Method and system for management of security rule set

US 9,122,990 B2
Filed: 05/21/2013
Issued: 09/01/2015
Est. Priority Date: 05/18/2009
Status: Active Grant

First Claim

Patent Images

1. A method of automatically managing one or more security rule-sets, the method comprising:

a. obtaining data characterizing a connectivity request and data characterizing an amended rule-set, the amended rule-set being derivative of an initial rule-set amended to fit the connectivity request;

b. automatically verifying each possible combination of values specified in different fields of the connectivity request against the initial rule-set and the amended rule-set;

c. calculating one or more values corresponding to an amount of extra allowed traffic or an amount of dissatisfied requested traffic;

d. automatically comparing the calculated values with a predefined threshold; and

e. automatically classifying the amended rule-set as appropriate for implementation if the results of the automatically comparing match a predefined verification criterion.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There are provided a method of automated managing one or more security rule-sets and a system thereof. The method comprising: obtaining data characterizing a connectivity request and an amended rule-set, the amended rule-set being derivative of an initial rule-set amended to fit the connectivity request; automated verifying each possible combination of values in the connectivity request against the initial rule-set and the amended rule-set; calculating one or more values selected from a group comprising values characterizing relative amount of extra allowed traffic and values characterizing relative amount of dissatisfied requested traffic; automated comparing the calculated values and/or derivatives thereof with a predefined threshold; and automated classifying the amended rule-set as applicable for implementation if the results of the automated comparing match a predefined verification criterion.

12 Citations

10 Claims

1. A method of automatically managing one or more security rule-sets, the method comprising:
- a. obtaining data characterizing a connectivity request and data characterizing an amended rule-set, the amended rule-set being derivative of an initial rule-set amended to fit the connectivity request;
  
  b. automatically verifying each possible combination of values specified in different fields of the connectivity request against the initial rule-set and the amended rule-set;
  
  c. calculating one or more values corresponding to an amount of extra allowed traffic or an amount of dissatisfied requested traffic;
  
  d. automatically comparing the calculated values with a predefined threshold; and
  
  e. automatically classifying the amended rule-set as appropriate for implementation if the results of the automatically comparing match a predefined verification criterion.
- View Dependent Claims (2, 3, 10)
- - 2. The method of claim 1 wherein at least one value corresponding to the amount of extra allowed traffic is selected from a group consisting of:
    - a. values characterizing a relation between allowed traffic in the amended rule-set and traffic allowed in the initial rule-set;
      
      b. values characterizing a relation between entire added traffic and traffic which needs to be added in accordance with the connectivity request; and
      
      c. values characterizing a relation between allowed traffic that has not been requested and traffic allowed in the initial rule-set.
  - 3. The method of claim 1 wherein at least one value corresponding to the amount of dissatisfied requested traffic is selected from a group consisting of:
    - a. values characterizing a relation between requested traffic dissatisfied resulting from amendment and requested traffic satisfied resulting from the amendment;
      
      b. values characterizing a relation between requested traffic dissatisfied resulting from the amendment and entire requested traffic; and
      
      c. values characterizing a relation between requested traffic dissatisfied resulting from the amendment and requested traffic dissatisfied before the amendment.
  - 10. A computer program product embodied on a non-transitory computer readable medium and comprising computer program code means for performing all the steps of claim 1 when run on a computer.

4. A system capable of automatically managing a security rule-set, the system comprising:
- a. an interface operable to obtain data characterizing a connectivity request;
  
  b. an interface operable to obtain data characterizing an amended rule-set, the amended rule-set being derivative of an initial rule-set amended to fit the connectivity request;
  
  c. means for automatically verifying each possible combination of values specified in different fields of the connectivity request against the initial rule-set and the amended rule-set;
  
  d. means for calculating one or more values corresponding to an amount of extra allowed traffic or an amount of dissatisfied requested traffic;
  
  e. means for automatically comparing the calculated values with a predefined threshold; and
  
  f. means for automatically classifying the amended rule-set as appropriate for implementation if the results of the automatically comparing match a predefined verification criterion.
- View Dependent Claims (5, 6)
- - 5. The system of claim 4 wherein at least one value corresponding to the amount of extra allowed traffic is selected from a group consisting of:
    - a. value characterizing a relation between allowed traffic in the amended rule-set and traffic allowed in the initial rule-set;
      
      b. value characterizing a relation between entire added traffic and traffic which needs to be added in accordance with the connectivity request; and
      
      c. value characterizing a relation between allowed traffic that has not been requested and traffic allowed in the initial rule-set.
  - 6. The system of claim 4 wherein at least one value corresponding to the amount of dissatisfied requested traffic is selected from a group consisting of:
    - a. value characterizing a relation between requested traffic dissatisfied resulting from amendment and requested traffic satisfied resulting from the amendment;
      
      b. value characterizing a relation between requested traffic dissatisfied resulting from the amendment and entire requested traffic; and
      
      c. value characterizing a relation between requested traffic dissatisfied resulting from the amendment and requested traffic dissatisfied before the amendment.

7. A method of automatically managing one or more security rule-sets, the method comprising:
- a. obtaining data characterizing a connectivity request and data characterizing one or more rules in an amended rule-set, the one or more rules in the amended rule-set being derivatives of corresponding one or more rules in an initial rule-set amended to fit the connectivity request;
  
  b. automatically verifying each possible combination of values specified in different fields of the connectivity request against the one or more rules in the amended rule-set and against the corresponding one or more rules in the initial rule-set;
  
  c. calculating one or more values corresponding to an amount of extra allowed traffic or an amount of dissatisfied requested traffic;
  
  d. comparing the calculated values with a predefined threshold; and
  
  e. automatically classifying the one or more rules in the amended rule-set as inappropriate for implementation if the results of the comparing do not match a predefined verification criterion.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7 wherein at least one value corresponding to the amount of extra allowed traffic is selected from a group consisting of:
    - a. values characterizing a relation between allowed traffic in the one or more rules in the amended rule-set and traffic allowed in the corresponding one or more rules in the initial rule-set;
      
      b. values characterizing a relation between traffic added in the one or more rules in the amended rule-set and traffic which needs to be added in accordance with the connectivity request; and
      
      c. values characterizing a relation between traffic allowed in the one or more rules in the amended rule-set that has not been requested and traffic allowed in the one or more rules in the initial rule-set.
  - 9. The method of claim 7 wherein at least one value corresponding to the amount of dissatisfied requested traffic is selected from a group consisting of:
    - a. values characterizing a relation between requested traffic dissatisfied resulting from amendment and requested traffic satisfied resulting from the amendment;
      
      b. values characterizing a relation between requested traffic dissatisfied resulting from the amendment and entire requested traffic; and
      
      c. values characterizing a relation between requested traffic dissatisfied resulting from the amendment and requested traffic dissatisfied before the amendment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tufin Software Technologies Ltd.
Original Assignee
Tufin Software Technologies Ltd.
Inventors
Harrison, Reuven, Cogan, Amir, Barkan, Tomer
Primary Examiner(s)
Hill, Stanley K

Application Number

US13/899,103
Publication Number

US 20130254150A1
Time in Patent Office

833 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06N 5/02   Knowledge representation; S...

H04L 63/20   for managing network securi...

H04L 65/765   intermediate

Method and system for management of security rule set

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for management of security rule set

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links