Managing command compliance in internetworking devices

US 8,856,292 B2
Filed: 12/10/2009
Issued: 10/07/2014
Est. Priority Date: 10/27/2009
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

one or more network interfaces configured to couple to a data network for sending and receiving one or more packets;

one or more processors;

a switching system and packet forwarding logic, wherein the switching system is coupled to the one or more processors, wherein the switching system and packet forwarding logic are configured to send and receive packets on the one or more network interfaces;

a non-transitory computer-readable storage medium storing one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;

receiving a command to configure the apparatus;

sending, from the apparatus over a network to a compliance server, a request to determine whether the command conforms to one or more compliance policies, wherein the request includes all or part of the command and wherein each compliance policy of the one or more compliance policies includes a rule specifying one or more required device commands or parameters that must be configured on the apparatus before executing the command;

sending, from the apparatus over the network to the compliance server, a copy of a then-currently running configuration for the apparatus, wherein the compliance server is configured to use the copy of the runninguration to determine whether the command would conform to the compliance policies when applied to the running configuration;

receiving, over the network at the apparatus, a compliance response from the compliance server;

in response to determining whether the compliance response indicates success, executing the command at the apparatus only when the compliance response indicates that the command conforms to the one or more compliance policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, an internetworking device is configured with compliance proxy logic that is configured for sending, to a compliance server, a request to determine whether the command conforms to one or more compliance policies, wherein the request includes the command; receiving a compliance response from the compliance server; in response to determining whether the compliance response indicates success, executing the command only when the compliance response indicates that the command conforms to the one or more compliance policies. Thus the device can determine actively whether a proposed user command or configuration change will violate established standards or policies, before the command or change is applied to the device.

Citations

26 Claims

1. An apparatus, comprising:
- one or more network interfaces configured to couple to a data network for sending and receiving one or more packets;
  
  one or more processors;
  
  a switching system and packet forwarding logic, wherein the switching system is coupled to the one or more processors, wherein the switching system and packet forwarding logic are configured to send and receive packets on the one or more network interfaces;
  
  a non-transitory computer-readable storage medium storing one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;
  
  receiving a command to configure the apparatus;
  
  sending, from the apparatus over a network to a compliance server, a request to determine whether the command conforms to one or more compliance policies, wherein the request includes all or part of the command and wherein each compliance policy of the one or more compliance policies includes a rule specifying one or more required device commands or parameters that must be configured on the apparatus before executing the command;
  
  sending, from the apparatus over the network to the compliance server, a copy of a then-currently running configuration for the apparatus, wherein the compliance server is configured to use the copy of the runninguration to determine whether the command would conform to the compliance policies when applied to the running configuration;
  
  receiving, over the network at the apparatus, a compliance response from the compliance server;
  
  in response to determining whether the compliance response indicates success, executing the command at the apparatus only when the compliance response indicates that the command conforms to the one or more compliance policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1 wherein the compliance server is a compliance server computer that is separate from the apparatus.
  - 3. The apparatus of claim 1, further comprising instructions which when executed cause forming the request according to an authentication, authorization and access (AAA) protocol and sending the request to a AAA server;
    - wherein the receiving comprises receiving the compliance response from the AAA server.
  - 4. The apparatus of claim 3, wherein the compliance server is hosted within the AAA server.
  - 5. The apparatus of claim 1, wherein the compliance server is configured to execute, in response to receiving the request, any one or more of:
    - posture validation operations on the apparatus, diagnostic commands on the apparatus, or one or more other compliance checks on the apparatus.
  - 6. The apparatus of claim 5, wherein the compliance server is configured to download the copy of the then-currently running configuration from the apparatus before performing the posture validation operations, diagnostic commands, or other compliance checks.
  - 7. The apparatus of claim 1, further comprising instructions which when executed cause blocking execution of the command when the compliance response indicates that the command conforms to the one or more compliance policies, and performing a responsive action.
  - 8. The apparatus of claim 7, further comprising instructions which when executed cause any one or more of:
    - generating a user notification of non-compliance in a command line interface of the apparatus;
      
      creating and storing a log record relating to the non-compliance;
      
      or generating one or more events or alerts relating to the non-compliance.
  - 9. The apparatus of claim 1, wherein the computer-readable storage medium comprises compliance proxy logic integrated into an operating system.

10. A non-transitory computer-readable storage medium storing one or more stored sequences of instructions which, when executed by one or more processors, cause the one or more processors to perform:
- receiving, at an internetworking device, a command to configure the internetworking device;
  
  sending, from the internetworking device over a network to a compliance server, a request to determine whether the command conforms to one or more compliance policies, wherein the request includes all or part of the command and wherein each compliance policy of the one or more compliance policies includes a rule specifying one or more required device commands or parameters that must be configured on the internetworking device before executing the command;
  
  sending, from the internetworking device over the network to the compliance server, a copy of a then currently running configuration for the internetworking device, wherein the compliance server is configured to use the copy of the running configuration to determine whether the command would conform to the compliance policies when applied to the running configuration;
  
  receiving, over the network at the internetworking device a compliance response from the compliance server;
  
  in response to determining whether the compliance response indicates success, executing the command at the internetworking device only when the compliance response indicates that the command conforms to the one or more compliance policies.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer-readable storage medium of claim 10 wherein the compliance server is a compliance server computer that is separate from the internetworking device.
  - 12. The computer-readable storage medium of claim 10, further comprising instructions which when executed cause forming the request according to an authentication, authorization and access (AAA) protocol and sending the request to a AAA server;
    - wherein the receiving comprises receiving the compliance response from the AAA server.
  - 13. The computer-readable storage medium of claim 12, wherein the compliance server is hosted within the AAA server.
  - 14. The computer-readable storage medium of claim 10, wherein the compliance server is configured to execute, in response to receiving the request, any one or more of:
    - posture validation operations on the internetworking device, diagnostic commands on the internetworking device, or one or more other compliance checks on the internetworking device.
  - 15. The computer-readable storage medium of claim 14, wherein the compliance server is configured to download the copy of the then-currently running configuration from the internetworking device before performing the posture validation operations, diagnostic commands, or other compliance checks.
  - 16. The computer-readable storage medium of claim 10, further comprising instructions which when executed cause blocking execution of the command when the compliance response indicates that the command conforms to the one or more compliance policies, and performing a responsive action.
  - 17. The computer-readable storage medium of claim 16, further comprising instructions which when executed cause any one or more of:
    - generating a user notification of non-compliance in a command line interface of the internetworking device;
      
      creating and storing a log record relating to the non-compliance;
      
      or generating one or more events or alerts relating to the non-compliance.
  - 18. The computer-readable storage medium of claim 10, wherein the computer-readable storage medium comprises compliance proxy logic integrated into an operating system.

19. A method comprising:
- receiving, at an internetworking device, a command to configure the internetworking device;
  
  sending, from the internetworking device over a network to a compliance server, a request to determine whether the command conforms to one or more compliance policies, wherein the request includes all or part of the command and wherein each compliance policy of the one or more compliance policies includes a rule specifying one or more required device commands or parameters that must be configured on the internetworking device before executing the command;
  
  sending, from the internetworking device over the network to the compliance server, a copy of a then-currently running configuration for the internetworking device, wherein the compliance server is configured to use the copy of the running configuration to determine whether the command would conform to the compliance policies when applied to the running configuration;
  
  receiving, over the network at the internetworking device a compliance response from the compliance server;
  
  in response to determining whether the compliance response indicates success, executing the command at the internetworking device only when the compliance response indicates that the command conforms to the one or more compliance policies.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The method of claim 19 wherein the compliance server is a compliance server computer that is separate from the internetworking device.
  - 21. The method of claim 19, further comprising forming the request according to an authentication, authorization and access (AAA) protocol and sending the request to a AAA server;
    - wherein the receiving comprises receiving the compliance response from the AAA server.
  - 22. The method of claim 21, wherein the compliance server is hosted within the AAA server.
  - 23. The method of claim 19, wherein the compliance server is configured to execute, in response to receiving the request, any one or more of:
    - posture validation operations on the internetworking device, diagnostic commands on the internetworking device, or one or more other compliance checks on the internetworking device.
  - 24. The method of claim 23, wherein the compliance server is configured to download the copy of the then-currently running configuration from the internetworking device before performing the posture validation operations, diagnostic commands, or other compliance checks.
  - 25. The method of claim 19, further comprising blocking execution of the command when the compliance response indicates that the command conforms to the one or more compliance policies, and performing a responsive action.
  - 26. The method of claim 25, further comprising generating a user notification of non-compliance in a command line interface of the internetworking device;
    - creating and storing a log record relating to the non-compliance;
      
      or generating one or more events or alerts relating to the non-compliance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Srinivasan, Shyam Sundar, Jayaraman, Rajagopal
Primary Examiner(s)
ALGIBHAH, HAMZA N

Application Number

US12/634,738
Publication Number

US 20110099255A1
Time in Patent Office

1,762 Days
Field of Search

709/221
US Class Current

709/221
CPC Class Codes

H04L 41/0856   by backing up or archiving ...

H04L 41/0866   Checking the configuration

H04L 63/0281   Proxies

H04L 63/0892   by using authentication-aut...

H04L 63/20   for managing network securi...

Managing command compliance in internetworking devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Managing command compliance in internetworking devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links