Method and apparatus for building and managing policies

US 8,667,556 B2
Filed: 05/19/2008
Issued: 03/04/2014
Est. Priority Date: 05/19/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

at an application service appliance device, detecting a presence of one or more network users;

logging activities of the network users on at least one of a per user basis and a per resource basis, wherein the activities comprise activities of the network users accessing resources of an application server of a datacenter configured to communicate with the application service appliance device such that the application service appliance device operates as an application service gateway to the datacenter;

generating a log file from the logging for each of the network users;

creating a first policy from the log file for enforcement of real time traffic and a second policy from the log file for simulation of real time traffic to evaluate the first policy of enforcement of the real time traffic without impacting the real time traffic, wherein the first policy and the second policy are based on the real time traffic associated with the network users and attributes extracted from the activities of the network users, the attributes including at least one of a network user attribute, an environment attribute, and a resource attribute;

simulating the real time traffic to evaluate the first policy of enforcement by applying the second policy to the simulated real time traffic;

generating a simulation result from the simulating;

when the simulation result satisfies a predetermined condition, committing the first policy to be enforced in the application services appliance device to determine whether a particular one of the network users is eligible to access a particular resource of the datacenter; and

modifying the first policy when the simulation result does not satisfy the predetermined condition.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for building and managing network policies for accessing resources of a datacenter are described herein. In one embodiment, events are captured within a network element pertaining to certain activities of accessing certain resources of a datacenter, wherein the network element operates as an application service gateway to the datacenter. A new rule/policy is provisioned based on attributes extracted from the captured events, where the attributes includes at least one of user attribute, environment attribute, and a resource attribute. A simulation is performed on the new rule/policy under a real time network traffic condition, generating a simulation result. The new rule/policy is committed if the simulation result satisfies a predetermined condition, wherein the new rule/policy is enforced within the network element to determine whether a particular client is eligible to access a particular resource of the datacenter. Other methods and apparatuses are also described.

Citations

18 Claims

1. A method comprising:
- at an application service appliance device, detecting a presence of one or more network users;
  
  logging activities of the network users on at least one of a per user basis and a per resource basis, wherein the activities comprise activities of the network users accessing resources of an application server of a datacenter configured to communicate with the application service appliance device such that the application service appliance device operates as an application service gateway to the datacenter;
  
  generating a log file from the logging for each of the network users;
  
  creating a first policy from the log file for enforcement of real time traffic and a second policy from the log file for simulation of real time traffic to evaluate the first policy of enforcement of the real time traffic without impacting the real time traffic, wherein the first policy and the second policy are based on the real time traffic associated with the network users and attributes extracted from the activities of the network users, the attributes including at least one of a network user attribute, an environment attribute, and a resource attribute;
  
  simulating the real time traffic to evaluate the first policy of enforcement by applying the second policy to the simulated real time traffic;
  
  generating a simulation result from the simulating;
  
  when the simulation result satisfies a predetermined condition, committing the first policy to be enforced in the application services appliance device to determine whether a particular one of the network users is eligible to access a particular resource of the datacenter; and
  
  modifying the first policy when the simulation result does not satisfy the predetermined condition.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising generating a report from the simulation result, wherein the report comprises event logs, policy logs and device statistics.
  - 3. The method of claim 1, wherein logging the activities comprises:
    - retrieving a list of predefined attributes available from one or more directory servers;
      
      selecting one or more attributes from the list as a filtering mechanism for logging the activities; and
      
      generating a log report having a plurality of records representing the logging, wherein the records relate to the selected one or more attributes from the list.
  - 4. The method of claim 3, further comprising:
    - extracting one or more attributes from a record selected from the log report;
      
      generating a first rule template having one or more fields prefilled with the extracted one or more attributes;
      
      modifying the one or more fields of the first rule template in response to an input received from an administrator; and
      
      generating a new rule for the first policy based on information obtained from the first rule template.
  - 5. The method of claim 4, further comprising:
    - performing an analysis based on the log report;
      
      generating an analysis report based on the analysis of the log report; and
      
      provisioning the new rule based on a data set selected from the analysis report.
  - 6. The method of claim 5, wherein provisioning the new rule comprises:
    - extracting one or more attributes from the data set selected from the analysis report;
      
      generating a second rule template having one or more fields prefilled with the extracted one or more attributes; and
      
      modifying the one or more fields of the second rule template in response to an input received from an administrator.
  - 7. The method of claim 1, further comprising:
    - performing an analysis based on the generated simulation result;
      
      generating an analysis report based on the performed analysis;
      
      selecting a data set from the analysis report; and
      
      modifying the first policy using attributes extracted from the selected data set of the analysis report.

8. A machine-readable storage device having instructions stored therein, which when executed by a processor, cause the processor to:
- detect a presence of one or more network users at an application service appliance device;
  
  log activities of the network users on at least one of a per user basis and a per resource basis, wherein the activities comprise activities of the network users accessing resources of an application server of a datacenter configured to communicate with the application service appliance device such that the application service appliance device operates as an application service gateway to the datacenter;
  
  generate a log file from the log for each of the network users;
  
  create a first policy from the log file for enforcement of real time traffic and a second policy from the log file for simulation of real time traffic to evaluate the first policy of enforcement of the real time traffic without impacting the real time traffic, wherein the first policy and the second policy are based on real time traffic associated with the network users and attributes extracted from the activities of the network users, the attributes including at least one of a network user attribute, an environment attribute, and a resource attribute;
  
  simulate the real time traffic to evaluate the first policy of enforcement by applying the second policy to the simulated real time traffic;
  
  generate a simulation result from the simulated real time traffic;
  
  when the simulation result satisfies a predetermined condition, commit the first policy to be enforced in the application services appliance device to determine whether a particular one of the network users is eligible to access a particular resource of the datacenter; and
  
  modify the first policy when the simulation result does not satisfy the predetermined condition.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The machine-readable storage device of claim 8, further comprising instructions that cause the processor to:
    - generate a report from the simulation result, wherein the report comprises event logs, policy logs and device statistics.
  - 10. The machine-readable storage device of claim 8, wherein the instructions that cause the processor to log activities of the network users comprise instructions that cause the processor to:
    - retrieve a list of predefined attributes available from one or more directory servers;
      
      select one or more attributes from the list as a filtering mechanism for logging the activities; and
      
      generate a log report having a plurality of records representing the logging, wherein the records relate to the selected one or more attributes from the list.
  - 11. The machine-readable storage device of claim 10, further comprising instructions that cause the processor to:
    - extract one or more attributes from a record selected from the log report;
      
      generate a first rule template having one or more fields prefilled with the extracted one or more attributes;
      
      modify the one or more fields of the first rule template in response to an input received from an administrator; and
      
      generate a new rule for the first policy based on information obtained from the first rule template.
  - 12. The machine-readable storage device of claim 11, further comprising instructions that cause the processor to:
    - perform an analysis based on the log report;
      
      generate an analysis report based on the analysis of the log report; and
      
      provision the new rule based on a data set selected from the analysis report.
  - 13. The machine-readable storage device of claim 12, wherein the instructions that cause the processor to provision the new rule comprise instructions that cause the processor to:
    - extract one or more attributes from the data set of the analysis report;
      
      generate a second rule template having one or more fields prefilled with the extracted one or more attributes; and
      
      modify the one or more fields of the second rule template in response to an input received from an administrator.
  - 14. The machine-readable storage device of claim 8, further comprising instructions that cause the processor to:
    - perform an analysis based on the generated simulation result;
      
      generate an analysis report based on the performed analysis;
      
      select a data set from the analysis report; and
      
      modify the first policy using attributes extracted from the selected data set of the analysis report.

15. An apparatus comprising:
- a memory configured to store a policy database; and
  
  a processor in communication with the policy database and configured to;
  
  detect a presence of one or more network users; and
  
  log activities of the network users on at least one of a per user basis and a per resource basis, wherein the activities comprise activities of the network users accessing resources of an appliance server of a datacenter;
  
  generate a log file from the logging for each of the network users;
  
  create a first policy from the log file for enforcement of real time traffic and a second policy from the log file for simulation of real time traffic to evaluate the first policy of enforcement of the real time traffic without impacting the real time traffic, wherein the first policy and the second policy are based on the real time traffic associated with the network users and attributes extracted from the activities of the network users, the attributes including at least one of a network user attribute, an environment attribute, and a resource attribute;
  
  the real time traffic to evaluate the first policy of enforcement by applying the second policy to the simulated real time traffic;
  
  generate a simulation result from the simulated real time traffic;
  
  when the simulation result satisfies a predetermined condition, commit the first policy to be enforced to determine whether a particular one of the network users is eligible to access a particular resource of the datacenter; and
  
  modify the first policy when the simulation result does not satisfy the predetermined condition.
- View Dependent Claims (16, 17, 18)
- - 16. The apparatus of claim 15, wherein the processor is further configured to:
    - extract one or more attributes from a record selected from the log report;
      
      generate a first rule template having one or more fields prefilled with the extracted one or more attributes;
      
      modify the one or more fields of the first rule template in response to an input received from an administrator; and
      
      generate a new rule for the first policy based on information obtained from the first rule template.
  - 17. The apparatus of claim 15, wherein the processor is further configured to:
    - perform an analysis based on the log report;
      
      generate an analysis report based on the analysis of the log report; and
      
      provision the new rule based on a data set selected from the analysis report.
  - 18. The apparatus of claim 17, wherein the processor is further configured to:
    - extract one or more attributes from the selected data set of the analysis report;
      
      generate a second rule template having one or more fields prefilled with the extracted one or more attributes; and
      
      modify the one or more fields of the second rule template in response to an input received from an administrator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Chang, David, Gandhi, Prashant, Patra, Abhijit, Sagar, Vijay
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
PLECHA, THADDEUS J

Application Number

US12/123,219
Publication Number

US 20090288135A1
Time in Patent Office

2,115 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/20 for managing network securi...

Method and apparatus for building and managing policies

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for building and managing policies

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links