Application service policy compliance server
First Claim
1. A method of assessing application services compliance with network policies comprising:
- identifying a set of rules, each of the rules defining a desired state of the application services in an information network, wherein a plurality of rules define a policy and the policy includes a plurality of rules that identify network objects, a scope of the rule identifying which network objects it applies to, and a condition to test for satisfaction of the rule;
- performing discovery on applications configured in a network environment, the applications coupled to services executing on hosts in the network environment, the discovery identifying configuration and topological data applicable to the rules, performing discovery on applications configured in the network environment further comprising:
  - invoking a host probe to query a host about configuration data; and
  - performing passive listening on hosts, passive listening including observing the communication flow between the hosts, wherein the configuration and topological data is state information including attributes having values, the attributes indicative of adherence to a desired state based on the values matching an expected value for a desired state reflected in the corresponding rule;
- identifying dependencies between applications and services by determining consumers of the services dependent upon the services to serve the applications;
- receiving notifications indicative of the discovered configuration and topological data, the notifications reflecting modification of a particular value of a network state of an application service;
- comparing the received modified value with a desired intended value specified in a corresponding rule; and
- identifying a rule breach, the breach indicative of the network state misaligned with a rule, by comparing a received modified value with the value corresponding to the desired state, identifying the rule breach further comprising:
  - identifying at least one of a violation or a vulnerability, a violation indicating a deviant state in the corresponding rule, a vulnerability indicating a rule potentially violating a value specified in a desired state in the corresponding rule;
  - identifying the policy to which the rule belongs;
  - identifying other breaches of rules in the identified policy to which the originally breached rule belongs; and
  - assessing the cumulative rule breaches of rules in a policy to compute if a policy violation had occurred.
Abstract
In a large network, it can be difficult to pinpoint and track down the causes of breaches of established policies. A compliance policy server allows traversal of notifications according to breaches, organizes the breaches (vulnerabilities and violations) according to severity and recurrence, and identifies related rules and application services and network entities which may be related to the breach. An integrated graphical user interface (GUI) provides efficient, timely traversal and analysis of rule breaches across the network to allow quick, efficient identification of the underlying cause or condition of the rule breach, as well as identify impact on application services and network entities. A discoverer gathers configuration data including notifications of changes, alerts, and conditions in the network that are pertinent to the rule breaches. A compliance engine evaluates the configuration and topological data against the rules to identify breaches. Collective breaches pertaining to a common application or service or dependency indicate a common underlying condition causing the breach, therefore providing efficient correction of the underlying condition.
15 Claims
1. Independent claim 1 is set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A policy server operable to assess application compliance with network policies comprising:
- a repository for storing an identified set of rules, each of the rules defining a desired state of the network, wherein a plurality of rules define a policy and the policy includes a plurality of rules that identify network objects, a scope of the rule identifying which network objects it applies to, and a condition to test for satisfaction of the rule;
- a discoverer for performing discovery on applications configured in a network environment, the applications coupled to services executing on hosts in the network environment, the discovery identifying configuration and topological data applicable to the rules, the discoverer further operable to identify dependencies between applications and services by determining consumers of the services dependent upon the services to serve the applications, invoke a host probe to query a host about configuration data and perform passive listening on hosts including observing the communication flow between the hosts;
- an interface to the network for receiving notifications indicative of the discovered configuration and topological data, the notifications reflecting modification of a particular value of a network state; and
- a compliance engine for comparing the received modified value with a desired intended value specified in a corresponding rule, the compliance engine further operable for identifying a rule breach, the breach indicative of a network state misaligned with a rule, by comparing a received modified value with the value corresponding to the desired state, the configuration and topological data being state information including attributes having values, the attributes indicative of adherence to a desired state based on the values matching an expected value for a desired state reflected in the corresponding rule, wherein the compliance engine is further operable to identify a rule breach by identifying at least one of a violation or a vulnerability, a violation indicating a deviant state in the corresponding rule, a vulnerability indicating a rule potentially violating a value specified in a desired state in the corresponding rule, identifying the policy to which the rule belongs, identifying other breaches of rules in the identified policy to which the originally breached rule belongs, and assessing the cumulative rule breaches of rules in a policy to compute if a policy violation has occurred.

Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer program product having computer program code stored on a non-transitory computer readable storage medium, the computer program code embodied as encoded instructions on the storage medium that, when executed by a processor, causes a computer to assess application compliance with network policies, the computer program code comprising:
- computer program code for identifying a set of rules, each of the rules defining a desired state of the network, wherein a plurality of rules define a policy and the policy includes a plurality of rules that identify network objects, a scope of the rule identifying which network objects it applies to, and a condition to test for satisfaction of the rule;
- computer program code for performing discovery on applications configured in a network environment, the applications coupled to services executing on hosts in the network environment, the discovery identifying configuration and topological data applicable to the rules, computer program code for performing discovery on applications configured in the network environment further comprising:
  - computer program code for invoking a host probe to query a host about configuration data; and
  - computer program code for performing passive listening on hosts, passive listening including observing the communication flow between the hosts, wherein the configuration and topological data is state information including attributes having values, the attributes indicative of adherence to a desired state based on the values matching an expected value for a desired state reflected in the corresponding rule;
- computer program code for identifying dependencies between applications and services by determining consumers of the services dependent upon the services to serve the applications;
- computer program code for receiving notifications indicative of the discovered configuration data, the notifications reflecting modification of a particular value of a network state;
- computer program code for comparing the received modified value with a desired intended value specified in a corresponding rule; and
- computer program code for identifying a rule breach, the breach indicative of a network state misaligned with a rule, by comparing a received modified value with the value corresponding to the desired state, the configuration data being state information including attributes having values, the attributes indicative of adherence to a desired state based on the values matching an expected value for a desired state reflected in the corresponding rule, computer program code for identifying the rule breach further comprising:
  - computer program code for identifying at least one of a violation or a vulnerability, a violation indicating a deviant state in the corresponding rule, a vulnerability indicating a rule potentially violating a value specified in a desired state in the corresponding rule;
  - computer program code for identifying the policy to which the rule belongs;
  - computer program code for identifying other breaches of rules in the identified policy to which the originally breached rule belongs; and
  - computer program code for assessing the cumulative rule breaches of rules in a policy to compute if a policy violation has occurred.
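Claims 1, 8 and 15 describe one engine in method, apparatus and program-product form. The following is an added example, not the patent's code: a minimal Python compliance engine with the claimed elements (rules grouped into policies, each with a scope and a condition; notifications of a changed state value; violation versus vulnerability classification; recurrence tracking; cumulative assessment of a policy). The prefix-based scope encoding, the 10% warning band, the two-rule policy threshold and the sample rules are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    policy: str       # policy the rule belongs to
    scope: str        # network objects it applies to, as an object-name prefix (assumed encoding)
    attr: str         # state attribute the condition tests
    expected: object  # desired value ("eq") or upper bound ("max")
    kind: str = "eq"

class ComplianceEngine:
    def __init__(self, rules, policy_threshold=2):
        self.rules = rules
        self.policy_threshold = policy_threshold  # breached rules before the policy is violated
        self.breaches = {}           # (rule, object) -> "violation" | "vulnerability"
        self.recurrence = Counter()  # breach count per (rule, object), for severity/recurrence triage

    def classify(self, rule, value):
        """Violation: deviant state; vulnerability: a "max" rule within 10% of its limit (assumed band)."""
        if rule.kind == "eq":
            return None if value == rule.expected else "violation"
        if value > rule.expected:
            return "violation"
        return "vulnerability" if value > 0.9 * rule.expected else None

    def notify(self, obj, attr, value):
        """One discovery notification (object, attribute, new value); returns a
        (kind, policy, policy_violated) tuple for every rule breached by it."""
        events = []
        for rule in self.rules:
            if rule.attr != attr or not obj.startswith(rule.scope):
                continue  # attribute or object outside this rule's scope
            key, kind = (rule, obj), self.classify(rule, value)
            if kind is None:
                self.breaches.pop(key, None)  # object returned to the desired state
                continue
            self.breaches[key] = kind
            self.recurrence[key] += 1
            events.append((kind, rule.policy, self.policy_violated(rule.policy)))
        return events

    def policy_violated(self, policy):
        """Cumulative assessment: distinct rules of the policy currently in violation."""
        violated = {r for (r, _), k in self.breaches.items() if r.policy == policy and k == "violation"}
        return len(violated) >= self.policy_threshold

# Constructed rules: a hardening policy for web hosts and a capacity policy for the database service.
RULES = [Rule("web-hardening", "web", "tls_min_version", "1.2"),
         Rule("web-hardening", "web", "admin_port_open", False),
         Rule("capacity", "db", "connections", 100, "max")]
```

A single breached rule reports its policy as still compliant; the policy flips to violated only once the second rule of the same policy is in violation, and clears again when a rule returns to its desired value.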