Claims
- 1. A method for implementing an associative policy, the method comprising:
providing a policy on a policy server, the policy having a service definition that contains first and second relational components; providing first and second network entities; operatively coupling the first and second network entities to the policy server; dynamically associating the first network entity with the second network entity, wherein such associating includes
binding the first relational component of the service definition in the policy to the first network entity, and binding the second relational component of the service definition in the policy to the second network entity; and enforcing the policy on the first and second network entities.
- 2. The method of claim 1, wherein providing a policy on a policy server includes providing a security policy on a policy server.
- 3. The method of claim 1, wherein providing a policy on a policy server includes providing a policy having a service definition that contains first and second relational components, and wherein the service definition corresponds to an email service, a sales service, a network basic input/output system (NetBIOS) service, or a web service.
- 4. The method of claim 1, wherein providing a policy on a policy server includes providing a policy having a service definition that contains first and second relational components, and wherein each of the first and second relational components includes one or more packet filtering rulesets.
- 5. The method of claim 1, wherein providing a policy having a service definition that contains first and second relational components includes providing a policy having a service definition that includes a client relational component and a server relational component, and wherein providing first and second network entities includes providing a server device and a client device.
- 6. The method of claim 1, wherein providing first and second network entities includes providing first and second network entities selected from a group consisting of devices, users, and software packages.
- 7. The method of claim 1, wherein providing first and second network entities includes providing first and second members of a virtual private group (VPG) or a virtual private network (VPN).
- 8. The method of claim 1, wherein providing first and second network entities includes providing a first member of a first VPG and a second member of a second VPG.
- 9. The method of claim 1, wherein providing first and second network entities includes providing first and second network entities that are associated with one or more device sets.
- 10. The method of claim 1, wherein providing first and second network entities includes providing first and second network entities having Internet Protocol (IP) addresses that are assigned according to the Dynamic Host Configuration Protocol (DHCP).
- 11. The method of claim 1, wherein providing first and second network entities includes providing first and second network entities that each include a network interface device for managing an embedded firewall.
- 12. The method of claim 1, wherein operatively coupling the first and second network entities to the policy server includes sending the Internet Protocol (IP) addresses of the first and second network entities to the policy server.
- 13. The method of claim 1, wherein operatively coupling the first and second network entities to the policy server includes:
binding a first user to the first network entity, the first user being associated with a first role; binding a second user to the second network entity, the second user being associated with a second role; identifying a first Internet Protocol (IP) address of the first network entity; identifying a second IP address of the second network entity; sending the first role and first IP address information to the policy server; and sending the second role and second IP address information to the policy server.
- 14. The method of claim 1, wherein binding the first relational component of the service definition in the policy to the first network entity includes sending the first relational component of the service definition in the policy to the first network entity.
- 15. The method of claim 1, wherein binding the second relational component of the service definition in the policy to the second network entity includes sending the second relational component of the service definition in the policy to the second network entity.
- 16. A method for managing an associative policy on a policy server, the method comprising:
providing a policy having a service definition, wherein the service definition has one or more rulesets that each contain one or more placeholders; specifying a role associated with each ruleset; operatively coupling one or more devices to the policy server; and upon such coupling,
converting the policy into one or more device policies by inserting device information into the placeholders for each ruleset, and distributing the device policies to the corresponding devices.
- 17. The method of claim 16, wherein providing a policy having a service definition includes providing a security policy having a service definition.
- 18. The method of claim 16, wherein providing a policy having a service definition includes providing a policy having a service definition, wherein the service definition has one or more rulesets, and wherein each ruleset includes one or more packet filtering rules.
- 19. The method of claim 16, wherein providing a policy having a service definition includes providing a policy having a service definition, wherein the service definition has one or more rulesets that each contain one or more producer or consumer placeholders.
- 20. The method of claim 16, wherein specifying a role associated with each ruleset includes specifying a role selected from a group consisting of a client role, a server role, a peer-to-peer role, and a single-ended role.
- 21. The method of claim 16, wherein operatively coupling one or more devices to the policy server includes operatively coupling one or more devices that are members of a virtual private group (VPG) or a virtual private network (VPN) to the policy server.
- 22. The method of claim 16, wherein operatively coupling one or more devices to the policy server includes operatively coupling first and second devices to the policy server, wherein the first device is a member of a first VPG, and wherein the second device is a member of a second VPG.
- 23. The method of claim 16, wherein operatively coupling one or more devices to the policy server includes operatively coupling one or more devices having Internet Protocol (IP) addresses to the policy server, and wherein the device IP addresses are assigned according to the Dynamic Host Configuration Protocol (DHCP).
- 24. The method of claim 16, wherein operatively coupling one or more devices to the policy server includes operatively coupling one or more wireless devices to the policy server.
- 25. A computer-implemented method on a policy server, the method comprising:
providing a master policy on the policy server, the master policy having a first component and a second component; binding the policy server to a first device to obtain information about the first device; binding the policy server to a second device to obtain information about the second device; creating a first policy on the policy server using the first component of the master policy and the information about the second device; creating a second policy on the policy server using the second component of the master policy and the information about the first device; sending the first policy to the first device; and sending the second policy to the second device.
- 26. The computer-implemented method of claim 25, wherein:
binding the policy server to a first device to obtain information about the first device includes binding the policy server to a client device to obtain information about the client device; and binding the policy server to a second device to obtain information about the second device includes binding the policy server to a server device to obtain information about the server device.
- 27. The computer-implemented method of claim 25, wherein providing a master policy on the policy server includes providing a master security policy on the policy server.
- 28. The computer-implemented method of claim 25, wherein binding the policy server to a first device to obtain information about the first device includes obtaining Internet Protocol (IP) address information about the first device.
- 29. The computer-implemented method of claim 25, wherein binding the policy server to a second device to obtain information about the second device includes obtaining IP address information about the second device.
- 30. The computer-implemented method of claim 25, wherein the master policy further includes a third component, and wherein the method further comprises:
binding the policy server to a third device to obtain information about the third device; creating a third policy on the policy server using the third component of the master policy and the information about the first and second devices; and sending the third policy to the third device, wherein the first, second, and third devices are peer-to-peer devices.
- 31. A computer-implemented method on a client, the method comprising:
obtaining boot information for the client; obtaining role information for a user on the client; sending the boot information and the role information to a policy server; obtaining a client-specific security policy from the policy server; and enforcing the client-specific security policy on the client, wherein the client-specific security policy includes security information about a server that is associated with the client, and wherein the security information is based on boot information and role information for the server.
- 32. The computer-implemented method of claim 31, wherein obtaining boot information for the client includes obtaining an Internet Protocol (IP) address of the client.
- 33. The computer-implemented method of claim 32, wherein obtaining an IP address of the client includes obtaining an IP address of the client that has been assigned using the Dynamic Host Configuration Protocol (DHCP).
- 34. The computer-implemented method of claim 31, wherein the method further comprises authenticating the role information for the user on the client.
- 35. A system, comprising:
a network; a first network entity coupled to the network; a second network entity coupled to the network; and a policy server coupled to the network, the policy server having a security policy that includes a first set of rules and a second set of rules, each of the sets of rules having one or more placeholders, wherein the policy server is operable to:
convert the security policy into a first entity policy by inserting entity information for the second network entity into the placeholders of the first set of rules; convert the security policy into a second entity policy by inserting entity information for the first network entity into the placeholders of the second set of rules; send the first entity policy to the first network entity; and send the second entity policy to the second network entity.
- 36. The system of claim 35, wherein the first network entity includes a first computer and a first network interface device, and wherein the second network entity includes a second computer and a second network interface device.
- 37. The system of claim 36, wherein the first and second network interface devices each include an embedded firewall for authorizing data packets.
- 38. The system of claim 35, wherein the first network entity includes a first computer having a first software component, and wherein the second network entity includes a second computer having a second software component.
- 39. A policy server, comprising:
a master security policy having a client component and a server component; an interface to couple the policy server with a server device and a client device; and wherein the policy server is operable to:
obtain server information about the server device; obtain client information about the client device; create a client policy using the client component of the master security policy and the server information; create a server policy using the server component of the master security policy and the client information; send the client policy to the client device; and send the server policy to the server device.
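The mechanism common to claims 16, 25, 35 and 39 is a master policy whose role-specific rulesets carry placeholders, which the policy server fills with the peer entity's information at bind time and then distributes as per-device policies. The following Python model is an added example written for this page; it is not code from the patent or from any product. The placeholder syntax (`{peer_ip}`, `{own_ip}`), the packet-filter rule wording, the entity names and IP addresses, and the trailing default-deny rule are all constructed assumptions. It also covers the peer-to-peer role of claim 30 by treating every other peer-role entity as a peer, and shows that re-binding an entity with a new DHCP address (claims 10 and 23) regenerates the policies of the entities associated with it.

```python
"""Associative policy server model: a master policy with per-role rulesets whose
placeholders are filled with the *peer* entity's information when entities bind.
Constructed example; rule syntax and placeholder names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Entity:
    name: str
    role: str   # "client", "server" or "peer"
    ip: str     # assumed DHCP-assigned, so it may change on a later re-bind


@dataclass
class Ruleset:
    # Packet-filtering rules with placeholders (relational component of a service)
    rules: List[str]


@dataclass
class ServiceDefinition:
    name: str
    components: Dict[str, Ruleset]   # role -> relational component


@dataclass
class PolicyServer:
    master: List[ServiceDefinition]
    entities: Dict[str, Entity] = field(default_factory=dict)

    def bind(self, entity: Entity) -> None:
        """Claims 12/13: an entity sends its role and IP to the server.
        Binding the same name again replaces the stored IP (DHCP re-lease)."""
        self.entities[entity.name] = entity

    def peers_of(self, me: Entity) -> List[Entity]:
        """Entities whose information is inserted into this entity's rules."""
        others = [e for e in self.entities.values() if e.name != me.name]
        if me.role == "peer":
            return [e for e in others if e.role == "peer"]       # claim 30
        return [e for e in others if e.role not in (me.role, "peer")]

    def device_policy(self, name: str) -> List[str]:
        """Claims 16/25: convert the master policy into one device policy by
        inserting the peer's information into this entity's role component."""
        me = self.entities[name]
        rules: List[str] = []
        for svc in self.master:
            component = svc.components.get(me.role)
            if component is None:
                continue   # this entity plays no role in that service
            for peer in self.peers_of(me):
                for rule in component.rules:
                    rules.append(rule.format(service=svc.name,
                                             own_ip=me.ip, peer_ip=peer.ip))
        rules.append("deny any any")   # assumed default-deny backstop
        return rules

    def distribute(self) -> Dict[str, List[str]]:
        """Claim 16: device policies keyed by the entity they are sent to."""
        return {n: self.device_policy(n) for n in self.entities}


# Constructed master policy: one "web" service with a client and a server component.
MASTER = [
    ServiceDefinition("web", {
        "client": Ruleset(["permit tcp out from {own_ip} to {peer_ip} dport 80"]),
        "server": Ruleset(["permit tcp in from {peer_ip} to {own_ip} dport 80"]),
    }),
]


def demo() -> Dict[str, List[str]]:
    """Bind a client and a server, then re-bind the server with a new address."""
    ps = PolicyServer(MASTER)
    ps.bind(Entity("c1", "client", "10.0.0.5"))
    ps.bind(Entity("s1", "server", "10.0.0.10"))
    first = ps.distribute()
    ps.bind(Entity("s1", "server", "10.0.0.20"))   # DHCP handed out a new lease
    second = ps.distribute()
    return {"before": first, "after": second}


if __name__ == "__main__":
    for stage, policies in demo().items():
        print(stage)
        for device, rules in policies.items():
            print(" ", device, rules)
```

The security-relevant property this makes visible is that neither device ever holds the whole master policy: each receives only the rules for its own role, already narrowed to the peer addresses the server currently knows. A stale binding therefore fails closed (the old address simply stops matching), which is why the re-bind path matters as much as the initial distribution.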
RELATED CO-PENDING APPLICATION
[0001] This application is related to co-pending patent application Ser. No. 10/234,223, filed Sep. 4, 2002 (Attorney docket 105.188US1).