Method and apparatus for centralized policy programming and distributive policy enforcement

US 9,426,178 B1
Filed: 03/25/2002
Issued: 08/23/2016
Est. Priority Date: 03/25/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

centrally maintaining a plurality of policy definitions for one or more subscribers;

generating policy configurations using the plurality of policy definitions, each of the policy configurations being specific to one of the plurality of policy definitions, wherein each of the policy configurations defines a required software configuration;

disseminating the policy configurations to one or more host devices within the subscribers'"'"' networks;

determining at each of said one or more host devices if that host device complies with the required software configuration defined by the appropriate one of the policy configurations, wherein said determining includes scanning a registry of that host device;

transmitting by each of said one or more host devices a configuration status indicating whether it complies with the appropriate one of the policy configurations; and

restricting at a choke point external access of all packets of those host devices within the subscribers'"'"' networks that do not have the appropriate one of the policy configurations and those host devices whose configuration status is not consistent with the appropriate one of the policy configurations, wherein the choke point is a device separate from the host devices.

View all claims

29 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for centralized policy programming and distributive policy enforcement is described. A method comprises centrally maintaining a plurality of policy definitions for one or more subscribers, generating policy configurations using the plurality of policy definitions, each of the policy configurations being specific to one of the plurality of policy definitions, and disseminating the policy configurations to the appropriate ones of the subscribers'"'"' networks.

35 Citations

View as Search Results

36 Claims

1. A method comprising:
- centrally maintaining a plurality of policy definitions for one or more subscribers;
  
  generating policy configurations using the plurality of policy definitions, each of the policy configurations being specific to one of the plurality of policy definitions, wherein each of the policy configurations defines a required software configuration;
  
  disseminating the policy configurations to one or more host devices within the subscribers'"'"' networks;
  
  determining at each of said one or more host devices if that host device complies with the required software configuration defined by the appropriate one of the policy configurations, wherein said determining includes scanning a registry of that host device;
  
  transmitting by each of said one or more host devices a configuration status indicating whether it complies with the appropriate one of the policy configurations; and
  
  restricting at a choke point external access of all packets of those host devices within the subscribers'"'"' networks that do not have the appropriate one of the policy configurations and those host devices whose configuration status is not consistent with the appropriate one of the policy configurations, wherein the choke point is a device separate from the host devices.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising collecting a set of one or more template configurations to generate the policy configurations.
  - 3. The method of claim 1 further comprising:
    - generating policy configuration identifiers for each of the generated policy configurations; and
      
      disseminating the policy configuration identifiers to the appropriate ones of the subscribers'"'"' networks.
  - 4. The method of claim 1 further comprising distributively enforcing the policy definitions on the subscribers'"'"' networks.
  - 5. The method of claim 1 further comprising maintaining subscription information for each of the subscribers.
  - 6. The method of claim 1 wherein the set of policy definitions relate to anti-virus protection, license compliance, intrusion detection, content filtering, software maintenance, or virtual private networks.

7. A computer implemented method comprising:
- centrally maintaining a plurality of policy definitions for a plurality of subscribers;
  
  collecting a set of template configurations based on a first of the plurality of policy definitions for a first of the plurality of subscribers;
  
  generating a policy configuration with the set of template configurations and a policy configuration identifier that identifies the policy configuration;
  
  transmitting the policy configuration and the policy configuration identifier to an agent on a set of one or more host devices within the first subscriber'"'"'s network, the policy configuration to include a required software configuration to be present on the set of one or more host devices so as to maintain software, ensure software license compliance, ensure anti-virus protection, and maintain security patches;
  
  transmitting the policy configuration identifier to a policy definition enforcement agent (PDEA) of a choke point corresponding to the set of host devices, wherein the choke point is a device separate from the host devices; and
  
  restricting on a host device basis at the choke point external access of those of the set of host devices that do not provide the policy configuration identifier and an indication of compliance with the first policy definition.
- View Dependent Claims (8)
- - 8. The method of claim 7 further comprising maintaining subscription information for the first subscriber.

9. A method comprising:
- maintaining a set one or more template configurations;
  
  maintaining a network policy definition for a subscriber;
  
  generating a network policy configuration with the set of template configurations based on the network policy definition and a network policy configuration identifier that identifies the network policy configuration; and
  
  transmitting the network policy configuration identifier to a plurality of choke points within a set of one or more local area networks (LANs) of the subscriber;
  
  transmitting the network policy configuration to an agent on a plurality of host devices within the set of LANs to determine compliance of the host devices with a software configuration responsive to the network policy configuration; and
  
  enforcing the network policy definition on the plurality of LANs by restricting at the plurality of choke points external access of those of the plurality of host devices that do not comply with the policy definition, wherein the plurality of choke points are devices separate from the plurality of host devices.
- View Dependent Claims (10, 11, 12, 36)
- - 10. The method of claim 9 further comprising:
    - maintaining status of a subscription corresponding to the subscriber; and
      
      conditioning enforcement of the network policy definition upon the subscriber maintaining the subscription.
  - 11. The method of claim 9 wherein enforcing the policy definition comprises:
    - each of the choke pointsdetermining if their corresponding host devices have the policy configuration;
      
      determining if their corresponding host devices'"'"' configuration status is consistent with the policy configuration; and
      
      restricting external access of those host devices that do not have the policy configuration to accessing the policy configuration; and
      
      restricting external access of those host devices with a configuration status that is inconsistent with the policy configuration to accessing files for implementing the policy configuration.
  - 12. The method of claim 9 wherein the network policy definition concerns anti-virus protection, license compliance, intrusion detection, content filtering, software maintenance, hardware settings, virtual private networks, or any combination of anti-virus protection, license compliance, intrusion detection, content filtering, software maintenance, hardware settings, and virtual private networks.
  - 36. The method of claim 9 wherein said enforcing occurs on said plurality of choke points, wherein the choke points are separate devices from said plurality of host devices.

13. An apparatus comprising:
- a policy editor toreceive policy definition parameters from one or more product categories, a plurality of vendors within each product category, and one or more products within each vendor, the one or more product categories including one or more of anti-virus protection and software maintenance, andgenerate a policy definition that includes one or more rules to maintain software, to ensure software license compliance, and to maintain security patches from the policy definition parameters, the policy definition to enforce at a choke point in a local area network having a host device, wherein the choke point is a device separate from the host device, and to store the policy definition; and
  
  a policy generator coupled with the policy editor, the policy generator to collect a set of one or more template configurations based on the policy definition and to generate a policy configuration with the set of template configurations to implement on the host device.
- View Dependent Claims (14, 15)
- - 14. The apparatus of claim 13 further comprising a template configurations database coupled with the policy generator.
  - 15. The apparatus of claim 13 further comprising:
    - a subscription editor to receive subscription information; and
      
      a subscription database coupled with the subscription editor and the policy generator, the subscription database to store the subscription information.

16. An apparatus comprising:
- a policy editor toreceive policy definition parameters from a plurality of product categories, one or more vendors within each product category, and one or more products within each vendor, the plurality of product categories including anti-virus protection, and software maintenance, andgenerate policy definitions from the policy definition parameters to enforce software and hardware configurations on a host device at a choke point in a local area network having the host device, wherein the choke point is a device separate from the host device;
  
  a policy definitions database coupled with the policy editor;
  
  a template configurations database to store template configurations; and
  
  a policy generator coupled with the policy definitions database and the template configurations database, the policy generator to generate policy configurations and a policy configuration identifier with the template configuration and the policy definitions to transmit to an agent on the host device.
- View Dependent Claims (17, 18)
- - 17. The apparatus of claim 16 further comprising:
    - a subscription editor to receive subscription information; and
      
      a subscription database coupled with the subscription editor and the policy generator, the subscription database to store the subscription information.
  - 18. The apparatus of claim 17 further comprising the policy generator to generate the policy configurations with the subscription information, the policy definitions, and the template configurations.

19. A system comprising:
- a policy coordinator having a policy editor to generate a policy definition from policy definition parameters to enforce software configurations on a host device, and a policy generator to generate a policy configuration and a policy configuration identifier;
  
  a policy definition enforcement agent (PDEA) coupled with the policy coordinator, the PDEA to enforce implementation of the policy definition on the host device; and
  
  a policy configuration implementation agent (PCIA) coupled with the PDEA and the policy coordinator, the PCIA to implement the policy configuration on its host device and to report the policy configuration identifier and configuration status of the host device to the PDEA, the implementation of the policy configuration on its host device includes manipulation of the registry of the host device, wherein the PDEA is separate from the host device.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The system of claim 19 wherein the policy coordinator server is a global policy coordinator server that further comprises:
    - a policy definitions database coupled with the policy editor; and
      
      a template configurations database coupled with the policy generator.
  - 21. The system of claim 20 wherein the global policy coordinator further comprises:
    - a subscription editor; and
      
      a subscription database.
  - 22. The system of claim 19 wherein the policy coordinator server is a local policy coordinator.
  - 23. The system of claim 19 wherein the PDEA is implemented on a choke point.
  - 24. The system of claim 23 wherein the choke point is a router, gateway, bridge, firewall, modem, virtual private network client, or virtual private network server.

25. A machine-readable medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
- receiving a policy configuration based on a policy definition, the policy configuration to be implemented on a host device in order to comply with the policy definition that has been defined for a local area network that includes the host device;
  
  retrieving a set of one or more files for implementing the policy configuration on the host device if the host device does not have the set of one or more files;
  
  implementing the received policy configurations, wherein implementing includes scanning and manipulating the host device; and
  
  indicating the host device'"'"'s compliance with the policy definition.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 26. The machine-readable medium of claim 25 wherein indicating the host device'"'"'s compliance comprises:
    - reporting the host device'"'"'s configuration status to a policy coordinator, the configuration status indicating whether the host device is consistent with the policy configuration;
      
      receiving an acknowledgement from the policy coordinator; and
      
      communicating the acknowledgement to a policy definition enforcement agent.
  - 27. The machine-readable medium of claim 25 wherein reporting the host device'"'"'s configuration status comprises:
    - collecting information from a set of one or more application programming interface (API) plug-ins, each of the set of API plug-ins corresponding to different modules.
  - 28. The machine-readable medium of claim 25 further comprising generating a policy configuration implementation report with the information.
  - 29. The machine-readable medium of claim 28 wherein the different modules include an anti-virus module, a virtual private network module, or a license compliance module.
  - 30. The machine-readable medium of claim 25 wherein indicating the host device'"'"'s compliance comprises:
    - identifying the received policy configuration to a policy definition enforcement agent (PDEA); and
      
      reporting the host device'"'"'s configuration status to the PDEA, the configuration status indicating whether the host device is consistent with the policy configuration.
  - 31. The machine-readable medium of claim 30 wherein reporting the host device'"'"'s configuration status comprises:
    - collecting information from a set of one or more application programming interface (API) plug-ins, each of the set of API plug-ins corresponding to different modules.
  - 32. The machine-readable medium of claim 31 further comprising generating a policy configuration implementation report with the information.
  - 33. The machine-readable medium of claim 31 wherein the different modules include an anti-virus module, a virtual private network module, or a license compliance module.
  - 34. The machine-readable medium of claim 25 wherein the policy definition relates to content filtering, software maintenance, security, virtual private networks, license compliance, subscription maintenance or a combination of content filtering, software maintenance, security, license compliance, subscription maintenance, and virtual private networks.

35. A method, comprising:
- receiving policy definitions for different organizations that each have a set of one or more local area networks (LANs), each of the policy definitions including a plurality of product categories, the plurality of product categories including anti-virus protection, intrusion detection, and software maintenance;
  
  centrally and periodically generating policy configurations and corresponding policy configuration identifiers from current template configurations based upon the policy definitions for each of the different organizations;
  
  for each of the organizations, disseminating to host devices within that organization'"'"'s set of LANs the policy configurations generated based on the policy definitions of that organization;
  
  for each of the organizations, disseminating to choke points within that organization'"'"'s set of LANs the corresponding policy configuration identifiers, wherein the choke points control external access; and
  
  ensuring the host devices comply with the policy definitions of their respective organization by,for any of the host devices that do not have the current and appropriate policy configuration or that lack compliance with that policy configuration, restricting at one of the choke points the external access of each such host device to accessing one or more files to bring that host device into compliance, andfor any of the host devices that do have the current and appropriate policy configuration and that are compliant with that policy configuration, granting external access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Dell Software, Inc. (Dell Technologies Inc.)
Inventors
Yanovsky, Boris, Yanovsky, Roman
Primary Examiner(s)
MADAMBA, GLENFORD J

Application Number

US10/105,575
Time in Patent Office

5,265 Days
Field of Search

709/224, 709/244
US Class Current

1/1
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Method and apparatus for centralized policy programming and distributive policy enforcement

First Claim

29 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

36 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for centralized policy programming and distributive policy enforcement

First Claim

29 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

36 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others