Conditional declarative policies

US 9,621,595 B2
Filed: 05/10/2016
Issued: 04/11/2017
Est. Priority Date: 03/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for producing a firewall rule set comprising:

receiving a declarative policy associated with a computer network security policy, the declarative policy including at least one predetermined category and action associated with the predetermined category, the predetermined category indicating a plurality of workloads, the action being at least one of forward, block, redirect, and log, in which the declarative policy is high risk assets are not allowed to communicate with high value assets;

collecting information from at least one external system of record, the information associated with the at least one predetermined category;

generating a firewall rule set using the declarative policy and the information, the firewall rule set including workload addresses to or from which network communications are at least one of forwarded, blocked, redirected, and logged, the firewall rule set being at a lower level of abstraction than the declarative policy, in which the generating comprises;

receiving a workload associated with the declarative policy,determining workload attributes associated with the workload using the information, the workload attributes collected from at least one of the external system of record and an analysis of network behavior,computing a score using the workload attributes,comparing the score to a predetermined threshold,identifying addresses associated with the workload, in response to the comparison, andproducing the firewall rule set using the addresses associated with the workload; and

provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, each enforcement point policing network communications among respective workloads using the firewall rule set.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.

166 Citations

16 Claims

1. A computer-implemented method for producing a firewall rule set comprising:
- receiving a declarative policy associated with a computer network security policy, the declarative policy including at least one predetermined category and action associated with the predetermined category, the predetermined category indicating a plurality of workloads, the action being at least one of forward, block, redirect, and log, in which the declarative policy is high risk assets are not allowed to communicate with high value assets;
  
  collecting information from at least one external system of record, the information associated with the at least one predetermined category;
  
  generating a firewall rule set using the declarative policy and the information, the firewall rule set including workload addresses to or from which network communications are at least one of forwarded, blocked, redirected, and logged, the firewall rule set being at a lower level of abstraction than the declarative policy, in which the generating comprises;
  
  receiving a workload associated with the declarative policy,determining workload attributes associated with the workload using the information, the workload attributes collected from at least one of the external system of record and an analysis of network behavior,computing a score using the workload attributes,comparing the score to a predetermined threshold,identifying addresses associated with the workload, in response to the comparison, andproducing the firewall rule set using the addresses associated with the workload; and
  
  provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, each enforcement point policing network communications among respective workloads using the firewall rule set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, in which the declarative policy is received through at least one of a graphical user interface, a command line interface, and an application programming interface.
  - 3. The computer-implemented method of claim 2, in which the declarative policy is received in a tabular form.
  - 4. The computer-implemented method of claim 1, in which the information includes assets in a computer network, and a risk level and a value associated with each asset.
  - 5. The computer-implemented method of claim 1, in which the providing includes sending an update to at least one hypervisor, the update including the firewall rule set.
  - 6. The computer-implemented method of claim 1, in which the score is further computed using a sum of the workload attributes.
  - 7. The computer-implemented method of claim 1, further comprising:
    - checking the firewall rule set for at least one of a conflict and an overlap among the addresses; and
      
      correcting the firewall rule set in response to finding at least one of the conflict and the overlap.
  - 8. The computer-implemented method of claim 1, further comprising:
    - re-collecting information from the at least one external system of record, in response to at least one of an input from a user, an input from another external system of record, and a predetermined amount of time elapsing; and
      
      re-generating the firewall rule set using the declarative policy and the re-collected information, the firewall rule set including addresses to or from which network communications are not permitted.

9. A system for producing a firewall rule set comprising:
- a processor; and
  
  a memory communicatively coupled to the processor, the memory storing instructions executable by the processor to perform a method comprising;
  
  receiving a declarative policy associated with a computer network security policy, the declarative policy including at least one predetermined category and action associated with the predetermined category, the predetermined category indicating a plurality of workloads, the action being at least one of forward, block, redirect, and log, in which the declarative policy is high risk assets are not allowed to communicate with high value assets;
  
  collecting information from at least one external system of record, the information associated with the at least one predetermined category;
  
  generating a firewall rule set using the declarative policy and the information, the firewall rule set including workload addresses to or from which network communications are at least one of forwarded, blocked, redirected, and logged, the firewall rule set being at a lower level of abstraction than the declarative policy, in which the generating comprises;
  
  receiving a workload associated with the declarative policy,determining workload attributes associated with the workload using the information, the workload attributes collected from at least one of the external system of record and an analysis of network behavior,computing a score using the workload attributes,comparing the score to a predetermined threshold,identifying addresses associated with the workload, in response to the comparison, andproducing the firewall rule set using the addresses associated with the workload; and
  
  provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, each enforcement point policing network communications among respective workloads using the firewall rule set.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, in which the declarative policy is received through at least one of a graphical user interface, a command line interface, and an application programming interface.
  - 11. The system of claim 10, in which the declarative policy is received in a tabular form.
  - 12. The system of claim 9, in which the information includes assets in a computer network, and a risk level and a value associated with each asset.
  - 13. The system of claim 9, in which the providing includes sending an update to at least one hypervisor, the update including the firewall rule set.
  - 14. The system of claim 9, in which the score is further computed using a sum of the workload attributes.
  - 15. The system of claim 9, further comprising:
    - re-collecting information from the at least one external system of record, in response to at least one of an input from a user, an input from another external system of record, and a predetermined amount of time elapsing; and
      
      re-generating the firewall rule set using the declarative policy and the re-collected information, the firewall rule set including addresses to or from which network communications are not permitted.

16. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for producing a firewall rule set, the method comprising:
- receiving a declarative policy associated with a computer network security policy, the declarative policy including at least one predetermined category and action associated with the predetermined category, the predetermined category indicating a plurality of workloads, the action being at least one of forward, block, redirect, and log, in which the declarative policy is high risk assets are not allowed to communicate with high value assets;
  
  collecting information from at least one external system of record, the information evaluated and associated with the at least one predetermined category;
  
  generating a firewall rule set using the declarative policy and the information, the firewall rule set including workload addresses to or from which network communications are at least one of forwarded, blocked, redirected, and logged, the firewall rule set being at a lower level of abstraction than the declarative policy, the generating comprising;
  
  receiving a workload associated with the declarative policy,determining workload attributes associated with the workload using the information, the workload attributes collected from at least one of an external system of record and an analysis of network behavior,computing a score using the workload attributes,comparing the score to a predetermined threshold,identifying addresses associated with the workload, in response to the comparison, andproducing the firewall rule set using the addresses associated with the workload; and
  
  provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, each enforcement point policing network communications among respective workloads using the firewall rule set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Lian, Jia-Jyi, Paterra, Anthony, Woolward, Marc
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
LE, THANH H

Application Number

US15/151,303
Publication Number

US 20170063795A1
Time in Patent Office

336 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0806   for initial configuration o...

H04L 41/0893   Assignment of logical group...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

Conditional declarative policies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

166 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Conditional declarative policies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links