Method and system for policy simulation

US 8,943,575 B2
Filed: 04/29/2009
Issued: 01/27/2015
Est. Priority Date: 04/30/2008
Status: Active Grant

First Claim

Patent Images

1. A method of managing access to resources on a secured network using a plurality of access rules, comprisingreading packet information in respective packets of a packet communication received at a security node;

applying an access rule of the plurality of access rules;

determining whether the security node is to block the respective packets or the packet communication from reaching one or more of the resources on the secured network based on the applied access rule;

if (i) the applied access rule is a simulated access rule and (ii) the security node is to simulate blocking the respective packets or the packet communication from reaching the one or more resources based on the applied simulated access rule, the security node;

(1) passing the respective packets or the packet communication towards the one or more resources on the secured network; and

(2) generating a log event that indicates blocking of the respective packets or the packet communication by the security node, and changing the simulated access rule or an order of the access rules to reduce an amount of over-blocking or under-blocking determined based on the log event, wherein over-blocking occurs if appropriate access to a protected resource is blocked by an access rule, and under-blocking occurs if inappropriate access to a protected resource is not blocked by the access rule.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for managing access to resources on a secured network is disclosed. The method includes reading packet information in respective packets of a packet communication received at a security node and applying one of the plurality of access rules. The method also includes determining whether the security node is to block the respective packets and/or the packet communication from reaching a resource on the secured network based on the applied access rule. If the security node is to block the respective packets and/or the packet communication, it is determined whether the applied access rule is a simulated access rule. Responsive to the applied access rule being a simulated access rule, the respective packets and/or the packet communication are passed towards the resource on the secured network and a log event is generated that indicates the security node blocked the respective packets and/or the packet communication.

222 Citations

22 Claims

1. A method of managing access to resources on a secured network using a plurality of access rules, comprisingreading packet information in respective packets of a packet communication received at a security node;
- applying an access rule of the plurality of access rules;
  
  determining whether the security node is to block the respective packets or the packet communication from reaching one or more of the resources on the secured network based on the applied access rule;
  
  if (i) the applied access rule is a simulated access rule and (ii) the security node is to simulate blocking the respective packets or the packet communication from reaching the one or more resources based on the applied simulated access rule, the security node;
  
  (1) passing the respective packets or the packet communication towards the one or more resources on the secured network; and
  
  (2) generating a log event that indicates blocking of the respective packets or the packet communication by the security node, and changing the simulated access rule or an order of the access rules to reduce an amount of over-blocking or under-blocking determined based on the log event, wherein over-blocking occurs if appropriate access to a protected resource is blocked by an access rule, and under-blocking occurs if inappropriate access to a protected resource is not blocked by the access rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 22)
- - 2. The method of claim 1, further comprising:
    - setting each of the access rules to one of;
      
      (1) a simulation mode in which access is granted to the one or more resources on the secure network and an effect of the respective access rule on the packet communication is simulated in log events or (2) an active mode in which access to the one or more resources is selectively granted to the packet communication in accordance with a currently active access rule.
  - 3. The method of claim 1, wherein when the respective packets or the packet communication are not to be blocked from reaching the one or more resources on the secured network, and the applied access rule is the simulated access rule,(1) passing the respective packets or the packet communication towards the one or more resources on the secured network;
    - and(2) generating the log event that indicates passing of the respective packets or the packet communication by the security node towards the one or more resources of the secured network.
  - 4. The method of claim 1, wherein when the respective packets or the packet communication are to be blocked from reaching the one or more resources on the secured network, and the applied access rule is a currently active access rule,(1) selectively blocking, by the security node, the respective packets or the packet communication from reaching the one or more resources on the secured network in accordance with the applied access rule;
    - and(2) generating the log event that indicates blocking of the respective packets or the packet communication by the security node.
  - 5. The method of claim 1, wherein when the respective packets or the packet communication are to not be blocked from reaching the one or more resources on the secured network, and the applied access rule is a currently active access rule,(1) selectively passing, by the security node, the respective packets or the packet communication towards the one or more resources on the secured network in accordance with the currently active access rule;
    - and(2) generating the log event that indicates passing of the respective packets or the packet communication by the security node.
  - 6. The method of claim 1, further comprising:
    - establishing, by a system administrator, a set of currently active access rules and another set of simulated access rules;
      
      setting a precedence order among the established currently active access rules and the established simulated access rules.
  - 7. The method of claim 6, further comprising:
    - changing the precedence order of the established currently active and simulated access rules to reduce an amount of over-blocking or under-blocking.
  - 8. The method of claim 7, wherein the changing of the precedence order includes:
    - generating, by the system administrator, expected events indicating passing or blocking of respective packets or the packet communication received by the security node;
      
      checking the expected events with actual log events generated from the passing or the blocking of respective packets or the packet communication received by the security node;
      
      adjusting the precedence order of the established currently active and simulated access rules to reduce discrepancies between the expected events and the actual log events.
  - 9. The method of claim 8, further comprising:
    - generating, without user intervention, the actual log events by aggregating actual log events having a common user and attempting to or gaining access to the one or more resources on the secured network prior to the checking of the expected events with the actual log events.
  - 10. The method of claim 9, wherein the adjusting and checking are repeated until the actual log events generated match the expected log events.
  - 11. The method of claim 1, further comprising:
    - changing one or more simulated access rules to reduce an amount of over-blocking or under-blocking.
  - 12. The method of claim 11, wherein the changing of the one or more simulated access rules includes:
    - generating, by the system administrator, expected events indicating passing or blocking of respective packets or the packet communication received by the security node;
      
      checking the expected events with actual log events generated from the passing or the blocking of respective packets or the packet communication received by the security node; and
      
      modifying, by the security node, the one or more simulated access rules to reduce discrepancies between the expected events and actual log events.
  - 13. The method of claim 12, further comprising;
    - generating, without user intervention, the actual log events by aggregating actual log events having a common user and attempting to or gaining access to the one or more resources on the secured network prior to the checking of the expected events with the actual log events.
  - 14. The method of claim 13, wherein the adjusting and modifying are repeated until the actual log events generated match the expected events, the method further comprising authorizing use of one or more simulated access rules responsive to the actual log events generated matching the expected events.
  - 15. The method of claim 13, further comprising:
    - establishing only simulated accesses rules for the security node; and
      
      analyzing simulated operation of the security node for blocking of the respective packets or the packet communication from the one or more resources or for passing the respective packets or the packet communication towards the one or more resources in accordance with the established simulated access rules for the security node.
  - 16. The method of claim 1, wherein the determining whether the security node is to block or to pass the respective packets or the packet communication includesanalyzing security information embedded in the respective packets that are read and criteria in the applied access rule to determine whether each respective packet read or the packet communication associated therewith is to be passed by the security node towards the one or more resources, the method further comprising:
    - blocking the respective packets or the packet communication from reaching the one or more resources when access is not granted based on a currently active access rule.
  - 22. A non-transitory computer readable storage medium storing computer code executable on a computer to implement the method of claim 1.

17. A method of managing access to resources on a secured network, comprisingreading packet information in respective packets of a packet communication received at a security node;
- applying, by a program processor of the security node, a simulated access rule;
  
  determining, by the program processor of the security node, whether the packet communication is authorized for one or more resources on the secured network using packet information in at least one of the respective packets and the applied, simulated access rule;
  
  responsive to the packet communication not being authorized by the simulated access rule, generating a log event indicating that the packet communication is simulated to be blocked by the security node; and
  
  changing the simulated access rule to reduce an amount of over-blocking or under-blocking determined based on the log event, wherein over-blocking occurs if appropriate access to a protected resource is blocked by an access rule, and under-blocking occurs if inappropriate access to a protected resource is not blocked by the access rule.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17, further comprisingpassing, by the security node, the packet communication towards the one or more resources on the secured network.
  - 19. The method of claim 17, further comprising:
    - analyzing the packet information in the respective packets using one or more access rules to determine whether;
      
      (1) the respective packets or the packet communication is to be selectively passed by the security node towards the one or more resources on the secured network;
      
      or (2) the respective packets or the packet communication is to be selectively blocked by the security node from reaching the one or more resources on the secured network, responsive to the one or more access rules being currently active access rules.

20. A method of simulating an effect of access policies for managing access to a resource on a protected network, comprising,generating, by an administrator;
- a simulated rule or a set of simulated rules having a precedence order;
  
  authorizing use of the simulated rule or set of simulated rules at an enforcement point;
  
  generating log events at the enforcement point including;
  
  (1) simulating blocking of respective packets when the simulated rule or set of simulated rules provide for blocking of the respective data packets based on the analysis step;
  
  or (2) simulating transmission of respective packets when the simulated rule or set of simulated rules provide for access to the protected resource;
  
  analyzing the generated log events to determine an amount of over-blocking or under-blocking, wherein over-blocking occurs if appropriate access to a protected resource is blocked by an access rule, and under-blocking occurs if inappropriate access to a protected resource is not blocked by the access rule;
  
  changing either the precedence order or the simulated rule to reduce the amount of over-blocking or under-blocking; and
  
  placing the simulated rule into service on the enforcement point as an actual rule.

21. A security node for managing access to a resource on a secured network using a plurality of access rules, comprisinga packet processor module for reading packet information in respective packets of a packet communication received at the security node;
- a rule enforcement unit for applying the plurality of access rules in a precedence order and for determining whether the security node is to block the respective packets or the packet communication from reaching the resource on the secured network based on an applied access rule of the plurality of access rules,an event logger for generating log events, andwherein if (i) the rule enforcement unit determines that the applied access rule is a simulated access rule and (ii) the security node is to simulate blocking the respective packets or the packet communication from reaching the resource based on the applied simulated access rule;
  
  (1) the packet processor passes the respective packets or the packet communication towards the resource on the secured network; and
  
  (2) the event logger generates a respective log event that indicates blocking of the respective packets or the packet communication by the security node, the precedence order or the simulated access rule changed to reduce an amount of over-blocking or under-blocking determined based on the log event, wherein over-blocking occurs if appropriate access to a protected resource is blocked by an access rule, and under-blocking occurs if inappropriate access to a protected resource is not blocked by the access rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Kumar, Srinivas, Bettadapura, Vijayashree S.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Debnath, Suman

Application Number

US12/432,186
Publication Number

US 20090276204A1
Time in Patent Office

2,099 Days
Field of Search

726/1, 726/11, 726/13, 703/21, 713/782
US Class Current

726/11
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

Method and system for policy simulation

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

222 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for policy simulation

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

222 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links