Automated configuration of network devices administered by policy enforcement

US 8,458,301 B1
Filed: 10/29/2010
Issued: 06/04/2013
Est. Priority Date: 10/30/2009
Status: Active Grant

First Claim

Patent Images

1. A system for automated configuration of devices within a network by policy enforcement comprising:

A server having;

a configuration module located at said server for initialization and configuration of a network;

a discovery module located at said server for discovery initialization of network infrastructure devices (NIDs) on said network;

an action module located at said server for action management of NIDs on said network;

a role module located at said server for role management characterizing said NIDs, interfaces, users, and endpoints on said network;

a profiling module located at said server for device profiling, identifying types of said endpoints connected to said NIDs on said network;

an external policy module located at said server for external policy notification whereby systems external to said network are configured to inform said system with events and alerts;

a compliance module located at said server for compliance of endpoints on said network by agent security policy; and

a correlation engine module located at said server for determining actions to apply to said NI Ds when trigger events occur, wherein said correlation comprises;

gathering connection time, endpoint status, identity of user logged into said endpoint, identity of endpoint owner and point of access NID or port role;

if said NID is configured for interface-based actions, most secure status representing all endpoints connected to said interface is computed, and if statusor role has action defined, and endpoint NID has same action applied, no action is taken;

if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does not have previous action applied, set action is executed and undo action parameters are saved;

if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does have previous action applied, undo action is executed using saved parameters, and set action is executed and undo action parameters are saved;

if said NID is configured for said interface-based actions, said most secure status representing all endpoints connected to said interface is computed, andif neither said status nor role has action defined, and said endpoint NID does not have previous action applied, no action is taken;

if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if neither said status nor role has action defined, and said endpoint NID does have previous action applied, undo action is executed using saved parameters;

if said NID is configured for client-based actions, use individual endpoint status and if status or role has action defined, and endpoint NID has same action applied, no action is taken;

if said NID is configured for said client-based actions, said individual endpoint status is used and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID doesnot have previous action applied, set action is executed and undo action parameters are saved;

if said NID is configured for said client-based actions, said individual endpoint status is used and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does have previous action applied, undo action is executed using saved parameters, and set action is executed and undo action parameters are saved;

if said NID is configured for said client-based actions, use said individual endpoint status and if neither said status nor said role has action defined, and said endpoint NID does not have previous action applied, no action is taken; and

if said NID is configured for said client-based actions, use said individual endpoint status and if neither said status nor said role has action defined, and said endpoint NID does have previous action applied, undo action is executed using saved parameters;

whereby said system controls connections between said endpoint devices and users with network infrastructure and information technology (IT) resources of said network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for dynamic device configuration enabling network and security administrators to define policies that indicate event and alert conditions within their networks. The policies incorporate information about network devices, endpoints connected to those devices, input from external security systems, local endpoint policy compliance, and date/time-of-day to determine whether to generate an event or alert. Events and alerts can be associated with actions that effect changes to network device configurations in order to maintain a desired operational state of the network.

Citations

18 Claims

1. A system for automated configuration of devices within a network by policy enforcement comprising:
- A server having;
  
  a configuration module located at said server for initialization and configuration of a network;
  
  a discovery module located at said server for discovery initialization of network infrastructure devices (NIDs) on said network;
  
  an action module located at said server for action management of NIDs on said network;
  
  a role module located at said server for role management characterizing said NIDs, interfaces, users, and endpoints on said network;
  
  a profiling module located at said server for device profiling, identifying types of said endpoints connected to said NIDs on said network;
  
  an external policy module located at said server for external policy notification whereby systems external to said network are configured to inform said system with events and alerts;
  
  a compliance module located at said server for compliance of endpoints on said network by agent security policy; and
  
  a correlation engine module located at said server for determining actions to apply to said NI Ds when trigger events occur, wherein said correlation comprises;
  
  gathering connection time, endpoint status, identity of user logged into said endpoint, identity of endpoint owner and point of access NID or port role;
  
  if said NID is configured for interface-based actions, most secure status representing all endpoints connected to said interface is computed, and if statusor role has action defined, and endpoint NID has same action applied, no action is taken;
  
  if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does not have previous action applied, set action is executed and undo action parameters are saved;
  
  if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does have previous action applied, undo action is executed using saved parameters, and set action is executed and undo action parameters are saved;
  
  if said NID is configured for said interface-based actions, said most secure status representing all endpoints connected to said interface is computed, andif neither said status nor role has action defined, and said endpoint NID does not have previous action applied, no action is taken;
  
  if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if neither said status nor role has action defined, and said endpoint NID does have previous action applied, undo action is executed using saved parameters;
  
  if said NID is configured for client-based actions, use individual endpoint status and if status or role has action defined, and endpoint NID has same action applied, no action is taken;
  
  if said NID is configured for said client-based actions, said individual endpoint status is used and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID doesnot have previous action applied, set action is executed and undo action parameters are saved;
  
  if said NID is configured for said client-based actions, said individual endpoint status is used and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does have previous action applied, undo action is executed using saved parameters, and set action is executed and undo action parameters are saved;
  
  if said NID is configured for said client-based actions, use said individual endpoint status and if neither said status nor said role has action defined, and said endpoint NID does not have previous action applied, no action is taken; and
  
  if said NID is configured for said client-based actions, use said individual endpoint status and if neither said status nor said role has action defined, and said endpoint NID does have previous action applied, undo action is executed using saved parameters;
  
  whereby said system controls connections between said endpoint devices and users with network infrastructure and information technology (IT) resources of said network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein said configuration comprises:
    - discovering network infrastructure devices (NID) by administrator;
      
      defining actions to perform on said discovered NIDs;
      
      defining roles to assign to endpoints connected to said discovered NIDs;
      
      defining endpoint profiles;
      
      configuring external security systems to provide notification when events/alerts occur; and
      
      defining endpoint security policies,wherein, when completely configured, defined actions are automatically performed for defined conditions.
  - 3. The system of claim 1, wherein said discovery comprises:
    - identifying types of discovered NIDs;
      
      creating model representations for said discovered NIDs;
      
      querying said discovered NIDs to learn of interfaces each said discovered NID supports;
      
      creating model representations for said interfaces; and
      
      creating groups.
  - 4. The system of claim 1, wherein said action management comprises:
    - creating actions for NID model types;
      
      andassigning actions to specific NID model instances for status transition states and roles.
  - 5. The system of claim 1, wherein said role management comprises:
    - creating roles characterizing users and endpoints; and
      
      associating said roles with actions for a group of NID or interface models.
  - 6. The system of claim 1, wherein said device profiling comprises:
    - creating device profiling rules;
      
      connection of an endpoint to at least one said NID;
      
      collecting endpoint profile data from said at least one NID;
      
      identifying endpoint type from said profiles;
      
      creating models for said endpoints;
      
      setting status of said model; and
      
      assigning a role for said model.
  - 7. The system of claim 1, wherein said external policy notification comprises:
    - configuring external systems to generate events and alerts directed to said system;
      
      identifying endpoint associated with said event or alert;
      
      setting status of said endpoint according to rules created by administrator.
  - 8. The system of claim 1, wherein said endpoint compliance by agent security policy comprises:
    - defining security policies identifying required and prohibited software;
      
      attempting to communicate with an agent on said endpoint;
      
      downloading an agent if none present;
      
      running said agent;
      
      obtaining information about said endpoint;
      
      selecting appropriate security policy;
      
      sending said appropriate security policy to said agent;
      
      executing said appropriate security policy by said agent on said endpoint;
      
      responding with results of execution of said appropriate security policy;
      
      determining status of said endpoint from said results; and
      
      setting status of endpoint model for said endpoint.

9. A method for automated configuration of devices within a network by policy enforcement comprising the steps of:
- configuring at a server, initialization of said network;
  
  initializing at said server, discovery of network infrastructure devices (NIDs) on said network;
  
  managing at said server, action of said NIDs on said network;
  
  managing at said server, roles characterizing said devices, users, and endpoints on said network;
  
  profiling at said server, said devices, identifying types of said endpoints connected to said NIDs on said network;
  
  external policy notification from said server, whereby systems external to said network are configured with policy notification from events and alerts;
  
  compliance of said endpoints by said server, on said network by agent security policy; and
  
  correlating at said server, whereby actions to apply to said NIDs when trigger events occur are determined, said correlating comprises;
  
  gathering connection time, endpoint status, identity of user logged into said endpoint, identity of endpoint owner and point of access NID or port role;
  
  if said NID is configured for interface-based actions, most secure status representing all endpoints connected to said interface is computed, and if status or role has action defined, and endpoint NID has same action applied, no action is taken;
  
  if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does not have previous action applied, set action is executed and undo action parameters are saved;
  
  if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does have previous action applied, undo action is executed using saved parameters, and set action is executed and undo action parameters are saved;
  
  if said NID is configured for said interface-based actions, said most secure status representing all endpoints connected to said interface is computed, andif neither said status nor role has action defined, and said endpoint NID does not have previous action applied, no action is taken;
  
  if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if neither said status nor role has action defined, and said endpoint NID does have previous action applied, undo action is executed using saved parameters;
  
  if said NID is configured for client-based actions, use individual endpoint status and if status or role has action defined, and endpoint NID has same action applied, no action is taken;
  
  if said NID is configured for said client-based actions, said individual endpoint status is used and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does not have previous action applied, set action is executed and undo action parameters are saved;
  
  if said NID is configured for said client-based actions, said individual endpoint status is used and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does have previous action applied, undo action is executed using saved parameters, and set action is executed and undo action parameters are saved;
  
  if said NID is configured for said client-based actions, use said individual endpoint status and if neither said status nor said role has action defined, and said endpoint NID does not have previous action applied, no action is taken; and
  
  if said NID is configured for said client-based actions, use said individual endpoint status and if neither said status nor said role has action defined, and said endpoint NID does have previous action applied, undo action is executed using saved parameters;
  
  whereby endpoint devices and users are connected with network infrastructure and information technology (IT) resources of said network.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, wherein said initialization configuration comprises:
    - discovering said network infrastructure devices (NIDs) by administrator;
      
      defining actions to perform on said discovered NIDs;
      
      defining roles to assign to endpoints connect to said discovered NIDs;
      
      defining endpoint profiles;
      
      configuring external security systems to provide notification when events/alerts occur; and
      
      defining endpoint security policies,wherein, when completely configured, defined actions are automatically performed for defined conditions.
  - 11. The method of claim 9, wherein said discovery initialization comprises:
    - identifying types of said discovered NIDs;
      
      creating model representations for said discovered NIDs;
      
      querying said discovered NIDs to learn of interfaces each said discovered NID supports;
      
      creating model representations for said interfaces; and
      
      creating groups.
  - 12. The method of claim 9, wherein said action management comprises:
    - creating actions for NID model types;
      
      andassigning actions to specific NID model instances for status transition states and roles.
  - 13. The method of claim 9, wherein said role management comprises:
    - creating roles characterizing users and endpoints; and
      
      associating said roles with actions for a group of NID or interface models.
  - 14. The method of claim 9, wherein said device profiling comprises:
    - creating device profiling rules;
      
      connection of an endpoint to at least one said NID;
      
      collecting endpoint profile data from said at least one NID;
      
      identifying endpoint type from said profiles;
      
      creating models for said endpoints;
      
      setting status of said model; and
      
      assigning a role for said model.
  - 15. The method of claim 9, wherein said external policy notification comprises:
    - configuring external systems to generate events and alerts directed to said system;
      
      identifying endpoint associated with said event or alert;
      
      setting status of said endpoint according to rules created by administrator.
  - 16. The method of claim 9, wherein said compliance of endpoints by agent security policy comprises:
    - defining security policies identifying required and prohibited software;
      
      attempting to communicate with an agent on said endpoint;
      
      downloading an agent if none present;
      
      running said agent;
      
      obtaining information about said endpoint;
      
      selecting appropriate security policy;
      
      sending said appropriate security policy to said agent;
      
      executing said appropriate security policy by said agent on said endpoint;
      
      responding with results of execution of said appropriate security policy;
      
      determining status of said endpoint from said results; and
      
      setting status of endpoint model for said endpoint.
  - 17. The method of claim 9, wherein said endpoint devices comprise PCs, laptops, handheld devices, IP phones, game consoles, security cameras, HVAC systems, and hospital systems;
    - andsaid network infrastructure and IT resources comprise wireless LAN, wired LAN, WAN, VPN, internet, e-mail, databases, and DHCP/DNS.

18. An apparatus for automated computer network device configuration by policy enforcement comprising:
- a microprocessor operating on instructions of a configuration module for initialization configuration of said computer network;
  
  a discovery module for discovery initialization of network infrastructure devices (NIDs) on said computer network through at least one physical communication connection;
  
  an action module executed by a microprocessor for action management of access devices on said computer network;
  
  a role module for role management characterizing devices, users, and endpoints on said computer network;
  
  a profiling module for device profiling identifying types of said endpoints connected to said NIDs on said computer network through at least one physical communication connection;
  
  an external policy module for external policy notification whereby computer system components located external to said devices of said computer network are configured with policy notification from events and alerts;
  
  a compliance module for compliance of said endpoints on said computer network by agent security policy; and
  
  a correlation engine module for determining actions to apply to said NIDs when trigger events occur, wherein said correlation comprises;
  
  gathering connection time, endpoint status, identity of user logged into said endpoint, identity of endpoint owner and point of access NID or port role;
  
  if said NID is configured for interface-based actions, most secure status representing all endpoints connected to said interface is computed, and if status or role has action defined, and endpoint NID has same action applied, no action is taken;
  
  if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does not have previous action applied, set action is executed and undo action parameters are saved;
  
  if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does have previous action applied, undo action is executed using saved parameters, and set action is executed and undo action parameters are saved;
  
  if said NID is configured for said interface-based actions, said most secure status representing all endpoints connected to said interface is computed, andif neither said status nor role has action defined, and said endpoint NID does not have previous action applied, no action is taken;
  
  if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if neither said status nor role has action defined, and said endpoint NID does have previous action applied, undo action is executed using saved parameters;
  
  if said NID is configured for client-based actions, use individual endpoint status and if status or role has action defined, and endpoint NID has same action applied, no action is taken;
  
  if said NID is configured for said client-based actions, said individual endpoint status is used and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does not have previous action applied, set action is executed and undo action parameters are saved;
  
  if said NID is configured for said client-based actions, said individual endpoint status is used and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does have previous action applied, undo action is executed using saved parameters, and set action is executed and undo action parameters are saved;
  
  if said NID is configured for said client-based actions, use said individual endpoint status and if neither said status nor said role has action defined, and said endpoint NID does not have previous action applied, no action is taken; and
  
  if said NID is configured for said client-based actions, use said individual endpoint status and if neither said status nor said role has action defined, and said endpoint NID does have previous action applied, undo action is executed using saved parameters;
  
  whereby said apparatus controls connectivity of said endpoint devices and users with said computer network infrastructure devices and information technology (IT) resources of said computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Bradford Networks Incorporated (Fortinet Inc.)
Inventors
Andrus, Frank D., Dupont, Eric P., Roemer, Howard J. Jr.
Primary Examiner(s)
BURGESS, BARBARA N

Application Number

US12/915,577
Time in Patent Office

949 Days
Field of Search

709/203, 709/217, 709/220, 709/221, 709/222, 709/223, 709/224
US Class Current

709/220
CPC Class Codes

H04L 41/0631   using root cause analysis; ...

H04L 41/0661   by reconfiguring faulty ent...

H04L 41/0816   the condition being an adap...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Automated configuration of network devices administered by policy enforcement

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Automated configuration of network devices administered by policy enforcement

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links