Distributed network security using a logical multi-dimensional label-based policy model
Abstract
A managed server (MS) within an administrative domain is quarantined. The administrative domain includes multiple MSs that use management instructions to configure management modules so that the configured management modules implement an administrative domain-wide management policy comprising a set of one or more rules. The quarantined MS is isolated from the other MSs. A description of the MS is modified to indicate that the MS is quarantined, thereby specifying a description of the quarantined MS. Cached actor-sets are updated to indicate the quarantined MS's changed state, thereby specifying updated actor-sets. A determination is made regarding which updated actor-sets are relevant to another MS, thereby specifying currently-relevant updated actor-sets. A determination is made regarding whether the currently-relevant updated actor-sets differ from the actor-sets previously sent to that other MS. Responsive to determining that the currently-relevant updated actor-sets are identical to the previously-sent actor-sets, no further action is taken.
20 Claims
1. A method of quarantining a bad actor within an administrative domain, the method comprising:
storing cached actor-sets, each of the cached actor-sets specifying a group of actors present in the administrative domain;
storing a plurality of rules applicable to a particular managed server, each of the rules specifying a provider of a service, a user of the service, and a function controlling interactions between the provider and the user of the service, wherein each of the rules specifies at least one of the provider of the service and the user of the service as a set of managed servers using a label set, wherein a label of the label set represents a dimension of the managed servers and a value of the dimension;
storing, in association with a given rule of the plurality of rules, relevant actor-sets comprising a subset of the cached actor-sets that each include at least one of the provider specified in the given rule and the user specified in the given rule;
receiving an instruction to quarantine the bad actor;
updating the cached actor-sets to indicate a change in state of the bad actor to a quarantined state;
identifying a changed actor-set in the relevant actor-sets for the given rule, wherein the changed actor-set was updated based on the change in state of the bad actor to the quarantined state;
responsive to identifying the changed actor-set, sending, to the particular managed server, information describing the changed actor-set and an instruction to add, remove, or modify the changed actor-set in a local list stored by the particular managed server.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
16. A non-transitory computer-readable storage medium storing computer program modules for quarantining a bad actor within an administrative domain, the computer program modules executable by a processor to perform steps comprising:
storing cached actor-sets, each of the cached actor-sets specifying a group of actors present in the administrative domain;
storing a plurality of rules applicable to a particular managed server, each of the rules specifying a provider of a service, a user of the service, and a function controlling interactions between the provider and the user of the service, wherein each of the rules specifies at least one of the provider of the service and the user of the service as a set of managed servers using a label set, wherein a label of the label set represents a dimension of the managed servers and a value of the dimension;
storing, in association with a given rule of the plurality of rules, relevant actor-sets comprising a subset of the cached actor-sets that each include at least one of the provider specified in the given rule and the user specified in the given rule;
receiving an instruction to quarantine the bad actor;
updating the cached actor-sets to indicate a change in state of the bad actor to a quarantined state;
identifying a changed actor-set in the relevant actor-sets for the given rule, wherein the changed actor-set was updated based on the change in state of the bad actor to the quarantined state;
responsive to identifying the changed actor-set, sending, to the particular managed server, information describing the changed actor-set and an instruction to add, remove, or modify the changed actor-set in a local list stored by the particular managed server.
Dependent claims: 17, 18
19. A system for quarantining a bad actor within an administrative domain, the system comprising:
a non-transitory computer-readable storage medium storing computer program modules executable to perform steps comprising:
storing cached actor-sets, each of the cached actor-sets specifying a group of actors present in the administrative domain;
storing a plurality of rules applicable to a particular managed server, each of the rules specifying a provider of a service, a user of the service, and a function controlling interactions between the provider and the user of the service, wherein each of the rules specifies at least one of the provider of the service and the user of the service as a set of managed servers using a label set, wherein a label of the label set represents a dimension of the managed servers and a value of the dimension;
storing, in association with a given rule of the plurality of rules, relevant actor-sets comprising a subset of the cached actor-sets that each include at least one of the provider specified in the given rule and the user specified in the given rule;
receiving an instruction to quarantine the bad actor;
updating the cached actor-sets to indicate a change in state of the bad actor to a quarantined state;
identifying a changed actor-set in the relevant actor-sets for the given rule, wherein the changed actor-set was updated based on the change in state of the bad actor to the quarantined state;
responsive to identifying the changed actor-set, sending, to the particular managed server, information describing the changed actor-set and an instruction to add, remove, or modify the changed actor-set in a local list stored by the particular managed server; and
a computer processor for executing the computer program modules.
Dependent claims: 20
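The procedure described in the abstract and in claims 1, 16 and 19 (cached actor-sets keyed by label set, per-rule relevant actor-sets, a quarantine that changes the bad actor's state, and a diff against what each managed server last received so that only changed sets are pushed) is illustrated below in a small Python model. This is an added example, not code from the patent or its assignee. It assumes a label set is a set of (dimension, value) pairs, that a server belongs to an actor-set when it carries every label of that set, that a quarantined server belongs to no actor-set and has no rules applied to it (which is one way to read "isolated from other MSs"), and that the server names, dimensions and rules are constructed sample data.

```python
"""Toy model of label-based policy with cached actor-sets and quarantine
propagation. Constructed example; the patent's own implementation is not
shown on the page and may differ."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# A label set is a set of (dimension, value) pairs, e.g. {("role","web"),("env","prod")}
LabelSet = FrozenSet[Tuple[str, str]]
Members = FrozenSet[str]
Instruction = Tuple[str, LabelSet, Members]   # ("add"|"modify"|"remove", set, members)


def labels(**dims: str) -> LabelSet:
    return frozenset(dims.items())


@dataclass
class ManagedServer:
    name: str
    labels: LabelSet
    quarantined: bool = False      # part of the server's "description"


@dataclass
class Rule:
    service: str        # e.g. "tcp/5432"
    provider: LabelSet  # label set selecting the providers of the service
    user: LabelSet      # label set selecting the users of the service
    function: str = "allow"


class PolicyEngine:
    def __init__(self, servers: List[ManagedServer], rules: List[Rule]):
        self.servers = {s.name: s for s in servers}
        self.rules = rules
        self.cache: Dict[LabelSet, Members] = {}                 # cached actor-sets
        self.last_sent: Dict[str, Dict[LabelSet, Members]] = {}  # per-server local list
        self.rebuild_cache()

    def members(self, label_set: LabelSet) -> Members:
        # A quarantined server is isolated: it matches no actor-set (assumption).
        return frozenset(s.name for s in self.servers.values()
                         if not s.quarantined and label_set <= s.labels)

    def rebuild_cache(self) -> None:
        for r in self.rules:
            for ls in (r.provider, r.user):
                self.cache[ls] = self.members(ls)

    def relevant_rules(self, server_name: str) -> List[Rule]:
        # A rule applies to a server when the server is a provider or a user in it.
        s = self.servers[server_name]
        if s.quarantined:
            return []
        return [r for r in self.rules if r.provider <= s.labels or r.user <= s.labels]

    def relevant_actor_sets(self, server_name: str) -> Dict[LabelSet, Members]:
        out: Dict[LabelSet, Members] = {}
        for r in self.relevant_rules(server_name):
            out[r.provider] = self.cache[r.provider]
            out[r.user] = self.cache[r.user]
        return out

    def push_updates(self, server_name: str) -> List[Instruction]:
        """Diff the currently-relevant sets against what this server last got.
        Returns the instructions to send; an empty list means no action."""
        current = self.relevant_actor_sets(server_name)
        previous = self.last_sent.get(server_name, {})
        msgs: List[Instruction] = []
        for ls, members in current.items():
            if ls not in previous:
                msgs.append(("add", ls, members))
            elif previous[ls] != members:
                msgs.append(("modify", ls, members))
        for ls in previous:
            if ls not in current:
                msgs.append(("remove", ls, frozenset()))
        self.last_sent[server_name] = current
        return msgs

    def initial_sync(self) -> Dict[str, List[Instruction]]:
        return {name: self.push_updates(name) for name in self.servers}

    def quarantine(self, bad_actor: str) -> Dict[str, List[Instruction]]:
        """Mark the bad actor, refresh cached actor-sets, push only what changed."""
        self.servers[bad_actor].quarantined = True
        self.rebuild_cache()
        return {name: self.push_updates(name) for name in self.servers}


# Constructed sample domain (hypothetical names and labels).
WEB_PROD = labels(role="web", env="prod")
DB_PROD = labels(role="db", env="prod")
LB_PROD = labels(role="lb", env="prod")


def build_demo() -> PolicyEngine:
    servers = [ManagedServer("web1", WEB_PROD), ManagedServer("web2", WEB_PROD),
               ManagedServer("db1", DB_PROD), ManagedServer("lb1", LB_PROD),
               ManagedServer("dev1", labels(role="web", env="dev"))]
    rules = [Rule("tcp/5432", provider=DB_PROD, user=WEB_PROD),
             Rule("tcp/443", provider=WEB_PROD, user=LB_PROD)]
    return PolicyEngine(servers, rules)


if __name__ == "__main__":
    eng = build_demo()
    eng.initial_sync()
    for server, msgs in eng.quarantine("web1").items():
        print(server, [(op, sorted(dict(ls).items()), sorted(m)) for op, ls, m in msgs])
```

After the quarantine of `web1`, `db1`, `web2` and `lb1` each receive a single "modify" for the prod-web actor-set (now just `web2`), `dev1` receives nothing because none of its relevant sets changed, and `web1` itself receives "remove" instructions for every set it previously held. Calling `push_updates` again for any server returns an empty list, which is the "identical to previously sent, no further action" branch of the abstract.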