Classification of security policies across multiple security products

US 9,769,210 B2
Filed: 06/22/2016
Issued: 09/19/2017
Est. Priority Date: 01/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a management entity;

importing information included in security policies from security devices configured to operate in accordance with respective ones of the security policies, wherein each security policy includes security rules, each security rule including a set of rule parameters configured to permit or deny access to a resource based on a network protocol, a source address or a destination address, and a device port;

comparing the rule parameters of each rule of each security policy across the security policies;

based on results of the comparing, classifying the security policies into identical security policy classifications when all of their associated rule parameters are equivalent to each other, similar security policy classifications when only some of their associated rule parameters are equivalent to each other, and unique security policy classifications when none of the associated rule parameters are equivalent to each other;

displaying the security policy classifications as selectable security policy classifications;

receiving an entry of a policy template name and selections of multiple security policy classifications;

assigning the security policies in the multiple selected security policy classifications to a security policy template identified by the entered policy template name; and

displaying a menu which shows editable security rules of the security policy template.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A management entity imports information included in security policies from security devices configured to operate in accordance with respective ones of the security policies. The information is classified into security policy classifications based on commonality in the information across the security policies. The security policy classifications are displayed as selectable security policy classifications. An entry of a policy template name and selections of multiple security policy classifications are received. The security policies in the multiple selected security policy classifications are assigned to a security policy template identified by the entered policy template name.

68 Citations

View as Search Results

20 Claims

1. A method comprising:
- at a management entity;
  
  importing information included in security policies from security devices configured to operate in accordance with respective ones of the security policies, wherein each security policy includes security rules, each security rule including a set of rule parameters configured to permit or deny access to a resource based on a network protocol, a source address or a destination address, and a device port;
  
  comparing the rule parameters of each rule of each security policy across the security policies;
  
  based on results of the comparing, classifying the security policies into identical security policy classifications when all of their associated rule parameters are equivalent to each other, similar security policy classifications when only some of their associated rule parameters are equivalent to each other, and unique security policy classifications when none of the associated rule parameters are equivalent to each other;
  
  displaying the security policy classifications as selectable security policy classifications;
  
  receiving an entry of a policy template name and selections of multiple security policy classifications;
  
  assigning the security policies in the multiple selected security policy classifications to a security policy template identified by the entered policy template name; and
  
  displaying a menu which shows editable security rules of the security policy template.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising, after the assigning:
    - displaying the security policy template and one or more of the security devices as selectable options; and
      
      responsive to selections of the security policy template and one of the security devices through though the selectable options, creating a new security policy based on the security policies in the selected security policy template and applying the new security policy to the selected one of the security devices.
  - 3. The method of claim 2, further comprising:
    - displaying a menu which shows editable security rules included in the new security policy.
  - 4. The method of claim 3, further comprising:
    - receiving modifications of the security rules through the menu which shows the editable security rules; and
      
      updating the new security policy to include the modified security rules.
  - 5. The method of claim 1, further comprising:
    - displaying a policy template naming option through which the policy template name is entered.
  - 6. The method of claim 1, further comprising displaying a list of the rule parameters for each of the security policy classifications.
  - 7. The method of claim 1, further comprising:
    - displaying the security policy classifications in unexpanded views;
      
      displaying the an expand option associated with each of the displayed security policy classifications;
      
      receiving a selection of one of the expand options; and
      
      displaying the security policy classification associated with the selected expand option in an expanded view that exposes device names of all of the security devices associated with that security policy classification.
  - 8. The method of claim 1, wherein:
    - the displaying further includes displaying a filter option to specify a rule parameter associated with the security policy classifications;
      
      receiving a specified rule parameter through the filter option; and
      
      displaying all of the rules in each security policy classifications that include a rule parameter that matches the specified rule parameter.

9. An apparatus comprising:
- a network interface unit to connect with a network; and
  
  a processor coupled to the network interface unit to;
  
  import information included in security policies from security devices configured to operate in accordance with respective ones of the security policies, wherein each security policy includes security rules, each security rule including a set of rule parameters configured to permit or deny access to a resource based on a network protocol, a source address or a destination address, and a device port;
  
  compare the rule parameters of each rule of each security policy across the security policies;
  
  based on results of the compare, classify the security policies into identical security policy classifications when all of their associated rule parameters are equivalent to each other, similar security policy classifications when only some of their associated rule parameters are equivalent to each other, and unique security policy classifications when none of the associated rule parameters are equivalent to each other;
  
  generate for display the security policy classifications as selectable security policy classifications;
  
  receive an entry of a policy template name and selections of multiple security policy classifications;
  
  assign the security policies in the multiple selected security policy classifications to a security policy template having the entered policy template name; and
  
  generate for display a menu which shows editable security rules of the security policy template.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus of claim 9, wherein the processor is further configured to, after the assign operation:
    - generate for display the security policy template and one or more of the security devices as selectable options; and
      
      responsive to selections of the security policy template and one of the security devices through though the selectable options, create a new security policy based on the security policies in the selected security policy template and apply the new security policy to the selected one of the security devices.
  - 11. The apparatus of claim 10, further comprising:
    - generate for display a menu which shows editable security rules included in the new security policy.
  - 12. The apparatus of claim 11, further comprising:
    - receive modifications of the security rules through the menu which shows the editable security rules; and
      
      update the new security policy to include the modified security rules.
  - 13. The apparatus of claim 9, wherein the processor is further configured to:
    - generate for display a policy template naming option through which the policy template name is entered.
  - 14. The apparatus of claim 9, wherein the processor is further configured to:
    - generate for display the security policy classifications in unexpanded views;
      
      generate for display an expand option associated with each of the displayed security policy classifications;
      
      receive a selection of one of the expand options; and
      
      generate for display the security policy classification associated with the selected expand option in an expanded view that exposes device names of all of the security devices associated with that security policy classification.
  - 15. The apparatus of claim 9, wherein the processor is further configured to:
    - generate for display a filter option to specify a rule parameter associated with the security policy classifications;
      
      receive a specified rule parameter through the filter option; and
      
      generate for display all of the rules in each security policy classifications that include a rule parameter that matches the specified rule parameter.

16. A non-transitory tangible computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to:
- import information included in security policies from security devices configured to operate in accordance with respective ones of the security policies, wherein each security policy includes security rules, each security rule including a set of rule parameters configured to permit or deny access to a resource based on a network protocol, a source address or a destination address, and a device port;
  
  compare the rule parameters of each rule of each security policy across the security policies;
  
  based on results of the compare, classify the security policies into identical security policy classifications when all of their associated rule parameters are equivalent to each other, similar security policy classifications when only some of their associated rule parameters are equivalent to each other, and unique security policy classifications when none of the associated rule parameters are equivalent to each other;
  
  generate for display the security policy classifications as selectable security policy classifications;
  
  receive an entry of a policy template name and selections of multiple security policy classifications;
  
  assign the security policies in the multiple selected security policy classifications to a security policy template having the entered policy template name; and
  
  generate of display a menu which shows editable security rules of the security policy template.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer readable storage media of claim 16, further comprising instructions to cause the processor to:
    - generate for display a policy template naming option through which the policy template name is entered.
  - 18. The non-transitory computer readable storage media of claim 16, further comprising instructions to cause the processor:
    - generate for display the security policy template and one or more of the security devices as selectable options; and
      
      responsive to selections of the security policy template and one of the security devices through though the selectable options, create a new security policy based on the security policies in the selected security policy template and apply the new security policy to the selected one of the security devices.
  - 19. The non-transitory computer readable storage media of claim 18, further comprising:
    - generate for display a menu which shows editable security rules included in the new security policy.
  - 20. The non-transitory computer readable storage media of claim 19, further comprising:
    - receive modifications of the security rules through the menu which shows the editable security rules; and
      
      update the new security policy to include the modified security rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Dotan, Yedidya, Agarwal, Sanjay, Martherus, Robin
Primary Examiner(s)
HO, DAO Q

Application Number

US15/189,755
Publication Number

US 20160301717A1
Time in Patent Office

454 Days
Field of Search
US Class Current
CPC Class Codes

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/186   Templates

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Classification of security policies across multiple security products

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Classification of security policies across multiple security products

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links