Network security policy mediation

US 8,607,300 B2
Filed: 07/18/2006
Issued: 12/10/2013
Est. Priority Date: 07/18/2006
Status: Active Grant

First Claim

Patent Images

1. A method for mediating between first and second network security policies, comprising:

mapping, by a security policy mediation device (SPMD) including at least one hardware processor, a first security policy to a second security policy, wherein the second security policy is a generic network-independent policy that is devoid of any specific network technology; and

mapping, by the SPMD, the second security policy to a plurality of rules, each associated with a target network security policy and collectively executable at the target network, wherein one policy of the first security policy and the target network security policy is operable for an IP-based network and the other policy of the first security policy and the target network security policy is operable for a signaling system number 7 (SS7) network, wherein mapping between the second security policy and the plurality of rules each associated with a target network security policy and collectively executable at the target network includes searching a repository, using the second security policy, for one or more executable security modules for including in the target network security policy; and

wherein mapping the second security policy to the plurality of rules associated with the target network security policy comprises;

deconstructing each rule of the second security policy into at least one generic action and at least one generic target;

mapping the at least one generic action into at least one action deployable in the target network security policy; and

mapping the at least one generic target to at least one target of the target network security policy; and

wherein the SPMD provides a consistent end-to-end security policy comprised of the first security policy and the target network security policy, across a convergent network including the SS7 network and the IP-based network.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for mediating between first and second network security policies, by: (1) mapping a first security policy to a generic second security policy, and (2) mapping the generic second security policy to a plurality of rules each associated with a target network security policy.

Citations

13 Claims

1. A method for mediating between first and second network security policies, comprising:
- mapping, by a security policy mediation device (SPMD) including at least one hardware processor, a first security policy to a second security policy, wherein the second security policy is a generic network-independent policy that is devoid of any specific network technology; and
  
  mapping, by the SPMD, the second security policy to a plurality of rules, each associated with a target network security policy and collectively executable at the target network, wherein one policy of the first security policy and the target network security policy is operable for an IP-based network and the other policy of the first security policy and the target network security policy is operable for a signaling system number 7 (SS7) network, wherein mapping between the second security policy and the plurality of rules each associated with a target network security policy and collectively executable at the target network includes searching a repository, using the second security policy, for one or more executable security modules for including in the target network security policy; and
  
  wherein mapping the second security policy to the plurality of rules associated with the target network security policy comprises;
  
  deconstructing each rule of the second security policy into at least one generic action and at least one generic target;
  
  mapping the at least one generic action into at least one action deployable in the target network security policy; and
  
  mapping the at least one generic target to at least one target of the target network security policy; and
  
  wherein the SPMD provides a consistent end-to-end security policy comprised of the first security policy and the target network security policy, across a convergent network including the SS7 network and the IP-based network.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein mapping the first security policy to the second security policy comprises creating first security policy components based on rules of the first security policy, and verifying syntactic correctness of the first security policy components.
  - 3. The method of claim 1 wherein mapping the first security policy to the second security policy comprises creating first security policy components based on rules of the first security policy and then comparing the first security policy components with a collection of generic security policy rules and components.
  - 4. The method of claim 3 wherein mapping the first security policy to the second security policy comprises, if no match is found between any of the first security policy components and the collection of generic security policy rules and components, generating an indication to a user that no match was found.
  - 5. The method of claim 3 wherein mapping the first security policy to the second security policy comprises, if no match is found between any of the first security policy components and the collection of security rules and components, manually matching the unmatched first security policy component to a component of the second security policy.
  - 6. The method of claim 1 wherein mapping the second security policy to the rules associated with the target network security policy comprises:
    - generating a first indication of all the generic targets that did not map to a target of the target network security policy; and
      
      generating a second indication of all the generic actions that did not map to an action of the target network security policy.

7. A system configured to mediate between an originating network security policy and a target network security policy, the system comprising:
- a security policy mediation device (SPMD) comprising;
  
  a hardware processor; and
  
  a memory, wherein the memory stores instructions that when executed by the at least one hardware processor performs the steps comprising;
  
  mapping first rules of an originating network security policy to second rules of a generic security policy that is devoid of specific network technology; and
  
  mapping the second rules of the generic network security policy to third rules of a target network security policy, wherein one policy of the originating network security policy and the target network security policy is operable for an IP-based network and the other policy of the originating network security policy and the target network security policy is operable for a signaling system number 7 (SS7) network, wherein mapping between the second rules of the generic network security policy and the third rules of the target network security policy each associated with the target network security policy and collectively executable at the target network includes searching a repository, using the second security policy, for one or more executable security modules for including in the target network security policy;
  
  wherein mapping the second rules of the generic network security policy to second third rules of the target network security policy comprises;
  
  deconstructing each of the second rules into at least one generic action and at least one generic target,mapping the at least one generic action into at least one action deployable in the target network security policy; and
  
  mapping the at least one generic target to at least one target of the target network security policy; and
  
  wherein the SPMD provides a consistent end-to-end security policy comprised of the originating network policy and the target network security policy across a convergent network that includes the SS7 network and the IP-based network.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system of claim 7 wherein the SPMD comprises a security policy translator and a security policy rule parser configured to parse rules from the first network security policy and verify syntactic correctness of the rules from the first network security policy.
  - 9. The system of claim 7 wherein the SPMD comprises a knowledge base configured to store security policy rules and security policy rule components for at least one of the originating, generic, and target network security policies.
  - 10. The system of claim 7 wherein the SPMD comprises a security policy translator configured to allow at least one of manual and automatic translation of a first security policy rule to a second security policy rule.
  - 11. The system of claim 7 wherein the SPMD comprises an executable module repertoire containing a plurality of executable modules, programs, and/or program parts which are deployable within the context of the target network security policy.
  - 12. The system of claim 7 wherein the SPMD comprises a network security provisioning module that defines new security policy components and new security policy rules of at least one of the originating, generic, and target network security policies.
  - 13. The system of claim 12 wherein the network security provisioning module is remotely accessible via the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Genband US LLC (Ribbon Communications, Inc.)
Original Assignee
Genband US LLC (Ribbon Communications, Inc.)
Inventors
Wang, Haojin
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
AMORIN, CARLOS E

Application Number

US11/458,262
Publication Number

US 20080034401A1
Time in Patent Office

2,702 Days
Field of Search

705/500, 726/1, 726/4
US Class Current

726/1
CPC Class Codes

H04L 63/20 for managing network securi...

Network security policy mediation

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Network security policy mediation

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links