Security policy unification across different security products
Abstract
A management entity receives from multiple security devices corresponding native security policies, each based on a native policy model associated with the corresponding security device. Each security device controls access to resources by devices associated with the security device according to the corresponding native security policy. The management entity normalizes the received native security policies across the security devices based on a generic policy model, to produce a normalized security policy that is based on the generic policy model and representative of the native security policies.
16 Claims
1. A method comprising:
at a management device including multiple security device plugins, each security device plugin to communicate over a network with a corresponding one of multiple security devices and associated with a corresponding native policy model used by the corresponding security device;
receiving from the multiple security devices over the network via the plugins corresponding native security policies, each based on the native policy model associated with the corresponding security device, each security device configured to control access to a resource according to the corresponding native security policy, wherein each native security policy includes native security rules, and each native security rule includes native rule parameters expressed according to the corresponding native policy model and configured to cause an identified security device to perform an access control operation for a type of access based on a protocol, a source address associated with the access control operation, and a destination address associated with the network access; and
normalizing the received native security policies across the multiple security devices based on a generic policy model, to produce at least one normalized security policy that is based on the generic policy model and representative of the native security policies, the normalizing including, for each received native security policy, mapping the native rule parameters to corresponding generic rule components of the generic policy model, the mapping including mapping the source address to a {principal} component, the access control operation to an {action} component, the destination address to a {resource} component, the protocol to a {context} component, and the type of access attempted to a {result} component, to form a generic security rule in the form:
if {principal} tries to perform an {action} on {resource} within {context} then {result}.
Dependent claims: 2, 3, 4, 5
6. An apparatus comprising:
a network interface unit to connect with a network; and
a processor coupled to the network interface unit to:
implement multiple security device plugins each configured to communicate with a corresponding one of multiple security devices over the network via the network interface unit, each security device plugin being associated with a corresponding native policy model used by the corresponding security device;
receive from the multiple security devices over the network via the security device plugins corresponding native security policies, each based on the native policy model associated with the corresponding security device, each security device configured to control access to a resource according to the corresponding native security policy, wherein each native security policy includes native security rules, and each native security rule includes native rule parameters expressed according to the corresponding native policy model;
normalize the received native security policies across the security devices based on a generic policy model, to produce at least one normalized security policy that is based on the generic policy model and representative of the native security policies, by, for each received native security policy, mapping the native rule parameters to corresponding generic rule components of the generic policy model, including {principal}, {action}, {resource}, and {result} components, to form a generic security rule in the form:
if {principal} tries to perform an {action} on {resource} then {result};
receive a generic security policy based on the generic policy model;
translate the generic security policy to multiple native security policies, each based on a corresponding one of the native policy models associated with the corresponding one of the security devices; and
provide the multiple native security policies to the corresponding security devices to enable the security devices to implement the native security policy.
Dependent claims: 7, 8, 9, 10, 11
12. A non-transitory tangible computer readable storage media encoded with instructions that, when executed by a processor of a management device including a network interface unit to communicate with a network, cause the processor to:
implement multiple security device plugins each configured to communicate with a corresponding one of multiple security devices over the network via the network interface unit, each security device plugin being associated with a corresponding native policy model used by the corresponding security device;
receive from the multiple security devices over the network via the plugins corresponding native security policies, each based on the native policy model associated with the corresponding security device, each security device configured to control access to a resource according to the corresponding native security policy, wherein each native security policy includes native security rules, and each native security rule includes native rule parameters expressed according to the corresponding native policy model and configured to cause an identified security device to perform an access control operation for a type of access based on a protocol, a source address associated with the access control operation, and a destination address associated with the network access; and
normalize the received native security policies across the multiple security devices based on a generic policy model, to produce at least one normalized security policy that is based on the generic policy model and representative of the native security policies, by, for each received native security policy, mapping the native rule parameters to corresponding generic rule components of the generic policy model, the mapping including mapping the source address to a {principal} component, the access control operation to an {action} component, the destination address to a {resource} component, the protocol to a {context} component, and the type of access attempted to a {result} component, to form a generic security rule in the form:
if {principal} tries to perform an {action} on {resource} within {context} then {result}.
Dependent claims: 13, 14, 15, 16
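The plugin-based normalization that claims 1, 6 and 12 describe, and the reverse translation from the generic model back to a native policy in claim 6, as an added illustration that is not part of the patent. The two native formats (an ACL-style text line and a dict-style rule), the plugin names and the sample policies are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GenericRule:
    """One rule of the generic policy model; frozen so rules are hashable and de-duplicate."""
    principal: str   # source address
    action: str      # access control operation
    resource: str    # destination address
    context: str     # protocol
    result: str      # type of access: "permit" or "deny"

    def render(self) -> str:
        return (f"if {self.principal} tries to perform an {self.action} on "
                f"{self.resource} within {self.context} then {self.result}")

# Plugin for a constructed ACL-style native model: "<permit|deny> <proto> <src> <dst>"
def acl_plugin(native: str) -> list:
    rules = []
    for line in native.splitlines():
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed ACL line: {line!r}")
        result, proto, src, dst = parts
        rules.append(GenericRule(src, "access", dst, proto, result))
    return rules

# Plugin for a constructed dict-style native model with its own verdict vocabulary
def dict_plugin(native: list) -> list:
    verdict = {"allow": "permit", "block": "deny"}   # map native result to generic
    return [GenericRule(r["from"], r["op"], r["to"], r["proto"], verdict[r["verdict"]])
            for r in native]

PLUGINS = {"acl": acl_plugin, "dict": dict_plugin}

def normalize(policies: dict) -> list:
    """policies: device -> (native model name, native policy). Unknown models raise KeyError."""
    rules = set()
    for model, native in policies.values():
        rules.update(PLUGINS[model](native))
    return sorted(rules, key=GenericRule.render)   # identical rules from two devices collapse

def to_acl(rules) -> str:
    """Reverse direction (claim 6): translate generic rules back to the ACL-style native model."""
    return "\n".join(f"{r.result} {r.context} {r.principal} {r.resource}" for r in rules)

# Constructed sample: two devices, two native models, one overlapping rule
SAMPLE_POLICIES = {
    "fw1": ("acl", "permit tcp 10.0.0.0/8 203.0.113.5\ndeny udp 10.0.0.0/8 203.0.113.5"),
    "fw2": ("dict", [{"from": "10.0.0.0/8", "op": "access", "to": "203.0.113.5",
                      "proto": "tcp", "verdict": "allow"}]),
}
```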