Today, information security is one of the critical concerns in computer networks and services. One of the strategies for protecting IT infrastructure is implementing network and application security measures aimed at protecting networks and their resources and services from malicious attacks (e.g. theft of data, Denial of Service attacks, unauthorized modification, destruction, misuse, disclosure, etc.). Various methods have been developed for the protection of various resources and services; usually these methods include implementation of one or more security policies, or combinations and hierarchies thereof. A security policy may be enforced by various devices and/or combinations thereof (e.g. switches, routers, firewalls, VPN devices, network monitoring devices, network and data application servers, etc.).
Nowadays, a security policy may include hundreds of rules related to hundreds and even thousands of objects; such policies are, typically, dynamic and frequently changing. Keeping track of continuously evolving security policies presents an increasing challenge to security departments worldwide. The problem has been recognized in the Prior Art and various systems have been developed to provide a solution, for example:
U.S. Pat. No. 6,484,261 (Wiegel) entitled “Graphical network security policy management” discloses a method of establishing a representation of an abstract network security policy. The representation is established in the form of a decision tree that is constructed by assembling graphical symbols representing policy actions and policy conditions. A user modifies properties of the graphical symbols to create a logical representation of the policy.
U.S. Pat. No. 6,826,698 (Minkin et al.) entitled “System, method and computer program product for rule based network security policies” discloses a system, method and computer program product provided for affording network security features. A plurality of network objects are identified and rule sets associated with one or more of the identified network objects are retrieved. Each rule set includes a plurality of policy rules that govern actions relating to the identified network objects. Overlapping policy rules of the rule sets are reconciled amongst the network objects. The reconciled rule sets are executed. A computer program product and a method are also provided for establishing network security. A plurality of network objects of a network and a plurality of rule sets are provided. The network objects are associated with the rule sets. The rule sets include a plurality of policy rules that govern actions relating to the identified network objects during operation of the network.
US Patent Application No. 2002/0169975 (Good) entitled “Security policy management for network devices” discloses a system and method for use within a computer network that allows for automated provisioning, configuration, and maintenance of the servers and other devices connected to a computer network in accordance with established policies. This system and method make use of templates which represent security policies which are applicable to all devices within the system, a subset of the devices, or a particular type of device.
US Patent Application No. 2005/0278790 (Birk) entitled “System and method for using security levels to simplify security policy management” discloses a system and method for reducing the complexity and improving the performance of enforcing security restrictions on the execution of program code in a runtime environment. In a preferred embodiment, units of executable code, such as methods or functions, are classified by “security level.” Code units belonging to a “trusted” security level may call any other code unit in the runtime environment, but other security levels are restricted in the code units they can call. In a preferred embodiment, the security levels are represented by corresponding permission objects. Each permission object that is associated with a particular security level includes a numerical value that denotes that security level. Security policies can be enforced with respect to caller and callee code units by comparing numerical values of corresponding permission objects. This security level scheme also improves runtime performance by making it unnecessary to check individually-defined permissions in many cases.
US Patent Application 2005/0138416 (Quian et al.) entitled “Method for policy-based firewall service management” discloses an object model provided as a general framework for managing network services, such as firewall services. A user or an administrator of a computer may utilize the object model to manage and configure the firewall services. The object model isolates a user and/or an administrator from having to deal with the many possible issues involved in configuring the services. The object model includes two main name spaces: a policy engine platform and a policy object model. The policy engine platform is the central point for interacting with the policy for the services and the kernel components that actually perform the services. The policy object model is used to specify policies that the services support.
US Patent Application No. 2005/0257244 (Berger et al.) entitled “Method and apparatus for role-based security policy management” discloses a method and corresponding tool for security policy management in a network comprising a plurality of hosts and at least one configurable policy enforcement point. The method comprises creating one or more policy templates representing classes of usage control models within the network that are enforceable by configuration of the policy enforcement points; creating one or more policy instances, each based on one of the templates and instantiating the template for identified sets of hosts within the network to which the usage control model is to be applied; and deploying the policy instances by generating and providing one or more configuration files for provisioning corresponding policy enforcement points within the network. Access to the templates and policy instances is controlled so that the policy templates are only modifiable by a first predeterminable user group, the policy instances are only modifiable by the first or a second predeterminable user group, and the policy instances are only deployable by a third predeterminable user group.
European Patent Application 1,710,978 (Yang) entitled “Method and apparatus for reducing firewall rules” discloses a method and apparatus for reducing obsolete firewall rules by using existing network routing information as well as firewall rule configuration information to help analyze firewall access logs to identify obsolete and unused firewall rules so that these obsolete firewall rules can be removed.
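Two of the prior-art ideas above, reconciling overlapping policy rules (Minkin et al.) and identifying unused firewall rules from access logs (Yang), can be illustrated on one small first-match rule base. The following is an added example written for this page; it is not code from any of the cited patents or their assignees. The rule fields, the rule base, and the log line format are constructed for the example and do not correspond to any particular vendor. It first flags rules that an earlier rule fully covers (so no packet can ever reach them), then replays sample log lines through the rule base to count hits per rule and report rules with no hits.

```python
"""Added example: first-match firewall rule analysis (constructed data).

Two checks over a small rule base:
  * shadowed rules: a rule that can never match because an earlier rule
    already covers every packet it would match (one form of rule overlap);
  * unused rules: rules that produced no hit over a sample of access log
    lines, evaluated with first-match semantics.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str      # "allow" or "deny"
    src: str         # CIDR, or "any"
    dst: str         # CIDR, or "any"
    proto: str       # "tcp", "udp", or "any"
    ports: tuple     # (low, high) destination port range; (0, 65535) for any

    @staticmethod
    def _net(cidr):
        return ip_network("0.0.0.0/0" if cidr == "any" else cidr)

    def matches(self, src_ip, dst_ip, proto, dport):
        """True if a single connection record is matched by this rule."""
        return (ip_address(src_ip) in self._net(self.src)
                and ip_address(dst_ip) in self._net(self.dst)
                and self.proto in ("any", proto)
                and self.ports[0] <= dport <= self.ports[1])

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (self._net(other.src).subnet_of(self._net(self.src))
                and self._net(other.dst).subnet_of(self._net(self.dst))
                and self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1])


def find_shadowed_rules(rules):
    """Return (shadowed_id, shadowing_id, kind) for rules no packet can reach.

    kind is "redundant" when both rules have the same action and
    "conflicting" when the earlier rule silently overrides a different action.
    """
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                kind = "redundant" if earlier.action == later.action else "conflicting"
                shadowed.append((later.rule_id, earlier.rule_id, kind))
                break
    return shadowed


# Constructed log format: "<timestamp> <host> src=.. dst=.. proto=.. dport=.."
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")


def first_match(rules, src_ip, dst_ip, proto, dport):
    """Return the first rule that matches, or None if no rule applies."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule
    return None


def rule_hit_counts(rules, log_lines):
    """Replay connection records through the rule base; return (hits, unmatched)."""
    hits = Counter({rule.rule_id: 0 for rule in rules})
    unmatched = 0
    for line in log_lines:
        record = LOG_RE.search(line)
        if record is None:
            continue  # not a connection record (e.g. a link-state message)
        rule = first_match(rules, record["src"], record["dst"],
                           record["proto"], int(record["dport"]))
        if rule is None:
            unmatched += 1
        else:
            hits[rule.rule_id] += 1
    return hits, unmatched


def find_unused_rules(rules, log_lines):
    """Rule ids with zero hits over the sample, in rule-base order."""
    hits, _ = rule_hit_counts(rules, log_lines)
    return [rule.rule_id for rule in rules if hits[rule.rule_id] == 0]


# Constructed rule base: R2 is redundant under R1, R4 is overridden by R3.
RULES = [
    Rule("R1", "allow", "10.0.0.0/8", "192.0.2.10/32", "tcp", (443, 443)),
    Rule("R2", "allow", "10.1.0.0/16", "192.0.2.10/32", "tcp", (443, 443)),
    Rule("R3", "deny", "10.0.0.0/8", "any", "any", (0, 65535)),
    Rule("R4", "allow", "10.2.0.0/16", "192.0.2.20/32", "tcp", (22, 22)),
    Rule("R5", "allow", "172.16.0.0/12", "192.0.2.30/32", "udp", (53, 53)),
    Rule("R6", "allow", "172.16.0.0/12", "192.0.2.40/32", "tcp", (8080, 8080)),
]

# Constructed sample log lines.
LOG_LINES = [
    "2024-01-01T10:00:00Z fw01 src=10.1.5.5 dst=192.0.2.10 proto=tcp dport=443",
    "2024-01-01T10:00:01Z fw01 src=10.2.3.4 dst=192.0.2.20 proto=tcp dport=22",
    "2024-01-01T10:00:02Z fw01 src=172.16.9.9 dst=192.0.2.30 proto=udp dport=53",
    "2024-01-01T10:00:03Z fw01 src=203.0.113.7 dst=192.0.2.30 proto=udp dport=53",
    "2024-01-01T10:00:04Z fw01 link state change on eth0",
]

if __name__ == "__main__":
    print("shadowed:", find_shadowed_rules(RULES))
    print("unused:", find_unused_rules(RULES, LOG_LINES))
```

Running the two checks together separates the two reasons a rule can show no hits: R2 and R4 are unreachable by construction (R4 is a conflicting shadow, an allow that a broader deny overrides), while R6 is reachable but simply saw no traffic in the sample window. Only the second kind should be judged obsolete on log evidence, and only once the log window is long enough to cover infrequent but legitimate flows.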