Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-05-06
2004-05-18
Hua, Ly V. (Department: 2135)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C707S793000, C709S229000, C709S225000, C709S245000, C713S164000, C713S159000
active
06738908
ABSTRACT:
TECHNICAL FIELD
The present invention is directed to the field of automated network security.
BACKGROUND OF THE INVENTION
Network security devices provide various types of network security services to a network, such as a local area network connected to the Internet. For example, a network security device may perform access control and traffic monitoring and logging. Access control refers to the regulation of network traffic based upon its type, content, source, and/or destination. For example, access control services of a network security device can be employed to prevent email traffic from sources on the Internet from reaching computer systems inside the network other than a designated mail host computer system. Traffic monitoring and logging refers to observing network traffic, and storing important observations about the network traffic in a log. As an example, traffic monitoring and logging services of a network security device can be employed to log all unsuccessful attempts from sources on the Internet to access a server in the network containing sensitive information.
Unfortunately, in order to perform such functions, conventional network security devices generally must be configured manually, typically on-site at the location of the network. Such configuration can be extremely time-consuming. Also, because of the nature of typical configuration processes, they generally must be performed by a technical specialist whose time is both scarce and expensive. It is especially important that the configuration process be performed correctly, since misconfiguration of a security device often leaves the network that is to be protected by the security device vulnerable to attack or other abuse.
These shortcomings of conventional network security device configuration processes tend to make the installation and use of a network security device difficult and/or expensive. Accordingly, a streamlined, more highly automated configuration process that is capable of correctly configuring network security devices would make the proper use of such network security devices more accessible, and would therefore have significant utility.
SUMMARY OF THE INVENTION
The present invention provides a software facility for implementing similar network security policies across multiple networks (“the facility”). Each network is a collection of network elements, including a network security device that protects the network by implementing a network security policy (hereinafter simply “policy”) within the network. While Firebox II network security devices provided by WatchGuard Technologies, Inc., of Seattle, Wash. are suggested for use with the facility, the facility preferably also operates with other network security devices available from other sources.
The policy implemented in a particular network comprises a set of rules for managing network traffic. These rules are specified in terms of specific network elements, such as user workstations, servers, routers, and printers, that perform certain functions, or “roles.” For example, a rule in a network security policy for a particular network may specify that all email traffic must flow through a network element having a particular network address that is specifically configured as a mail host. In a sense, these rules establish trust relationships between specific network elements, or groups thereof.
The facility preferably provides a user interface for constructing one or more network security policy templates (hereinafter simply “templates”) that can each be used to generate similar policies for any number of specific networks. A template contains rules expressed in terms of “aliases,” rather than in terms of specific network elements. For example, a template may include a rule specifying that all email traffic must flow through a “MailHost” alias that is not associated with a particular network address.
To generate a policy for a particular network from a template, the facility uses a profile of the network that maps the aliases occurring in the template to specific network elements within the network. For example, the network profile for a particular network maps the “MailHost” alias to a particular network element of the network having a particular network address. The facility preferably provides a user interface that makes it convenient for a user to generate network profiles.
The facility uses the profile for the network to replace occurrences of aliases in the template with the addresses of the corresponding specific network elements. The facility preferably sends the resulting network-specific policy to the network security device of the network for implementation. In certain embodiments, the policy may be further modified before transmission to the network's security device.
This process can be repeated to generate policies for each of a number of other networks. At a later time, the underlying template can be revised to add or change rules. Together with the network profiles, this revised template can be used to automatically generate revised policies corresponding to the revised template for all of the networks.
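The template-plus-profile substitution described above, as an added illustration that is not part of the patent or of any WatchGuard product. The alias prefix `@`, the `Rule` fields, the sample template and the two network profiles are all constructed for this example; the one design choice worth noting is that a network whose profile leaves an alias unmapped gets no policy at all rather than a partially substituted one, since a half-resolved rule set is exactly the kind of misconfiguration the background section warns about.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One traffic rule; src/dst hold an address, a CIDR, 'any', or an '@Alias'."""
    service: str
    src: str
    dst: str
    action: str  # "allow" or "deny"


class UnmappedAlias(Exception):
    """Raised when a template alias has no entry in the network profile."""


# Constructed sample template: rules written against aliases, not addresses.
TEMPLATE = [
    Rule("smtp", "any", "@MailHost", "allow"),
    Rule("smtp", "any", "@Internal", "deny"),   # mail may reach only the mail host
    Rule("https", "any", "@WebServer", "allow"),
]

# Constructed network profiles: alias -> concrete network element.
PROFILES = {
    "acme": {"MailHost": "192.0.2.10", "Internal": "192.0.2.0/24", "WebServer": "192.0.2.20"},
    "beta": {"MailHost": "198.51.100.5", "Internal": "198.51.100.0/24"},  # WebServer missing
}


def resolve(token: str, profile: dict) -> str:
    """Replace an '@Alias' token with the profile's address; pass other tokens through."""
    if not token.startswith("@"):
        return token
    name = token[1:]
    if name not in profile:
        raise UnmappedAlias(f"alias {name!r} not in profile")
    ipaddress.ip_network(profile[name], strict=False)  # reject malformed addresses early
    return profile[name]


def generate_policy(template: list, profile: dict) -> list:
    """Produce the network-specific policy by substituting every alias in every rule."""
    return [Rule(r.service, resolve(r.src, profile), resolve(r.dst, profile), r.action)
            for r in template]


def generate_all(template: list, profiles: dict) -> tuple:
    """Apply one template to many networks; fail closed per network on any unmapped alias."""
    policies, failures = {}, {}
    for network, profile in profiles.items():
        try:
            policies[network] = generate_policy(template, profile)
        except (UnmappedAlias, ValueError) as exc:
            failures[network] = str(exc)  # nothing is pushed to this network's device
    return policies, failures
```

Revising the template and calling `generate_all` again regenerates every network's policy from the same profiles, which is the update path the summary describes.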
The facility is especially well suited for use by Internet service providers and other organizations responsible for providing network security to a large number of networks, as it enables these organizations to configure the network security devices for additional networks at a very low cost. The facility also enables such organizations to efficiently update the configuration of a large number of operating network security devices by merely modifying and reapplying one or more templates.
Bonn David Wayne
Marvais Nick Takaski
Hua Ly V.
Perkins Coie LLP
WatchGuard Technologies, Inc.