Integrated development environment (IDE) for network security configuration files
First Claim
1. A method comprising:
- in a computer-implemented integrated development environment;
preprocessing a configuration file including security rules, each security rule including multiple security rule parameters to cause a network security device to apply a network access control, including either a block access or an allow access, when a source attempts to access a destination, at least one of the destination or the source in some of the security rules represented as a respective object name, each object name associated with an object value defined in an object definition in the configuration file, wherein each of the source, the destination, and the object value is associated with a network address or a range of network addresses, the preprocessing including;
mapping each object name to the associated object value based on the object definition for that object name; and
classifying the security rules into (i) one or more identical classifications each including security rules that are identical to each other, and (ii) one or more similar classifications each including security rules that are similar but not identical to each other, and storing for each classification an index to access the classification, file locations of the security rules in the classification, and either an identical indicator or a similar indicator for the classification;
responsive to the configuration file being opened in an editor configured to interact with the security rules, providing the editor with access to preprocessing results;
searching each security rule in the opened configuration file for object names therein;
linking each object name found in the searching to the associated object value mapped thereto by the mapping performed during the preprocessing; and
receiving a selection of a particular object name in a security rule of the opened configuration file and generating for display the associated object value linked to the selected object name.
Abstract
An integrated development environment (IDE) preprocesses a configuration file including security rules. The preprocessing maps object names in the security rules to associated object values based on object definitions for the object names. Responsive to the configuration file being opened in an editor, the IDE provides the editor with access to preprocessing results. Each security rule in the opened configuration file is searched for object names. The IDE links each object name found in the search to an associated object value mapped thereto by the mapping performed during the preprocessing. The IDE receives a selection of an object name in a security rule of the opened configuration file and generates for display the associated object value linked to the selected object name.
18 Claims
1. A method comprising: (independent claim, reproduced in full under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. An apparatus comprising:
- a network interface unit configured to enable communications over a network; and
a processor, coupled to the network interface unit, configured to, in a computer implemented integrated development environment;
preprocess a configuration file including security rules, each security rule including multiple security rule parameters to cause a network security device to apply a network access control, including either a block access or an allow access, when a source attempts to access a destination, at least one of the destination or the source in some of the security rules represented as a respective object name, each object name associated with an object value defined in an object definition in the configuration file, wherein each of the source, the destination, and the object value is associated with a network address or a range of network addresses, wherein the processor is configured to;
map each object name to the associated object value based on the object definition for that object name; and
classify the security rules into (i) one or more identical classifications each including security rules that are identical to each other, and (ii) one or more similar classifications each including security rules that are similar but not identical to each other, and store for each classification an index to access the classification, file locations of the security rules in the classification, and either an identical indicator or a similar indicator for the classification;
responsive to the configuration file being opened in an editor configured to interact with the security rules, provide the editor with access to preprocessing results;
search each security rule in the opened configuration file for object names therein;
link each object name found in the searching to the associated object value mapped thereto by the mapping performed during the preprocessing; and
receive a selection of a particular object name in a security rule of the opened configuration file and generate for display the associated object value linked to the selected object name.
Dependent claims: 12, 13, 14
15. A method comprising:
- in a computer implemented integrated development environment;
preprocessing a configuration file including security rules, each security rule including multiple security rule parameters to cause a network security device to apply a network access control, including either a block access or an allow access, when a source attempts to access a destination, the source and the destination being associated with a network address or a range of network addresses, the preprocessing including classifying the security rules into (i) one or more identical classifications each including security rules that are identical to each other, and (ii) one or more similar classifications each including security rules that are similar but not identical to each other, and storing for each classification an index to access the classification, file locations of the security rules in the classification, and either an identical indicator or a similar indicator for the classification;
responsive to the configuration file being opened in an editor configured to interact with the security rules, providing the editor with access to preprocessing results;
receiving a selection of a security rule in the opened configuration file;
responsive to the selection, determining whether the selected security rule is classified into any of the classifications; and
if it is determined that the selected security rule is classified into one of the classifications, generating for display the security rules in the one of the classifications.
Dependent claims: 16, 17, 18
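The preprocessing and editor-side steps of claims 1 and 15 (object-name mapping, identical/similar classification with index, file locations and indicator, then lookup from a selected object name or rule) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent or its assignee; the configuration syntax is a simplified Cisco ASA-like form, the object names, addresses and rules are constructed, and the "similar" metric (rules that agree on all parameters except exactly one) is an assumption, since the claims do not fix one.

```python
"""Added illustration of the IDE preprocessing in the claims (not the patent's code)."""
import ipaddress
import re
from dataclasses import dataclass
from itertools import combinations

# Constructed sample configuration: object definitions, then security rules.
SAMPLE_CONFIG = """\
object network WEB_SRV
 host 10.1.1.10
object network DB_SRV
 subnet 10.2.0.0 255.255.255.0
object network CORP_NET
 subnet 192.168.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 443
access-list OUTSIDE_IN extended deny ip any object DB_SRV
access-list INSIDE_OUT extended permit tcp object CORP_NET object WEB_SRV eq 443
access-list INSIDE_OUT extended permit tcp object CORP_NET object WEB_SRV eq 443
access-list INSIDE_OUT extended permit tcp object CORP_NET object WEB_SRV eq 8443
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)$")
RULE_RE = re.compile(
    r"^access-list \S+ extended (permit|deny) (\S+) (any|object \S+) (any|object \S+)(?: eq (\S+))?$")

@dataclass
class Rule:
    line: int            # file location of the rule
    action: str          # permit = allow access, deny = block access
    proto: str
    src: str             # resolved network address or range
    dst: str
    port: str
    object_names: list   # object names found in the rule text, in order

@dataclass
class Classification:
    index: int           # index used to access the classification
    indicator: str       # "identical" or "similar"
    locations: list      # file locations (line numbers) of the member rules

@dataclass
class Preprocessed:
    objects: dict        # object name -> object value (address or range)
    rules: list
    classifications: list

def parse_objects(lines):
    """Map each object name to its value (a network in CIDR form)."""
    objects, current = {}, None
    for text in lines:
        if (m := OBJECT_RE.match(text)):
            current = m.group(1)
        elif current and (m := HOST_RE.match(text)):
            objects[current] = str(ipaddress.ip_network(m.group(1)))
        elif current and (m := SUBNET_RE.match(text)):
            objects[current] = str(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return objects

def resolve_endpoint(token, objects, names):
    """Replace 'object NAME' with its mapped value; record the name for linking."""
    if token == "any":
        return "0.0.0.0/0"
    name = token.split()[1]
    names.append(name)
    if name not in objects:
        raise ValueError(f"undefined object {name}")   # a dangling reference is a config defect
    return objects[name]

def parse_rules(lines, objects):
    rules = []
    for lineno, text in enumerate(lines, start=1):
        m = RULE_RE.match(text)
        if not m:
            continue
        action, proto, src_tok, dst_tok, port = m.groups()
        names = []
        src = resolve_endpoint(src_tok, objects, names)
        dst = resolve_endpoint(dst_tok, objects, names)
        rules.append(Rule(lineno, action, proto, src, dst, port or "any", names))
    return rules

def rule_key(r):
    return (r.action, r.proto, r.src, r.dst, r.port)

def classify(rules):
    """Identical: same resolved parameters. Similar (assumed metric): differ in exactly one."""
    groups = {}
    for r in rules:
        groups.setdefault(rule_key(r), []).append(r.line)
    out = [Classification(i, "identical", locs)
           for i, locs in enumerate(l for l in groups.values() if len(l) > 1)]
    for a, b in combinations(groups, 2):
        if sum(x != y for x, y in zip(a, b)) == 1:
            out.append(Classification(len(out), "similar", sorted(groups[a] + groups[b])))
    return out

def preprocess(config_text):
    lines = config_text.splitlines()
    objects = parse_objects(lines)
    rules = parse_rules(lines, objects)
    return Preprocessed(objects, rules, classify(rules))

# Editor side: the functions below answer the selections described in claims 1 and 15.
def object_names_in_rule(pre, line):
    return next((r.object_names for r in pre.rules if r.line == line), [])

def object_value(pre, name):
    return pre.objects[name]

def classifications_for_rule(pre, line):
    return [c for c in pre.classifications if line in c.locations]

if __name__ == "__main__":
    pre = preprocess(SAMPLE_CONFIG)
    print("WEB_SRV ->", object_value(pre, "WEB_SRV"))
    for c in pre.classifications:
        print(c.index, c.indicator, c.locations)
```

With the constructed input, the two rules at lines 9 and 10 form the one identical classification, while lines 7/9/10 (same except source) and 9/10/11 (same except port) form two similar classifications; selecting the rule at line 11 in the editor returns the group containing lines 9, 10 and 11, which is the redundancy a reviewer of a firewall policy would want surfaced.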