User interface driven translation, comparison, unification, and deployment of device neutral network security policies

US 9,641,540 B2
Filed: 05/29/2015
Issued: 05/02/2017
Est. Priority Date: 05/19/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a management device that manages multiple network security devices over a network, the security devices configured to control access to network accessible resources, receiving a query that asks how the security devices control access to a specific resource; and

responsive to the query;

collecting from each security device a respective native security rule that references the specific resource, each native security rule based on a respective native rule model associated with the security device from which the native security rule is collected;

translating each native security rule into a respective normalized rule that is based on a generic rule model;

comparing the respective normalized rules to each other;

if results of the comparing indicate that more of the security devices either allow access than block access to the specific resource or block access than allow access to the specific resource, automatically selecting a unified action for all of the network security devices to either allow access or block access to the specific resource, respectively;

displaying an indication of the unified action;

generating a common normalized rule based on the generic rule model to perform the unified action with respect to the specific resource;

translating the common normalized rule into unified native security rules each for a respective one of the security devices; and

configuring each security device with the respective unified native security rule so that all of the security devices implement the unified action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is performed at a management device to manage multiple network security devices over a network. The security devices are configured to control access to network accessible resources. A query is received. In response to the received query, a respective native security rule that references the specific resource is collected from each security device, where each native security rule is based on a respective native rule model associated with the security device from which the native security rule is collected. Each native security rule is translated into a respective normalized rule that is based on a generic rule model. The respective normalized rules are compared to each other to generate compare results. Based on the compare results, an indication of whether each security device allows or blocks access to the specific resource is generated.

63 Citations

View as Search Results

20 Claims

1. A method comprising:
- at a management device that manages multiple network security devices over a network, the security devices configured to control access to network accessible resources, receiving a query that asks how the security devices control access to a specific resource; and
  
  responsive to the query;
  
  collecting from each security device a respective native security rule that references the specific resource, each native security rule based on a respective native rule model associated with the security device from which the native security rule is collected;
  
  translating each native security rule into a respective normalized rule that is based on a generic rule model;
  
  comparing the respective normalized rules to each other;
  
  if results of the comparing indicate that more of the security devices either allow access than block access to the specific resource or block access than allow access to the specific resource, automatically selecting a unified action for all of the network security devices to either allow access or block access to the specific resource, respectively;
  
  displaying an indication of the unified action;
  
  generating a common normalized rule based on the generic rule model to perform the unified action with respect to the specific resource;
  
  translating the common normalized rule into unified native security rules each for a respective one of the security devices; and
  
  configuring each security device with the respective unified native security rule so that all of the security devices implement the unified action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - determining, for each normalized rule, whether the normalized rule allows or blocks access to the specific resource to all users except for a specific group of users indicated in the respective native security rule that was translated into the normalized rule; and
      
      if it is determined that the normalized rule allows or blocks access to the specific resource to all users except for a specific group of users, the generating for display includes generating for display an indication of the specific group of users.
  - 3. The method of claim 1, wherein:
    - each native security rule includes native rule parameters expressed according to the respective native rule model; and
      
      the translating includes, for each native security rule, mapping the native rule parameters expressed according to the respective native rule model to respective normalized rule components of the generic rule model to form the respective normalized rule.
  - 4. The method of claim 3, wherein:
    - the normalized rule components include {principal}, {action}, {resource}, {context}, and {result} components; and
      
      the mapping includes mapping the native rule parameters to the normalized rule components according to the generic rule model in the form;
      
      if {principal} tries to perform an {action} on {resource} within {context} then {result}.
  - 5. The method of claim 3, wherein:
    - the comparing includes comparing respective ones of the normalized rule components of the normalized rules to each other.
  - 6. The method of claim 1, wherein the specific resource is accessible through the Internet.
  - 7. The method of claim 1, further comprising:
    - if the results of the comparing indicate that some of the security devices allow access, while others block access, to the specific resource, the generating for display includes generating for display a user selectable icon to unify actions across the security devices; and
      
      receiving a selection of the icon, and responsive thereto;
      
      selecting a unified action either to allow access or block access to the specific resource; and
      
      unifying native security rules across the security devices in compliance with the unified action so that all of the security devices either allow access or block access to the specific resource.
  - 8. The method of claim 7, whereineach unified native security rule is based on the rule model native to the respective security device.

9. An apparatus comprising:
- a network interface unit configured to enable communications over a network; and
  
  a hardware processor, coupled to the network interface unit, configured to manage multiple network security devices over the network, the security devices configured to control access to network accessible resources, the processor configured to receive a query that ask how the security devices control access to a specific resource; and
  
  responsive to the query;
  
  collect from each security device a respective native security rule that references the specific resource, each native security rule based on a respective native rule model associated with the security device from which the native security rule is collected;
  
  translate each native security rule into a respective normalized rule that is based on a generic rule model;
  
  compare the respective normalized rules to each other; and
  
  if results of the compare operation indicate that more of the security devices either allow access than block access to the specific resource or block access than allow access to the specific resource, automatically select a unified action for all of the network security devices to either allow access or block access to the specific resource, respectively;
  
  generate for display an indication of the unified action;
  
  generate a common normalized rule based on the generic rule model to perform the unified action with respect to the specific resource;
  
  translate the common normalized rule into unified native security rules each for a respective one of the security devices; and
  
  configure each security device with the respective unified native security rule so that all of the security devices implement the unified action.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus of claim 9, wherein the processor is further configured to:
    - determine, for each normalized rule, whether the normalized rule allows or blocks access to the specific resource to all users except for a specific group of users indicated in the respective native security rule that was translated into the normalized rule; and
      
      if it is determined that the normalized rule allows or blocks access to the specific resource to all users except for a specific group of users, generate for display an indication of the specific group of users.
  - 11. The apparatus of claim 9, wherein each native security rule includes native rule parameters expressed according to the respective native rule model;
    - andthe processor is configured to translate, for each native security rule, by mapping the native rule parameters expressed according to the respective native rule model to respective normalized rule components of the generic rule model to form the respective normalized rule.
  - 12. The apparatus of claim 11, wherein the normalized rule components include {principal}, {action}, {resource}, {context}, and {result} components;
    - andthe processor is configured to map by mapping the native rule parameters to the normalized rule components according to the generic rule model in the form;
      
      if {principal} tries to perform an {action} on {resource} within {context} then {result}.
  - 13. The apparatus of claim 11, wherein the processor is configured to compare respective ones of the normalized rule components of the normalized rules to each other.
  - 14. The apparatus of claim 9, wherein if the results of the compare operation indicate that some of the security devices allow access, while others block access, to the specific resource, the processor is configured to:
    - generate for display a user selectable icon to unify actions across the security devices;
      
      receive a selection of the user selectable icon, and responsive thereto;
      
      select a unified action either to allow access or block access to the specific resource; and
      
      unify native security rules across the security devices in compliance with the unified action so that all of the security devices either allow access or block access to the specific resource.
  - 15. The apparatus of claim 14, whereineach unified native security rule is based on the rule model native to the respective security device.

16. A method comprising:
- at a management device that manages multiple network security devices, determining, based on security rules implemented on and collected from the security devices, whether more of the security devices allow access than block access to a specific resource, or more of the security devices block access than allow access to the specific resource;
  
  if it is determined that more of the security devices either allow access than block access to the specific resource or block access than allow access to the specific resource, automatically selecting a unified action for all of the network security devices to either allow access or block access to the specific resource, respectively;
  
  displaying an indication of the unified action;
  
  generating a common normalized rule based on a generic rule model to perform the unified action with respect to the specific resource;
  
  translating the common normalized rule into unified native security rules each for a respective one of the security devices; and
  
  configuring each security device with the respective unified native security rule so that all of the security devices implement the unified action.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, whereineach unified native security rule is based on a rule model native to the respective security device.
  - 18. The method of claim 17, wherein:
    - the normalized rule includes normalized rule components expressed according to the generic rule model; and
      
      the translating includes, for each unified native security rule, mapping the normalized rule components to native rule parameters of the unified native security rule expressed according to the native rule model.
  - 19. The method of claim 18, wherein:
    - the normalized rule includes the normalized rule components of {principal}, {action}, {resource}, {context}, and {result} expressed according to the generic rule model in a form;
      
      if {principal} tries to perform an {action} on {resource} within {context} then {result}; and
      
      the mapping includes, for each unified native security rule, mapping the normalized rule components {principal}, {action}, {resource}, {context}, {result} to corresponding native rule parameters of the unified native security rule.
  - 20. The method of claim 16, further comprising:
    - generating for display user selectable sub-actions associated with a user selectable icon to unify actions; and
      
      receiving a selection of one of the sub-actions, and responsive thereto, configuring the security devices with respective native security rules to implement the selected one of the sub-actions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Dotan, Yedidya, Perry, Jason M., Knjazihhin, Denis, Siswick, Zachary D., Vasant, Sachin
Primary Examiner(s)
Poltorak, Peter

Application Number

US14/725,489
Publication Number

US 20160344743A1
Time in Patent Office

704 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/248   Presentation of query results

G06F 16/9535   Search customisation based ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/108   when the policy decisions a...

User interface driven translation, comparison, unification, and deployment of device neutral network security policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

User interface driven translation, comparison, unification, and deployment of device neutral network security policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links