Classification of security policies across multiple security products

US 9,401,933 B1
Filed: 01/20/2015
Issued: 07/26/2016
Est. Priority Date: 01/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method performed at a management entity, comprising:

connecting with security devices across a network, each security device configured to operate in accordance with one or more security policies, each security policy including one or more security rules, each security rule including a set of rule parameters configured to permit or deny access to a resource;

importing, over the network, the security policies from the security devices;

classifying the security policies into one or more identical security policy classifications when all of their associated rule parameters are equivalent to each other, one or more similar security policy classifications when only some of their associated rule parameters are equivalent to each other, and one or more unique security policy classifications when none of their associated rule parameters are equivalent to each other;

displaying a list of the rule parameters for each security policy classification and a filter option to specify a rule parameter associated with each security policy classification;

receiving a specified rule parameter through the filter option; and

displaying all of the rules in each security policy classification that includes a rule parameter that matches the specified rule parameter.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A management entity connects with multiple security devices across a network. Each security device operates in accordance with one or more security policies. The management entity imports, over the network, data describing the security policies from the multiple security devices. The management entity classifies the imported security policies into security policy classifications based on commonality in information included in the security policies across the multiple security devices.

Citations

16 Claims

1. A method performed at a management entity, comprising:
- connecting with security devices across a network, each security device configured to operate in accordance with one or more security policies, each security policy including one or more security rules, each security rule including a set of rule parameters configured to permit or deny access to a resource;
  
  importing, over the network, the security policies from the security devices;
  
  classifying the security policies into one or more identical security policy classifications when all of their associated rule parameters are equivalent to each other, one or more similar security policy classifications when only some of their associated rule parameters are equivalent to each other, and one or more unique security policy classifications when none of their associated rule parameters are equivalent to each other;
  
  displaying a list of the rule parameters for each security policy classification and a filter option to specify a rule parameter associated with each security policy classification;
  
  receiving a specified rule parameter through the filter option; and
  
  displaying all of the rules in each security policy classification that includes a rule parameter that matches the specified rule parameter.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein:
    - the set of rule parameters are configured to permit or deny access to the resource based on a network protocol, source and destination addresses, and a device port.
  - 3. The method of claim 2, further comprising:
    - classifying security policies not already classified into a security policy classification indicating further investigation is needed for certain security policies; and
      
      generating an alert notification indicating that one or more security policies need further investigation.
  - 4. The method of claim 2, further comprising comparing the rule parameters of each rule of each security policy across the security policies, wherein the classifying further includes classifying based on results of the comparing.
  - 5. The method of claim 2, further comprising:
    - displaying the security policy classifications as selectable security policy classifications;
      
      displaying a policy template naming option through which a policy template name may be entered;
      
      receiving an entered policy template name and selections of multiple security policy classifications; and
      
      assigning all of the security policies in the multiple selected security policy classifications to a security policy template having the entered policy template name.
  - 6. The method of claim 2, further comprising:
    - displaying the security policy classifications in unexpanded views;
      
      displaying the an expand option associated with each of the displayed security policy classifications;
      
      receiving a selection of one of the expand options; and
      
      displaying the security policy classification associated with the selected expand option in an expanded view that exposes device names of all of the security devices associated with that security policy classification.

7. An apparatus comprising:
- a network interface unit to connect with a network; and
  
  a processor coupled to the network interface unit to;
  
  connect with security devices across a network, each security device configured to operate in accordance with one or more security policies, each security policy including one or more security rules, each security rule including a set of rule parameters configured to permit or deny access to a resource;
  
  import, over the network, data describing the security policies from the security devices;
  
  classify the security policies into one or more identical security policy classifications when all of their associated rule parameters are equivalent to each other, one or more similar security policy classifications when only some of their associated rule parameters are equivalent to each other, and one or more unique security policy classifications when none of their associated rule parameters are equivalent to each other;
  
  generate for display a list of the rule parameters for each security policy classification and a filter option to specify a rule parameter associated with each security policy classification;
  
  receive a specified rule parameter through the filter option; and
  
  generate for display all of the rules in each security policy classification that includes a rule parameter that matches the specified rule parameter.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The apparatus of claim 7, wherein:
    - the set of rule parameters configured are to permit or deny access to the resource based on a network protocol, source and destination addresses, and a device port.
  - 9. The apparatus of claim 8, wherein the processor further:
    - classifies security policies not already classified into a security policy classification indicating further investigation is needed for certain security policies; and
      
      generates an alert notification indicating that one or more security policies need further investigation.
  - 10. The apparatus of claim 8, wherein the processor is further configured to compare the rule parameters of each rule of each security policy across the security policies, and the processor is configured to classify based on results of the compare.
  - 11. The apparatus of claim 8, wherein the processor further:
    - generates for display the security policy classifications in unexpanded views;
      
      generates for display an expand option associated with each of the displayed security policy classifications;
      
      receives a selection of one of the expand options; and
      
      generates for display the security policy classification associated with the selected expand option in an expanded view that exposes device names of all of the security devices associated with that security policy classification.

12. A non-transitory tangible computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to:
- connect with security devices across a network, each security device configured to operate in accordance with one or more security policies, each security policy including one or more security rules, each security rule including a set of rule parameters configured to permit or deny access to a resource;
  
  import, over the network, data describing the security policies from the security devices;
  
  classify the security policies into one or more identical security policy classifications when all of their associated rule parameters are equivalent to each other, one or more similar security policy classifications when only some of their associated rule parameters are equivalent to each other, and one or more unique security policy classifications when none of their associated rule parameters are equivalent to each other;
  
  generate for display a list of the rule parameters for each security policy classification and a filter option to specify a rule parameter associated with each security policy classification;
  
  receive a specified rule parameter through the filter option; and
  
  generate for display all of the rules in each security policy classification that includes a rule parameter that matches the specified rule parameter.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The non-transitory tangible computer readable storage media of claim 12, wherein:
    - the set of rule parameters are configured to permit or deny access to the resource based on a network protocol, source and destination addresses, and a device port.
  - 14. The non-transitory tangible computer readable storage media of claim 13, further comprising instructions to cause the processor to:
    - classify security policies not already classified into a security policy classification indicating further investigation is needed for certain security policies; and
      
      generate an alert notification indicating that one or more security policies need further investigation.
  - 15. The non-transitory tangible computer readable storage media of claim 13, further comprising instructions to cause the processor to compare the rule parameters of each rule of each security policy across the security policies, wherein the instructions to cause the processor to classify include instructions to cause the processor to classify based on results of the compare.
  - 16. The non-transitory tangible computer readable storage media of claim 13, further comprising instructions to cause the processor to:
    - generate for display the security policy classifications in unexpanded views;
      
      generate for display an expand option associated with each of the displayed security policy classifications;
      
      receive a selection of one of the expand options; and
      
      generate for display the security policy classification associated with the selected expand option in an expanded view that exposes device names of all of the security devices associated with that security policy classification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Dotan, Yedidya, Agarwal, Sanjay, Martherus, Robin
Primary Examiner(s)
HO, DAO Q

Application Number

US14/600,436
Publication Number

US 20160212167A1
Time in Patent Office

553 Days
Field of Search

726/3
US Class Current

1/1
CPC Class Codes

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/186   Templates

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Classification of security policies across multiple security products

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Classification of security policies across multiple security products

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links