Management of security policies across multiple security products

US 9,531,757 B2
Filed: 01/20/2015
Issued: 12/27/2016
Est. Priority Date: 01/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method performed at a management entity, comprising:

discovering multiple security devices connected to a network, each security device to control access to resources according to a corresponding native security policy that is based on a corresponding native policy model associated with the corresponding security device;

importing the native security policies from the corresponding security devices over the network, each native security policy including a set of native security rules, each native security rule including native rule parameters to permit or deny access to a resource based on a network protocol and at least one of a source address or a destination address;

classifying the imported native security policies into identical, similar, and unique security policy classifications having identical, similar, and unique security rules, respectively, based on commonality between the native rule parameters of the native security rules included in the native security policies across the security devices;

normalizing the classified imported native security policies across the security devices based on a generic policy model, by mapping the native rule parameters in the native security rules of each security policy to corresponding components {a principal or actor}, {action}, {a resource}, {a context}, and {perform a result} of a generic rule;

“

if {a principal or actor} tries to perform an {action) on {a resource} within {a context} then {perform a result}, to produce normalized security policies; and

processing security events received from the security devices using the normalized security policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A management entity discovers security devices connected to a network. Each security device controls access to resources by devices associated with the security device according to a corresponding native security policy that is based on a corresponding native policy model associated with the security device. The management entity imports the native security policies from the corresponding security devices over the network, and normalizes the imported native security policies across the security devices based on a generic policy model, to produce normalized security policies that are based on the generic policy model and representative of the native security polices. The management entity receives security events from the security devices, and processes the received security events among the security devices based on the normalized security policies.

67 Citations

18 Claims

1. A method performed at a management entity, comprising:
- discovering multiple security devices connected to a network, each security device to control access to resources according to a corresponding native security policy that is based on a corresponding native policy model associated with the corresponding security device;
  
  importing the native security policies from the corresponding security devices over the network, each native security policy including a set of native security rules, each native security rule including native rule parameters to permit or deny access to a resource based on a network protocol and at least one of a source address or a destination address;
  
  classifying the imported native security policies into identical, similar, and unique security policy classifications having identical, similar, and unique security rules, respectively, based on commonality between the native rule parameters of the native security rules included in the native security policies across the security devices;
  
  normalizing the classified imported native security policies across the security devices based on a generic policy model, by mapping the native rule parameters in the native security rules of each security policy to corresponding components {a principal or actor}, {action}, {a resource}, {a context}, and {perform a result} of a generic rule;
  
  “
  
  if {a principal or actor} tries to perform an {action) on {a resource} within {a context} then {perform a result}, to produce normalized security policies; and
  
  processing security events received from the security devices using the normalized security policies.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the processing includes:
    - receiving commands to change one or more normalized security policies across the security devices.
  - 3. The method of claim 2, wherein the processing further includes:
    - reporting the received security events.
  - 4. The method of claim 1, wherein the multiple security devices include at least two of a Web Security Appliance (WSA), an Application Security Appliance (ASA), and a Next Generation firewall (NGF).
  - 5. The method of claim 1, further comprising:
    - prior to the discovering, receiving names and addresses of the multiple security devices.
  - 6. The method of claim 1, wherein:
    - for each native security rule the set of rule parameters further includes the source and destination addresses, and a device port.

7. An apparatus comprising:
- a network interface unit to connect with a network; and
  
  a processor coupled to the network interface unit to;
  
  discover multiple security devices connected to the network, each security device to control access to resources according to a corresponding native security policy that is based on a corresponding native policy model associated with the corresponding security device, each native security policy including a set of native security rules, each native security rule including native rule parameters to permit or deny access to a resource based on a network protocol and at least one of a source address or a destination address;
  
  import the native security policies from the corresponding security devices over the network;
  
  classify the imported native security policies into identical, similar, and unique security policy classifications having identical, similar, and unique security rules, respectively, based on commonality between the native rule parameters of the native security rules included in the native security policies across the security devices;
  
  normalize the classified imported native security policies across the security devices based on a generic policy model, by mapping the native rule parameters in the native security rules of each security policy to corresponding components {a principal or actor}, {action}, {a resource}, {a context}, and {perform a result} of a generic rule;
  
  “
  
  if {a principal or actor} tries to perform an {action) on {a resource} within {a context} then {perform a result}, to produce normalized security policies; and
  
  process security events received from the security devices using the normalized security policies.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein the processor processes by:
    - receiving commands to change one or more normalized security policies across the security devices.
  - 9. The apparatus of claim 8, wherein the processor further processes by:
    - reporting the received security events.
  - 10. The apparatus of claim 7, wherein the multiple security devices include at least two of a Web Security Appliance (WSA), an Application Security Appliance (ASA), and a Next Generation firewall (NGF).
  - 11. The apparatus of claim 7, wherein the processor further:
    - prior to the discover operation, receive names and addresses of the multiple security devices.
  - 12. The apparatus of claim 7, wherein:
    - for each native security rule the set of rule parameters further includes the source and destination addresses, and a device port.

13. A non-transitory tangible computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to:
- discover multiple security devices connected to the network, each security device to control access to resources according to a corresponding native security policy that is based on a corresponding native policy model associated with the corresponding security device, each native security policy including a set of native security rules, each native security rule including native rule parameters to permit or deny access to a resource based on a network protocol and at least one of a source address or a destination address;
  
  import the native security policies from the corresponding security devices over the network;
  
  classify the imported native security policies into identical, similar, and unique security policy classifications having identical, similar, and unique security rules, respectively, based on commonality between the native rule parameters of the native security rules included in the native security policies across the security devices;
  
  normalize the classified imported native security policies across the security devices based on a generic policy model, by mapping the native rule parameters in the native security rules of each security policy to corresponding components {a principal or actor}, {action}, {a resource}, {a context}, and {perform a result} of a generic rule;
  
  “
  
  if {a principal or actor} tries to perform an {action) on {a resource} within {a context} then {perform a result}, to produce normalized security policies; and
  
  process security events received from the security devices using the normalized security policies.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory tangible computer readable storage media of claim 13, wherein the instructions to cause the processor to process include instructions to cause the processor to:
    - receive commands to change one or more normalized security policies across the security devices.
  - 15. The non-transitory tangible computer readable storage media of claim 14, wherein the instructions to cause the processor to process include further instructions to cause the processor to:
    - report the received security events.
  - 16. The non-transitory tangible computer readable storage media of claim 13, wherein the multiple security devices include at least two of a Web Security Appliance (WSA), an Application Security Appliance (ASA), and a Next Generation firewall (NGF).
  - 17. The non-transitory tangible computer readable storage media of claim 13, further comprising:
    - instructions to cause the processor to, prior to the discovering, receive names and addresses of the multiple security devices.
  - 18. The non-transitory tangible computer readable storage media of claim 13, wherein:
    - for each native security rule the set of rule parameters further includes the source and destination addresses, and a device port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Henry, Shawn, Martherus, Robin, Agarwal, Sanjay
Primary Examiner(s)
HO, DAO Q

Application Number

US14/600,418
Publication Number

US 20160212166A1
Time in Patent Office

707 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

H04L 41/28   Restricting access to netwo...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Management of security policies across multiple security products

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

67 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Management of security policies across multiple security products

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others