Integrated Development Environment (IDE) for Network Security Configuration Files

US 20160344773A1
Filed: 06/30/2015
Published: 11/24/2016
Est. Priority Date: 05/19/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

in a computer-implemented integrated development environment;

preprocessing a configuration file including security rules, each security rule including multiple security rule parameters to cause a security appliance to apply a network access control when a source attempts to access a destination, at least one of the destination or the source in some of the security rules represented as a respective object name, each object name associated with an object value defined in an object definition in the configuration file, the preprocessing including mapping each object name to the associated object value based on the object definition for that object name;

responsive to the configuration file being opened in an editor through which a user interacts with the security rules, providing the editor with access to results of the preprocessing;

searching each security rule in the opened configuration file for object names therein;

linking each object name found in the searching to the associated object value mapped thereto by the mapping performed during the preprocessing; and

receiving a selection of a particular object name in a security rule of the opened configuration file and generating for display the associated object value linked to the selected object name.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An integrated development environment (IDE) preprocesses a configuration file including security rules. The preprocessing maps object names in the security rules to associated object values based on object definitions for the object names. Responsive to the configuration file being opened in an editor, the IDE provides the editor with access to preprocessing results. Each security rule in the opened configuration file is searched for object names. The IDE links each object name found in the search to an associated object value mapped thereto by the mapping performed during the preprocessing. The IDE receives a selection of an object name in a security rule of the opened configuration file and generates for display the associated object value linked to the selected object name.

30 Citations

View as Search Results

20 Claims

1. A method comprising:
- in a computer-implemented integrated development environment;
  
  preprocessing a configuration file including security rules, each security rule including multiple security rule parameters to cause a security appliance to apply a network access control when a source attempts to access a destination, at least one of the destination or the source in some of the security rules represented as a respective object name, each object name associated with an object value defined in an object definition in the configuration file, the preprocessing including mapping each object name to the associated object value based on the object definition for that object name;
  
  responsive to the configuration file being opened in an editor through which a user interacts with the security rules, providing the editor with access to results of the preprocessing;
  
  searching each security rule in the opened configuration file for object names therein;
  
  linking each object name found in the searching to the associated object value mapped thereto by the mapping performed during the preprocessing; and
  
  receiving a selection of a particular object name in a security rule of the opened configuration file and generating for display the associated object value linked to the selected object name.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the network access control includes a block access or an allow access, and each source, each destination, and each object value is associated with a network address or a range of network addresses.
  - 3. The method of claim 1, wherein the preprocessing includes:
    - tokenizing the security rule parameters, including the object names, of each security rule into security rule tokens based on a security rule grammar associated with a security rule syntax; and
      
      parsing the security rule tokens, including the object names into a parser tree based on the security rule syntax,wherein the mapping includes mapping each object name parsed into the parser tree to the associated object value based on the object definition for the each object name.
  - 4. The method of claim 1, further comprising:
    - comparing the security rule parameters of each security rule in the opened configuration file to a dictionary of prohibited or potentially dangerous security rule parameters; and
      
      if the comparing indicates a match between a first security rule parameter in a given security rule and one of the prohibited or potentially dangerous security rule parameters of the dictionary, generating for display a warning associated with the given security rule.
  - 5. The method of claim 1, wherein the preprocessing further comprises classifying the security rules in the configuration file into security rule classifications based on commonality between the security rules, each security rule classification including the security rules that share the commonality for that security rule classification, and the method further comprises:
    - receiving a selection of a security rule in the opened configuration file;
      
      responsive to the selection of the security rule, determining whether the selected security rule is classified into any of the security rule classifications; and
      
      if it is determined that the selected security rule is classified into one of the security rule classifications, generating for display the security rules in the one of the security rule classifications.
  - 6. The method of claim 5, wherein the generating for display further includes generating for display an indication of the commonality associated with the one of the security rule classifications.
  - 7. The method of claim 5, wherein the classifying includes:
    - classifying the security rules into one or more identical security rule classifications based on identicality between the security rules, each identical security rule classification including security rules that are identical to each other; and
      
      classifying the security rules into one or more similar security rule classifications based on similarity but not identicality between the security rules, each similar security rule classification including security rules that are similar but not identical to each other.
  - 8. The method of claim 5, further comprising preprocessing one or more additional configuration files such that the classifying includes classifying the security rules across the configuration file and the one or more additional configuration files into security rule classifications based on commonality between the security rules in the configuration file and the one or more additional configuration files, wherein the generating for display further includes generating for display configuration file location information associated with each of the security rules in the one of the security rule classifications.
  - 9. The method of claim 1, further comprising:
    - performing a regular expressions search of the security rule parameters of each security rule in the opened configuration file for matches to regular expressions defined for the configuration file; and
      
      for each security rule parameter found to match one of the regular expressions, generating for display a visual indication associated with the security rule parameter found to match the one of the regular expressions.
  - 10. The method of claim 9, wherein:
    - the performing the regular expression search includes searching the security rule parameters of each security rule for an object or object group designator followed by an object name; and
      
      for each found object or object group designator, generating for display a visual object or object group indication to visually differentiate the found object or object group designator from other security rule parameters that are not object or object group designators.
  - 11. The method of claim 9, wherein:
    - wherein the performing the regular expression search further includes searching the opened configuration file for delineated remarks interspersed among the security rules and that have no effect on the security appliance; and
      
      for each found remark, generating for display a visual remark indication to visually differentiate the found remark from the security rules.

12. A apparatus comprising:
- a network interface unit configured to enable communications over a network; and
  
  a processor, coupled to the network interface unit, configured to, in a computer implemented integrated development environment;
  
  preprocess a configuration file including security rules, each security rule including multiple security rule parameters to cause a security appliance to apply a network access control when a source attempts to access a destination, at least one of the destination or the source in some of the security rules represented as a respective object name, each object name associated with an object value defined in an object definition in the configuration file, wherein the processor is configured to preprocess by mapping each object name to the associated object value based on the object definition for that object name;
  
  responsive to the configuration file being opened in an editor through which a user interacts with the security rules, provide the editor with access to results of the preprocessing;
  
  search each security rule in the opened configuration file for object names therein;
  
  link each object name found in the searching to the associated object value mapped thereto by the mapping performed during the preprocessing; and
  
  receive a selection of a particular object name in a security rule of the opened configuration file and generating for display the associated object value linked to the selected object name.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The apparatus of claim 12, wherein the network access control includes a block access or an allow access, and each source, each destination, and each object value is associated with a network address or a range of network addresses.
  - 14. The apparatus of claim 12, wherein the processor is further configured to preprocess by classifying the security rules in the configuration file into security rule classifications based on commonality between the security rules, each security rule classification including the security rules that share the commonality for that security rule classification, and the processor is further configured to:
    - receive a selection of a security rule in the opened configuration file;
      
      responsive to the selection of the security rule, determine whether the selected security rule is classified into any of the security rule classifications; and
      
      if it is determined that the selected security rule is classified into one of the security rule classifications, generate for display the security rules in the one of the security rule classifications.
  - 15. The apparatus of claim 14, wherein the processor is configured to perform the classifying by:
    - classifying the security rules into one or more identical security rule classifications based on identicality between the security rules, each identical security rule classification including security rules that are identical to each other; and
      
      classifying the security rules into one or more similar security rule classifications based on similarity but not identicality between the security rules, each similar security rule classification including security rules that are similar but not identical to each other.
  - 16. The apparatus of claim 12, wherein the processor is further configured to:
    - perform a regular expressions search of the security rule parameters of each security rule in the opened configuration file for matches to regular expressions defined for the configuration file; and
      
      for each security rule parameter found to match one of the regular expressions, generate for display a visual indication associated with the security rule parameter found to match the one of the regular expressions.

17. A method comprising:
- in a computer implemented integrated development environment;
  
  preprocessing a configuration file including security rules, each security rule configured to cause a security appliance to apply a network access control when a source attempts to access a destination, the preprocessing including classifying the security rules in the configuration file into security rule classifications based on commonality between the security rules;
  
  responsive to the configuration file being opened in an editor through which a user interacts with the security rules, providing the editor with access to results of the preprocessing;
  
  receiving a selection of a security rule in the opened configuration file;
  
  responsive to the selection, determining whether the selected security rule is classified into any of the security rule classifications; and
  
  if it is determined that the selected security rule is classified into one of the security rule classifications, generating for display the security rules in the one of the security rule classifications.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the classifying further includes:
    - classifying the security rules into one or more identical security rule classifications based on identicality between the security rules, each identical security rule classifications including security rules that are identical to each other; and
      
      classifying the security rules into one or more similar security rule classifications based on similarity but not identicality between the rules, each similar security rule classification including security rules that are similar but not identical to each other.
  - 19. The method of claim 18, wherein:
    - the generating for display further includes generating for display, for each security rule in the one of the security rule classifications, an indication that the security rule is identical or similar to the selected security rule, and a location in the configuration file where the security rule is found.
  - 20. The method of claim 19, further comprising preprocessing one or more additional configuration files, wherein:
    - the classifying further includes classifying the security rules across the configuration file and one or more additional configuration files into security rule classifications based on commonality between the security rules in the configuration file and one or more additional configuration files; and
      
      the generating for display further includes generating for display configuration file location information associated with each of the security rules in the one of the security rule classifications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Siswick, Zachary D., Hollingshead, Daniel, Knjazihhin, Denis, Dotan, Yedidya, Duane, Christopher

Granted Patent

US 9,787,722 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/148   File search processing

G06F 16/285   Clustering or classification

G06F 21/57   Certifying or maintaining t...

G06F 21/604   Tools and structures for ma...

H04L 63/20   for managing network securi...

Integrated Development Environment (IDE) for Network Security Configuration Files

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Integrated Development Environment (IDE) for Network Security Configuration Files

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links