IT infrastructure policy breach investigation interface

US 9,282,005 B1
Filed: 11/01/2007
Issued: 03/08/2016
Est. Priority Date: 11/01/2007
Status: Active Grant

First Claim

Patent Images

1. A method of tracking network compliance at a policy compliance server in a network environment, the method comprising:

discovering network entities in the network environment at the policy compliance server, wherein the network environment comprises a storage area network (SAN) and wherein the network entities comprise storage domain entities selected from a group consisting of storage arrays, hosts, switches, physical links, logical links, and interconnections therebetween, the discovery identifying configuration data applicable to rules of a network policy, the rules for specifying a desired state of a network entity, the state including relations and dependencies on other network entities in the network environment;

receiving notifications at the policy compliance server indicative of network events, the network events modifying a value defining a state of a network entity in the network environment; and

evaluating the received notifications against the rules in the policy to identify a breach of a policy, wherein the breach of the policy comprises a vulnerability indicative of a network environment state not yet deviating from a desired network environment state specified by a rule but having potential to result in a violation, wherein the violation is indicative of a network environment state deviating from a desired network environment state specified by a rule.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a large network, it can be difficult to pinpoint and track down the causes of breaches of established policies. A policy compliance server allows traversal of notifications according to breaches, organizes the breaches (vulnerabilities and violation) according to severity and recurrence, and identifies related rules, network entities and configuration changes, which may be related to the breach. An integrated graphical user interface (GUI) provides efficient, timely traversal and analysis of rule breaches across the network to allow quick, efficient identification of the underlying cause or condition of the rule breach. A discoverer gathers configuration data including notifications of changes, alerts, and conditions in the network that are pertinent to the rule breaches. A compliance engine evaluates the configuration data against the rules to identify breaches. Therefore, the compliance engine identifies breaches (rule violations and vulnerabilities) across the network to be addressed for compliance with the policies in effect in the network.

26 Citations

View as Search Results

23 Claims

1. A method of tracking network compliance at a policy compliance server in a network environment, the method comprising:
- discovering network entities in the network environment at the policy compliance server, wherein the network environment comprises a storage area network (SAN) and wherein the network entities comprise storage domain entities selected from a group consisting of storage arrays, hosts, switches, physical links, logical links, and interconnections therebetween, the discovery identifying configuration data applicable to rules of a network policy, the rules for specifying a desired state of a network entity, the state including relations and dependencies on other network entities in the network environment;
  
  receiving notifications at the policy compliance server indicative of network events, the network events modifying a value defining a state of a network entity in the network environment; and
  
  evaluating the received notifications against the rules in the policy to identify a breach of a policy, wherein the breach of the policy comprises a vulnerability indicative of a network environment state not yet deviating from a desired network environment state specified by a rule but having potential to result in a violation, wherein the violation is indicative of a network environment state deviating from a desired network environment state specified by a rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein the network environment defines a network fabric interconnecting network entities, such that discovering network entities in the network environment further comprises:
    - traversing the network fabric;
      
      identifying physical links in the network fabric;
      
      identifying logical links in the network fabric;
      
      identifying entities interconnected by the physical and logical links; and
      
      retrieving values corresponding to an actual state of the network entities.
  - 3. The method of claim 2 wherein the network entities further comprise configuration settings, ports, services, and dependencies.
  - 4. The method of claim 3 wherein discovering network entities in the network environment retrieves configuration data including events, notifications, indicators, infrastructure software, host and network access control configuration, storage and their respective configurations, host configurations, network elements and their respective configurations and physical and logical connections, the configuration data being state information including attributes having values, the attributes indicative of adherence to a desired state, adherence based on the values corresponding to an expected value for a desired state such that the rules are responsive to the configuration data for identifying conformity with a particular rule.
  - 5. The method of claim 1 wherein the notifications trigger rediscovery of related entities, further comprising identifying related entities by:
    - determining entity groups;
      
      determining a path corresponding to the triggering entity; and
      
      identifying related entities in same path or group.
  - 6. The method of claim 5 wherein the path includes physical and logical links, the logical links including at least one of mapping, masking, and zoning.
  - 7. The method of claim 5 further comprising evaluating redundant paths by:
    - iterating over determined paths, each path defining at least one association between network entities;
      
      for each defined association, counting distinct instances of the network entities defining the paths;
      
      identifying a rule indicative of a minimum redundancy of paths between the network entities; and
      
      generate breach indications for each network entity with insufficient redundancy.
  - 8. The method of claim 7 wherein the network entities denoting the paths include storage arrays and hosts, each storage array having a path from at least one host.
  - 9. The method of claim 5 wherein the entities further define sets of related entities as groups, the related entities defined by an intersection of policy scope and rule scope.
  - 10. The method of claim 5 wherein rediscovery further comprises evaluating near-real time updates of notifications/alerts by at least one of:
    - polling network entities to identify a change in state; and
      
      asynchronous notifications generated by network entities.
  - 11. The method of claim 1 wherein the that the network entities further comprise routers, ports, network adapters, and links, and wherein the breach is indicative of an actual state deviating from an intended state of a storage domain entity.
  - 12. The method of claim 1 further comprising generating a notification upon modification of one of the rules in a policy, the notification indicative of addition, removal, enabling or disabling of the rule.
  - 13. The method of claim 1 further comprising merging identified breaches with existing breaches from previous discovery, merging eliminating duplicate notifications indicative of the same violation.
  - 14. The method of claim 1 further comprising:
    - testing, in an iterative manner, each object discovered during the discovery against each rule in the network policy; and
      
      enumerating, as a stream of notifications, an indication of each breach revealed by the testing.
  - 15. The method of claim 1 wherein evaluating the received notifications against the rules in the policy comprises:
    - identifying network states inconsistent with a rule indicative of the desired state for the evaluated network state; and
      
      navigating evaluated notifications via a graphical user interface (GUI) responsive to an interactive user.

16. A network policy server in a network environment comprising:
- a processor; and
  
  memory storing computer-executable code that when executed on the processor causes the network policy server to;
  
  discover network entities in the network environment, wherein the network environment comprises a storage area network (SAN) and wherein the network entities comprise storage domain entities selected from a group consisting of storage arrays, hosts, switches, physical links, logical links, and interconnections therebetween, the discovery identifying configuration data applicable to rules of a network policy, the rules for specifying a desired state of a network entity, the state including relations and dependencies on other network entities in the network environment, the discoverer further operable to receive notifications indicative of network events, the network events modifying a value defining a state of a network entity in the network environment; and
  
  evaluate the received notifications against the rules in the policy to identify a breach of a policy, wherein the breach of the policy comprises a vulnerability indicative of a network environment state not yet deviating from a desired network environment state specified by a rule but having potential to result in a violation, wherein the violation is indicative of a network environment state deviating from a desired network environment state specified by a rule.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The server of claim 16 wherein the computer-executable code further causes the network policy server to:
    - identify network states inconsistent with a rule indicative of the desired state for the evaluated network state; and
      
      navigate evaluated notifications via a graphical user interface (GUI) responsive to an interactive user.
  - 18. The server of claim 16 wherein the network environment defines a network fabric interconnecting network entities, and wherein the computer-executable code further causes the network policy server to:
    - traverse the network fabric;
      
      identify physical links in the network fabric;
      
      identify logical links in the network fabric;
      
      identify entities interconnected by the physical and logical links; and
      
      retrieve values corresponding to an actual state of the network entities.
  - 19. The server of claim 16 wherein the notifications trigger rediscovery of related entities, and wherein the computer-executable code further causes the network policy server to identify comprising related entities by:
    - determining entity groups by defining sets of related entities as groups via an intersection of policy scope and rule scope;
      
      determining a path corresponding to the triggering entity; and
      
      identifying related entities in same path or group.
  - 20. The server of claim 19 wherein the path includes physical and logical links, the logical links including at least one of mapping, masking, and zoning.
  - 21. The server of claim 19 wherein rediscovery further comprises evaluating near-real time updates of notifications/alerts by at least one of:
    - polling network entities to identify a change in state; and
      
      asynchronous notifications generated by network entities.
  - 22. The server of claim 16wherein the network entities further comprise applications, services, routers, ports, network adapters, and links;
    - wherein the violation breach is indicative of an actual state deviating from an intended state of a storage domain entity;
      
      wherein the computer-executable code further causes the network policy server to retrieve configuration data including events, notifications, indicators, infrastructure software, host configuration, storage configuration, switch and router configuration, host and network access control configuration, network management and host connections; and
      
      wherein the configuration data is state information including attributes having values, the attributes indicative of adherence to a desired state, adherence based on the values corresponding to an expected value for a desired state such that the rules are responsive to the configuration data for identifying conformity with a particular rule.

23. A computer program product having a non-transitory computer readable storage medium operable to store computer program logic embodied in computer program code encoded as a set of processor based instructions thereon for tracking network policy compliance in a network environment comprising:
- computer program code for discovering network entities in the network environment, wherein the network environment comprises a storage area network (SAN) and wherein the network entities comprise storage domain entities selected from a group consisting of storage arrays, hosts, switches, physical links, logical links, and interconnections therebetween, the discovery identifying configuration data applicable to rules of a network policy, the rules for specifying a desired state of a network entity, the state including relations and dependencies on other network entities in the network environment;
  
  computer program code for receiving notifications indicative of network events, the network events modifying a value defining a state of a network entity in the network environment; and
  
  computer program code for evaluating the received notifications against the rules in the policy to identify a breach of a policy, wherein the breach of the policy comprises a vulnerability indicative of a network environment state not yet deviating from a desired network environment state specified by a rule but having potential to result in a violation, wherein the violation is indicative of a network environment state deviating from a desired network environment state specified by a rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Yehuda, Hanna, Artzi, Amanuel Ronen, Lim, Ju-Lien, Dvir, Eran
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
Gracia, Gary

Application Number

US11/933,586
Time in Patent Office

3,050 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

H04L 41/065   involving logical or physic...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

IT infrastructure policy breach investigation interface

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

IT infrastructure policy breach investigation interface

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links