Creation of security policy templates and security policies based on the templates

US 9,571,524 B2
Filed: 01/20/2015
Issued: 02/14/2017
Est. Priority Date: 01/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a management entity;

connecting across a network with different types of security devices including at least two of an application security appliance, a web security appliance, and a firewall device;

importing, over the network, security policies from the security devices, each security policy including security rules from a corresponding one of the different security devices, each security rule including a set of rule parameters to permit or deny access to a resource based on a network protocol, and source and destination addresses;

comparing the rule parameters of each security rule of each imported security policy to identify commonality in the security rules across the different security devices;

based on commonality between the security rules identified in the comparing, classifying the imported security policies into identical security policy classifications when all of their associated rule parameters are the same as each other, similar security policy classifications when only some of their associated rule parameters are the same as each other, and unique security policy classifications when none of their associated rule parameters are the same as each other;

displaying at least the identical security policy classifications as user selectable options;

receiving selections of the identical security policy classifications;

creating a new policy template that includes all of the security policies identified by selected ones of the policy classification selections;

creating a new security policy based on the new policy template; and

applying the new security policy to a security device over the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A management entity generates selectable security policy classifications each identifying security policies that share common security rules. Each of the security policies is applied by a corresponding one of different security devices to control access to a resource. The management entity creates a new policy template that includes all of the security policies identified by selected ones of the policy classification selections and then creates a new security policy based on the new policy template. The management entity applies the new security policy to a security device over a network.

Citations

21 Claims

1. A method comprising:
- at a management entity;
  
  connecting across a network with different types of security devices including at least two of an application security appliance, a web security appliance, and a firewall device;
  
  importing, over the network, security policies from the security devices, each security policy including security rules from a corresponding one of the different security devices, each security rule including a set of rule parameters to permit or deny access to a resource based on a network protocol, and source and destination addresses;
  
  comparing the rule parameters of each security rule of each imported security policy to identify commonality in the security rules across the different security devices;
  
  based on commonality between the security rules identified in the comparing, classifying the imported security policies into identical security policy classifications when all of their associated rule parameters are the same as each other, similar security policy classifications when only some of their associated rule parameters are the same as each other, and unique security policy classifications when none of their associated rule parameters are the same as each other;
  
  displaying at least the identical security policy classifications as user selectable options;
  
  receiving selections of the identical security policy classifications;
  
  creating a new policy template that includes all of the security policies identified by selected ones of the policy classification selections;
  
  creating a new security policy based on the new policy template; and
  
  applying the new security policy to a security device over the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the new policy template includes security rules each including the set of rule parameters to permit or deny access to a resource based on a network protocol, and source and destination addresses, and wherein creating the new security policy comprises:
    - creating the new security policy so as to include at least some of the security rules of the new policy template.
  - 3. The method of claim 1, further comprising:
    - displaying an option to enter a name of a new policy template; and
      
      receiving an entered name and selections of security policy classifications,wherein creating the new policy template includes creating the new policy template so as to be identified with the entered name and to include all of the security policies identified by the policy classification selections.
  - 4. The method of claim 3, further comprising:
    - displaying selectable labels identifying respective ones of security devices and selectable names of previously created policy templates including the new policy template; and
      
      receiving selections of one of the labels and the name of the new polity template among the policy template names and, responsive thereto, creating the new security policy so as to include the security policies of the new policy template and associating the new security policy with the security device identified by the selected label.
  - 5. The method of claim 1, wherein creating the new security policy includes:
    - modifying security rules of the security policies of the new policy template; and
      
      creating the new security policy to include the modified security rules.
  - 6. The method of claim 5, wherein the modifying includes:
    - displaying a menu which shows the security rules included in the security policies of the new policy template and permits modifications to the security rules; and
      
      receiving the modifications of the network security rules through the menu.
  - 7. The method of claim 1, wherein:
    - the set of rule parameters of each security rule further includes a device port.

8. An apparatus comprising:
- a network interface unit to connect with a network; and
  
  a processor coupled to the network interface unit to;
  
  connect across a network with different types of security devices including at least two of an application security appliance, a web security appliance, and a firewall device;
  
  import, over the network, security policies from the security devices, each security policy including security rules from a corresponding one of the different security devices, each security rule including a set of rule parameters to permit or deny access to a resource based on a network protocol, and source and destination addresses;
  
  compare the rule parameters of each security rule of each imported security policy to identify commonality in the security rules across the different security devices;
  
  based on commonality between the security rules identified in the compare, classify the imported security policies into identical security policy classifications when all of their associated rule parameters are the same as each other, similar security policy classifications when only some of their associated rule parameters are the same as each other, and unique security policy classifications when none of their associated rule parameters are the same as each other;
  
  display at least the identical security policy classifications as user selectable options;
  
  receive selections of the identical security policy classifications;
  
  create a new policy template that includes all of the security policies identified by selected ones of the policy classification selections;
  
  create a new security policy based on the new policy template; and
  
  apply the new security policy to a security device over the network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the new policy template includes security rules each including the set of rule parameters to permit or deny access to a resource based on a network protocol, and source and destination addresses, and the processor further creates the new security policy so as to include at least some of the security rules of the new policy template.
  - 10. The apparatus of claim 8, further comprising a display coupled to the processor, wherein the processor further:
    - generates for display an option to enter a name of the new policy template; and
      
      receives an entered name and selections of security policy classifications,wherein the processor creates the new policy template so as to be identified with the entered name and to include all of the security policies identified by the policy classification selections.
  - 11. The apparatus of claim 10, wherein the processor further:
    - generates for display selectable labels identifying respective ones of security devices and selectable names of previously created policy templates including the new policy template; and
      
      receives selections of one of the labels and the name of the new polity template among the policy template names and, responsive thereto, creates the new security policy so as to include the security policies of the new policy template and associating the new security policy with the security device identified by the selected label.
  - 12. The apparatus of claim 8, wherein the processor creates the new security policy by:
    - modifying security rules of the security policies of the new policy template; and
      
      creating the new security policy to include the modified security rules.
  - 13. The apparatus of claim 12, wherein the processor modifies by:
    - generating for display a menu which shows the security rules included in the security policies of the new policy template and permits modifications to the security rules; and
      
      receiving the modifications of the network security rules through the menu.
  - 14. The apparatus of claim 8, wherein:
    - the set of rule parameters of each security rule further includes a device port.

15. A non-transitory tangible computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to:
- connect across a network with different types of security devices including at least two of an application security appliance, a web security appliance, and a firewall device;
  
  import, over the network, security policies from the security devices, each security policy including security rules from a corresponding one of the different security devices, each security rule including a set of rule parameters to permit or deny access to a resource based on a network protocol, and source and destination addresses;
  
  compare the rule parameters of each security rule of each imported security policy to identify commonality in the security rules across the different security devices;
  
  based on commonality between the security rules identified in the compare, classify the imported security policies into identical security policy classifications when all of their associated rule parameters are the same as each other, similar security policy classifications when only some of their associated rule parameters are the same as each other, and unique security policy classifications when none of their associated rule parameters are the same as each other;
  
  display at least the identical security policy classifications as user selectable options;
  
  receive selections of the identical security policy classifications;
  
  create a new policy template that includes all of the security policies identified by selected ones of the policy classification selections;
  
  create a new security policy based on the new policy template; and
  
  apply the new security policy to a security device over the network.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer readable storage media of claim 15, wherein the new policy template includes security rules each including the set of rule parameters used by a security device to permit or deny access to a resource based on a network protocol, and source and destination addresses, and wherein the instructions to cause the processor to create include instructions to cause the processor to create the new security policy so as to include at least some of the security rules of the new policy template.
  - 17. The non-transitory computer readable storage media of claim 15, further comprising instructions to cause the processor to:
    - generate for display an option to enter a name of the policy template; and
      
      receive an entered name and selections of security policy classifications,wherein the instructions to cause the processor to create include instructions to cause the processor to create the new policy template so as to be identified with the entered name and to include all of the security policies identified by the policy classification selections.
  - 18. The non-transitory computer readable storage media of claim 17, further comprising instructions to cause the processor to:
    - generate for display selectable labels identifying respective ones of security devices and selectable names of previously created policy templates including the new policy template; and
      
      receive selections of one of the labels and the name of the new polity template among the policy template names and, responsive thereto, create the new security policy so as to include the security policies of the new policy template and associating the new security policy with the security device identified by the selected label.
  - 19. The non-transitory computer readable storage media of claim 15, wherein the instructions to cause the processor to create the new security policy include instructions to cause the processor to:
    - modify the security rules of the security policies of the new policy template; and
      
      create the new security policy to include the modified security rules.
  - 20. The non-transitory computer readable storage media of claim 19, wherein the instructions to cause the processor to modify include instructions to cause the processor to:
    - generate for display a menu which shows the security rules included in the security policies of the new policy template and permits modifications to the security rules; and
      
      receive the modifications of the network security rules through the menu.
  - 21. The non-transitory computer readable storage media of claim 15, wherein:
    - the set of rule parameters of each security rule further includes a device port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Dotan, Yedidya, Duane, Christopher, Knjazihhin, Denis
Primary Examiner(s)
Zarrineh, Shahriar

Application Number

US14/600,473
Publication Number

US 20160212168A1
Time in Patent Office

756 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0254   Stateful filtering

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Creation of security policy templates and security policies based on the templates

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Creation of security policy templates and security policies based on the templates

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links