Generalized security policy user interface

US 9,521,167 B2
Filed: 01/20/2015
Issued: 12/13/2016
Est. Priority Date: 01/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a management entity to communicate with security devices over a network;

displaying a visualization of a network environment including network icons representing respective network zones at corresponding locations, and device icons representing one or more actors and one or more resources in corresponding ones of the visualized network domains, and one or more network security devices;

receiving user input in the form of a line drawn between a first icon representing an actor in a first visualized network zone and a second icon representing a resource in a second visualized network zone, the line intersecting a third icon representing a network security device between the actor and the resource, wherein the line represents;

whether to allow or block abilities between the actor and the resource;

whether traffic between the actor and the resource is to be monitored;

or whether access between the actor and the resource is permitted;

interpreting the line as a definition of a security policy that controls access between the actor and the resource and, based on the interpreting, generating one or more security rules for configuring the network security device to control the access according to the security policy, each security rule including rule parameters to control the access based on a network protocol and at least one of a source address and a destination address; and

delivering the one or more security rules to the security device to implement the security policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A management entity displays a plurality of icons, each icon representing an actor or a resource in a networking environment. The management entity defines security policy by receiving user input in the form of lines drawn between icons representing actors and resources to control abilities between actors and resources.

Citations

19 Claims

1. A method comprising:
- at a management entity to communicate with security devices over a network;
  
  displaying a visualization of a network environment including network icons representing respective network zones at corresponding locations, and device icons representing one or more actors and one or more resources in corresponding ones of the visualized network domains, and one or more network security devices;
  
  receiving user input in the form of a line drawn between a first icon representing an actor in a first visualized network zone and a second icon representing a resource in a second visualized network zone, the line intersecting a third icon representing a network security device between the actor and the resource, wherein the line represents;
  
  whether to allow or block abilities between the actor and the resource;
  
  whether traffic between the actor and the resource is to be monitored;
  
  or whether access between the actor and the resource is permitted;
  
  interpreting the line as a definition of a security policy that controls access between the actor and the resource and, based on the interpreting, generating one or more security rules for configuring the network security device to control the access according to the security policy, each security rule including rule parameters to control the access based on a network protocol and at least one of a source address and a destination address; and
  
  delivering the one or more security rules to the security device to implement the security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 19)
- - 2. The method of claim 1, wherein a color of the line between the first icon and the second icon indicates whether the traffic between the actor and the resource is to be monitored.
  - 3. The method of claim 1, wherein an icon represents a group of a plurality of actors of a particular type within the networking environment.
  - 4. The method of claim 1, further comprising:
    - displaying delineated regions in which the plurality of icons may reside to indicate whether an actor or a resource is located within or outside a network zone.
  - 5. The method of claim 1, wherein an arrow on the line drawn between the first icon representing the actor and the second icon representing the resource determines whether access between the actor and the resource is permitted.
  - 6. The method of claim 1, wherein the interpreting comprises generating the one or more security rules in accordance with a generic policy model that is applicable across a plurality of security device types, and further comprising:
    - converting the one or more security rules in accordance with the generic policy model to one or more rules of a native rule set based on a native rule policy model associated with one or more security devices.
  - 19. The method of claim 1, further comprising receiving a selection of a network icon for a network zone and responsive thereto displaying details of a security topology of the selected network zone.

7. An apparatus comprising:
- a network interface unit to connect with a network and to communicate with security devices over the network; and
  
  a processor coupled to the network interface unit to;
  
  generate for display a visualization of a network environment including network icons representing respective network zones at corresponding locations, and device icons representing one or more actors and one or more resources in corresponding ones of the visualized network domains, and one or more network security devices;
  
  receive user input in the form of a line drawn between a first icon representing an actor in a first visualized network zone and a second icon representing a resource in a second visualized network zone, the line intersecting a third icon representing a network security device between the actor and the resource, wherein the line represents;
  
  whether to allow or block abilities between the actor and the resource;
  
  whether traffic between the actor and the resource is to be monitored;
  
  or whether access between the actor and the resource is permitted;
  
  interpret the line as a definition of a security policy that controls access between the actor and the resource and, based on the interpreting, generate one or more security rules for configuring the network security device to control the access according to the security policy, each security rule including rule parameters to control the access based on a network protocol and at least one of a source address and a destination address; and
  
  deliver the one or more security rules to the security device to implement the security policy.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein a color of the line between the first icon representing the actor and the second icon representing the resource indicates whether the traffic between the actor and the resource is to be monitored.
  - 9. The apparatus of claim 7, wherein an icon represents a group of a plurality of actors of a particular type within the networking environment.
  - 10. The apparatus of claim 7, wherein the processor further:
    - causes display of delineated regions in which the plurality of icons may reside to indicate whether an actor or a resource within or outside a network zone.
  - 11. The apparatus of claim 7, wherein an arrow on the line between the first icon representing the actor and the second icon representing the resource determines whether access between the actor and the resource is permitted.
  - 12. The apparatus of claim 7, wherein the processor interprets by generating the one or more security rules in accordance with a generic policy model that is applicable across a plurality of security device types, and wherein the processor further:
    - converts the one or more security rules in accordance with the generic policy model to one or more rules of a native rule set based on a native rule policy model associated with one or more security devices.

13. A non-transitory tangible computer readable storage media encoded with instructions that, when executed by a processor of a management entity to communicate with security devices over a network, cause the processor to:
- generate for display a visualization of a network environment including network icons representing respective network zones at corresponding locations, and device icons representing one or more actors and one or more resources in corresponding ones of the visualized network domains, and one or more network security devices;
  
  receive user input in the form of a line drawn between a first icon representing an actor in a first visualized network zone and a second icon representing a resource in a second visualized network zone, the line intersecting a third icon representing a network security device between the actor and the resource, wherein the line represents;
  
  whether to allow or block abilities between the actor and the resource;
  
  whether traffic between the actor and the resource is to be monitored;
  
  or whether access between the actor and the resource is permitted;
  
  interpret the line as a definition of a security policy that controls access between the actor and the resource and, based on the interpreting, generate one or more security rules for configuring the network security device to control the access according to the security policy, each security rule including rule parameters to control the access based on a network protocol and at least one of a source address and a destination address; and
  
  deliver the one or more security rules to the security device to implement the security policy.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer readable storage media of claim 13, wherein a color of the line between the first icon representing the actor and the second icon representing the resource indicates whether the traffic between the actor and the resource is to be monitored.
  - 15. The computer readable storage media of claim 13, wherein an icon represents a group of a plurality of actors of a particular type within the networking environment.
  - 16. The computer readable storage media of claim 13, further comprising instructions to cause the processor to:
    - display delineated regions in which the plurality of icons may reside to indicate whether an actor or a resource within or outside a network zone.
  - 17. The computer readable storage media of claim 13, wherein an arrow on the line between the first icon representing the actor and the second icon representing the resource determines whether access between the actor and the resource is permitted.
  - 18. The computer readable storage media of claim 13, wherein the instructions to cause the processor to interpret include instructions to cause the processor to generate the one or more security rules in accordance with a generic policy model that is applicable across a plurality of security device types, and further comprising instructions to cause the processor to:
    - convert the one or more security rules in accordance with the generic policy model to one or more rules of a native rule set based on a native rule policy model associated with one or more security devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Martherus, Robin, Telner, Guy, Dotan, Yedidya, Knjazihhin, Denis
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US14/600,548
Publication Number

US 20160212170A1
Time in Patent Office

693 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

H04L 63/10 for controlling access to d...

H04L 63/20 for managing network securi...

Generalized security policy user interface

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Generalized security policy user interface

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links