Pdstudio design system and method
Abstract
A policy developer studio comprising: a meta-policy core of network objects, a policy developer graphical user interface (GUI) tool for providing a front end to a policy language, an output in XML, a compiled output for a policy engine, and an output in human readable form is provided.
153 Citations
46 Claims
1. A policy developer system for providing at least one translation of a meta-policy for development of, implementation of, monitoring, and enforcing a network security policy, said system comprising:
a meta-policy for representing said network security policy, said meta-policy comprising:
an association with zero or more outcomes;
an association with zero or more relationships;
an association with zero or more network objects; and
an association with zero or more services;
wherein a relationship of said zero or more relationships is associated with at most one of said zero or more services and is associated with at most one of said zero or more outcomes, wherein a protocol of said only one of said zero or more services must match a protocol at said only one of said zero or more outcomes, and wherein said relationship is associated with an initiator network object and a target network object;
wherein said outcome of said zero or more outcomes also comprises an attribute of owner and is associated with one or more components, each of said one or more components associated with a criticality;
at least one translation of said meta-policy, said at least one translation used for said development of or implementation of said network security policy; and
means for inputting said at least one translation of said meta-policy into a tool capable of monitoring and enforcing said network security policy;
wherein a network object comprises an identity object.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A policy developer method for providing at least one translation of a meta-policy for development of, implementation of, monitoring, and enforcing a network security policy, said method comprising:
providing a meta-policy for representing said network security policy, said meta-policy comprising:
an association with zero or more outcomes;
an association with zero or more relationships;
an association with zero or more network objects; and
an association with zero or more services;
wherein a relationship of said zero or more relationships is associated with at most one of said zero or more services and is associated with at most one of said zero or more outcomes, wherein a protocol of said only one of said zero or more outcomes, and wherein said relationship is associated with an initiator network object and a target network object;
wherein said outcome of said zero or more outcomes also comprises an attribute of owner and is associated with one or more components, each of said one or more components associated with a criticality;
providing at least one translation of said meta-policy, said at least one translation used for said development of or implementation of said network security policy; and
inputting said at least one translation of said meta-policy into a tool capable of monitoring and enforcing said network security policy;
wherein a network object comprises an identity object.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A method for generating a network security policy in a policy language from a meta-policy, said method comprising:
providing a meta-policy for representing said network security policy, said meta-policy comprising:
an association with zero or more outcomes;
an association with zero or more relationships;
an association with zero or more network objects; and
an association with zero or more services;
wherein a relationship of said zero or more relationships is associated with at most one of said zero or more services and is associated with at most one of said zero or more outcomes, wherein a protocol of said only one of said zero or more outcomes, and wherein said relationship is associated with an initiator network object and a target network object;
wherein said outcome of said zero or more outcomes also comprises an attribute of owner and is associated with one or more components, each of said one or more components associated with a criticality;
providing at least one translation of said meta-policy, said at least one translation used for said development of or implementation of said network security policy; and
inputting said at least one translation of said meta-policy into a tool capable of monitoring and enforcing said network security policy;
wherein a network object comprises an identity object;
generating route information from said meta-policy;
generating host information from said meta-policy;
generating subnet credentials from said meta-policy;
generating host group credentials from said meta-policy;
generating network interface credentials from said meta-policy;
generating perimeter element credentials from said meta-policy;
generating NAT credentials from said meta-policy;
generating rules from relationships from said meta-policy, said generating rules comprising:
  for each monitored subnet object, finding all relationship objects that define traffic visible from said each monitored subnet object;
  for each network object, considering all relationships associated with said network object;
  if said each network object is a reporting element, then considering also relationships of other network objects that implicitly or explicitly contain said network object; and
  for each relationship, creating a set of rules that describe the traffic allowed for said each relationship; and
generating rules per outcome component from said meta-policy, said generating rules per outcome component comprising:
  using an outcome object, creating an actions associative array wherein the key is a protocol action and the value is an associative array the key of which is a condition and the value of which is a criticality, wherein said actions associative array has an entry for each action defined by a protocol to which said outcome object pertains;
  optionally optimizing by combining all actions of said actions array having a same value;
  for each key in said actions associative array, creating a rule for said protocol represented by said outcome, listing all protocol actions given by said each key, wherein in the outcome section of said created rule, creating a guarded clause for each condition given by the value of said actions associative array;
  for each said guarded clause, including the default clause of said outcome, creating a disposition comprising a severity matching the criticality of said condition; and
  said disposition having a name comprising an owner, if said owner can be determined, the name of said condition, and the criticality of said condition.
Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29
30. An apparatus for generating a network security policy in a policy language from a meta-policy, said apparatus comprising:
means for providing a meta-policy for development of, implementation of, monitoring, and enforcing a network security policy, said system comprising:
a meta-policy for representing said network security policy, said meta-policy comprising:
an association with zero or more outcomes;
an association with zero or more relationships;
an association with zero or more network objects; and
an association with zero or more services;
wherein a relationship of said zero or more relationships is associated with at most one of said zero or more services and is associated with at most one of said zero or more outcomes, wherein a protocol of said only one of said zero or more services must match a protocol at said only one of said zero or more outcomes, and wherein said relationship is associated with an initiator network object and a target network object;
wherein said outcome of said zero or more outcomes also comprises an attribute of owner and is associated with one or more components, each of said one or more components associated with a criticality;
at least one translation of said meta-policy, said at least one translation used for said development of or implementation of said network security policy; and
means for inputting said at least one translation of said meta-policy into a tool capable of monitoring and enforcing said network security policy;
wherein a network object comprises an identity object;
means for generating route information from said meta-policy;
means for generating host information from said meta-policy;
means for generating subnet credentials from said meta-policy;
means for generating host group credentials from said meta-policy;
means for generating network interface credentials from said meta-policy;
means for generating perimeter element credentials from said meta-policy;
means for generating NAT credentials from said meta-policy;
means for generating rules from relationships from said meta-policy, said means for generating rules from relationships comprising:
  for each monitored subnet object, means for finding all relationship objects that define traffic visible from said each monitored subnet object;
  for each network object, considering all relationships associated with said network object;
  if said each network object is a reporting element, then means for considering also relationships of other network objects that implicitly or explicitly contain said network object; and
  for each relationship, means for creating a set of rules that describe the traffic allowed for said each relationship;
means for generating rules per outcome component from said meta-policy, said means for generating rules per outcome component comprising:
  means for using an outcome object, creating an actions associative array wherein the key is a protocol action and the value is an associative array the key of which is a condition and the value of which is a criticality, wherein said actions associative array has an entry for each action defined by a protocol to which said outcome object pertains;
  means for optionally optimizing by combining all actions of said actions array having a same value;
  for each key in said actions associative array, means for creating a rule for said protocol represented by said outcome, listing all protocol actions given by said each key, wherein in the outcome section of said created rule, creating a guarded clause for each condition given by the value of said actions associative array;
  for each said guarded clause, including the default clause of said outcome, means for creating a disposition comprising a severity matching the criticality of said condition; and
  means for said disposition having a name comprising an owner, if said owner can be determined, the name of said condition, and the criticality of said condition.
Dependent claims: 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44
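The "rules per outcome component" procedure recited in claims 15 and 30, carried through in Python as an added example (not code from the patent or the Pdstudio product). The dataclass field layout, the dictionary form of a rule, the underscore-joined disposition name and the sample HTTP outcome are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed data shapes (not from the patent); the claims only name the fields.
@dataclass
class OutcomeComponent:
    action: str       # protocol action the component pertains to
    condition: str    # condition that guards the disposition
    criticality: str  # criticality of that condition

@dataclass
class Outcome:
    name: str
    protocol: str
    owner: Optional[str]           # None when the owner cannot be determined
    protocol_actions: List[str]    # every action the protocol defines
    components: List[OutcomeComponent]
    default_criticality: str       # criticality of the outcome's default clause

def build_actions_array(outcome: Outcome) -> Dict[str, Dict[str, str]]:
    """Step 1: key = protocol action, value = {condition: criticality};
    every action the protocol defines gets an entry, even with no component."""
    actions: Dict[str, Dict[str, str]] = {a: {} for a in outcome.protocol_actions}
    for comp in outcome.components:
        if comp.action not in actions:  # a component must name an action of this protocol
            raise ValueError(f"{comp.action} is not an action of {outcome.protocol}")
        actions[comp.action][comp.condition] = comp.criticality
    return actions

def combine_same_value(actions: Dict[str, Dict[str, str]]) -> Dict[Tuple[str, ...], Dict[str, str]]:
    """Step 2 (optional): merge actions whose condition->criticality maps are
    identical, so one rule can list several protocol actions."""
    groups: Dict[Tuple[Tuple[str, str], ...], List[str]] = {}
    for action, conds in actions.items():
        groups.setdefault(tuple(sorted(conds.items())), []).append(action)
    return {tuple(acts): dict(key) for key, acts in groups.items()}

def disposition(owner: Optional[str], condition: str, criticality: str) -> Dict[str, str]:
    """Severity matches the criticality; name joins owner (if known), condition, criticality."""
    parts = ([owner] if owner else []) + [condition, criticality]
    return {"name": "_".join(parts), "severity": criticality}

def generate_rules(outcome: Outcome, optimize: bool = True) -> List[dict]:
    """Steps 3-4: one rule per key, a guarded clause per condition, then the default clause."""
    actions = build_actions_array(outcome)
    keyed = combine_same_value(actions) if optimize else {(a,): c for a, c in actions.items()}
    rules = []
    for acts, conds in keyed.items():
        clauses = [{"guard": cond, "disposition": disposition(outcome.owner, cond, crit)}
                   for cond, crit in sorted(conds.items())]
        clauses.append({"guard": "default", "disposition":
                        disposition(outcome.owner, "default", outcome.default_criticality)})
        rules.append({"protocol": outcome.protocol, "actions": list(acts), "outcome": clauses})
    return rules

# Constructed sample: an HTTP outcome owned by "webteam" (illustrative values only).
SAMPLE_OUTCOME = Outcome(
    name="AdminApp", protocol="HTTP", owner="webteam",
    protocol_actions=["GET", "POST", "PUT", "DELETE"],
    components=[OutcomeComponent("GET", "unauthenticated", "WARNING"),
                OutcomeComponent("PUT", "unauthenticated", "CRITICAL"),
                OutcomeComponent("DELETE", "unauthenticated", "CRITICAL")],
    default_criticality="MONITOR")
```

With the optimization on, PUT and DELETE share one rule because their condition map is identical, while POST, which no component mentions, still gets a rule carrying only the default clause.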
45. A method for generating a policy description output from meta-policy objects, said meta-policy objects providing a meta-policy for representing said network security policy, said meta-policy comprising:
an association with zero or more outcomes;
an association with zero or more relationships;
an association with zero or more network objects; and
an association with zero or more services;
wherein a relationship of said zero or more relationships is associated with at most one of said zero or more services and is associated with at most one of said zero or more outcomes, wherein a protocol of said only one of said zero or more outcomes, and wherein said relationship is associated with an initiator network object and a target network object;
wherein said outcome of said zero or more outcomes also comprises an attribute of owner and is associated with one or more components, each of said one or more components associated with a criticality;
providing at least one translation of said meta-policy, said at least one translation used for said development of or implementation of said network security policy; and
inputting said at least one translation of said meta-policy into a tool capable of monitoring and enforcing said network security policy;
wherein a network object comprises an identity object;
said meta-policy objects comprising a plurality of network objects and outcomes, said meta-policy objects representing a network security policy, said method comprising:
generating a name index view and a network index view of said plurality of network objects;
generating a view on specific network object detailed information about associated services and relationships between other network objects for each network object of said plurality of network objects; and
generating a view on information of said outcomes;
wherein said generating a view on specific network object information for each network object of said plurality of network objects further comprises any combination of:
  showing all relationships in which said each network object is involved, either directly or as a result of said each network object's implicit or explicit containment within other network objects;
  showing said all relationships in the order determined by said each network object's containment hierarchy;
  providing a headings view, said view comprising, but not limited to, the name of said each network object, a hyperlink to a corresponding entry in said network index view, a list of hyperlinks to views of associated containing network objects, and the name of a network interface object having an associated containing perimeter element name as a prefix;
  providing a body view comprising, but not limited to, lists of all services which said each network object offers and requires, said services noted in ascending order by port with the lowest port of said ports used in case of multi-port services, wherein noted network objects hyperlink to associated network object views for each noted network object, and a description of Network Address Translation configuration for network interface objects;
  providing a relationship notation for each relationship comprising, but not limited to, the service name, the name of the network object where said each relationship is defined, and the names of other network objects with which said network object is allowed to have said each relationship, wherein relationships per service are listed in the order determined by said network object's containment hierarchy; and
  providing a footers view comprising, but not limited to, hyperlinks to said name and network indexes, and outcomes view;
and wherein said generating a view on information of said outcomes further comprises any combination of:
  listing in alphabetical order each outcome of said outcomes;
  listing associated outcome components, the dispositions and criticalities of said outcome components of said each outcome, beneath said each outcome in alphabetical order of said outcome component names; and
  providing hyperlinks to said name and network indexes.
46. An apparatus for generating a policy description output from meta-policy objects, said meta-policy objects for representing said network security policy, said meta-policy comprising:
an association with zero or more outcomes;
an association with zero or more relationships;
an association with zero or more network objects; and
an association with zero or more services;
wherein a relationship of said zero or more relationships is associated with at most one of said zero or more services and is associated with at most one of said zero or more outcomes, wherein a protocol of said only one of said zero or more services must match a protocol at said only one of said zero or more outcomes, and wherein said relationship is associated with an initiator network object and a target network object;
wherein said outcome of said zero or more outcomes also comprises an attribute of owner and is associated with one or more components, each of said one or more components associated with a criticality;
at least one translation of said meta-policy, said at least one translation used for said development of or implementation of said network security policy; and
means for inputting said at least one translation of said meta-policy into a tool capable of monitoring and enforcing said network security policy;
wherein a network object comprises an identity object;
said meta-policy objects comprising a plurality of network objects and outcomes, said meta-policy objects representing a network security policy, said apparatus comprising:
means for generating a name index view and a network index view of said plurality of network objects;
means for generating a view on specific network object information for each network object of said plurality of network objects; and
means for generating a view on information of said outcomes,
wherein said means for generating a view on specific network object information for each network object of said plurality of network objects further comprises any combination of:
  means for showing all relationships in which said each network object is involved, either directly or as a result of said each network object's implicit or explicit containment within other network objects;
  means for showing said all relationships in the order determined by said each network object's containment hierarchy;
  a headings view, said view comprising, but not limited to, the name of said each network object, a hyperlink to a corresponding entry in said network index view, a list of hyperlinks to views of associated containing network objects, and the name of a network interface object having an associated containing perimeter element name as a prefix;
  a body view comprising, but not limited to, lists of all services which said each network object offers and requires, said services noted in ascending order by port with the lowest port of said ports used in case of multi-port services, wherein noted network objects hyperlink to associated network object views for each noted network object, and a description of Network Address Translation configuration for network interface objects;
  a relationship notation for each relationship comprising, but not limited to, the service name, the name of the network object where said each relationship is defined, and the names of other network objects with which said network object is allowed to have said each relationship, wherein relationships per service are listed in the order determined by said network object's containment hierarchy; and
  a footers view comprising, but not limited to, hyperlinks to said name and network indexes, and outcomes view;
and wherein said means for generating a view on information of said outcomes further comprises any combination of:
  means for listing in alphabetical order each outcome of said outcomes;
  means for listing associated outcome components, the dispositions and criticalities of said outcome components of said each outcome, beneath said each outcome in alphabetical order of said outcome component names; and
  hyperlinks to said name and network indexes.