Method and apparatus for building and managing policies
First Claim
1. A method comprising:
- at an application service appliance device, detecting a presence of one or more network users;
- logging activities of the network users on at least one of a per user basis and a per resource basis, wherein the activities comprise activities of the network users accessing resources of an application server of a datacenter configured to communicate with the application service appliance device such that the application service appliance device operates as an application service gateway to the datacenter;
- generating a log file from the logging for each of the network users;
- creating a first policy from the log file for enforcement of real time traffic and a second policy from the log file for simulation of real time traffic to evaluate the first policy of enforcement of the real time traffic without impacting the real time traffic, wherein the first policy and the second policy are based on the real time traffic associated with the network users and attributes extracted from the activities of the network users, the attributes including at least one of a network user attribute, an environment attribute, and a resource attribute;
- simulating the real time traffic to evaluate the first policy of enforcement by applying the second policy to the simulated real time traffic;
- generating a simulation result from the simulating;
- when the simulation result satisfies a predetermined condition, committing the first policy to be enforced in the application services appliance device to determine whether a particular one of the network users is eligible to access a particular resource of the datacenter; and
- modifying the first policy when the simulation result does not satisfy the predetermined condition.
Abstract
Techniques for building and managing network policies for accessing resources of a datacenter are described herein. In one embodiment, events are captured within a network element pertaining to certain activities of accessing certain resources of a datacenter, wherein the network element operates as an application service gateway to the datacenter. A new rule/policy is provisioned based on attributes extracted from the captured events, where the attributes include at least one of a user attribute, an environment attribute, and a resource attribute. A simulation is performed on the new rule/policy under a real time network traffic condition, generating a simulation result. The new rule/policy is committed if the simulation result satisfies a predetermined condition, wherein the new rule/policy is enforced within the network element to determine whether a particular client is eligible to access a particular resource of the datacenter. Other methods and apparatuses are also described.
18 Claims
8. A machine-readable storage device having instructions stored therein, which when executed by a processor, cause the processor to:
- detect a presence of one or more network users at an application service appliance device;
- log activities of the network users on at least one of a per user basis and a per resource basis, wherein the activities comprise activities of the network users accessing resources of an application server of a datacenter configured to communicate with the application service appliance device such that the application service appliance device operates as an application service gateway to the datacenter;
- generate a log file from the log for each of the network users;
- create a first policy from the log file for enforcement of real time traffic and a second policy from the log file for simulation of real time traffic to evaluate the first policy of enforcement of the real time traffic without impacting the real time traffic, wherein the first policy and the second policy are based on real time traffic associated with the network users and attributes extracted from the activities of the network users, the attributes including at least one of a network user attribute, an environment attribute, and a resource attribute;
- simulate the real time traffic to evaluate the first policy of enforcement by applying the second policy to the simulated real time traffic;
- generate a simulation result from the simulated real time traffic;
- when the simulation result satisfies a predetermined condition, commit the first policy to be enforced in the application services appliance device to determine whether a particular one of the network users is eligible to access a particular resource of the datacenter; and
- modify the first policy when the simulation result does not satisfy the predetermined condition.
15. An apparatus comprising:
- a memory configured to store a policy database; and
- a processor in communication with the policy database and configured to:
  - detect a presence of one or more network users;
  - log activities of the network users on at least one of a per user basis and a per resource basis, wherein the activities comprise activities of the network users accessing resources of an application server of a datacenter;
  - generate a log file from the logging for each of the network users;
  - create a first policy from the log file for enforcement of real time traffic and a second policy from the log file for simulation of real time traffic to evaluate the first policy of enforcement of the real time traffic without impacting the real time traffic, wherein the first policy and the second policy are based on the real time traffic associated with the network users and attributes extracted from the activities of the network users, the attributes including at least one of a network user attribute, an environment attribute, and a resource attribute;
  - simulate the real time traffic to evaluate the first policy of enforcement by applying the second policy to the simulated real time traffic;
  - generate a simulation result from the simulated real time traffic;
  - when the simulation result satisfies a predetermined condition, commit the first policy to be enforced to determine whether a particular one of the network users is eligible to access a particular resource of the datacenter; and
  - modify the first policy when the simulation result does not satisfy the predetermined condition.
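The policy lifecycle the three independent claims describe (learn rules from a per-user activity log, shadow-evaluate the candidate policy against live requests while the currently enforced policy still decides them, then commit or send back for modification on a predetermined condition), as an added Python example that is not from the patent. The attribute names (role, src_net), the sample events and the deny-rate threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log (not from the patent): each event carries a user
# attribute (role), an environment attribute (src_net) and the resource accessed.
HISTORY = [
    {"user": "alice", "role": "finance", "src_net": "corp", "resource": "/ledger"},
    {"user": "alice", "role": "finance", "src_net": "corp", "resource": "/reports"},
    {"user": "bob",   "role": "eng",     "src_net": "corp", "resource": "/build"},
    {"user": "bob",   "role": "eng",     "src_net": "vpn",  "resource": "/build"},
    {"user": "carol", "role": "finance", "src_net": "corp", "resource": "/ledger"},
]
# Constructed live traffic: two requests match learned behaviour, two do not.
LIVE = [
    {"user": "alice", "role": "finance",    "src_net": "corp",  "resource": "/ledger"},
    {"user": "bob",   "role": "eng",        "src_net": "vpn",   "resource": "/build"},
    {"user": "dave",  "role": "eng",        "src_net": "guest", "resource": "/build"},
    {"user": "eve",   "role": "contractor", "src_net": "guest", "resource": "/ledger"},
]

def learn_policy(log):
    """Derive attribute-based allow rules (role, src_net) -> {resources} from the log."""
    rules = defaultdict(set)
    for e in log:
        rules[(e["role"], e["src_net"])].add(e["resource"])
    return dict(rules)

def is_allowed(policy, event):
    return event["resource"] in policy.get((event["role"], event["src_net"]), ())

def process_live(enforced, candidate, events):
    """Enforced policy decides each request (None = permissive policy currently in place);
    the candidate is only shadow-evaluated, so live traffic is never affected by it."""
    decisions, shadow_denied = [], []
    for e in events:
        decisions.append(enforced is None or is_allowed(enforced, e))
        if not is_allowed(candidate, e):
            shadow_denied.append(e)
    return decisions, shadow_denied

def evaluate(candidate, events, max_deny_rate):
    """Simulation result and verdict: commit if the shadow deny rate is within the
    predetermined threshold, otherwise hand the denied events back for policy revision."""
    _, denied = process_live(None, candidate, events)
    rate = len(denied) / len(events) if events else 0.0
    return {
        "deny_rate": rate,
        "denied_users": sorted(e["user"] for e in denied),
        "verdict": "commit" if rate <= max_deny_rate else "modify",
    }
```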