Method and apparatus for network wide policy-based analysis of configurations of devices

US 8,135,815 B2
Filed: 11/08/2005
Issued: 03/13/2012
Est. Priority Date: 03/27/2001
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method performed by an analysis platform including a processor and a memory programmed to perform the method, the method comprising:

determining by the analysis platform a plurality of network devices within a network arranged in a network topology, wherein the plurality of network devices includes a first application server hosting a first application; and

a client computer hosting a client application;

receiving by the analysis platform a policy for the network, wherein the policy comprises requirements; and

wherein the requirements include a description of a first set of required network traffic associated with the first application server, the first application, the client computer and the client application;

receiving by the analysis platform a plurality of configuration files associated with the plurality of network devices in the processor;

building by the analysis platform an internal software configuration model of the network using the plurality of configuration files, the model comprising a plurality of network paths between at least one network gateway, the first application server and the client computer;

analyzing the software network configuration model against the network policy, comprising;

simulating, by the analysis platform, actions of the at least one network gateway relating to packets relating to the first set of required network traffic, comprising a request sent from the first client computer to the first application server; and

simulating, by the analysis platform, a configuration of the first application server by preparing a response to the request and simulating the actions of the at least one network gateway when the response is sent from the fist application server to the first client computerdetermining by the analysis platform when the simulated actions of the plurality of network gateways processed the set of required network traffic as required by the policy; and

generating by the analysis platform a report indicating whether the simulated actions of the plurality of network gateways processed the set of required network traffic as required by the policy.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for a computer system includes determining network devices within a network topology, wherein the network devices includes a first application server hosting a first application, receiving a policy for the network comprising requirements of a first application server including a description of a set of required network traffic, receiving a plurality of configuration files associated with the plurality of network devices, determining a network configuration model in response to the plurality of configuration files, computing network traffic on all network paths to and from the first application server to determine a plurality of computed paths, determining if the network traffic includes at least the set of required network traffic associated with the first server, and generating a report indicating whether the network traffic includes at least the set of required network traffic.

213 Citations

29 Claims

1. A computer implemented method performed by an analysis platform including a processor and a memory programmed to perform the method, the method comprising:
- determining by the analysis platform a plurality of network devices within a network arranged in a network topology, wherein the plurality of network devices includes a first application server hosting a first application; and
  
  a client computer hosting a client application;
  
  receiving by the analysis platform a policy for the network, wherein the policy comprises requirements; and
  
  wherein the requirements include a description of a first set of required network traffic associated with the first application server, the first application, the client computer and the client application;
  
  receiving by the analysis platform a plurality of configuration files associated with the plurality of network devices in the processor;
  
  building by the analysis platform an internal software configuration model of the network using the plurality of configuration files, the model comprising a plurality of network paths between at least one network gateway, the first application server and the client computer;
  
  analyzing the software network configuration model against the network policy, comprising;
  
  simulating, by the analysis platform, actions of the at least one network gateway relating to packets relating to the first set of required network traffic, comprising a request sent from the first client computer to the first application server; and
  
  simulating, by the analysis platform, a configuration of the first application server by preparing a response to the request and simulating the actions of the at least one network gateway when the response is sent from the fist application server to the first client computerdetermining by the analysis platform when the simulated actions of the plurality of network gateways processed the set of required network traffic as required by the policy; and
  
  generating by the analysis platform a report indicating whether the simulated actions of the plurality of network gateways processed the set of required network traffic as required by the policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1wherein the first set of required network traffic comprises IP traffic.
  - 3. The method of claim 2wherein the first set of required network traffic includes traffic between the first application server and the client computer.
  - 4. The method of claim 3wherein the first application server is selected from a group consisting of:
    - e-commerce server, domain name server, e-mail server, database server, financial data server, CRM server, ERP server, and data storage server; and
      
      wherein the client application is selected from a group consisting of;
      
      worm, virus, Trojan, spyware, and key logger.
  - 5. The method of claim 2wherein the plurality of network devices also includes a second application server hosting a negative application;
    - wherein the policy also comprises additional requirements associated with the second application server, wherein the additional requirements include a description of a second set of required network traffic and an additional targeted server associated with the second set of required network traffic;
      
      wherein the method further comprises simulating, by the analysis platform, actions of the at least one network gateway relating to packets relating to the first set of required network traffic, comprising a request sent from the first client computer to the second application server; and
      
      simulating, by the analysis platform, a configuration of the second application server by preparing a response to the request and simulating the actions of the at least one network gateway when the response is sent from the second application server to the first client computerwherein generating the report further comprises generating by the computer system the report indicating whether the simulated actions of the second application server processed the set of required network traffic as required by the policy.
  - 6. The method of claim 5wherein generating the report further comprises determining a first plurality of threat metrics associated with the first application server and a second plurality of threat metrics associated with the second application server by the analysis platform.
  - 7. The method of claim 6wherein the report includes a prioritization of the first application server over the second application server;
    - wherein the prioritization is based upon threat metrics from the first plurality of threat metrics and the second plurality of threat metrics; and
      
      wherein threat metrics are selected from a group consisting of;
      
      probability of threats, potential harm of threats, ease of remediation of threats, commonality of servers in both the first plurality of computed paths and the second plurality of computed paths.
  - 8. The method of claim 2wherein first application server also hosts a business application;
    - wherein the requirements include a description of a second set of required network traffic and a second server associated with the second set of required network traffic;
      
      wherein the report also indicates whether the second network traffic includes at least the second set of required network traffic.
  - 9. The method of claim 8wherein the report indicates that the business application was successful when the second network traffic includes at least the second set of required network traffic.
  - 10. The method of claim of claim 9wherein a specific type of network traffic belongs to both the first set of required network traffic and the second set of required network traffic;
    - andwherein the report also indicates the specific type of network traffic.
  - 11. The method of claim 10 wherein the report also indicates that inhibiting the specific type of network traffic would violate the policy.
  - 12. The method of claim of claim 10 wherein the report also suggests an action selected from a group consisting of:
    - upgrade to a different software version of the business application, install a software patch to the business application, upgrade to a different software version of an operating system of the first application server, install a software patch to the operating system.

13. An analysis platform comprising:
- a memory storing a network topology of a network including a plurality of network devices, wherein the plurality of network devices includes a first application on a first application host, a client application on a client computer and wherein the memory stores a policy associated with the network, wherein the policy comprises requirements, wherein the requirements include a description of a first required set of network traffic associated with the first application, the first application server, the client application and the client computer and wherein the memory stores a plurality of configuration data for at least some of the plurality of network devices; and
  
  a processor coupled to the memory, wherein the processor is configured to;
  
  build an internal software configuration model of the network using the plurality of configuration data, the model comprising a plurality of network paths between at least one network gateway, the first application server and the client computer;
  
  analyze the software network configuration model against the network policy, comprising;
  
  simulating actions of the at least one network gateway relating to packets relating to the first set of required network traffic, comprising a request sent from the first client computer to the first application server; and
  
  simulating a configuration of the first application server by preparing a response to the request and simulating the actions of the at least one network gateway when the response is sent from the fist application server to the first client computerdetermine when the simulated actions of the plurality of network gateways processed the set of required network traffic as required by the policy; and
  
  generate a report indicating whether the simulated actions of the plurality of network gateways processed the set of required network traffic as required by the policy.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The analysis platform of claim 13wherein the packets relating to the first set of required network traffic comprise IP packets.
  - 15. The analysis platform of claim 14 wherein the report indicates that the first set of required network traffic was processed as required by the policy.
  - 16. The analysis platform of claim 15 wherein the report includes the plurality of network paths.
  - 17. The analysis platform of claim 14wherein the requirements associated with the first set of network traffic comprise data selected from a group consisting of:
    - a specific application running on the first targeted application host, a specific version number for the application running on the first targeted application host, a specific patch level for the application running on the first targeted application host, a specific operating system running on the first targeted application host, and a specific operating system patch level running on the first targeted application host.
  - 18. The analysis platform of claim 14wherein the first application host is selected from a group consisting of:
    - e-commerce application host, domain name application host, e-mail application host, database application host, financial data application host, ERP application host, CRM application host, and data storage application host; and
      
      wherein the client application is selected from a group consisting of;
      
      worm, virus, Trojan, spyware, key logger.
  - 19. The analysis platform of claim 14wherein the plurality of network devices also includes a second application server hosting a threat;
    - wherein the policy also comprises additional requirements associated with the second application, wherein the additional requirements includes a second set of required network traffic.
  - 20. The analysis platform of claim 19wherein the report includes a prioritization of the first set of required network traffic over the second set of required network traffic in response to a metric selected from a group consisting of:
    - threat probability, potential threat damage, ease of threat remediation, commonality of application hosts in both the first plurality of predicted computed paths and the second plurality of predicted computed paths.

21. A computer program product embodied in a non-transitory medium for a computer system including a memory comprising:
- code that directs a processor to determine a network topology in response to a network topology and in response to user input;
  
  code that directs the processor to determine a plurality of network devices within a network arranged in the network topology, wherein the plurality of network devices includes a first application on a first application server, and a client computer hosting a client application;
  
  code that directs the processor to receive a policy for the network, wherein the policy comprises requirements associated with the first application server, wherein the requirements include a description of a first set of required network traffic;
  
  code that directs the processor to receive a plurality of configuration data associated with the plurality of network devices;
  
  code that directs the processor to build an internal software configuration model of the network using the plurality of configuration data, the model comprising a plurality of network paths between at least one network gateway, the first application server and the client computer;
  
  code that directs the processor to analyze the software network configuration model against the network policy, comprising;
  
  simulating, by the analysis platform, actions of the at least one network gateway relating to packets relating to the first set of required network traffic, comprising a request sent from the first client computer to the first application server; and
  
  simulating, by the analysis platform, a configuration of the first application server by preparing a response to the request and simulating the actions of the at least one network gateway when the response is sent from the fist application server to the first client computer;
  
  code that directs the processor to determine when the simulated actions of the plurality of network gateways processed the set of required network traffic as required by the policy; and
  
  code that directs the processor to generate a report indicating whether the simulated actions of the plurality of network gateways processed the set of required network traffic as required by the policy.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The computer program product of claim 21wherein the packets relating to the first set of required network traffic comprises IP packets.
  - 23. The computer program product of claim 22wherein the network topology includes changes to the network topology selected from a group consisting of:
    - a new network device, a new application server, and moving an application from one application server to another application server.
  - 24. The computer program product of claim 22wherein the first application server is determined based upon criteria selected from a group consisting of:
    - a specific application running on the first application server, a specific version number for the application running on the first application server, a specific patch level for the application running on the first application server, a specific operating system running on the first application server, and a specific patch level of a specific operating system running on the first application server.
  - 25. The computer program product of claim 24 wherein the first application server is selected from a group consisting of:
    - e-commerce server, domain name server, e-mail server, database server, financial data server, ERP server, CRM server, and data storage server.
  - 26. The computer program product of claim 22 wherein the first client application is selected from a group consisting of:
    - worm, virus, Trojan, spyware, key logger.
  - 27. The computer program product of claim 22wherein the plurality of network devices also includes a second server hosting a second application;
    - wherein the policy also comprises additional requirements associated with the second application server, wherein the additional requirements includes a description of a second set of required network traffic.
  - 28. The computer program product of claim 27wherein code that directs the processor to generate the report further comprises code that directs the processor to prioritize the first set of required network traffic over the second set of required network traffic in response to a plurality of metrics.
  - 29. The computer program product of claim 28wherein a metric from the plurality of metrics is selected from a group consisting of:
    - probability of threats, potential harm of threats, ease of remediation of threats, commonality of servers in both a first plurality of traffic paths between the first server and the second server and a second plurality of traffic paths between the second server and the client computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Redseal, Inc.
Original Assignee
Redseal Systems Incorporated
Inventors
Mayer, Alain Jules
Primary Examiner(s)
Jaroenchonwanit, Bunjob

Application Number

US11/270,806
Publication Number

US 20060129670A1
Time in Patent Office

2,317 Days
Field of Search

709/221, 709/224
US Class Current

709/223
CPC Class Codes

G06F 15/173   using an interconnection ne...

H04L 41/00   Arrangements for maintenanc...

H04L 41/0853   by actively collecting conf...

H04L 41/0873   Checking configuration conf...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 41/145   involving simulating, desig...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 69/16   Implementation or adaptatio...

H04L 69/24   Negotiation of communicatio...

H04L 9/40   Network security protocols

Method and apparatus for network wide policy-based analysis of configurations of devices

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

213 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for network wide policy-based analysis of configurations of devices

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

213 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links