Method and apparatus for centralized policy programming and distributive policy enforcement
Abstract
A method and apparatus for centralized policy programming and distributive policy enforcement is described. A method comprises centrally maintaining a plurality of policy definitions for one or more subscribers, generating policy configurations using the plurality of policy definitions, each of the policy configurations being specific to one of the plurality of policy definitions, and disseminating the policy configurations to the appropriate ones of the subscribers' networks.
36 Claims
1. A method comprising:
centrally maintaining a plurality of policy definitions for one or more subscribers;
generating policy configurations using the plurality of policy definitions, each of the policy configurations being specific to one of the plurality of policy definitions, wherein each of the policy configurations defines a required software configuration;
disseminating the policy configurations to one or more host devices within the subscribers' networks;
determining at each of said one or more host devices if that host device complies with the required software configuration defined by the appropriate one of the policy configurations, wherein said determining includes scanning a registry of that host device;
transmitting by each of said one or more host devices a configuration status indicating whether it complies with the appropriate one of the policy configurations; and
restricting at a choke point external access of all packets of those host devices within the subscribers' networks that do not have the appropriate one of the policy configurations and those host devices whose configuration status is not consistent with the appropriate one of the policy configurations, wherein the choke point is a device separate from the host devices.
Dependent claims: 2, 3, 4, 5, 6
7. A computer implemented method comprising:
centrally maintaining a plurality of policy definitions for a plurality of subscribers;
collecting a set of template configurations based on a first of the plurality of policy definitions for a first of the plurality of subscribers;
generating a policy configuration with the set of template configurations and a policy configuration identifier that identifies the policy configuration;
transmitting the policy configuration and the policy configuration identifier to an agent on a set of one or more host devices within the first subscriber's network, the policy configuration to include a required software configuration to be present on the set of one or more host devices so as to maintain software, ensure software license compliance, ensure anti-virus protection, and maintain security patches;
transmitting the policy configuration identifier to a policy definition enforcement agent (PDEA) of a choke point corresponding to the set of host devices, wherein the choke point is a device separate from the host devices; and
restricting on a host device basis at the choke point external access of those of the set of host devices that do not provide the policy configuration identifier and an indication of compliance with the first policy definition.
Dependent claims: 8
9. A method comprising:
maintaining a set of one or more template configurations;
maintaining a network policy definition for a subscriber;
generating a network policy configuration with the set of template configurations based on the network policy definition and a network policy configuration identifier that identifies the network policy configuration;
transmitting the network policy configuration identifier to a plurality of choke points within a set of one or more local area networks (LANs) of the subscriber;
transmitting the network policy configuration to an agent on a plurality of host devices within the set of LANs to determine compliance of the host devices with a software configuration responsive to the network policy configuration; and
enforcing the network policy definition on the plurality of LANs by restricting at the plurality of choke points external access of those of the plurality of host devices that do not comply with the policy definition, wherein the plurality of choke points are devices separate from the plurality of host devices.
Dependent claims: 10, 11, 12, 36
13. An apparatus comprising:
a policy editor to receive policy definition parameters from one or more product categories, a plurality of vendors within each product category, and one or more products within each vendor, the one or more product categories including one or more of anti-virus protection and software maintenance, and generate a policy definition that includes one or more rules to maintain software, to ensure software license compliance, and to maintain security patches from the policy definition parameters, the policy definition to enforce at a choke point in a local area network having a host device, wherein the choke point is a device separate from the host device, and to store the policy definition; and
a policy generator coupled with the policy editor, the policy generator to collect a set of one or more template configurations based on the policy definition and to generate a policy configuration with the set of template configurations to implement on the host device.
Dependent claims: 14, 15
16. An apparatus comprising:
a policy editor to receive policy definition parameters from a plurality of product categories, one or more vendors within each product category, and one or more products within each vendor, the plurality of product categories including anti-virus protection and software maintenance, and generate policy definitions from the policy definition parameters to enforce software and hardware configurations on a host device at a choke point in a local area network having the host device, wherein the choke point is a device separate from the host device;
a policy definitions database coupled with the policy editor;
a template configurations database to store template configurations; and
a policy generator coupled with the policy definitions database and the template configurations database, the policy generator to generate policy configurations and a policy configuration identifier with the template configuration and the policy definitions to transmit to an agent on the host device.
Dependent claims: 17, 18
19. A system comprising:
a policy coordinator having a policy editor to generate a policy definition from policy definition parameters to enforce software configurations on a host device, and a policy generator to generate a policy configuration and a policy configuration identifier;
a policy definition enforcement agent (PDEA) coupled with the policy coordinator, the PDEA to enforce implementation of the policy definition on the host device; and
a policy configuration implementation agent (PCIA) coupled with the PDEA and the policy coordinator, the PCIA to implement the policy configuration on its host device and to report the policy configuration identifier and configuration status of the host device to the PDEA, the implementation of the policy configuration on its host device includes manipulation of the registry of the host device, wherein the PDEA is separate from the host device.
Dependent claims: 20, 21, 22, 23, 24
25. A machine-readable medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
receiving a policy configuration based on a policy definition, the policy configuration to be implemented on a host device in order to comply with the policy definition that has been defined for a local area network that includes the host device;
retrieving a set of one or more files for implementing the policy configuration on the host device if the host device does not have the set of one or more files;
implementing the received policy configuration, wherein implementing includes scanning and manipulating the host device; and
indicating the host device's compliance with the policy definition.
Dependent claims: 26, 27, 28, 29, 30, 31, 32, 33, 34
35. A method, comprising:
receiving policy definitions for different organizations that each have a set of one or more local area networks (LANs), each of the policy definitions including a plurality of product categories, the plurality of product categories including anti-virus protection, intrusion detection, and software maintenance;
centrally and periodically generating policy configurations and corresponding policy configuration identifiers from current template configurations based upon the policy definitions for each of the different organizations;
for each of the organizations, disseminating to host devices within that organization's set of LANs the policy configurations generated based on the policy definitions of that organization;
for each of the organizations, disseminating to choke points within that organization's set of LANs the corresponding policy configuration identifiers, wherein the choke points control external access; and
ensuring the host devices comply with the policy definitions of their respective organization by, for any of the host devices that do not have the current and appropriate policy configuration or that lack compliance with that policy configuration, restricting at one of the choke points the external access of each such host device to accessing one or more files to bring that host device into compliance, and for any of the host devices that do have the current and appropriate policy configuration and that are compliant with that policy configuration, granting external access.
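The enforcement loop the claims describe (a coordinator generates a policy configuration and its identifier, the host-side PCIA scans the registry and reports identifier plus compliance status, and the PDEA at the choke point restricts hosts with a stale identifier entirely and non-compliant hosts to remediation files only), as an added Python sketch that is not part of the patent or of any product implementing it. The registry paths, host names, remediation server and the use of a content hash as the policy configuration identifier are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class PolicyConfiguration:
    """Required software configuration plus the identifier the choke point matches on."""
    required: dict                      # registry path -> required value (constructed)
    identifier: str = field(init=False)

    def __post_init__(self):
        # Identifier derived from the content (an assumption), so a regenerated
        # configuration (claim 35, "periodically generating") carries a new one.
        digest = hashlib.sha256(json.dumps(self.required, sort_keys=True).encode()).hexdigest()
        object.__setattr__(self, "identifier", digest[:16])

def pcia_status(registry: dict, policy: PolicyConfiguration) -> dict:
    """Host-side agent (PCIA): scan the registry snapshot, report identifier and status."""
    missing = {k: v for k, v in policy.required.items() if registry.get(k) != v}
    return {"policy_id": policy.identifier, "compliant": not missing, "missing": missing}

def pdea_decide(current_id: str, report: Optional[dict], dest: str, remediation: set) -> str:
    """Choke-point agent (PDEA): decision for one host's packet to external host `dest`."""
    if report is None or report["policy_id"] != current_id:
        return "deny"                   # no or stale configuration: all packets restricted
    if not report["compliant"]:
        return "allow" if dest in remediation else "deny"   # only files that fix the host
    return "allow"

# Constructed sample data: one policy, two host registry snapshots, one stale report.
AV_VER = r"HKLM\SOFTWARE\ExampleAV\Engine\Version"
AV_SIG = r"HKLM\SOFTWARE\ExampleAV\Signatures\Date"
POLICY = PolicyConfiguration({AV_VER: "7.4.2", AV_SIG: "2024-06-01"})
REMEDIATION = {"updates.example.internal"}          # hypothetical remediation file server
REGISTRIES = {
    "ws-01": {AV_VER: "7.4.2", AV_SIG: "2024-06-01"},   # fully compliant
    "ws-02": {AV_VER: "7.3.0", AV_SIG: "2024-06-01"},   # engine out of date
}
STALE_REPORT = {"policy_id": "0000000000000000", "compliant": True, "missing": {}}

def decide_all(dest: str) -> dict:
    """Per-host decisions for one destination; ws-03 still reports a stale identifier."""
    out = {h: pdea_decide(POLICY.identifier, pcia_status(r, POLICY), dest, REMEDIATION)
           for h, r in REGISTRIES.items()}
    out["ws-03"] = pdea_decide(POLICY.identifier, STALE_REPORT, dest, REMEDIATION)
    return out
```

Note that a host claiming compliance under an old identifier (ws-03) is denied even though it reports compliant, which is the "do not have the current and appropriate policy configuration" branch of claim 35.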
Specification