Many computing devices are difficult to configure. For example, the configuration of integrated network security systems is complex. To configure these devices, one must understand the configuration and interrelation of network elements that enforce security policies, such as routers, switches, firewalls, virtual private networks (VPN), and Intrusion Detection Systems (IDS).
One approach to configuring these complex systems is to manually configure each device using command-line interface (CLI) commands that are entered using a terminal interface or packaged in a configuration file on each device. In this approach, multiple configuration parameter values are needed to fully specify the configuration for the device. The configuration parameter values are specified using key-value pairs. The problem with this approach is that much expertise is needed by the party configuring the device, e.g. knowing what the appropriate keys and values are for the desired configuration. Another problem with this approach is that it is difficult to compare the configuration of a device to another configuration or to analyze the configuration with respect to a set of best-practice configuration rules. A third problem with the approach is that it does not give an overview summary of the entire security configuration. Still another problem is that the correct configuration must be applied to multiple devices that cooperate to enforce security.
A second approach to configuring complex devices is to use a network management system having a graphical user interface (GUI). For a given feature, the user will go to a fixed location on the interface to configure each aspect of the device. One problem with this approach is that the operator configuring the device needs expertise to know where to navigate. Another problem with this approach is that it is difficult to compare the configuration to another configuration or to analyze the configuration with respect to a set of best-practice configuration rules. Still another problem is that the correct configuration must be applied to multiple devices that cooperate to enforce security. The approach also does not give an overview or summary of the entire security configuration.
A third approach to configuring complex devices is to use a wizard. In using a wizard, an operator is provided a series of steps for configuring the device. The approach overcomes the need for a priori knowledge of key-value configuration parameters and knowledge of parameter specification locations in a GUI. A problem with the approach is that the number of steps in the wizard is proportional to the number of parameters that need to be configured. In a complex system with many parameters, therefore, the number of steps in the wizard will be many and, therefore, using the wizard will be inefficient. Another problem with this approach is that it is difficult to compare the configuration to another configuration or to analyze the configuration with respect to a set of best-practice configuration rules. The approach also does not give an overview summary of the entire security configuration.
A fourth approach to configuring complex devices is using an assessment tool, such as a Router Assessment Tool (RAT). A RAT tool is typically implemented with a web server to which an operator uploads a configuration file via a web page. The RAT tool then returns a web page containing a comparison of the uploaded configuration file to a second configuration file stored on the RAT tool. A problem with the approach is that the page returned from the RAT tool needs to be interpreted by a human operator and implemented as changes in the local configuration file. In some instances, the output of the RAT tool includes human-readable warnings about certain parameters, in which case operator expertise is needed to understand and correct the parameters in the configuration file associated with the warning. For example, if the output reads “Password not set”, the operator must be able to find in the file where to set the password and know the proper syntax to set the password. In other cases, where the RAT tool outputs a suggested line to add to the configuration file, the operator must cut and paste the suggested line into the configuration file. The manual cut and paste step is time consuming and can lead to operator error. Another problem with the approach is that it does not give an overview summary of the entire security configuration.
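As an added illustration of the assessment-tool approach just described (example code, not from the application; every key, rule, warning and the sample configuration is constructed), the following Python routine parses a key-value configuration, compares it with a stored baseline, emits the human-readable warning together with the line to add, and writes concrete suggested lines back so that only a secret the tool cannot know is left for the operator.

```python
# Added example (constructed, not from the application): a small assessor in the
# "RAT tool" style that compares a key-value configuration with a stored baseline.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    key: str
    warning: str          # human-readable text, e.g. "Password not set"
    suggested_line: str   # the line the operator would otherwise cut and paste


def parse_config(text: str) -> dict:
    """Parse 'key value' lines into a dict; blank lines and '!' comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg


# Constructed baseline: key -> (required value, or None for "any non-empty value", warning).
BASELINE = {
    "enable-secret": (None, "Password not set"),
    "ssh-version": ("2", "SSH version 1 allowed"),
    "http-server": ("disabled", "Plain HTTP management enabled"),
}


def assess(config_text: str, baseline: dict = BASELINE) -> list:
    """Return one Finding per baseline rule the configuration fails."""
    cfg = parse_config(config_text)
    findings = []
    for key, (required, warning) in baseline.items():
        actual = cfg.get(key, "")
        passed = bool(actual) if required is None else actual == required
        if not passed:
            # A secret cannot be suggested, so the fix line carries a placeholder.
            findings.append(Finding(key, warning, f"{key} {required or '<operator-supplied>'}"))
    return findings


def apply_findings(config_text: str, findings: list) -> str:
    """Write concrete suggested lines into the config; placeholder lines stay for the operator."""
    cfg = parse_config(config_text)
    for f in findings:
        key, _, value = f.suggested_line.partition(" ")
        if not value.startswith("<"):
            cfg[key] = value
    return "\n".join(f"{k} {v}" for k, v in cfg.items())


SAMPLE_CONFIG = "! constructed device config\nhostname edge-fw-1\nssh-version 1\nhttp-server enabled\n"
```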
Therefore, it is clearly desirable to have techniques for configuring a device that overcome the problems of needing expertise in the process of configuring the device; not being able to analyze the configuration with respect to sets of configuration information; not being able to view an overview of the configuration; needing to cut and paste configuration information; and requiring the expertise needed to interpret human-readable instructions on how to modify the configuration manually. Furthermore, it is clearly desirable to have such techniques for configuring security devices in particular, since these devices are especially complicated and any error in configuration could have serious consequences, including opening security vulnerabilities.
The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.