desired state based on the values matching an expected value for a desired state reflected in the corresponding rule, computer program code for identifying the rule breach further comprising;
  
  computer program code for identifying at least one of a violation or a vulnerability, a violation indicating a deviant state in the corresponding rule, a vulnerability indicating a rule potentially violating a value specified in a desired state in the corresponding rule;
  
  computer program code for identifying the policy to which the rule belongs;
  
  computer program code for identifying other breaches of rules in the identified policy to which the originally breached rule belongs; and
  
  computer program code for assessing the cumulative rule breaches of rules in a policy to compute if a policy violation has occurred.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Lim, Ju-Lien, Yehuda, Hanna, Artzi, Amanuel Ronen
Primary Examiner(s)
PEARSON, DAVID J

Application Number

US11/863,940
Time in Patent Office

1,453 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

H04L 41/069   using logs of notifications...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/22   comprising specially adapte...

Application service policy compliance server

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Application service policy compliance server

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links