Method and system for policy simulation
First Claim
1. A method of managing access to resources on a secured network using a plurality of access rules, comprising:
    reading packet information in respective packets of a packet communication received at a security node;
    applying an access rule of the plurality of access rules;
    determining whether the security node is to block the respective packets or the packet communication from reaching one or more of the resources on the secured network based on the applied access rule;
    if (i) the applied access rule is a simulated access rule and (ii) the security node is to simulate blocking the respective packets or the packet communication from reaching the one or more resources based on the applied simulated access rule, the security node:
        (1) passing the respective packets or the packet communication towards the one or more resources on the secured network; and
        (2) generating a log event that indicates blocking of the respective packets or the packet communication by the security node, and changing the simulated access rule or an order of the access rules to reduce an amount of over-blocking or under-blocking determined based on the log event, wherein over-blocking occurs if appropriate access to a protected resource is blocked by an access rule, and under-blocking occurs if inappropriate access to a protected resource is not blocked by the access rule.
9 Assignments
0 Petitions
Abstract
A method and system for managing access to resources on a secured network is disclosed. The method includes reading packet information in respective packets of a packet communication received at a security node and applying one of the plurality of access rules. The method also includes determining whether the security node is to block the respective packets and/or the packet communication from reaching a resource on the secured network based on the applied access rule. If the security node is to block the respective packets and/or the packet communication, it is determined whether the applied access rule is a simulated access rule. Responsive to the applied access rule being a simulated access rule, the respective packets and/or the packet communication are passed towards the resource on the secured network and a log event is generated that indicates the security node blocked the respective packets and/or the packet communication.
22 Claims
1. (Independent claim; the full text is given under First Claim above.) View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 22)
17. A method of managing access to resources on a secured network, comprising:
    reading packet information in respective packets of a packet communication received at a security node;
    applying, by a program processor of the security node, a simulated access rule;
    determining, by the program processor of the security node, whether the packet communication is authorized for one or more resources on the secured network using packet information in at least one of the respective packets and the applied, simulated access rule;
    responsive to the packet communication not being authorized by the simulated access rule, generating a log event indicating that the packet communication is simulated to be blocked by the security node; and
    changing the simulated access rule to reduce an amount of over-blocking or under-blocking determined based on the log event, wherein over-blocking occurs if appropriate access to a protected resource is blocked by an access rule, and under-blocking occurs if inappropriate access to a protected resource is not blocked by the access rule.
View Dependent Claims (18, 19)
20. A method of simulating an effect of access policies for managing access to a resource on a protected network, comprising:
    generating, by an administrator, a simulated rule or a set of simulated rules having a precedence order;
    authorizing use of the simulated rule or set of simulated rules at an enforcement point;
    generating log events at the enforcement point including:
        (1) simulating blocking of respective packets when the simulated rule or set of simulated rules provide for blocking of the respective data packets based on the analysis step; or
        (2) simulating transmission of respective packets when the simulated rule or set of simulated rules provide for access to the protected resource;
    analyzing the generated log events to determine an amount of over-blocking or under-blocking, wherein over-blocking occurs if appropriate access to a protected resource is blocked by an access rule, and under-blocking occurs if inappropriate access to a protected resource is not blocked by the access rule;
    changing either the precedence order or the simulated rule to reduce the amount of over-blocking or under-blocking; and
    placing the simulated rule into service on the enforcement point as an actual rule.
21. A security node for managing access to a resource on a secured network using a plurality of access rules, comprising:
    a packet processor module for reading packet information in respective packets of a packet communication received at the security node;
    a rule enforcement unit for applying the plurality of access rules in a precedence order and for determining whether the security node is to block the respective packets or the packet communication from reaching the resource on the secured network based on an applied access rule of the plurality of access rules; and
    an event logger for generating log events,
    wherein if (i) the rule enforcement unit determines that the applied access rule is a simulated access rule and (ii) the security node is to simulate blocking the respective packets or the packet communication from reaching the resource based on the applied simulated access rule:
        (1) the packet processor passes the respective packets or the packet communication towards the resource on the secured network; and
        (2) the event logger generates a respective log event that indicates blocking of the respective packets or the packet communication by the security node, the precedence order or the simulated access rule being changed to reduce an amount of over-blocking or under-blocking determined based on the log event, wherein over-blocking occurs if appropriate access to a protected resource is blocked by an access rule, and under-blocking occurs if inappropriate access to a protected resource is not blocked by the access rule.
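The following is an added worked example, not code from the patent or its assignee, that models the behaviour described in the abstract and in claims 1 and 20: a first-match rule engine in which a simulated block rule forwards the packet but records a block event, a log analysis that counts over-blocking and under-blocking, a revised rule set (an exception placed earlier in the precedence order and the simulated rule itself re-scoped), and finally promotion of the simulated rules to actual rules. The Rule and Packet fields, the log-event layout, the default-allow baseline, and the sample traffic with its "appropriate" ground-truth flags are all assumptions constructed for the demonstration.

```python
"""Toy policy-simulation engine (illustrative code written for this page).

Rule/packet fields, event names and the sample traffic are assumptions made
for the demo; they are not taken from the patent's specification.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # CIDR the packet's source address must fall in
    dport: Optional[int]      # destination port, or None for any port
    action: str               # "allow" or "block"
    simulated: bool = False   # simulated rules never actually drop traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    appropriate: bool         # analyst's ground truth, used only by analyze()


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and (rule.dport is None or rule.dport == pkt.dport))


def enforce(rules: List[Rule], pkt: Packet, log: List[Dict]) -> bool:
    """Apply rules in precedence order (first match wins). Returns True if the
    packet is forwarded. A matching simulated block rule forwards the packet
    but records a block event, which is the behaviour the claims describe."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "block":
            if rule.simulated:
                log.append({"rule": rule.name, "event": "simulated_block", "pkt": pkt})
                return True
            log.append({"rule": rule.name, "event": "block", "pkt": pkt})
            return False
        event = "simulated_allow" if rule.simulated else "allow"
        log.append({"rule": rule.name, "event": event, "pkt": pkt})
        return True
    # No rule matched: this toy node is default-allow and records that too.
    log.append({"rule": None, "event": "default_allow", "pkt": pkt})
    return True


def run(rules: List[Rule], traffic: List[Packet]) -> Tuple[List[bool], List[Dict]]:
    log: List[Dict] = []
    forwarded = [enforce(rules, pkt, log) for pkt in traffic]
    return forwarded, log


def analyze(log: List[Dict]) -> Tuple[int, int]:
    """Count over-blocking (appropriate traffic a rule blocked or would have
    blocked) and under-blocking (inappropriate traffic no rule blocked)."""
    blocked = {"block", "simulated_block"}
    over = sum(1 for e in log if e["event"] in blocked and e["pkt"].appropriate)
    under = sum(1 for e in log if e["event"] not in blocked and not e["pkt"].appropriate)
    return over, under


def promote(rules: List[Rule]) -> List[Rule]:
    """Place the simulated rules into service as actual rules."""
    return [replace(r, simulated=False) for r in rules]


# Constructed sample traffic; the 'appropriate' flag is the analyst's judgement.
TRAFFIC = [
    Packet("10.1.1.5", 443, appropriate=True),        # corporate host to HTTPS service
    Packet("10.1.1.5", 22, appropriate=True),         # corporate jump host to SSH
    Packet("203.0.113.7", 22, appropriate=False),     # external host to SSH
    Packet("203.0.113.7", 8080, appropriate=False),   # external host to an admin port
]

# First draft of the policy: one real allow rule, one simulated block rule.
RULES_V1 = [
    Rule("corp-https", "10.0.0.0/8", 443, "allow"),
    Rule("sim-block-ssh", "0.0.0.0/0", 22, "block", simulated=True),
]

# Revised draft after reading the log: an exception placed earlier in the
# precedence order, and the simulated block rule changed in scope.
RULES_V2 = [
    Rule("corp-https", "10.0.0.0/8", 443, "allow"),
    Rule("sim-jumphost-ssh", "10.1.1.5/32", 22, "allow", simulated=True),
    Rule("sim-block-external", "203.0.113.0/24", None, "block", simulated=True),
]

if __name__ == "__main__":
    for label, rules in (("v1", RULES_V1), ("v2", RULES_V2)):
        forwarded, log = run(rules, TRAFFIC)
        print(label, "forwarded:", forwarded, "over/under-blocking:", analyze(log))
    print("promoted v2 forwarded:", run(promote(RULES_V2), TRAFFIC)[0])
```

Under RULES_V1 every packet is still forwarded, but the log shows one over-block (the jump host's SSH session would have been dropped) and one under-block (the external 8080 connection matched nothing). RULES_V2 drives both counts to zero while traffic is still untouched; only promote() makes the external connections actually drop, which is the point of the simulate-then-promote cycle.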
Specification