Virtualized policy tester

US 8,554,534 B2
Filed: 06/07/2012
Issued: 10/08/2013
Est. Priority Date: 10/01/2008
Status: Active Grant

First Claim

Patent Images

1. A method of testing policy changes associated with a production network comprising:

generating a virtual network representing a portion of the production network;

obtaining a first transaction log based on a first execution of the virtual network using test traffic and a first set of policies that are implemented in the production network;

obtaining a second transaction log based on a second execution of the virtual network using the test traffic and a second set of policies to be implemented in the production network, the second set of policies including a policy that blocks broadcasts from traversing an interface of a firewall and a policy that blocks traffic from a private address from being forwarded over an Internet access circuit; and

determining an effect that the second set of policies has on the virtual network based on a comparison of the first and second transaction logs.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention are directed to testing policy changes associated with a production network. A virtual network that represents at least a portion of the production network can be generated. A first transaction log based on a first execution of the virtual network using test traffic and a first set of policies that are implemented in the production network can be obtained. A second transaction log based on a second execution of the virtual network using the test traffic and a second set of policies to be implemented in the production network can be obtained. Based on a comparison of the first and second transaction logs, it can be determined whether the second set of policies has a desired effect in the virtual network.

6 Citations

20 Claims

1. A method of testing policy changes associated with a production network comprising:
- generating a virtual network representing a portion of the production network;
  
  obtaining a first transaction log based on a first execution of the virtual network using test traffic and a first set of policies that are implemented in the production network;
  
  obtaining a second transaction log based on a second execution of the virtual network using the test traffic and a second set of policies to be implemented in the production network, the second set of policies including a policy that blocks broadcasts from traversing an interface of a firewall and a policy that blocks traffic from a private address from being forwarded over an Internet access circuit; and
  
  determining an effect that the second set of policies has on the virtual network based on a comparison of the first and second transaction logs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising generating the test traffic based on the first and second sets of policies, the test traffic configured to facilitate determining the effect that the second set of policies has on the virtual network.
  - 3. The method of claim 1, further comprising:
    - obtaining preliminary transaction logs for the virtual network and the production network using production traffic; and
      
      determining whether the virtual network model represents the production network based on a comparison of the preliminary transaction logs.
  - 4. The method of claim 1, wherein it is determined that the second set of policies does not have a desired effect and the method further comprising:
    - obtaining a third transaction log based on an execution of the virtual network using the test traffic and a third set of policies; and
      
      determining an effect that the third set of policies has on the virtual network based on a comparison of the first and third transaction logs.
  - 5. The method of claim 1, wherein generating a virtual network comprises:
    - obtaining information associated with physical elements of the production network; and
      
      generating virtual elements of the physical elements based on the information, the virtual elements modeling a logical functionality of the physical elements.
  - 6. The method of claim 5, wherein the information includes at least one of hardware specifications, software specifications, network performance data, an architecture of the production network, and the first set of policies.
  - 7. The method of claim 1, wherein the second set of policies includes an access restriction policy and a traffic regulation policy.
  - 8. The method of claim 1, wherein the second set of policies includes a policy that blocks traffic from a predetermined source IP address, traffic to a predetermined destination IP address, traffic associated with a particular transmission protocol, or peer-to-peer communication traffic.

9. A system to test policy changes associated with a production network comprising:
- a processing device; and
  
  a memory to store instructions that, when executed by the processing device perform operations comprising;
  
  generating a virtual network representing a portion of the production network;
  
  obtaining a first transaction log based on a first execution of the virtual network using test traffic and a first set of policies that are implemented in the production network;
  
  obtaining a second transaction log based on a second execution of the virtual network using the test traffic and a second set of policies to be implemented in the production network; and
  
  determining an effect that the second set of policies has on the virtual network based on a comparison of the first and second transaction logs, the second set of policies including a policy that blocks broadcasts from traversing an interface of a firewall and a policy that prevents traffic from a private address from being forwarded over an Internet access circuit.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, wherein the operations further comprise generating the test traffic based on the first and second sets of policies, the test traffic facilitating a determination of the effect that the second set of policies has on the virtual network.
  - 11. The system of claim 9, wherein the operations further comprise obtaining preliminary transaction logs for the virtual network and the production network using production traffic, the processing device being further configured to determine whether the virtual network model represents the production network based on a comparison of the preliminary transaction logs.
  - 12. The system of claim 9, wherein the operations further comprise obtaining a third transaction log based on an execution of the virtual network using the test traffic and a third set of policies in response the processing device determining that the second set of policies does not have a desired effect, and the processing device being further configured to determine an effect that the third set of policies has on the virtual network based on a comparison of the first and third transaction logs.
  - 13. The system of claim 9, wherein the second set of policies includes a policy that blocks broadcasts from traversing an interface of a firewall and a policy that prevents traffic from a private address from being forwarded over an Internet access circuit.

14. A non-transitory computer-readable storage medium comprising instructions that, when executed by a computing device, causes the computing device to perform operations comprising:
- generating a virtual network representing a portion of a production network;
  
  obtaining a first transaction log based on a first execution of the virtual network using test traffic and a first set of policies that are implemented in the production network;
  
  obtaining a second transaction log based on a second execution of the virtual network using the test traffic and a second set of policies to be implemented in the production network; and
  
  determining an effect that the second set of policies has on the virtual network based on a comparison of the first and second transaction logs, the second set of policies including a policy that blocks broadcasts from traversing an interface of a firewall and a policy that prevents traffic from a private address from being forwarded over an Internet access circuit.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the operations further comprise generating the test traffic based on the first and second sets of policies, the test traffic configured to facilitate determining the effect that the second set of policies has on the virtual network.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the operations further comprise:
    - obtaining preliminary transaction logs for the virtual network and the production network using production traffic; and
      
      determining whether the virtual network model represents the production network based on a comparison of the preliminary transaction logs.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein it is determined that the second set of policies does not have a desired effect and the operations further comprise:
    - obtaining a third transaction log based on an execution of the virtual network using the test traffic and a third set of policies; and
      
      determining an effect that the third set of policies has on the virtual network based on a comparison of the first and third transaction logs.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein generating a virtual network further comprises:
    - obtaining information associated with physical elements of the production network; and
      
      generating virtual elements of the physical elements based on the information, the virtual elements modeling a logical functionality of the physical elements.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the information includes of hardware specifications, software specifications, network performance data, an architecture of the production network, and the first set of policies.
  - 20. The non-transitory computer-readable storage medium of claim 14, wherein the second set of policies includes a policy that blocks traffic from a predetermined source IP address, traffic to a predetermined destination IP address, traffic associated with a particular transmission protocol, and peer-to-peer communication traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Chawla, Deepak, Beckett, William
Primary Examiner(s)
Craig, Dwin M

Application Number

US13/490,928
Publication Number

US 20120245917A1
Time in Patent Office

488 Days
Field of Search

703/22, 709/223
US Class Current

703/22
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/0869   Validating the configuratio...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 43/20   the monitoring system or th...

H04L 43/50   Testing arrangements

Virtualized policy tester

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Virtualized policy tester

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links