A computer network typically includes a collection of interconnected computing devices that exchange data and share resources. The devices may include, for example, web servers, database servers, file servers, routers, printers, end-user computers and other devices. The variety of devices may execute a myriad of different services and communication protocols. Each of the different services and communication protocols exposes the network to different security vulnerabilities.
Due to increasing reliance on network-accessible computers, network security has become a major issue for organizations and individuals. To help ensure security of their computers, organizations and individuals may install security devices between public networks and their private networks. Such security devices may prevent unwanted or malicious information from the public network from affecting devices in the private network.
Example security devices include firewalls, intrusion detection and prevention (“IDP”) devices, and Secure Sockets Layer (SSL) virtual private network (VPN) devices. Typically, these devices reside at an edge of a network and are statically configured or provisioned to apply the security policies of an organization or individual. When an organization deploys multiple security devices to protect computing devices located at various office locations, for example, an administrator typically has to design separate security policies for the different subnets at those office locations. Furthermore, each security device must be individually configured or provisioned to apply the security policies. As the number of deployed security devices increases, both the likelihood that the administrator will make a configuration error and the amount of administrator time required to configure the security devices increase.
By grouping the security devices, an administrator may statically configure or provision multiple security devices with the same configuration information more quickly and reliably. However, the administrator must have knowledge of the network design and must determine which security devices need to be configured in order to protect particular network resources located within a private network or to protect network traffic traveling between private networks. Furthermore, if a client device moves to a different location such as a different private network, the administrator must determine which security devices are affected and reconfigure those security devices.