Creation of security policy templates and security policies based on the templates
First Claim
1. A method comprising:
at a management entity:
connecting across a network with different types of security devices including at least two of an application security appliance, a web security appliance, and a firewall device;
importing, over the network, security policies from the security devices, each security policy including security rules from a corresponding one of the different security devices, each security rule including a set of rule parameters to permit or deny access to a resource based on a network protocol, and source and destination addresses;
comparing the rule parameters of each security rule of each imported security policy to identify commonality in the security rules across the different security devices;
based on commonality between the security rules identified in the comparing, classifying the imported security policies into identical security policy classifications when all of their associated rule parameters are the same as each other, similar security policy classifications when only some of their associated rule parameters are the same as each other, and unique security policy classifications when none of their associated rule parameters are the same as each other;
displaying at least the identical security policy classifications as user selectable options;
receiving selections of the identical security policy classifications;
creating a new policy template that includes all of the security policies identified by selected ones of the policy classification selections;
creating a new security policy based on the new policy template; and
applying the new security policy to a security device over the network.
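The classification step of claim 1 (identical when all rule parameters match, similar when only some match, unique when none match) and the template built from the selected identical policies, worked through as an added Python example that is not part of the patent; the four device policies, their addresses and the choice to treat protocol, source and destination as the match parameters (with the permit/deny action as the verdict) are constructed assumptions.

```python
from itertools import combinations

# Constructed sample input (not from the patent): one imported policy per device
# type named in claim 1; each rule carries an action plus protocol, src and dst.
IMPORTED = {
    "firewall": [
        {"action": "permit", "protocol": "tcp", "src": "10.0.0.0/8", "dst": "192.0.2.10"},
        {"action": "deny", "protocol": "udp", "src": "0.0.0.0/0", "dst": "192.0.2.10"},
    ],
    "web-appliance": [  # same rules as the firewall -> identical
        {"action": "permit", "protocol": "tcp", "src": "10.0.0.0/8", "dst": "192.0.2.10"},
        {"action": "deny", "protocol": "udp", "src": "0.0.0.0/0", "dst": "192.0.2.10"},
    ],
    "app-appliance": [  # shares protocol and destination, not source -> similar
        {"action": "permit", "protocol": "tcp", "src": "172.16.0.0/12", "dst": "192.0.2.10"},
    ],
    "legacy-fw": [  # shares no parameter value with any other policy -> unique
        {"action": "deny", "protocol": "icmp", "src": "198.51.100.0/24", "dst": "203.0.113.5"},
    ],
}
PARAMS = ("protocol", "src", "dst")  # match parameters; "action" is the verdict

def canonical(policy):
    """Order-independent view of a policy: the set of its complete rules."""
    return frozenset(tuple(sorted(r.items())) for r in policy)

def param_values(policy):
    """Every (parameter, value) pair used by any rule of the policy."""
    return {(p, r[p]) for r in policy for p in PARAMS}

def classify(policies):
    """Pairwise classification as in claim 1: identical / similar / unique."""
    result = {"identical": [], "similar": [], "unique": []}
    for a, b in combinations(sorted(policies), 2):
        if canonical(policies[a]) == canonical(policies[b]):
            result["identical"].append((a, b))   # all rule parameters the same
        elif param_values(policies[a]) & param_values(policies[b]):
            result["similar"].append((a, b))     # only some parameters the same
        else:
            result["unique"].append((a, b))      # nothing in common
    return result

def build_template(policies, selected_pairs):
    """Template = every policy in the selected classifications, rules deduplicated."""
    rules = {}
    for name in sorted({n for pair in selected_pairs for n in pair}):
        for r in policies[name]:
            rules.setdefault(tuple(sorted(r.items())), dict(r))
    return list(rules.values())
```

Selecting the identical classification and calling `build_template` yields the two shared rules once, which is the new policy that would then be pushed to a target device.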
Abstract
A management entity generates selectable security policy classifications each identifying security policies that share common security rules. Each of the security policies is applied by a corresponding one of different security devices to control access to a resource. The management entity creates a new policy template that includes all of the security policies identified by selected ones of the policy classification selections and then creates a new security policy based on the new policy template. The management entity applies the new security policy to a security device over a network.
21 Claims
1. The method claim set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. An apparatus comprising:
a network interface unit to connect with a network; and
a processor coupled to the network interface unit to:
connect across a network with different types of security devices including at least two of an application security appliance, a web security appliance, and a firewall device;
import, over the network, security policies from the security devices, each security policy including security rules from a corresponding one of the different security devices, each security rule including a set of rule parameters to permit or deny access to a resource based on a network protocol, and source and destination addresses;
compare the rule parameters of each security rule of each imported security policy to identify commonality in the security rules across the different security devices;
based on commonality between the security rules identified in the comparing, classify the imported security policies into identical security policy classifications when all of their associated rule parameters are the same as each other, similar security policy classifications when only some of their associated rule parameters are the same as each other, and unique security policy classifications when none of their associated rule parameters are the same as each other;
display at least the identical security policy classifications as user selectable options;
receive selections of the identical security policy classifications;
create a new policy template that includes all of the security policies identified by selected ones of the policy classification selections;
create a new security policy based on the new policy template; and
apply the new security policy to a security device over the network.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A non-transitory tangible computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to:
connect across a network with different types of security devices including at least two of an application security appliance, a web security appliance, and a firewall device;
import, over the network, security policies from the security devices, each security policy including security rules from a corresponding one of the different security devices, each security rule including a set of rule parameters to permit or deny access to a resource based on a network protocol, and source and destination addresses;
compare the rule parameters of each security rule of each imported security policy to identify commonality in the security rules across the different security devices;
based on commonality between the security rules identified in the comparing, classify the imported security policies into identical security policy classifications when all of their associated rule parameters are the same as each other, similar security policy classifications when only some of their associated rule parameters are the same as each other, and unique security policy classifications when none of their associated rule parameters are the same as each other;
display at least the identical security policy classifications as user selectable options;
receive selections of the identical security policy classifications;
create a new policy template that includes all of the security policies identified by selected ones of the policy classification selections;
create a new security policy based on the new policy template; and
apply the new security policy to a security device over the network.
Dependent claims: 16, 17, 18, 19, 20, 21.