Reexamination Certificate
2000-06-12
2004-03-16
Amsbury, Wayne (Department: 2171)
Data processing: database and file management or data structures
Database design
Data structure types
C709S224000
active
06708187
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to computer networks, and more particularly, to devices and methods for updating configuration database information of remote private networks across the Internet.
BACKGROUND OF THE INVENTION
The growth and proliferation of computers and computer networks allow businesses to efficiently communicate with their own components as well as with their business partners, customers, and suppliers. However, the flexibility and efficiencies provided by such computers and computer networks come with increasing risks, including security breaches from outside the corporation, accidental release of vital information from within it, and inappropriate use of the LAN, WAN, Internet, or extranet.
In managing the growth of computer networks as well as addressing the various security issues, network managers often turn to network policy management services such as firewall protection, Network Address Translation, spam email filtering, DNS caching, Web caching, virtual private network (VPN) organization and security, and URL blocking for keeping network users from accessing certain Web sites through use of the organization's ISP. Each policy management service, however, generally requires a separate device that needs to be configured, managed, and monitored. Furthermore, as an organization grows and spreads across multiple locations, the number of devices to be maintained multiplies as well, multiplying the associated expenditure and effort to configure, manage, and monitor them.
The solution to this problem is not as simple as just integrating multiple network policy management functions into a single device at each location and allowing each location to share its policy information with other locations. In fact, there are many obstacles and challenges in adopting such an approach. One of these challenges is devising a scheme for specifying, distributing, and updating policy management information effectively across the entire organization. The challenges increase if a directory service protocol such as a Lightweight Directory Access Protocol (LDAP) directory is used to store the policy management information. LDAP database management typically suffers from a lack of flexibility that becomes increasingly relevant as the size of the database increases. These problems generally become more severe in a network with multiple databases that must be synchronized together with multiple applications that require updates to only selected portions of a larger database. For example, conventional approaches to LDAP database management such as SLURPD (stand-alone LDAP update replication daemon) require updates of the entire database and do not include application-specific notification.
Accordingly, there remains a need in the art for a method for efficiently synchronizing multiple LDAP databases storing configuration information including policy management information.
SUMMARY OF THE INVENTION
The present invention is directed to a unified policy management system where various policies, namely, the set of rules and instructions that determine the network's operation, may be established and enforced from a single site. According to one embodiment of the invention, a central policy server maintains a central database storing configuration information for a plurality of edge devices in an organization. Relevant portions of the configuration information are transferred to subordinate databases associated with each of the edge devices. Each edge device may then manage policies for a network in the organization according to the configuration information in its database.
Any changes to the configuration information are made by the central policy server in the central database. The central policy server further creates a log of the changes, stores the log in the central database, and transfers the changes to the affected edge devices for updating their databases.
In one particular aspect of the invention, the central policy server maintains user logs and device logs (referred to below as policy logs) for the changes. User logs associate the configuration changes with the particular users making them (e.g. particular network administrators). Policy logs associate the configuration changes with the particular edge devices affected by them. In creating the policy logs, the changes in the user logs are collected and filtered for each affected edge device and stored in the policy log associated with that edge device for later transfer to it.
In another particular aspect of the invention, the central policy server receives a status of the transfer of the configuration changes from the affected edge devices. If the status indicates a successful transfer, the log of changes is deleted from the central database.
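The log-based scheme of the summary (user logs filtered into per-device policy logs, a transfer whose status decides whether the log is discarded) as a runnable toy model; this is an added illustration, not code from the patent, and the class names, device names, users and LDAP-style `dn` keys are constructed sample values.

```python
"""Toy model of selective configuration synchronization (added example,
not the patent's code): the central server logs every change per user,
filters the entries into per-edge-device policy logs, pushes each device
only its own entries, and deletes them once the device reports success."""
from collections import defaultdict


class CentralPolicyServer:
    def __init__(self):
        self.central_db = {}                  # dn -> attributes (stand-in for the central LDAP DB)
        self.user_logs = defaultdict(list)    # user -> [change, ...]
        self.policy_logs = defaultdict(list)  # device name -> [change, ...]

    def change(self, user, dn, attrs, devices):
        """Apply a change centrally and record who made it and which devices it affects."""
        self.central_db.setdefault(dn, {}).update(attrs)
        self.user_logs[user].append({"dn": dn, "attrs": attrs, "devices": set(devices)})

    def build_policy_logs(self):
        """Collect all user-log entries and filter them into one log per affected device."""
        for entries in self.user_logs.values():
            for entry in entries:
                for dev in entry["devices"]:
                    self.policy_logs[dev].append({"dn": entry["dn"], "attrs": entry["attrs"]})
        self.user_logs.clear()

    def sync(self, device):
        """Transfer the device's pending entries; drop the log only on a successful status."""
        pending = self.policy_logs.get(device.name, [])
        if not pending:
            return "nothing-to-do"
        status = device.apply(pending)
        if status == "ok":
            del self.policy_logs[device.name]   # failed transfers keep the log for a retry
        return status


class EdgeDevice:
    def __init__(self, name, reachable=True):
        self.name, self.reachable, self.db = name, reachable, {}

    def apply(self, entries):
        """Apply the received entries to the subordinate database and report a status."""
        if not self.reachable:
            return "transfer-failed"
        for e in entries:
            self.db.setdefault(e["dn"], {}).update(e["attrs"])
        return "ok"
```

An unreachable device keeps its policy-log entries queued until a later `sync` succeeds, while a device whose transfer succeeded has nothing left to receive.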
Apsani Lavanya
Shanumgam Udayakumar
Alcatel
Amsbury Wayne
Christie Parker & Hale
Cordeiro David A.
Reader Scot A.
Patent title: Method for selective LDAP database synchronization