Security policy unification across different security products

    Publication number: US10116702B2

    Publication date: 2018-10-30

    Application number: US15498927

    Application date: 2017-04-27

    Abstract: A management entity generates for display multiple icons, each icon representing an actor or a resource in a networking environment, and defines a generic security policy by receiving user input in the form of a line drawn between a first icon representing an actor and a second icon representing a resource to control abilities between the actor and the resource. The management entity translates the generic security policy to multiple native security policies each of which is based on a corresponding one of multiple native policy models associated with corresponding ones of multiple security devices, and supplies data descriptive of the multiple native security policies to the corresponding ones of the security devices to configure the corresponding ones of the security devices to implement the native security policies.

    Policy block creation with context-sensitive policy line classification

    Publication number: US09992232B2

    Publication date: 2018-06-05

    Application number: US15131604

    Application date: 2016-04-18

    CPC classification number: H04L63/20 H04L41/0893 H04L63/0263

    Abstract: Presented herein are techniques for creating a policy block comprised of a group of lines of rules/statements across configuration files for network devices. An algorithm is provided that determines when multiple policies are to be merged together into one policy. In one embodiment, data is uploaded from a network that includes a plurality of network devices. The data represents policy rules configured on the plurality of network devices. The data representing the policy rules is compared for similarities in order to group together policy rules based on their similarities. Data is stored representing a plurality of clusters, each cluster representing a group of policy rules that have been grouped together. One or more configuration policies are generated to be applied across the plurality of network devices using the data representing each of the plurality of clusters, while maintaining context of policy rule processing.

    4. Generalized security policy user interface
    Type: granted invention patent. Status: in force.

    Publication number: US09521167B2

    Publication date: 2016-12-13

    Application number: US14600548

    Application date: 2015-01-20

    CPC classification number: H04L63/20 H04L63/10

    Abstract: A management entity displays a plurality of icons, each icon representing an actor or a resource in a networking environment. The management entity defines security policy by receiving user input in the form of lines drawn between icons representing actors and resources to control abilities between actors and resources.

    6. OBJECT-RELATION USER INTERFACE FOR VIEWING SECURITY CONFIGURATIONS OF NETWORK SECURITY DEVICES
    Type: invention patent application. Status: in force.

    Publication number: US20170054757A1

    Publication date: 2017-02-23

    Application number: US14976338

    Application date: 2015-12-21

    Abstract: In a computer implemented method, selectable device icons that represent respective network security devices are generated for display. Responsive to a selection of one of the device icons, selectable interface icons that represent respective network interfaces used by the network security device represented by the selected device icon are generated for display. Responsive to a selection of one of the interface icons, selectable policy icons that represent respective security policies applied to the network interface represented by the selected interface icon are generated for display. Responsive to a selection of one of the policy icons, selectable object group icons that represent respective groups of security rule objects used in the network security policy represented by the selected policy icon are generated for display.

    7. Creation of security policy templates and security policies based on the templates
    Type: granted invention patent. Status: in force.

    Publication number: US09571524B2

    Publication date: 2017-02-14

    Application number: US14600473

    Application date: 2015-01-20

    Abstract: A management entity generates selectable security policy classifications each identifying security policies that share common security rules. Each of the security policies is applied by a corresponding one of different security devices to control access to a resource. The management entity creates a new policy template that includes all of the security policies identified by selected ones of the policy classification selections and then creates a new security policy based on the new policy template. The management entity applies the new security policy to a security device over a network.

    8. Determining Similarity Between Security Rules Based On Weighted Comparisons Of Their Rule Parameters
    Type: invention patent application. Status: under examination, published.

    Publication number: US20160344738A1

    Publication date: 2016-11-24

    Application number: US14807120

    Application date: 2015-07-23

    CPC classification number: H04L63/101 H04L63/0263 H04L63/20

    Abstract: First and second security rules are accessed in a configuration file. Comparison points for comparing the first and second security rules are determined. Each comparison point identifies respective rule parameters of the first and second security rules. Respective weights are assigned to the comparison points. For each comparison point, the respective rule parameters are compared against each other to produce a corresponding comparison score indicative of a level of similarity. Each comparison score is weighted by the weight assigned to the comparison point corresponding to the comparison score. The weighted comparison scores are combined into a total score indicative of an overall level of similarity between the first and second security rules.

    9. GENERALIZED SECURITY POLICY USER INTERFACE
    Type: invention patent application. Status: in force.

    Publication number: US20160212170A1

    Publication date: 2016-07-21

    Application number: US14600548

    Application date: 2015-01-20

    CPC classification number: H04L63/20 H04L63/10

    Abstract: A management entity displays a plurality of icons, each icon representing an actor or a resource in a networking environment. The management entity defines security policy by receiving user input in the form of lines drawn between icons representing actors and resources to control abilities between actors and resources.

    10. CLASSIFICATION OF SECURITY POLICIES ACROSS MULTIPLE SECURITY PRODUCTS
    Type: invention patent application. Status: in force.

    Publication number: US20160212167A1

    Publication date: 2016-07-21

    Application number: US14600436

    Application date: 2015-01-20

    Abstract: A management entity connects with multiple security devices across a network. Each security device operates in accordance with one or more security policies. The management entity imports, over the network, data describing the security policies from the multiple security devices. The management entity classifies the imported security policies into security policy classifications based on commonality in information included in the security policies across the multiple security devices.
