Security policy unification across different security products

US 9,680,875 B2
Filed: 01/20/2015
Issued: 06/13/2017
Est. Priority Date: 01/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a management device including multiple security device plugins, each security device plugin to communicate over a network with a corresponding one of multiple security devices and associated with a corresponding native policy model used by the corresponding security device;

receiving from the multiple security devices over the network via the plugins corresponding native security policies each based on the native policy model associated with the corresponding security device, each security device configured to control access to a resource according to the corresponding native security policy, wherein each native security policy includes native security rules, and each native security rule includes native rule parameters expressed according to the corresponding native policy model and configured to cause an identified security device to perform an access control operation for a type of access based on a protocol, a source address associated with the access control operation, and a destination address associated with the network access; and

normalizing the received native security policies across the multiple security devices based on a generic policy model, to produce at least one normalized security policy that is based on the generic policy model and representative of the native security polices, the normalizing including, for each received native security policy, mapping the native rule parameters to corresponding generic rule components of the generic policy model, the mapping including mapping the source address to a {principal} component, the access control operation to an {action} component, the destination address to a {resource} component, the protocol to a {context} component, and the type of access attempted to a {result} component, to form a generic security rule in the form;

if {principal} tries to perform an {action} on {resource} within {context} then {result}.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A management entity receives from multiple security devices corresponding native security policies each based on a native policy model associated with the corresponding security device. Each security device controls access to resources by devices associated with the security device according to the corresponding native security policy. The management entity normalizes the received native security policies across the security devices based on a generic policy model, to produce a normalized security policy that is based on the generic policy model and representative of the native security polices.

Citations

16 Claims

1. A method comprising:
- at a management device including multiple security device plugins, each security device plugin to communicate over a network with a corresponding one of multiple security devices and associated with a corresponding native policy model used by the corresponding security device;
  
  receiving from the multiple security devices over the network via the plugins corresponding native security policies each based on the native policy model associated with the corresponding security device, each security device configured to control access to a resource according to the corresponding native security policy, wherein each native security policy includes native security rules, and each native security rule includes native rule parameters expressed according to the corresponding native policy model and configured to cause an identified security device to perform an access control operation for a type of access based on a protocol, a source address associated with the access control operation, and a destination address associated with the network access; and
  
  normalizing the received native security policies across the multiple security devices based on a generic policy model, to produce at least one normalized security policy that is based on the generic policy model and representative of the native security polices, the normalizing including, for each received native security policy, mapping the native rule parameters to corresponding generic rule components of the generic policy model, the mapping including mapping the source address to a {principal} component, the access control operation to an {action} component, the destination address to a {resource} component, the protocol to a {context} component, and the type of access attempted to a {result} component, to form a generic security rule in the form;
  
  if {principal} tries to perform an {action} on {resource} within {context} then {result}.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the native security rule further specifies a time frame over which the security device is to apply the access control operation for the type of access, and the mapping further includes mapping the time frame to the {context} rule component.
  - 3. The method of claim 1, wherein the native security rule further specifies a uniform resource locator (URL) to identify the security device, and the mapping further includes mapping the URL to the {resource} rule component.
  - 4. The method of claim 1, further comprising:
    - receiving a generic security policy based on the generic policy model;
      
      translating the generic security policy to multiple native security policies each based on a corresponding one of the native policy models associated with the corresponding one of the security devices; and
      
      providing the multiple native security policies to the corresponding security devices to enable the security devices to implement the native security policies.
  - 5. The method of claim 4, wherein:
    - the receiving the generic security policy includes receiving one or more generic security rules each including generic rule components expressed according to the generic policy model; and
      
      the translating includes mapping the generic rule components to native rule parameters expressed according to the corresponding native policy model to form native rules representative of the one or more generic rules.

6. An apparatus comprising:
- a network interface unit to connect with a network; and
  
  a processor coupled to the network interface unit to;
  
  implement multiple security device plugins each configured to communicate with a corresponding one of multiple security devices over the network via the network interface unit, each security device plugin being associated with a corresponding native policy model used by the corresponding security device;
  
  receive from the multiple security devices over the network via the security device plugins corresponding native security policies each based on the native policy model associated with the corresponding security device, each security device configured to control access to a resource according to the corresponding native security policy, wherein each native security policy includes native security rules, and each native security rule includes native rule parameters expressed according to the corresponding native policy model;
  
  normalize the received native security policies across the security devices based on a generic policy model, to produce at least one normalized security policy that is based on the generic policy model and representative of the native security polices, by, for each received native security policy, mapping the native rule parameters to corresponding generic rule components of the generic policy model, including {principal}, {action}, {resource}, and {result} components, to form a generic security rule in the form;
  
  if {principal} tries to perform an {action} on {resource} then {result};
  
  receive a generic security policy based on the generic policy model;
  
  translate the generic security policy to multiple native security policies each based on a corresponding one of the native policy models associated with the corresponding one of the security devices; and
  
  provide the multiple native security policies to the corresponding security devices to enable the security devices to implement the native security policy.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The apparatus of claim 6, wherein:
    - the generic rule components further include a {context} component; and
      
      the processor performs the mapping by mapping the native rule parameters to the generic rule components according to the generic policy model in the form;
      
      if {principal} tries to perform an {action} on {resource} within {context} then {result}, to generate the generic security rule.
  - 8. The apparatus of claim 7, wherein:
    - each native rule includes native rule parameters configured to cause an identified security device to perform an access control operation for a type of access based on a protocol, a source address associated with the access control operation, and a destination address associated with the access control operation; and
      
      the processor performs the mapping by mapping;
      
      the source address to the {principal} rule component;
      
      the destination address to the {resource} rule component;
      
      the protocol to the {context} rule component;
      
      the access control operation to the {action} rule component; and
      
      the type of access attempted to the {result} rule component.
  - 9. The apparatus of claim 8, wherein the native security rule further specifies a time frame over which the security device is to apply the access control operation for the type of access, and the processor performs the mapping by further mapping the time frame to the {context} rule component.
  - 10. The apparatus of claim 8, wherein the native security rule further specifies a uniform resource locator (URL) to identify the security device, and the processor performs the mapping by further mapping the URL to the {resource} rule component.
  - 11. The apparatus of claim 6, wherein:
    - the processor receives the generic security policy by receiving one or more generic security rules each including generic rule components expressed according to the generic policy model; and
      
      the processor translates by mapping the generic rule components to native rule parameters expressed according to the corresponding native policy model to form native rules representative of the one or more generic rules.

12. A non-transitory tangible computer readable storage media encoded with instructions that, when executed by a processor of a management device including a network interface unit to communicate with a network, cause the processor to:
- implement multiple security device plugins each configured to communicate with a corresponding one of multiple security devices over the network via the network interface unit, each security device plugin being associated with a corresponding native policy model used by the corresponding security device;
  
  receive from the multiple security devices over the network via the plugins corresponding native security policies each based on the native policy model associated with the corresponding security device, each security device configured to control access to a resource according to the corresponding native security policy, wherein each native security policy includes native security rules, and each native security rule includes native rule parameters expressed according to the corresponding native policy model and configured to cause an identified security device to perform an access control operation for a type of access based on a protocol, a source address associated with the access control operation, and a destination address associated with the network access; and
  
  normalize the received native security policies across the multiple security devices based on a generic policy model, to produce at least one normalized security policy that is based on the generic policy model and representative of the native security polices, by, for each received native security policy, mapping the native rule parameters to corresponding generic rule components of the generic policy model, the mapping including mapping the source address to a {principal} component, the access control operation to an {action} component, the destination address to a {resource} component, the protocol to a {context} component, and the type of access attempted to a {result} component, to form a generic security rule in the form;
  
  if {principal} tries to perform an {action} on {resource} within {context} then {result}.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The computer readable storage media of claim 12, wherein the native security rule further specifies a time frame over which the security device is to apply the access control operation for the type of access, and the instructions to cause the processor to map include further instructions to cause the processor to map the time frame to the {context} rule component.
  - 14. The computer readable storage media of claim 12, wherein the native security rule further specifies a uniform resource locator (URL) to identify the security device, and the instructions to cause the processor to map include further instructions to cause the processor to map the URL to the {resource} rule component.
  - 15. The computer readable storage media of claim 12, further comprising instructions to cause the processor to:
    - receive a generic security policy based on the generic policy model;
      
      translate the generic security policy to multiple native security policies each based on a corresponding one of the native policy models associated with the corresponding one of the security devices; and
      
      provide the multiple native security policies to the corresponding security devices to enable the security devices to implement the native security policies.
  - 16. The computer readable storage media of claim 15, wherein:
    - the generic security policy includes one or more generic security rules each including generic rule components expressed according to the generic policy model; and
      
      the instructions to cause the processor to translate include instructions to cause the processor to map the generic rule components to native rule parameters expressed according to the corresponding native policy model to form native rules representative of the one or more generic rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Knjazihhin, Denis, Dotan, Yedidya, Vasant, Sachin, Say, Burak, Martherus, Robin
Primary Examiner(s)
POTRATZ, DANIEL B

Application Number

US14/600,495
Publication Number

US 20160212169A1
Time in Patent Office

875 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/604   Tools and structures for ma...

H04L 41/0843   based on generic templates

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Security policy unification across different security products

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Security policy unification across different security products

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links