1. Field of Invention
This invention relates in general to the configuration and management of devices in a network. More specifically, the invention relates to methods and systems for device based policy configuration in a network.
2. Description of the Background Art
A network generally includes a large number of devices. These devices can be switches and routers for facilitating traffic, or user-end stations such as PCs, printers, servers, fax machines, hosts, workstations, and other user devices. A device belonging to the network may contain resources such as data, applications, software or hardware configurations, or any other source of information. The movement of resources from a source device to a destination device constitutes network traffic (hereafter, traffic). Traffic enters or exits a device via interfaces.
An interface is a boundary across which two independent systems or devices communicate with each other. An interface can be physical or logical. A physical interface is provided by the hardware of a device, whereas a logical interface is implemented in software. Both physical and logical interfaces are preferably configured for directing traffic into or out of the device.
Traffic across devices and interfaces is controlled by defining specific policies that apply to these devices and interfaces. A policy includes a set of rules for allowing or disallowing particular traffic by a specific user or group of users under specific conditions. There are different types of policies, each of which controls network traffic in a specific way. For example, an Access Control List (ACL) is used for filtering (allowing or denying) traffic, whereas a QoS policy is used for defining traffic priorities and queuing. A policy is applied to the interfaces of a device in a specific direction. Sometimes, multiple instances of a particular policy may be applied to several interfaces of a device in different directions.
A policy may contain multiple rules, each of which is applied to an interface in a specific direction. The rules can be of the same or of different types. For example, a firewall policy usually contains three rules, one of which is a CBAC (Context Based Access Control) rule and the other two are ACLs. To make a policy effective, all the rules contained in the policy must be applied to their associated interfaces and directions, more specifically to an interface's inbound or outbound direction. A device may also carry several different policies at once. These different policies may apply to the traffic of a user or a device under a specific set of operational conditions.
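The policy model just described, as an added illustration that is not part of the original document: a policy is a set of rules of possibly different types, each rule is bound to an interface in one direction, and the policy counts as effective only when every rule has been bound. The rule, policy and interface names are constructed for the sample; the completeness check is the kind of warning a device management application would raise.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
# Constructed model: a policy is a set of rules of possibly different types
# (the text's firewall policy holds one CBAC rule and two ACLs).
@dataclass(frozen=True)
class Rule:
    name: str
    kind: str  # e.g. "CBAC" or "ACL"

@dataclass
class Policy:
    name: str
    rules: List[Rule]
@dataclass
class Device:
    interfaces: List[str]
    policies: Dict[str, Policy] = field(default_factory=dict)
    # Each binding applies one rule to an interface in one direction.
    bindings: List[Tuple[str, str, str]] = field(default_factory=list)

    def apply_rule(self, rule: str, iface: str, direction: str) -> None:
        if iface not in self.interfaces or direction not in ("in", "out"):
            raise ValueError(f"invalid binding {rule} -> {iface} {direction}")
        self.bindings.append((rule, iface, direction))

    def unapplied_rules(self, policy_name: str) -> List[str]:
        """Rules not bound to any interface/direction; the policy is
        effective only when this list is empty (a configuration warning)."""
        bound = {b[0] for b in self.bindings}
        return [r.name for r in self.policies[policy_name].rules
                if r.name not in bound]

    def is_effective(self, policy_name: str) -> bool:
        return not self.unapplied_rules(policy_name)

    def rules_by_interface(self) -> Dict[Tuple[str, str], List[str]]:
        """Depict applied rules grouped by (interface, direction)."""
        view: Dict[Tuple[str, str], List[str]] = {}
        for rule, iface, direction in self.bindings:
            view.setdefault((iface, direction), []).append(rule)
        return view

# Constructed sample: a two-interface router whose firewall policy has one
# CBAC rule and two ACLs, with only two of the three rules applied so far.
firewall = Policy("fw", [Rule("inspect-tcp", "CBAC"),
                         Rule("acl-outside-in", "ACL"),
                         Rule("acl-inside-out", "ACL")])
router = Device(interfaces=["Fa0/0", "Fa0/1"], policies={"fw": firewall})
router.apply_rule("inspect-tcp", "Fa0/0", "out")
router.apply_rule("acl-outside-in", "Fa0/1", "in")
```

With the sample as built, `router.unapplied_rules("fw")` reports the ACL that has not yet been bound, and binding it makes the policy effective.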
One example is the set of policies applicable to integrated security devices, such as Cisco's integrated security routers. These security devices combine traditional device functionality with security features, e.g., firewall, virtual private network (VPN), intrusion detection system (IDS), and intrusion prevention system (IPS). Since these devices require more knowledge and skill to configure all policies correctly while ensuring their compatibility, configuring them in a network is complex. However, as these devices are becoming cheaper, novice users are increasingly configuring them themselves. The complexity of the network configuration means that novice users require assistance, in the form of a security device management mechanism, for policy configuration of integrated security devices.
One such policy management and configuration mechanism provides network topology diagrams to facilitate the configuration of various devices in a network. Network topology diagrams are commonly provided in network-based management applications. Such applications include the Cisco Secure Policy Manager (CSPM) and Cisco ConfigMaker. A network-based management application includes information about neighboring devices to help the user configure a specific device. Device management applications, however, have one or more of the following limitations.
Firstly, a device management application that is responsible for managing a single device in a network does not include information about the neighboring devices. Therefore, a network topology diagram cannot be provided in a device management application.
Secondly, device management applications display the rules of a policy in tabular form. However, it is difficult to display a policy in a table, since it may include multiple rules of different types. Also, a rule may include one or more rule entries, which are displayed as a list. Since each rule may have its own parameters and settings, different rules cannot be displayed in the same table with common columns, and a single table may not be able to present all the information to users. Therefore, this method is applicable only to simple devices or security applications, which usually require configuration of a policy with a single rule. Rules of different types may instead be displayed in different windows, each of which can only display rules of a specific type in tabular form; to view one policy, a user may need to look into several windows. Even then, rules shared between policies and incompatibilities between different policies are not effectively displayed. Consequently, there is no easy way to depict policies and rules in association with interfaces and directions. Further, the user may receive no warning when a policy has not been configured properly, and may not easily understand the complete listed information. Therefore, this method cannot be effectively applied to the management of integrated security devices, whose complex features require the configuration of multiple policies and rules on interfaces and directions.