User interface driven translation, comparison, unification, and deployment of device neutral network security policies
First Claim
1. A method comprising:
at a management device that manages multiple network security devices over a network, the security devices configured to control access to network accessible resources, receiving a query that asks how the security devices control access to a specific resource; and
responsive to the query:
collecting from each security device a respective native security rule that references the specific resource, each native security rule based on a respective native rule model associated with the security device from which the native security rule is collected;
translating each native security rule into a respective normalized rule that is based on a generic rule model;
comparing the respective normalized rules to each other;
if results of the comparing indicate that more of the security devices either allow access than block access to the specific resource or block access than allow access to the specific resource, automatically selecting a unified action for all of the network security devices to either allow access or block access to the specific resource, respectively;
displaying an indication of the unified action;
generating a common normalized rule based on the generic rule model to perform the unified action with respect to the specific resource;
translating the common normalized rule into unified native security rules each for a respective one of the security devices; and
configuring each security device with the respective unified native security rule so that all of the security devices implement the unified action.
Abstract
A method is performed at a management device to manage multiple network security devices over a network. The security devices are configured to control access to network accessible resources. A query is received that asks how the security devices control access to a specific resource. In response to the received query, a respective native security rule that references the specific resource is collected from each security device, where each native security rule is based on a respective native rule model associated with the security device from which the native security rule is collected. Each native security rule is translated into a respective normalized rule that is based on a generic rule model. The respective normalized rules are compared to each other to generate compare results. Based on the compare results, an indication of whether each security device allows or blocks access to the specific resource is generated.
20 Claims
1. A method comprising:
at a management device that manages multiple network security devices over a network, the security devices configured to control access to network accessible resources, receiving a query that asks how the security devices control access to a specific resource; and
responsive to the query:
collecting from each security device a respective native security rule that references the specific resource, each native security rule based on a respective native rule model associated with the security device from which the native security rule is collected;
translating each native security rule into a respective normalized rule that is based on a generic rule model;
comparing the respective normalized rules to each other;
if results of the comparing indicate that more of the security devices either allow access than block access to the specific resource or block access than allow access to the specific resource, automatically selecting a unified action for all of the network security devices to either allow access or block access to the specific resource, respectively;
displaying an indication of the unified action;
generating a common normalized rule based on the generic rule model to perform the unified action with respect to the specific resource;
translating the common normalized rule into unified native security rules each for a respective one of the security devices; and
configuring each security device with the respective unified native security rule so that all of the security devices implement the unified action.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. An apparatus comprising:
a network interface unit configured to enable communications over a network; and
a hardware processor, coupled to the network interface unit, configured to manage multiple network security devices over the network, the security devices configured to control access to network accessible resources, the processor configured to:
receive a query that asks how the security devices control access to a specific resource; and
responsive to the query:
collect from each security device a respective native security rule that references the specific resource, each native security rule based on a respective native rule model associated with the security device from which the native security rule is collected;
translate each native security rule into a respective normalized rule that is based on a generic rule model;
compare the respective normalized rules to each other; and
if results of the compare operation indicate that more of the security devices either allow access than block access to the specific resource or block access than allow access to the specific resource, automatically select a unified action for all of the network security devices to either allow access or block access to the specific resource, respectively;
generate for display an indication of the unified action;
generate a common normalized rule based on the generic rule model to perform the unified action with respect to the specific resource;
translate the common normalized rule into unified native security rules each for a respective one of the security devices; and
configure each security device with the respective unified native security rule so that all of the security devices implement the unified action.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. A method comprising:
at a management device that manages multiple network security devices, determining, based on security rules implemented on and collected from the security devices, whether more of the security devices allow access than block access to a specific resource, or more of the security devices block access than allow access to the specific resource;
if it is determined that more of the security devices either allow access than block access to the specific resource or block access than allow access to the specific resource, automatically selecting a unified action for all of the network security devices to either allow access or block access to the specific resource, respectively;
displaying an indication of the unified action;
generating a common normalized rule based on a generic rule model to perform the unified action with respect to the specific resource;
translating the common normalized rule into unified native security rules each for a respective one of the security devices; and
configuring each security device with the respective unified native security rule so that all of the security devices implement the unified action.
Dependent claims: 17, 18, 19, 20.
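The independent claims describe one pipeline: collect a native rule per device, normalize it to a generic rule model, compare, pick the majority action, render a common normalized rule back into each native format, and push it. The following Python is an added example written for this page, not code from the patent or its assignee. The three native rule formats ("acl", "chain", "kv"), the device names and the rule lines are all constructed for illustration and are not real vendor syntax or the patent's rule models; the generic model is reduced to the two attributes the claims compare on (resource and allow/block). The example also covers the case the claims leave implicit: when the vote is tied there is no "more ... than ..." condition, so no unified action is selected and nothing is deployed.

```python
"""Majority-vote unification of per-device access rules for one resource.

Added example (not from the patent). Rule formats, device names and sample
rules are constructed for illustration only.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class NormalizedRule:
    """Generic rule model: the resource referenced and whether access is allowed."""
    resource: str
    allow: bool


# --- native rule models (hypothetical formats, constructed for this example) --

def parse_acl_style(line: str) -> NormalizedRule:
    # "permit ip any host 10.0.0.5" / "deny ip any host 10.0.0.5"
    parts = line.split()
    if len(parts) < 5 or parts[0] not in ("permit", "deny") or parts[3] != "host":
        raise ValueError(f"unrecognised ACL-style rule: {line!r}")
    return NormalizedRule(resource=parts[4], allow=parts[0] == "permit")


def render_acl_style(rule: NormalizedRule) -> str:
    return f"{'permit' if rule.allow else 'deny'} ip any host {rule.resource}"


def parse_chain_style(line: str) -> NormalizedRule:
    # "-A FORWARD -d 10.0.0.5 -j ACCEPT" / "-A FORWARD -d 10.0.0.5 -j DROP"
    parts = line.split()
    try:
        resource = parts[parts.index("-d") + 1]
        target = parts[parts.index("-j") + 1]
    except (ValueError, IndexError) as exc:
        raise ValueError(f"unrecognised chain-style rule: {line!r}") from exc
    if target not in ("ACCEPT", "DROP"):
        raise ValueError(f"unsupported target in chain-style rule: {line!r}")
    return NormalizedRule(resource=resource, allow=target == "ACCEPT")


def render_chain_style(rule: NormalizedRule) -> str:
    return f"-A FORWARD -d {rule.resource} -j {'ACCEPT' if rule.allow else 'DROP'}"


def parse_kv_style(line: str) -> NormalizedRule:
    # "dst=10.0.0.5 action=allow" / "dst=10.0.0.5 action=block"
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if "dst" not in fields or fields.get("action") not in ("allow", "block"):
        raise ValueError(f"unrecognised key/value rule: {line!r}")
    return NormalizedRule(resource=fields["dst"], allow=fields["action"] == "allow")


def render_kv_style(rule: NormalizedRule) -> str:
    return f"dst={rule.resource} action={'allow' if rule.allow else 'block'}"


# Native rule model registry: model name -> (parser, renderer).
DeviceModel = tuple[Callable[[str], NormalizedRule], Callable[[NormalizedRule], str]]
MODELS: dict[str, DeviceModel] = {
    "acl": (parse_acl_style, render_acl_style),
    "chain": (parse_chain_style, render_chain_style),
    "kv": (parse_kv_style, render_kv_style),
}


def unify(devices: dict[str, tuple[str, str]], resource: str
          ) -> tuple[Optional[bool], dict[str, bool], dict[str, str]]:
    """devices: device name -> (model name, native rule line referencing `resource`).

    Returns (unified_action, per_device_view, unified_native_rules).
    unified_action is True (allow), False (block), or None when the vote is tied;
    on a tie no common rule is generated, so unified_native_rules is empty.
    """
    normalized: dict[str, NormalizedRule] = {}
    for name, (model, line) in devices.items():
        parse, _ = MODELS[model]                     # translate native -> generic
        rule = parse(line)
        if rule.resource != resource:
            raise ValueError(f"{name}: rule references {rule.resource}, not {resource}")
        normalized[name] = rule
    view = {name: rule.allow for name, rule in normalized.items()}
    votes = Counter(view.values())                   # compare normalized rules
    if votes[True] == votes[False]:
        return None, view, {}
    unified = votes[True] > votes[False]
    common = NormalizedRule(resource=resource, allow=unified)
    # translate the common normalized rule back into each device's native model
    native = {name: MODELS[model][1](common) for name, (model, _) in devices.items()}
    return unified, view, native


# Constructed sample fleet: three devices, three native formats, one resource.
SAMPLE_FLEET = {
    "edge-fw": ("acl", "permit ip any host 10.0.0.5"),
    "dmz-fw": ("chain", "-A FORWARD -d 10.0.0.5 -j DROP"),
    "branch-fw": ("kv", "dst=10.0.0.5 action=allow"),
}

if __name__ == "__main__":
    action, view, rules = unify(SAMPLE_FLEET, "10.0.0.5")
    print("per-device view:", view)
    print("unified action:", {True: "allow", False: "block", None: "tie"}[action])
    for name, line in rules.items():
        print(f"  {name}: {line}")
```

On the sample fleet two devices allow and one blocks, so the unified action is allow and the "dmz-fw" rule is rewritten from DROP to ACCEPT. That is the point a defender should notice in the claimed design: a majority vote can relax the one device that was blocking, which is why the "displaying an indication of the unified action" step sits before configuration. The example returns None on a tie rather than defaulting either way; an operator who prefers fail-closed behaviour would resolve ties toward block.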
Specification