Generalized network security policy templates for implementing similar network security policies across multiple networks

Abstract

The present invention is directed to a facility for adapting a network security policy model for use in a particular network. The facility retrieves the network security policy model, which comprises network security rules each specified with respect to one or more aliases. Each alias represents a role in a network for one or more network elements. The facility receives, for each alias included in the network security policy model, a list of one or more network elements in the network serving the role represented by the alias. The facility replaces each alias in the network security policy model with the received list of network security devices specified for the alias to produce a network security policy adapted for use in a network.

Description

TECHNICAL FIELD The present invention is directed to the field of automated network security. BACKGROUND OF THE INVENTION Network security devices provide various types of network security services to a network, such as a local area network connected to the Internet. For example, a network security device may perform access control and traffic monitoring and logging. Access control refers to the regulation of network traffic based upon its type, content, source, and / or destination. For example, access control services of a network security device can be employed to prevent email traffic from sources on the Internet from reaching computer systems inside the network other than a designated mail host computer system. Traffic monitoring and logging refers to observing network traffic, and storing important observations about the network traffic in a log. As an example, traffic monitoring and logging services of a network security device can be employed to log all unsuccessful attempts...

AI Technical Summary

Benefits of technology

The facility is especially well suited for use by Internet service providers and other organizations responsible for providing network security to a large number of networks, as it enables these organizations to configure the network security devices for additional networks at a very low cost. The facility also enables such organizations to efficiently update the configuration of a large number of operating network security devices by merely modifying and reapplying one or more templates.

Problems solved by technology

Unfortunately, in order to perform such functions, conventional network security devices generally must be configured manually, typically on-site at the location of the network.

Such configuration can be extremely time-consuming.

Also, because of the nature of typical configuration processes, they generally must be performed by a technical specialist whose time is both scarce and expensive.

These shortcomings of conventional network security device configuration processes tend to make the installation and use of a network security device difficult and / or expensive.

Images