
PACKET FLOW DRIVEN SECURITY CONFIGURATION

IP.com Disclosure Number: IPCOM000249759D
Publication Date: 2017-Mar-31
Document File: 4 page(s) / 259K

Publishing Venue

The IP.com Prior Art Database

Related People

Ted Bedwell: AUTHOR [+3]

Abstract

A visual navigational element represents the complex set of security policies managed by a next generation firewall. This graphical tool aims to alleviate user confusion related to order of operations, policy intent, current activation state, policy scoping, and workflow continuity.

This text was extracted from a PDF file. This is the abbreviated version, containing approximately 48% of the total text.

Copyright 2017 Cisco Systems, Inc.

AUTHORS: Ted Bedwell, Andrew Williams, Hiral Vora

CISCO SYSTEMS, INC.


DETAILED DESCRIPTION

Modern next generation firewalls have the potential to inspect traffic passing through them in many different ways. In practice, each of these detection technologies may often be configured independently of one another. Users often lack understanding as to how these disparate detection technologies may be sequenced, interact with one another, and affect the traffic flowing through the device. This is a constant source of user uncertainty and confusion.

As such, a next generation firewall provides the following disparate security policies that may or may not be enabled by the administrator of the system:

• Security intelligence: Internet Protocol / Uniform Resource Locator / Domain Name Servers

• Traffic decrypt

• Encapsulated traffic (tunnel) handling

• Malware identification

• Intrusion prevention

• Identity/authentication

A visual navigational element serves a number of key purposes in order to address the confusion engendered by today's complex security offerings.


1. Order of Operations

In many cases the order in which the different security policies should be applied to traffic passing through the next generation firewall is unclear. This may lead to ineffective policy authoring and/or unexpected results from applied policies. The new visual navigational element of the policies may be constructed to graphically represent the order in which the policies are to evaluate packets.

2. Policy Intent

Because there are so many different policies, users often do not understand why one particular policy is preferable over another. Understanding both the ordering and the intent of the policy may be another key capability provided by this navigational element. For example, contextual information may be exposed to the user when the user selects the graphical entities representing each policy type.

3. Policy State

Users are also frequently confused about which policies are currently being applied to their traffic. Simply determining which security policies are currently enabled for a given firewall often requires navigating the disparate policies. In addition, the user may be required to remember which options are on and which options are off. By providing state information within the visual navigation element, a holistic view of the system state may be communicated to these users.

4. Policy Scoping

The various policies are bound to the central access policy within the system. However, some policies are "global" in nature, while others are applied at a per rule level. ...
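The four capabilities above (evaluation order, intent on selection, activation state, and global versus per-rule scope) can be made concrete with a small model of the policy chain. The following Python is an added example written for this page; it is not code from the disclosure or from Cisco. Everything in it is an assumption chosen for illustration: the evaluation order of the six policies (the disclosure lists them but does not say in which order the firewall applies them), the scope assigned to each, the intent text, and the placeholder block list, hash and signature data. The walk of a constructed packet through the chain shows the order-of-operations effect the text describes: a malware check placed after the decrypt stage only sees plaintext if decrypt is enabled, so turning decrypt off silently changes the verdict of a later stage.

```python
# Added example (not from the disclosure): an ordered firewall policy chain
# carrying per-policy enabled state, intent text and scope (global/per-rule),
# plus a walk of a constructed packet through the chain in evaluation order.
# Order, scopes, block list, hashes and signatures are illustrative assumptions.
import hashlib
from dataclasses import dataclass, replace
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    encrypted: bool   # True until the decrypt stage has processed the packet
    payload: bytes

# A stage returns (verdict, packet): "block" ends the walk, "pass" continues.
# Stages may rewrite the packet (decrypt, de-encapsulate) for later stages.
Result = Tuple[str, Packet]

@dataclass
class Policy:
    name: str
    intent: str                           # contextual text exposed on selection
    scope: str                            # "global" or "per-rule"
    enabled: bool                         # current activation state
    evaluate: Callable[[Packet], Result]

# Constructed reference data (placeholders, not real indicators).
BLOCKED_IPS = {"203.0.113.9"}
KNOWN_BAD_SHA256 = {hashlib.sha256(b"CONSTRUCTED-MALWARE-SAMPLE").hexdigest()}
IPS_SIGNATURES = [b"../../"]
AUTHENTICATED_HOSTS = {"192.0.2.10": "alice"}
ENCAP_PREFIX = b"ENCAP:"   # stand-in for a tunnel header

def security_intelligence(p: Packet) -> Result:
    return ("block" if p.dst_ip in BLOCKED_IPS else "pass", p)

def traffic_decrypt(p: Packet) -> Result:
    # Models interception: later stages only see plaintext if this stage ran.
    return ("pass", replace(p, encrypted=False))

def tunnel_handling(p: Packet) -> Result:
    if p.payload.startswith(ENCAP_PREFIX):
        return ("pass", replace(p, payload=p.payload[len(ENCAP_PREFIX):]))
    return ("pass", p)

def malware_identification(p: Packet) -> Result:
    if p.encrypted:            # ciphertext cannot be matched against file hashes
        return ("pass", p)
    digest = hashlib.sha256(p.payload).hexdigest()
    return ("block" if digest in KNOWN_BAD_SHA256 else "pass", p)

def intrusion_prevention(p: Packet) -> Result:
    if p.encrypted:
        return ("pass", p)
    return ("block" if any(s in p.payload for s in IPS_SIGNATURES) else "pass", p)

def identity_authentication(p: Packet) -> Result:
    return ("pass" if p.src_ip in AUTHENTICATED_HOSTS else "block", p)

def build_chain() -> List[Policy]:
    """Assumed evaluation order; the disclosure does not state the real one."""
    return [
        Policy("Security intelligence", "Drop known-bad IP/URL/DNS before deeper inspection", "global", True, security_intelligence),
        Policy("Traffic decrypt", "Expose plaintext to the inspection stages that follow", "per-rule", True, traffic_decrypt),
        Policy("Encapsulated traffic handling", "Unwrap tunnels so inner traffic is inspected", "global", True, tunnel_handling),
        Policy("Malware identification", "Match content against known-bad file hashes", "per-rule", True, malware_identification),
        Policy("Intrusion prevention", "Match payload against attack signatures", "per-rule", True, intrusion_prevention),
        Policy("Identity/authentication", "Require an authenticated user for the flow", "global", True, identity_authentication),
    ]

def set_enabled(chain: List[Policy], name: str, enabled: bool) -> None:
    for pol in chain:
        if pol.name == name:
            pol.enabled = enabled

def render(chain: List[Policy]) -> List[str]:
    """One line per stage in evaluation order with state, scope and intent:
    the textual equivalent of the visual navigational element."""
    return [f"{i}. [{'ON ' if pol.enabled else 'OFF'}] {pol.name} ({pol.scope}): {pol.intent}"
            for i, pol in enumerate(chain, 1)]

def walk(chain: List[Policy], packet: Packet) -> Tuple[str, List[Tuple[str, str]]]:
    """Run the packet through every enabled stage in order. Returns the final
    verdict and a (stage, verdict) trace showing which stage decided."""
    trace = []
    for pol in chain:
        if not pol.enabled:
            trace.append((pol.name, "skipped"))
            continue
        verdict, packet = pol.evaluate(packet)
        trace.append((pol.name, verdict))
        if verdict == "block":
            return "block", trace
    return "allow", trace

if __name__ == "__main__":
    chain = build_chain()
    print("\n".join(render(chain)))
    pkt = Packet("192.0.2.10", "198.51.100.5", True, b"CONSTRUCTED-MALWARE-SAMPLE")
    print(walk(chain, pkt))              # blocked at Malware identification
    set_enabled(chain, "Traffic decrypt", False)
    print(walk(chain, pkt))              # allowed: the malware stage never saw plaintext
```

The `render` output is what a navigational element would draw: position in the chain, on/off state, scope and intent in one view, so an administrator does not have to visit each policy page to reconstruct them. The `walk` trace is the companion view for a single flow: it records which stages were skipped because they were disabled and which stage produced the verdict, which is exactly the information the "Policy State" and "Order of Operations" sections say users currently have to hold in their heads.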