This specification relates to digital data processing and, in particular, to data network security policies.
A data network allows computers and other data processing devices to exchange information. A given data network can be part of a larger data network that includes other networks, can itself include multiple networks, or both. The boundaries between networks can be defined by logical associations of data processing devices, e.g., by network (or subnetwork) address. Network boundaries are often defined by human users so that a collection of data processing devices operated by an enterprise is found within a single network, i.e., an enterprise network. A single enterprise can also operate multiple data networks. Network boundaries—within and outside of an enterprise network—can also be defined by human users in accordance with physical location or other boundaries. For example, the residential dormitories of a university may be spanned by a local area network, whereas the engineering division at different sites of a multinational corporation may be interconnected by a wide area network.
Data networks are generally secured to ensure that information on the network cannot be accessed by unauthorized individuals, that the data on the network is authentic, or both. One example of a data network security mechanism is a firewall. A firewall is a system of one or more data processing devices that secures a data network and enforces network security. The data processing devices can be implemented in hardware, in software executed on a data processing device, or in combinations thereof. Firewalls are generally positioned at the boundary of a data network or subnetwork and regulate the traffic entering and exiting the data network or subnetwork. Firewalls regulate this traffic in accordance with a set of rules that have been specified in advance, e.g., by a network security administrator. This set of rules—also referred to as a firewall's policy—can include filtering rules that describe how traffic exchanged with the data network or subnetwork is to be filtered.
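The following is an added illustration, not part of this specification, of the two ideas above: a network boundary defined by subnetwork address, and a firewall at that boundary applying an ordered policy of filtering rules to traffic entering and exiting it. The subnet, rule fields, and sample policy are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One filtering rule of the policy. First matching rule decides."""
    action: str                  # "allow" or "deny"
    direction: str               # "in" = entering the subnet, "out" = exiting it
    src: str = "0.0.0.0/0"       # source prefix (CIDR); default matches any
    dst: str = "0.0.0.0/0"       # destination prefix (CIDR)
    dport: Optional[int] = None  # None matches any destination port
    proto: str = "any"           # "tcp", "udp", or "any"

    def matches(self, direction, src, dst, dport, proto):
        return (self.direction == direction
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport)
                and (self.proto == "any" or self.proto == proto))

class Firewall:
    """Positioned at the boundary of `protected`; regulates traffic crossing it."""
    def __init__(self, protected, rules, default="deny"):
        self.protected = ip_network(protected)  # boundary defined by subnet address
        self.rules = list(rules)                # ordered policy specified in advance
        self.default = default                  # applied when no rule matches

    def direction(self, src, dst):
        s = ip_address(src) in self.protected
        d = ip_address(dst) in self.protected
        if s and not d:
            return "out"
        if d and not s:
            return "in"
        return None  # traffic does not cross the boundary; firewall is not consulted

    def decide(self, src, dst, dport, proto="tcp"):
        direction = self.direction(src, dst)
        if direction is None:
            return "not-filtered"
        for rule in self.rules:  # evaluated in order; rule order is part of the policy
            if rule.matches(direction, src, dst, dport, proto):
                return rule.action
        return self.default

# Constructed sample policy for a hypothetical enterprise subnet 10.0.0.0/16:
POLICY = [
    Rule("deny", "in", src="192.0.2.0/24"),                          # blocked source prefix
    Rule("allow", "in", dst="10.0.1.10/32", dport=443, proto="tcp"),  # HTTPS to one server
    Rule("allow", "out"),                                            # all outbound permitted
]
fw = Firewall("10.0.0.0/16", POLICY)
```

Because the blocked prefix rule precedes the HTTPS rule, a client in 192.0.2.0/24 is denied even for port 443; swapping the two rules would change that outcome, which is why rule order belongs to the policy.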