Application service policy compliance server

  • US 8,024,772 B1
  • Filed: 09/28/2007
  • Issued: 09/20/2011
  • Est. Priority Date: 09/28/2007
  • Status: Active Grant
First Claim

1. A method of assessing application services compliance with network policies comprising:

  • identifying a set of rules, each of the rules defining a desired state of the application services in an information network, wherein a plurality of rules define a policy and the policy includes a plurality of rules that identify network objects, a scope of the rule identifying which network objects it applies to, and a condition to test for satisfaction of the rule;
  • performing discovery on applications configured in a network environment, the applications coupled to services executing on hosts in the network environment, the discovery identifying configuration and topological data applicable to the rules, performing discovery on applications configured in the network environment further comprising:
      • invoking a host probe to query a host about configuration data; and
      • performing passive listening on hosts, passive listening including observing the communication flow between the hosts, wherein the configuration and topological data is state information including attributes having values, the attributes indicative of adherence to a desired state based on the values matching an expected value for a desired state reflected in the corresponding rule;
  • identifying dependencies between applications and services by determining consumers of the services dependent upon the services to serve the applications;
  • receiving notifications indicative of the discovered configuration and topological data, the notifications reflecting modification of a particular value of a network state of an application service;
  • comparing the received modified value with a desired intended value specified in a corresponding rule; and
  • identifying a rule breach, the breach indicative of the network state misaligned with a rule, by comparing a received modified value with the value corresponding to the desired state, identifying the rule breach further comprising:
      • identifying at least one of a violation or a vulnerability, a violation indicating a deviant state in the corresponding rule, a vulnerability indicating a rule potentially violating a value specified in a desired state in the corresponding rule;
      • identifying the policy to which the rule belongs;
      • identifying other breaches of rules in the identified policy to which the originally breached rule belongs; and
      • assessing the cumulative rule breaches of rules in a policy to compute if a policy violation had occurred.
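The compliance loop the claim describes (rules with a scope, a tested attribute and a desired value; discovered state per host; change notifications compared against the rule; violation versus vulnerability; dependency lookup; and aggregation of breaches into a policy verdict) is sketched below as an added Python example. It is not code from the patent or its assignee. The inventory, the rule set, the "within 10% of a maximum counts as a vulnerability" margin and the "one violated rule violates the policy" threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class NetworkObject:
    """A discovered service or application on a host, with the state attributes
    a host probe or passive listener reported for it."""
    name: str
    kind: str
    host: str
    attributes: Dict[str, object] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    policy: str                                # the policy this rule belongs to
    scope: Callable[[NetworkObject], bool]     # which network objects the rule applies to
    attribute: str                             # state attribute tested by the condition
    expected: object                           # desired value for that attribute
    condition: str = "equals"                  # "equals": must match; "max": must not exceed
    warn_margin: float = 0.10                  # assumption: within 10% of a max is a vulnerability


@dataclass(frozen=True)
class Breach:
    rule: str
    policy: str
    obj: str
    kind: str          # "violation" (deviant state) or "vulnerability" (about to deviate)
    observed: object


def evaluate_rule(rule: Rule, obj: NetworkObject) -> Optional[Breach]:
    """Compare an object's current attribute value with the rule's desired state."""
    if not rule.scope(obj) or rule.attribute not in obj.attributes:
        return None
    value = obj.attributes[rule.attribute]
    if rule.condition == "equals":
        if value != rule.expected:
            return Breach(rule.name, rule.policy, obj.name, "violation", value)
        return None
    if rule.condition == "max":
        limit = float(rule.expected)
        if value > limit:
            return Breach(rule.name, rule.policy, obj.name, "violation", value)
        if value >= limit * (1.0 - rule.warn_margin):
            return Breach(rule.name, rule.policy, obj.name, "vulnerability", value)
        return None
    raise ValueError(f"unknown condition: {rule.condition}")


class ComplianceServer:
    def __init__(self, rules: List[Rule], inventory: List[NetworkObject],
                 consumers: Dict[str, Set[str]], policy_threshold: int = 1):
        self.rules = rules
        self.inventory = {o.name: o for o in inventory}
        self.consumers = consumers                  # service -> applications that depend on it
        self.policy_threshold = policy_threshold    # assumption: violated rules needed for a policy violation

    def notify(self, obj_name: str, attribute: str, new_value: object) -> List[Breach]:
        """Apply a notified state change and return the rule breaches it causes."""
        obj = self.inventory[obj_name]
        obj.attributes[attribute] = new_value
        found = [evaluate_rule(r, obj) for r in self.rules if r.attribute == attribute]
        return [b for b in found if b is not None]

    def assess_policy(self, policy: str) -> Dict[str, object]:
        """Re-check every rule in the policy across the inventory and decide the policy verdict."""
        breaches: List[Breach] = []
        for rule in (r for r in self.rules if r.policy == policy):
            for obj in self.inventory.values():
                b = evaluate_rule(rule, obj)
                if b is not None:
                    breaches.append(b)
        violations = sum(1 for b in breaches if b.kind == "violation")
        return {"policy": policy, "breaches": breaches,
                "violated": violations >= self.policy_threshold}

    def impacted_applications(self, service: str) -> Set[str]:
        """Dependency lookup: which applications consume a breached service."""
        return set(self.consumers.get(service, set()))


def build_demo_server() -> ComplianceServer:
    # Constructed inventory, rules and dependency map; none of it comes from the patent.
    inventory = [
        NetworkObject("orders-db", "database", "db01", {"tls_enabled": True, "open_ports": 2}),
        NetworkObject("orders-web", "web", "web01", {"tls_enabled": True, "open_ports": 2}),
    ]
    rules = [
        Rule("db-tls-required", "data-protection", lambda o: o.kind == "database", "tls_enabled", True),
        Rule("web-tls-required", "data-protection", lambda o: o.kind == "web", "tls_enabled", True),
        Rule("max-open-ports", "attack-surface", lambda o: True, "open_ports", 4,
             condition="max", warn_margin=0.25),
    ]
    consumers = {"orders-db": {"orders-app"}, "orders-web": {"orders-app", "storefront"}}
    return ComplianceServer(rules, inventory, consumers)


if __name__ == "__main__":
    srv = build_demo_server()
    print(srv.assess_policy("data-protection")["violated"])        # False: nothing breached yet
    print(srv.notify("orders-db", "tls_enabled", False))           # one violation on db-tls-required
    print(srv.assess_policy("data-protection")["violated"])        # True: the policy is now violated
    print(srv.notify("orders-web", "open_ports", 3))               # vulnerability: 3 is within 25% of 4
    print(srv.impacted_applications("orders-db"))                  # {'orders-app'}
```

A notification only re-evaluates rules that test the changed attribute, while `assess_policy` walks the whole policy so that breaches of sibling rules are counted together, which is the aggregation step the claim ends on.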

  • 9 Assignments