Analysis of distributed policy rule-sets for compliance with global policy
First Claim
1. A computer-implemented method for analysis of distributed device rule-sets for compliance with global policies, the method executable by a computer having a processor and memory, comprising:
receiving from an administrator a network topology with a plurality of reachable, intercommunicating elements and associated parameters required to secure the intercommunication with one or more access control elements of the network topology;
establishing connections to the access control elements to capture a snapshot configuration of device rule-sets of the one or more access control elements;
receiving from the administrator a set of global access constraints with reference to the plurality of access control elements;
generating a multi-layered rule graph that captures network interconnectivity and data flow among the intercommunicating elements, where each of a plurality of nodes in the multi-layered rule graph represents a possible access decision by an access control element and paths of the multi-layered rule graph represent sequences of access decisions;
conducting statistical analysis using model-based importance sampling of the multi-layered rule graph to determine violations by the device rule-sets that fail to comply with the set of global access constraints, the importance sampling quantitatively characterizing a level of compliance with the global access constraints without conducting analysis of all potential paths of the multi-layered rule graph; and
providing results of the statistical analysis to the administrator through a graphical user interface (GUI) of the computer as the results are obtained so that the administrator can watch the progress of the analysis.
2 Assignments
0 Petitions
Abstract
A method for analysis of distributed device rule-sets for compliance with global policies includes enabling an administrator to specify a network topology with intercommunicating elements and parameters required to secure the intercommunication with access control elements of the network topology; establishing connections to the access control elements to capture a snapshot configuration of device rule-sets of the access control elements; enabling the administrator to specify a set of global access constraints with reference to the access control elements; enabling the administrator to select between exhaustive analysis and statistical analysis; conducting the selected analysis to determine violations by the device rule-sets that fail to comply with the set of global access constraints, wherein statistical analysis quantitatively characterizes a level of compliance without conducting analysis of all potential network paths; and providing results of the selected analysis to the administrator through a graphical user interface (GUI) as the results are obtained.
161 Citations
34 Claims
1. (Independent; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system for analyzing distributed policy rule-sets for compliance with global policies, the system comprising:
a graphical user interface (GUI) through which an administrator specifies a network topology with a plurality of reachable, intercommunicating elements and associated parameters required to secure the intercommunication with one or more access control elements of the network topology;
an analysis engine in communication with the GUI and with the plurality of elements, the analysis engine including a processor operable to unify a plurality of device rule-sets associated with the one or more access control elements, and to convert the device rule-sets into a software language format presentable to the administrator through the GUI; and
a memory to store an administrator-specified global access policy (GAP) that includes a plurality of global access constraints with reference to the plurality of elements, and to store the plurality of access policy rules;
wherein the processor is operable to: generate a multi-layered rule graph that captures network interconnectivity and data flow among the intercommunicating elements, where each of a plurality of nodes in the multi-layered rule graph represents a possible access decision by an access control element and paths of the multi-layered rule graph represent sequences of access decisions; conduct statistical analysis using model-based importance sampling of the multi-layered rule graph to determine violations by the device rule-sets that fail to comply with the GAP, the importance sampling quantitatively characterizing a level of compliance with the GAP without conducting analysis of all potential paths of the multi-layered rule graph; and provide results of the selected compliance analysis in real time to the GUI for viewing by the administrator as the results are obtained.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24.
25. A non-transitory computer readable medium including machine-readable instructions executable by a processor that cause a computer including the processor and memory to perform the operations of:
enabling an administrator to specify a network topology with a plurality of reachable, intercommunicating elements and associated parameters required to secure the intercommunication with one or more access control elements of the network topology;
establishing connections to the access control elements to capture a snapshot configuration of device rule-sets of the one or more access control elements;
enabling the administrator to specify a set of global access constraints with reference to the plurality of access control elements;
generating a multi-layered rule graph that captures network interconnectivity and data flow among the intercommunicating elements, where each of a plurality of nodes in the multi-layered rule graph represents a possible access decision by an access control element and paths of the multi-layered rule graph represent sequences of access decisions;
conducting statistical analysis using model-based importance sampling of the multi-layered rule graph to determine violations by the device rule-sets that fail to comply with the set of global access constraints, the importance sampling quantitatively characterizing a level of compliance with the global access constraints without conducting analysis of all potential paths of the multi-layered rule graph; and
providing results of the selected analysis to the administrator in real time through a graphical user interface (GUI) as the results are obtained so that the administrator can watch the progress of the analysis.
Dependent claims: 26, 27.
28. A computer-implemented method for analysis of distributed device rule-sets for compliance with global policies, the method executable by a computer having a processor and memory, comprising:
receiving from an administrator a network topology with a plurality of reachable, intercommunicating elements and associated parameters required to secure the intercommunication with one or more access control elements of the network topology;
establishing connections to the access control elements to capture a snapshot configuration of device rule-sets of the one or more access control elements;
receiving from the administrator a set of global access constraints with reference to the plurality of access control elements;
generating a multi-layered rule graph that captures network interconnectivity and data flow among the intercommunicating elements, where each of a plurality of nodes in the multi-layered rule graph represents a possible access decision by an access control element and paths of the multi-layered rule graph represent sequences of access decisions;
receiving a selection to perform model-based statistical analysis to determine violations by the device rule-sets that fail to comply with the set of global access constraints, where statistical analysis quantitatively characterizes a level of compliance without conducting analysis of all potential paths of the network topology;
conducting the statistical analysis by selecting a probability distribution that biases sampling paths having device rule-sets that increase the likelihood of discovering violations of the global access constraints in the device rule-sets of sampled paths; and
providing results of the statistical analysis to the administrator as the results are obtained.
Dependent claims: 29, 30, 31, 32, 33, 34.
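The abstract and the independent claims describe one pipeline in words: a snapshot of each access control element's ordered rule-set, a topology giving the order in which a flow crosses those elements, a multi-layered rule graph whose nodes are per-device access decisions and whose paths are the sequence of decisions a flow meets end to end, a set of global access constraints, and either exhaustive traversal of every flow or importance sampling from a distribution biased toward paths where a violation is likely, with a weight p/q correcting the bias so the compliance estimate stays unbiased. The Python below is an added illustration written for this page; it is not code from the patent or its assignee. The two-firewall topology, the rule-sets (each deliberately containing one over-broad port 22 rule), the three constraints, the biasing weights (untrusted source, sensitive destination, ports named by permit rules) and the `on_result` callback standing in for the GUI's live progress view are all constructed assumptions.

```python
import random
from dataclasses import dataclass
from typing import Optional

# ---- Constructed sample input (hypothetical; not from the patent) ----

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # zone name or "any"
    dst: str              # zone name or "any"
    port: Optional[int]   # None matches every port

    def matches(self, src, dst, port):
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and self.port in (None, port))

# Snapshot of each access control element's ordered, first-match rule-set.
DEVICE_RULES = {
    "fw_edge": [
        Rule("permit", "internet", "dmz", 80),
        Rule("permit", "internet", "dmz", 443),
        Rule("permit", "any", "any", 22),        # over-broad admin rule (assumed defect)
        Rule("deny", "any", "any", None),
    ],
    "fw_core": [
        Rule("permit", "dmz", "db", 3306),
        Rule("permit", "corp", "db", 22),
        Rule("permit", "corp", "dmz", None),
        Rule("permit", "any", "db", 22),         # over-broad: trusts any source on 22
        Rule("deny", "any", "any", None),
    ],
}

# Topology: the access control layers a (src, dst) flow crosses, in order.
ROUTES = {
    ("internet", "dmz"): ["fw_edge"],
    ("internet", "db"): ["fw_edge", "fw_core"],
    ("dmz", "db"): ["fw_core"],
    ("corp", "db"): ["fw_core"],
    ("corp", "dmz"): ["fw_core"],
}
PORTS = [22, 80, 443, 3306]
FLOWS = [(s, d, p) for (s, d) in ROUTES for p in PORTS]   # the full flow space (20 flows)
SENSITIVE, UNTRUSTED = {"db"}, {"internet"}               # used only to bias sampling

# Global access constraints: (name, predicate on a flow, required end-to-end decision).
CONSTRAINTS = [
    ("no-internet-to-db", lambda s, d, p: s == "internet" and d == "db", "deny"),
    ("dmz-reaches-db-3306", lambda s, d, p: s == "dmz" and d == "db" and p == 3306, "permit"),
    ("no-ssh-from-internet", lambda s, d, p: s == "internet" and p == 22, "deny"),
]

def decision_path(flow):
    """Walk the multi-layered rule graph: one node (device, rule index, action) per layer."""
    src, dst, port = flow
    path = []
    for device in ROUTES[(src, dst)]:
        for i, rule in enumerate(DEVICE_RULES[device]):
            if rule.matches(src, dst, port):
                path.append((device, i, rule.action))
                break
        else:
            path.append((device, None, "deny"))   # implicit default deny
    return path

def end_to_end(flow):
    """A flow is reachable only if every layer on its path permits it."""
    return "permit" if all(a == "permit" for _, _, a in decision_path(flow)) else "deny"

def violations_of(flow):
    return [name for name, pred, want in CONSTRAINTS
            if pred(*flow) and end_to_end(flow) != want]

def exhaustive_analysis(on_result=None):
    """Check every path in the flow space; report each violation as it is found."""
    found = []
    for flow in FLOWS:
        for name in violations_of(flow):
            found.append((flow, name))
            if on_result:
                on_result(flow, name, decision_path(flow))
    return found

def proposal():
    """Biased sampling distribution q over flows: favour untrusted sources, sensitive
    destinations and ports that permit rules mention, i.e. paths where violations are likelier."""
    pair_w = {}
    for (s, d) in ROUTES:
        w = 1.0
        if d in SENSITIVE:
            w *= 3.0
        if s in UNTRUSTED:
            w *= 2.0
        pair_w[(s, d)] = w
    port_w = {p: 1.0 + sum(1 for rules in DEVICE_RULES.values() for r in rules
                           if r.action == "permit" and r.port in (None, p))
              for p in PORTS}
    return pair_w, port_w

def statistical_analysis(n_samples, seed=0, on_result=None):
    """Importance sampling: draw flows from q, weight each violating flow by p/q with p the
    uniform distribution over FLOWS, so the mean is an unbiased estimate of the fraction
    of flows that violate some constraint without visiting every path."""
    rng = random.Random(seed)
    pair_w, port_w = proposal()
    pairs, pw = list(pair_w), list(pair_w.values())
    ports, ptw = list(port_w), list(port_w.values())
    p_uniform = 1.0 / len(FLOWS)
    total, discovered = 0.0, set()
    for _ in range(n_samples):
        pair = rng.choices(pairs, weights=pw)[0]
        port = rng.choices(ports, weights=ptw)[0]
        flow = (*pair, port)
        q = (pair_w[pair] / sum(pw)) * (port_w[port] / sum(ptw))
        viol = violations_of(flow)
        if viol:
            total += p_uniform / q            # importance weight corrects the sampling bias
            for name in viol:
                if (flow, name) not in discovered:
                    discovered.add((flow, name))
                    if on_result:
                        on_result(flow, name, decision_path(flow))
    return {"estimated_violation_rate": total / n_samples,
            "violations": discovered, "samples": n_samples}

if __name__ == "__main__":
    report = lambda flow, name, path: print(f"violation {name}: {flow} via {path}")
    print("exhaustive:", len(exhaustive_analysis(on_result=report)), "violations")
    print("statistical:", statistical_analysis(4000, on_result=report))
```

With these assumptions both analyses find the same two offending flows, internet to dmz and internet to db on port 22, the second reaching db only because the edge and core rule-sets each contain an over-broad port 22 permit that is harmless in isolation; that is the kind of cross-device interaction a per-firewall review misses and the rule graph exposes. The sampled estimate converges to the exhaustive violation rate of 2/20 because of the p/q correction; without it the biased sampler would overstate non-compliance.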
Specification