The present invention is directed to the field of automated network security.
Network security devices provide various types of network security services to a network, such as a local area network connected to the Internet. For example, a network security device may perform access control and traffic monitoring and logging. Access control refers to the regulation of network traffic based upon its type, content, source, and/or destination. For example, access control services of a network security device can be employed to prevent email traffic from sources on the Internet from reaching computer systems inside the network other than a designated mail host computer system. Traffic monitoring and logging refers to observing network traffic, and storing important observations about the network traffic in a log. As an example, traffic monitoring and logging services of a network security device can be employed to log all unsuccessful attempts from sources on the Internet to access a server in the network containing sensitive information.
Unfortunately, in order to perform such functions, conventional network security devices generally must be configured manually, typically on-site at the location of the network. Such configuration can be extremely time-consuming. Also, because of the nature of typical configuration processes, they generally must be performed by a technical specialist whose time is both scarce and expensive. It is especially important that the configuration process be performed correctly, since misconfiguration of a security device often leaves the network that is to be protected by the security device vulnerable to attack or other abuse.
These shortcomings of conventional network security device configuration processes tend to make the installation and use of a network security device difficult and/or expensive. Accordingly, a streamlined, more highly automated configuration process that is capable of correctly configuring network security devices would make the proper use of such network security devices more accessible, and would therefore have significant utility.
The present invention provides a software facility for implementing similar network security policies across multiple networks (xe2x80x9cthe facilityxe2x80x9d). Each network is a collection of network elements, including a network security device that protects the network by implementing a network security policy (hereinafter simply xe2x80x9cpolicyxe2x80x9d) within the network. While Firebox II network security devices provided by WatchGuard Technologies, Inc., of Seattle, Wash. are suggested for use with the facility, the facility preferably also operates with other network security devices available from other sources.
The policy implemented in a particular network comprises a set of rules for managing network traffic. These rules are specified in terms of specific network elements, such as user workstations, servers, routers, and printers, that perform certain functions, or xe2x80x9croles.xe2x80x9d For example, a rule in a network security policy for a particular network may specify that all email traffic must flow through a network element having a particular network address that is specifically configured as a mail host. In a sense, these rules establish trust relationships between specific network elements, or groups thereof.
The facility preferably provides a user interface for constructing one or 25 more network security policy templates (hereinafter simply xe2x80x9ctemplatesxe2x80x9d) that can each be used to generate similar policies for any number of specific networks. A template contains rules expressed in terms of xe2x80x9caliases,xe2x80x9d rather than in terms of specific network elements. For example, a template may include a rule specifying that all email traffic must flow through a xe2x80x9cMailHostxe2x80x9d alias that is not associated with a particular network address.
To generate a policy for a particular network from a template, the facility uses a profile of the network that maps the aliases occurring in the template to specific network elements within the network. For example, the network profile for a particular network maps the xe2x80x9cMailHostxe2x80x9d alias to a particular network element of the network having a particular network address. The facility preferably provides a user interface that makes it convenient for a user to generate network profiles.
The facility uses the profile for the network to replace occurrences of aliases in the template with the addresses of the corresponding specific network elements. The facility preferably sends the resulting network-specific policy to the network security device of the network for implementation. In certain embodiments, the policy may be further modified before transmission to the networks security device.
This process can be repeated to generate policies for each of a number of other networks. At a later time, the underlying template can be revised to add or change rules. Together with the network profiles, this revised template can be used to automatically generate revised policies corresponding to the revised template for all of the networks.
The facility is especially well suited for use by Internet service providers and other organizations responsible for providing network security to a large number of networks, as it enables these organizations to configure the network security devices for additional networks at a very low cost. The facility also enables such organizations to efficiently update the configuration of a large number of operating network security devices by merely modifying and reapplying one or more templates.