Method and apparatus for role-based security policy management
IPC classification information
Country / type
United States (US) Patent
Registered
International Patent Classification (IPC 7th edition)
G06F-021/00
Application number
US-0844342
(2004-05-13)
Registration number
US-7484237
(2009-01-27)
Inventors / address
Joly,Pascal
Berger,Olivier
Reves,Joe
Huynh,Jean Laurent
Pai,Suresh
Applicant / address
Hewlett Packard Development Company, L.P.
Citation information
Times cited: 22
Cited patents: 1
Abstract
A method and corresponding tool are described for security policy management in a network comprising a plurality of hosts and at least one configurable policy enforcement point. The method comprises creating one or more policy templates representing classes of usage control models within the network that are enforceable by configuration of the policy enforcement points; creating one or more policy instances, each based on one of the templates and instantiating the template for identified sets of hosts within the network to which the usage control model is to be applied; and deploying the policy instances by generating and providing one or more configuration files for provisioning corresponding policy enforcement points within the network. Access to the templates and policy instances is controlled so that the policy templates are only modifiable by a first predeterminable user group, the policy instances are only modifiable by the first or a second predeterminable user group, and the policy instances are only deployable by a third predeterminable user group.
Representative claims
The invention claimed is:

1. A method for security policy management in a network comprising a plurality of hosts and at least one configurable policy enforcement point, comprising: creating one or more policy templates representing classes of usage control models within the network that are enforceable by configuration of the policy enforcement points; creating one or more policy instances, each based on a different one of the policy templates and instantiating the policy template for identified sets of hosts within the network to which the usage control model is to be applied; deploying the policy instances by generating and providing one or more configuration files for provisioning corresponding policy enforcement points within the network; controlling access to the policy templates and policy instances so that the policy templates are only modifiable by a first predeterminable user group, the policy instances are only modifiable by the first or a second predeterminable user group and the policy instances are only deployable by a third predeterminable user group.

2. A method as claimed in claim 1 wherein access to the policy templates is controlled such that policy instances can only be created by the first predeterminable group.

3. A method as claimed in claim 1 wherein the network is a partitioned network wherein a policy instance corresponds to one or more network partitions.

4. A method as claimed in claim 1 wherein at least some of the policy instances are deployed by configuring access control lists on router interfaces.

5. A method as claimed in claim 1 wherein at least some of the policy enforcement points are filters present in the network, wherein the filters comprise firewalls, routers, switches, or specific network appliances.

6. A method as claimed in claim 1 comprising detecting a change to one or more of the policy templates; automatically triggering the creation of one or more corresponding modified policy instances, and deploying the modified policy instances by generating and providing one or more modified configuration files for provisioning corresponding policy enforcement points within the network.

7. A tool for security policy management in a network comprising a plurality of hosts and at least one configurable policy enforcement point, the tool comprising: a policy creation environment for enabling a first predeterminable user group to create one or more policy templates representing classes of usage control models within the network that are enforceable by configuration of the policy enforcement points and one or more policy instances, each based on one of the policy templates and instantiating the policy template for identified sets of hosts within the network to which the usage control model is to be applied, and for enabling a second predeterminable user group to modify the policy instances; and a deployment mechanism for enabling a third predeterminable user group to deploy the policy instances by generating and providing one or more configuration files for provisioning corresponding policy enforcement points within the network; and an access control mechanism for controlling access to the policy templates and policy instances so that the policy templates are only modifiable by the first predeterminable user group, the policy instances are only modifiable by the second predeterminable user group and the policy instances are only deployable by the third predeterminable user group.

8. A tool as claimed in claim 7 wherein the access control mechanism is arranged so that access to the policy templates is controlled such that policy instances can only be created by the first predeterminable group.

9. A tool as claimed in claim 7 wherein the deployment mechanism deploys at least some of the policy instances by generating access control lists for configuration on router interfaces.

10. A tool as claimed in claim 7 comprising a mechanism for, in response to a change to one or more of the policy templates, automatically triggering the creation of one or more corresponding modified policy instances, and the deployment of the modified policy instances by generating and providing one or more modified configuration files for provisioning corresponding policy enforcement points within the network.

11. A method for security policy management in a partitioned network comprising a plurality of hosts and at least one configurable policy enforcement point, comprising: creating one or more policy templates representing classes of usage control models within the network that are enforceable by configuration of the policy enforcement points; creating one or more policy instances, each based on one of the policy templates and instantiating the policy template for network partitions within the network to which the usage control model is to be applied; deploying the policy instances, including by generating and providing one or more configuration files for provisioning corresponding policy enforcement points within the network by configuring access control lists on router interfaces; controlling access to the policy templates and policy instances so that the policy templates are only modifiable, and can only be created, by a first predeterminable user group, the policy instances are only modifiable by the first or a second predeterminable user group and the policy instances are only deployable by a third predeterminable user group.

12. A method as claimed in claim 11 comprising detecting a change to one or more of the policy templates; automatically triggering the creation of one or more corresponding modified policy instances, and deploying the modified policy instances by generating and providing one or more modified configuration files for provisioning corresponding policy enforcement points within the network.

13. A tool for security policy management in a network comprising a plurality of hosts and at least one configurable policy enforcement point, the tool comprising: a policy creation environment for enabling a first predeterminable user group to create one or more policy templates representing classes of usage control models within the network that are enforceable by configuration of the policy enforcement points and one or more policy instances, each based on one of the policy templates and instantiating the policy template for identified sets of hosts within the network to which the usage control model is to be applied, and for enabling a second predeterminable user group to modify the policy instances; and a deployment mechanism for enabling a third predeterminable user group to deploy the policy instances by generating and providing one or more configuration files for provisioning corresponding policy enforcement points within the network by generating access control lists for configuration on router interfaces; and an access control mechanism for controlling access to the policy templates and policy instances so that the policy templates are only modifiable and creatable by the first predeterminable user group, the policy instances are only modifiable by the second predeterminable user group and the policy instances are only deployable by the third predeterminable user group.

14. A tool as claimed in claim 13 comprising a mechanism for, in response to a change to one or more of the policy templates, automatically triggering the creation of one or more corresponding modified policy instances, and the deployment of the modified policy instances by generating and providing one or more modified configuration files for provisioning corresponding policy enforcement points within the network.
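The workflow the abstract and claims describe (template, instance, generated router ACL, and three separate user groups) as an added example. This is illustrative code written for this page, not code from the patent or from Hewlett Packard; the role names, the dataclass fields, the IOS-like ACL syntax and the sample prefixes are all assumptions.

```python
"""Added example, not the patent's own code: a minimal model of the
template -> instance -> deployment workflow with the three-group access
control of the abstract and claims. Role names, field layout and the
ACL syntax are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Assumed names for the three "predeterminable user groups" of claim 1.
TEMPLATE_AUTHOR = "template_author"   # first group
INSTANCE_OWNER = "instance_owner"     # second group
DEPLOYER = "deployer"                 # third group

@dataclass
class Template:
    """A class of usage control model: which traffic partitions may exchange."""
    name: str
    action: str        # "permit" or "deny"
    protocol: str      # "tcp" or "udp"
    ports: List[int]

@dataclass
class Instance:
    """A template bound to identified host sets and one enforcement point."""
    name: str
    template: str
    sources: List[str]        # CIDR prefixes of the source partition
    destinations: List[str]   # CIDR prefixes of the destination partition
    interface: str            # router interface that receives the ACL

def render_acl(tpl: Template, inst: Instance) -> str:
    """Router configuration for one instance (claims 4, 9).
    IOS-like syntax is assumed; the patent does not fix one."""
    def wc(cidr: str) -> str:  # CIDR -> 'address wildcard-mask', as extended ACLs expect
        net = ipaddress.ip_network(cidr, strict=False)
        return f"{net.network_address} {net.hostmask}"
    acl = f"ACL_{inst.name.upper()}"
    lines = [f"ip access-list extended {acl}"]
    for src in inst.sources:
        for dst in inst.destinations:
            for port in tpl.ports:
                lines.append(f" {tpl.action} {tpl.protocol} {wc(src)} {wc(dst)} eq {port}")
    lines.append(" deny ip any any")   # explicit default deny closes the list
    lines += [f"interface {inst.interface}", f" ip access-group {acl} in"]
    return "\n".join(lines)

@dataclass
class PolicyStore:
    templates: Dict[str, Template] = field(default_factory=dict)
    instances: Dict[str, Instance] = field(default_factory=dict)
    staged: Dict[str, str] = field(default_factory=dict)    # instance -> config awaiting deploy
    deployed: Dict[str, str] = field(default_factory=dict)  # interface -> live config
    audit: List[str] = field(default_factory=list)

    def _require(self, roles: Iterable[str], allowed: Set[str], op: str) -> None:
        roles = set(roles)
        if not roles & allowed:
            self.audit.append(f"DENY  {op} roles={sorted(roles)}")
            raise PermissionError(f"{op} needs one of {sorted(allowed)}")
        self.audit.append(f"ALLOW {op} roles={sorted(roles)}")

    def put_template(self, roles, tpl: Template) -> List[str]:
        """Only the first group creates or modifies templates (claims 1, 2, 11). A change
        regenerates and stages every derived instance (claim 6); deploying is still separate."""
        self._require(roles, {TEMPLATE_AUTHOR}, f"put_template:{tpl.name}")
        self.templates[tpl.name] = tpl
        affected = [i for i in self.instances.values() if i.template == tpl.name]
        for inst in affected:
            self.staged[inst.name] = render_acl(tpl, inst)
        return [i.name for i in affected]

    def put_instance(self, roles, inst: Instance) -> None:
        """The first or second group may create or modify instances (claim 1)."""
        self._require(roles, {TEMPLATE_AUTHOR, INSTANCE_OWNER}, f"put_instance:{inst.name}")
        if inst.template not in self.templates:
            raise KeyError(f"unknown template {inst.template!r}")
        self.instances[inst.name] = inst
        self.staged[inst.name] = render_acl(self.templates[inst.template], inst)

    def deploy(self, roles, instance_name: str) -> str:
        """Only the third group provisions an enforcement point (claim 1)."""
        self._require(roles, {DEPLOYER}, f"deploy:{instance_name}")
        config = self.staged.pop(instance_name)
        self.deployed[self.instances[instance_name].interface] = config
        return config

def demo() -> PolicyStore:
    """Constructed walk-through: three separate duties, then a template change."""
    store = PolicyStore()
    store.put_template({TEMPLATE_AUTHOR}, Template("web_to_db", "permit", "tcp", [5432]))
    store.put_instance({INSTANCE_OWNER}, Instance(
        "dmz_to_dbnet", "web_to_db", ["10.1.0.0/24"], ["10.2.0.0/24"], "GigabitEthernet0/1"))
    store.deploy({DEPLOYER}, "dmz_to_dbnet")
    # Widening the template re-stages the derived instance; the router is unchanged until a deployer pushes it.
    store.put_template({TEMPLATE_AUTHOR}, Template("web_to_db", "permit", "tcp", [5432, 6432]))
    return store
```

The point of keeping `staged` separate from `deployed` is the separation of duties the claims describe: a template author can change what every derived instance will say, but cannot by that act alone change what any router enforces, and a deployer can push only what the first two groups have authored. The `audit` list records every allowed and denied operation with the caller's roles, which is the record a reviewer would want when a change on an enforcement point has to be traced back to a template or instance edit.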
Patents cited by this patent (1)
Bonn, David Wayne; Marvais, Nick Takaski, Generalized network security policy templates for implementing similar network security policies across multiple networks.
Albisu, Luis F.; DeVere, Patricia M.; Gula, Walter J.; Singel, David A., Enterprise desktop security management and compliance verification system and method.
Chen, Xuemin; Chen, Iue-Shuenn; Tan, Shee-Yen; Zhu, Hongbo; Ye, Qiang, Method and apparatus for constructing an access control matrix for a set-top box security processor.
Dellow, Andrew; Chen, Iue-Shuenn; Rodgers, Stephane (Steve); Chen, Xuemin (Sherman), Method and system for allowing no code download in a code download scheme.