Method and system for security policy management
First Claim
1. A method for determining whether a network comprising a plurality of network elements is conformant to a policy statement, wherein the policy statement indicates whether a set of clients is denied or granted access to a network-service supported by a set of servers, the method comprising the steps of:
- building a topology and model of the network, wherein said model comprises a plurality of service models corresponding to the network elements, and wherein said service models indicate how the network elements will treat network packets,
- identifying a first network element from the set of clients and a second network element from the set of servers,
- building a packet in accordance with the network-service and the identified first and second network elements,
- attempting to move the packet from the first network element to the second network element by applying the packet to the network element service models, and
- based on whether the packet reaches the server, indicating whether the network is conformant to the policy statement.
3 Assignments
0 Petitions
Abstract
The conformance of a network to a set of security policy statements is determined by attempting to violate the policies by routing packets through models of network elements. Policy statements specify whether a set of clients is granted or denied access to a network service offered by a set of servers. Network element models are built in accordance with the element's configurable parameters and supported services, which together indicate how the element will treat packets when the element's current configuration is applied to the model. Conformance to a policy statement is determined by building a packet in accordance with the network service and a representative network-element client and server, and by attempting to move the packet from the client to the server by applying the packet to the network element models. Policy conformance is based on whether the packet reaches the service on the server. Network reconfigurations are determined for non-conformant policies.
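The abstract describes the check abstractly: per-element service models, a representative client and server, a packet built for the service, and a verdict based on whether the packet arrives. The following is an added illustration written for this page, not code from the patent or any product implementing it. Every name, the topology (`pc1`, `r1`, `fw1`, `web`), the firewall rules and the `suggest_reconfiguration` heuristic are constructed assumptions; it also generalizes the abstract slightly by bounding the walk with a hop limit so a misconfigured routing loop is reported as "not reached" rather than hanging the checker.

```python
"""Toy policy-conformance checker (added example; names and topology are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "*"                # host name or "*" for any
    dst: str = "*"
    proto: str = "*"
    dport: Optional[int] = None   # None means any port

    def matches(self, p: Packet) -> bool:
        return (self.src in ("*", p.src) and self.dst in ("*", p.dst)
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport))


class Element:
    """Service model: given a packet, return the next hop name, or None if dropped."""
    def __init__(self, name: str):
        self.name = name

    def forward(self, p: Packet) -> Optional[str]:
        raise NotImplementedError


class Host(Element):
    def __init__(self, name: str, gateway: str, services=()):
        super().__init__(name)
        self.gateway = gateway
        self.services = set(services)          # (proto, port) pairs the host listens on

    def forward(self, p: Packet) -> Optional[str]:
        return self.gateway if p.dst != self.name else None   # hosts only originate/terminate


class Router(Element):
    def __init__(self, name: str, routes: Dict[str, str]):
        super().__init__(name)
        self.routes = routes                   # destination host -> next hop

    def forward(self, p: Packet) -> Optional[str]:
        return self.routes.get(p.dst)          # no route: packet is dropped


class Firewall(Router):
    def __init__(self, name: str, routes: Dict[str, str], rules: List[Rule]):
        super().__init__(name, routes)
        self.rules = rules

    def forward(self, p: Packet) -> Optional[str]:
        for r in self.rules:                   # first match wins, implicit deny at the end
            if r.matches(p):
                return self.routes.get(p.dst) if r.action == "permit" else None
        return None


def trace(net: Dict[str, Element], p: Packet, max_hops: int = 16) -> Tuple[bool, List[str]]:
    """Apply the packet to successive service models; True if it reaches the service on dst."""
    path, cur = [p.src], p.src
    for _ in range(max_hops):                  # hop limit: a routing loop counts as not reached
        nxt = net[cur].forward(p)
        if nxt is None:
            break
        path.append(nxt)
        cur = nxt
        if cur == p.dst:
            srv = net[cur]
            return (isinstance(srv, Host) and (p.proto, p.dport) in srv.services), path
    return False, path


@dataclass
class Policy:
    clients: List[str]
    servers: List[str]
    service: Tuple[str, int]                   # (proto, port)
    granted: bool                              # True = access should be granted


def conformant(net: Dict[str, Element], pol: Policy) -> Tuple[bool, List[str]]:
    """Representative client/server, one packet, verdict = reachability matches intent."""
    client, server = pol.clients[0], pol.servers[0]
    reached, path = trace(net, Packet(client, server, *pol.service))
    return reached == pol.granted, path


def suggest_reconfiguration(net: Dict[str, Element], pol: Policy):
    """Toy heuristic: name the element and rule that would make a non-conformant policy conform."""
    ok, path = conformant(net, pol)
    if ok:
        return None
    if pol.granted:                            # packet was dropped: fix the element that dropped it
        elem = path[-1]
    else:                                      # packet got through: deny at the last firewall on the path
        elem = next((n for n in reversed(path) if isinstance(net[n], Firewall)), path[0])
    action = "permit" if pol.granted else "deny"
    return elem, Rule(action, pol.clients[0], pol.servers[0], *pol.service)


# Constructed sample network: client -> router -> firewall -> web server.
NET: Dict[str, Element] = {
    "pc1": Host("pc1", "r1"),
    "r1": Router("r1", {"web": "fw1", "pc1": "pc1"}),
    "fw1": Firewall("fw1", {"web": "web"}, [Rule("permit", proto="tcp", dport=443), Rule("deny")]),
    "web": Host("web", "fw1", services={("tcp", 443), ("tcp", 22)}),
}
```

With this network, a policy granting `pc1` HTTPS on `web` and a policy denying it SSH both come back conformant; a policy granting SSH is non-conformant, and the trace shows the packet stopping at `fw1`, which is where the heuristic proposes the permit rule.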
115 Citations
2 Claims