Automated configuration of network devices administered by policy enforcement
First Claim
1. A system for automated configuration of devices within a network by policy enforcement comprising:
A server having:
a configuration module located at said server for initialization and configuration of a network;
a discovery module located at said server for discovery initialization of network infrastructure devices (NIDs) on said network;
an action module located at said server for action management of NIDs on said network;
a role module located at said server for role management characterizing said NIDs, interfaces, users, and endpoints on said network;
a profiling module located at said server for device profiling, identifying types of said endpoints connected to said NIDs on said network;
an external policy module located at said server for external policy notification whereby systems external to said network are configured to inform said system with events and alerts;
a compliance module located at said server for compliance of endpoints on said network by agent security policy; and
a correlation engine module located at said server for determining actions to apply to said NIDs when trigger events occur, wherein said correlation comprises:
gathering connection time, endpoint status, identity of user logged into said endpoint, identity of endpoint owner and point of access NID or port role;
if said NID is configured for interface-based actions, most secure status representing all endpoints connected to said interface is computed, and if status or role has action defined, and endpoint NID has same action applied, no action is taken;
if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does not have previous action applied, set action is executed and undo action parameters are saved;
if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does have previous action applied, undo action is executed using saved parameters, and set action is executed and undo action parameters are saved;
if said NID is configured for said interface-based actions, said most secure status representing all endpoints connected to said interface is computed, and if neither said status nor role has action defined, and said endpoint NID does not have previous action applied, no action is taken;
if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if neither said status nor role has action defined, and said endpoint NID does have previous action applied, undo action is executed using saved parameters;
if said NID is configured for client-based actions, use individual endpoint status and if status or role has action defined, and endpoint NID has same action applied, no action is taken;
if said NID is configured for said client-based actions, said individual endpoint status is used and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does not have previous action applied, set action is executed and undo action parameters are saved;
if said NID is configured for said client-based actions, said individual endpoint status is used and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does have previous action applied, undo action is executed using saved parameters, and set action is executed and undo action parameters are saved;
if said NID is configured for said client-based actions, use said individual endpoint status and if neither said status nor said role has action defined, and said endpoint NID does not have previous action applied, no action is taken; and
if said NID is configured for said client-based actions, use said individual endpoint status and if neither said status nor said role has action defined, and said endpoint NID does have previous action applied, undo action is executed using saved parameters;
whereby said system controls connections between said endpoint devices and users with network infrastructure and information technology (IT) resources of said network.
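The correlation engine in the claim above is a decision table: per mode (interface-based or client-based) it resolves the desired action from status or role, compares it with what is already applied on the NID, and then takes no action, sets an action while saving undo parameters, undoes a previous action before setting a new one, or undoes the previous action when no action is defined any more. The Python below is an added illustration of that table, not code from the patent or its assignee. The severity ordering used to compute the "most secure status", the action catalogue (quarantine_vlan, restrict_mac, block_mac), the policy shape, and the simulated switch records are assumptions; connection time, logged-in user and endpoint owner are gathered by the claimed engine but are not consulted here.

```python
"""Correlation-engine decision table from the claims, as runnable Python.
Added illustration, not the patent's code; the status ordering, the action
catalogue, the policy shape and the switch model below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed severity lattice. The claim's "most secure status representing all
# endpoints connected to said interface" is read as the most restrictive status
# present on the port, so one bad endpoint governs a shared interface.
STATUS_RANK = {"compliant": 0, "unknown": 1, "noncompliant": 2, "infected": 3}


def most_secure_status(statuses: Iterable[str]) -> str:
    return max(statuses, key=STATUS_RANK.__getitem__)


def resolve_action(policy: dict, status: str, role: str) -> Optional[str]:
    """'status or role has action defined'; status wins on conflict (assumption)."""
    return policy["status"].get(status) or policy["role"].get(role)


@dataclass
class Endpoint:
    mac: str
    status: str


@dataclass
class Applied:              # per-target bookkeeping: what is set and how to undo it
    action: str
    undo_params: dict


@dataclass
class NID:
    """A switch as the server models it: mode, port config, per-MAC ACLs, and
    the set/undo state the correlation engine maintains for it."""
    mode: str                                  # "interface" or "client"
    port_role: Dict[str, str]
    port_vlan: Dict[str, int]
    mac_acl: Dict[str, str] = field(default_factory=dict)
    applied: Dict[Tuple[str, str], Applied] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def set_action(self, action: str, port: str, mac: str) -> dict:
        """Apply an action; return exactly the parameters its undo needs."""
        if action == "quarantine_vlan":
            prev, self.port_vlan[port] = self.port_vlan[port], 999
            self.log.append(f"{port}: vlan {prev} -> 999")
            return {"vlan": prev}
        if action in ("restrict_mac", "block_mac"):
            acl = "remediation-only" if action == "restrict_mac" else "deny-all"
            self.mac_acl[mac] = acl
            self.log.append(f"{port}: acl {acl} on {mac}")
            return {"mac": mac}
        raise ValueError(f"unknown action {action}")

    def undo_action(self, action: str, port: str, params: dict) -> None:
        if action == "quarantine_vlan":
            self.port_vlan[port] = params["vlan"]
            self.log.append(f"{port}: vlan restored to {params['vlan']}")
        else:
            self.mac_acl.pop(params["mac"], None)
            self.log.append(f"{port}: acl removed from {params['mac']}")


def correlate(nid: NID, port: str, endpoints: List[Endpoint], policy: dict) -> List[str]:
    """One trigger event on one port. Interface mode evaluates a single target
    built from the folded status; client mode evaluates each endpoint on its own.
    Returns 'no-op', 'set', 'undo+set' or 'undo' per target (the claim's branches)."""
    role = nid.port_role[port]
    if nid.mode == "interface":
        targets = [("*", most_secure_status(e.status for e in endpoints))]
    else:
        targets = [(e.mac, e.status) for e in endpoints]
    outcomes = []
    for mac, status in targets:
        key = (port, mac)
        desired = resolve_action(policy, status, role)
        prev = nid.applied.get(key)
        if desired is None:                       # neither status nor role defines an action
            if prev is None:
                outcomes.append("no-op")
            else:                                 # stale action: undo with saved params
                nid.undo_action(prev.action, port, prev.undo_params)
                del nid.applied[key]
                outcomes.append("undo")
        elif prev is not None and prev.action == desired:
            outcomes.append("no-op")              # same action already applied
        else:
            if prev is not None:                  # different action applied: undo first
                nid.undo_action(prev.action, port, prev.undo_params)
            nid.applied[key] = Applied(desired, nid.set_action(desired, port, mac))
            outcomes.append("undo+set" if prev else "set")
    return outcomes


# Constructed policies for the two demos (assumed shape: status -> action, role -> action).
IFACE_POLICY = {"status": {"infected": "quarantine_vlan", "noncompliant": "quarantine_vlan"},
                "role": {"guest": "quarantine_vlan"}}
CLIENT_POLICY = {"status": {"noncompliant": "restrict_mac", "infected": "block_mac"}, "role": {}}


def demo_interface_mode() -> Tuple[List[List[str]], int]:
    """Shared port with a printer and a laptop: the laptop's infection moves the
    whole port to VLAN 999; its cleanup restores VLAN 10 from the saved params."""
    sw = NID("interface", {"Gi1/0/1": "user"}, {"Gi1/0/1": 10})
    printer, laptop = Endpoint("aa:bb:cc:00:00:01", "compliant"), Endpoint("aa:bb:cc:00:00:02", "compliant")
    runs = [correlate(sw, "Gi1/0/1", [printer, laptop], IFACE_POLICY)]
    laptop.status = "infected"
    runs.append(correlate(sw, "Gi1/0/1", [printer, laptop], IFACE_POLICY))
    runs.append(correlate(sw, "Gi1/0/1", [printer, laptop], IFACE_POLICY))   # repeat event
    laptop.status = "compliant"
    runs.append(correlate(sw, "Gi1/0/1", [printer, laptop], IFACE_POLICY))
    return runs, sw.port_vlan["Gi1/0/1"]


def demo_client_mode() -> Tuple[List[List[str]], Dict[str, str]]:
    """Per-endpoint actions: noncompliant gets a remediation ACL, escalation to
    infected undoes it and applies deny-all, and compliance undoes everything."""
    sw = NID("client", {"Gi1/0/2": "user"}, {"Gi1/0/2": 20})
    ep = Endpoint("aa:bb:cc:00:00:03", "noncompliant")
    runs = [correlate(sw, "Gi1/0/2", [ep], CLIENT_POLICY)]
    ep.status = "infected"
    runs.append(correlate(sw, "Gi1/0/2", [ep], CLIENT_POLICY))
    ep.status = "compliant"
    runs.append(correlate(sw, "Gi1/0/2", [ep], CLIENT_POLICY))
    return runs, dict(sw.mac_acl)


if __name__ == "__main__":
    print(demo_interface_mode())
    print(demo_client_mode())
```

The practitioner's check this exposes is the "same action already applied" branch: without it, every re-evaluation of an unchanged interface would re-push the same configuration and, worse, overwrite the saved undo parameters with the quarantine value, so the port could never be restored to its original VLAN.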
Abstract
A system and method for dynamic device configuration enabling network and security administrators to define policies that indicate event and alert conditions within their networks. The policies incorporate information about network devices, endpoints connected to those devices, input from external security systems, local endpoint policy compliance, and date/time-of-day to determine whether to generate an event or alert. Events and alerts can be associated with actions that effect changes to network device configurations in order to maintain a desired operational state of the network.
18 Claims
1. A system for automated configuration of devices within a network by policy enforcement comprising: (independent claim; full text as given above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A method for automated configuration of devices within a network by policy enforcement comprising the steps of:
configuring at a server, initialization of said network;
initializing at said server, discovery of network infrastructure devices (NIDs) on said network;
managing at said server, action of said NIDs on said network;
managing at said server, roles characterizing said devices, users, and endpoints on said network;
profiling at said server, said devices, identifying types of said endpoints connected to said NIDs on said network;
external policy notification from said server, whereby systems external to said network are configured with policy notification from events and alerts;
compliance of said endpoints by said server, on said network by agent security policy; and
correlating at said server, whereby actions to apply to said NIDs when trigger events occur are determined, said correlating comprises:
gathering connection time, endpoint status, identity of user logged into said endpoint, identity of endpoint owner and point of access NID or port role;
if said NID is configured for interface-based actions, most secure status representing all endpoints connected to said interface is computed, and if status or role has action defined, and endpoint NID has same action applied, no action is taken;
if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does not have previous action applied, set action is executed and undo action parameters are saved;
if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does have previous action applied, undo action is executed using saved parameters, and set action is executed and undo action parameters are saved;
if said NID is configured for said interface-based actions, said most secure status representing all endpoints connected to said interface is computed, and if neither said status nor role has action defined, and said endpoint NID does not have previous action applied, no action is taken;
if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if neither said status nor role has action defined, and said endpoint NID does have previous action applied, undo action is executed using saved parameters;
if said NID is configured for client-based actions, use individual endpoint status and if status or role has action defined, and endpoint NID has same action applied, no action is taken;
if said NID is configured for said client-based actions, said individual endpoint status is used and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does not have previous action applied, set action is executed and undo action parameters are saved;
if said NID is configured for said client-based actions, said individual endpoint status is used and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does have previous action applied, undo action is executed using saved parameters, and set action is executed and undo action parameters are saved;
if said NID is configured for said client-based actions, use said individual endpoint status and if neither said status nor said role has action defined, and said endpoint NID does not have previous action applied, no action is taken; and
if said NID is configured for said client-based actions, use said individual endpoint status and if neither said status nor said role has action defined, and said endpoint NID does have previous action applied, undo action is executed using saved parameters;
whereby endpoint devices and users are connected with network infrastructure and information technology (IT) resources of said network.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17.
18. An apparatus for automated computer network device configuration by policy enforcement comprising:
a microprocessor operating on instructions of a configuration module for initialization configuration of said computer network;
a discovery module for discovery initialization of network infrastructure devices (NIDs) on said computer network through at least one physical communication connection;
an action module executed by a microprocessor for action management of access devices on said computer network;
a role module for role management characterizing devices, users, and endpoints on said computer network;
a profiling module for device profiling identifying types of said endpoints connected to said NIDs on said computer network through at least one physical communication connection;
an external policy module for external policy notification whereby computer system components located external to said devices of said computer network are configured with policy notification from events and alerts;
a compliance module for compliance of said endpoints on said computer network by agent security policy; and
a correlation engine module for determining actions to apply to said NIDs when trigger events occur, wherein said correlation comprises:
gathering connection time, endpoint status, identity of user logged into said endpoint, identity of endpoint owner and point of access NID or port role;
if said NID is configured for interface-based actions, most secure status representing all endpoints connected to said interface is computed, and if status or role has action defined, and endpoint NID has same action applied, no action is taken;
if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does not have previous action applied, set action is executed and undo action parameters are saved;
if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does have previous action applied, undo action is executed using saved parameters, and set action is executed and undo action parameters are saved;
if said NID is configured for said interface-based actions, said most secure status representing all endpoints connected to said interface is computed, and if neither said status nor role has action defined, and said endpoint NID does not have previous action applied, no action is taken;
if said NID is configured for said interface-based actions, said most secure status representing all said endpoints connected to said interface is computed, and if neither said status nor role has action defined, and said endpoint NID does have previous action applied, undo action is executed using saved parameters;
if said NID is configured for client-based actions, use individual endpoint status and if status or role has action defined, and endpoint NID has same action applied, no action is taken;
if said NID is configured for said client-based actions, said individual endpoint status is used and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does not have previous action applied, set action is executed and undo action parameters are saved;
if said NID is configured for said client-based actions, said individual endpoint status is used and if said status or role has action defined, and said endpoint NID does not have same action applied, and if said endpoint NID does have previous action applied, undo action is executed using saved parameters, and set action is executed and undo action parameters are saved;
if said NID is configured for said client-based actions, use said individual endpoint status and if neither said status nor said role has action defined, and said endpoint NID does not have previous action applied, no action is taken; and
if said NID is configured for said client-based actions, use said individual endpoint status and if neither said status nor said role has action defined, and said endpoint NID does have previous action applied, undo action is executed using saved parameters;
whereby said apparatus controls connectivity of said endpoint devices and users with said computer network infrastructure devices and information technology (IT) resources of said computer network.
Specification