Identifying and providing network application security policies governing connections to and from hosts in a network

US11178187B2 · US · B2

Patent metadata
Publication number: US-11178187-B2
Application number: US-202016898997-A
Country: US
Kind code: B2
Filing date: Jun 11, 2020
Priority date: Jun 11, 2019
Publication date: Nov 16, 2021
Grant date: Nov 16, 2021

Abstract

Official abstract text for this publication.

A computer system automatically generates a proposal for network application security policies to be applied on a telecommunications network. The system provides output representing the proposed network application security policies to a user. The user provides input either approving or disapproving of the network application security policies. If the user approves, then the system applies the proposed microsegmentation. This process may be repeated for a plurality of hosts and subsets thereof within the same network, and may be repeated over time to modify one or more existing network application security policies. The network application security policies govern inbound and outbound connections to the hosts in the network.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for use with a telecommunications network, the telecommunications network including a plurality of hosts, the method performed by at least one computer processor executing computer program instructions stored on at least one non-transitory computer-readable medium, the method comprising:
  (1) identifying a first functional component in the telecommunication network, wherein the first functional component comprises a first subset of the plurality of hosts, wherein hosts in the first subset satisfy a similarity criterion;
  (2) identifying a first plurality of network application security policies that control access to the first subset of the plurality of hosts;
  (3) providing first output, representing the first subset of the plurality of hosts, to a user;
  (4) receiving first input, from the user, indicating approval of the first subset of the plurality of hosts; and
  (5) in response to receiving the first input, applying the first plurality of network application security policies to the first subset of the plurality of hosts.

2. The method of claim 1, further comprising:
  (6) identifying a second functional component in the telecommunication network, wherein the second functional component comprises a second subset of the plurality of hosts, wherein hosts in the second subset satisfy a similarity criterion;
  (7) identifying a second plurality of network application security policies that control access to the second subset of the plurality of hosts;
  (8) providing second output, representing the second subset of the plurality of hosts, to a user;
  (9) receiving second input, from the user, indicating disapproval of the second subset of the plurality of hosts; and
  (10) in response to receiving the second input, not applying the second plurality of network application security policies to the second subset of the plurality of hosts.

3. The method of claim 1, wherein the first input comprises a single gesture.

4. The method of claim 1, wherein identifying the first plurality of network application security policies comprises identifying network application security policies that govern inbound connections to the first subset of the plurality of hosts.

5. The method of claim 1, wherein identifying the first plurality of network application security policies comprises identifying network application security policies that govern outbound connections from the first subset of the plurality of hosts.

6. The method of claim 1, wherein (3) comprises providing first output representing at least one name of at least one of the first subset of the plurality of hosts.

7. The method of claim 1, wherein (3) comprises providing first output representing at least one Internet Protocol (IP) address of at least one of the first subset of the plurality of hosts.

8. The method of claim 1, wherein (3) comprises providing the first output through a user interface.

9. The method of claim 1, wherein (3) comprises providing the first output through an Application Program Interface (API) to a computer program.

10. A system for use with a telecommunications network, the telecommunications network including a plurality of hosts, the system comprising at least one non-transitory computer-readable medium storing computer program instructions executable by at least one computer processor to perform a method, the method comprising:
  (1) identifying a first functional component in the telecommunication network, wherein the first functional component comprises a first subset of the plurality of hosts, wherein hosts in the first subset satisfy a similarity criterion;
  (2) identifying a first plurality of network application security policies that control access to the first subset of the plurality of hosts;
  (3) providing first output, representing the first subset of the plurality of hosts, to a user;
  (4) receiving first input, from the user, indicating approval of the first subset of the plurality of hosts; and
  (5) in response to receiving the first input, applying the first plurality of network application security policies to the first subset of the plurality of hosts.

11. The system of claim 10, wherein the method further comprises:
  (6) identifying a second functional component in the telecommunication network, wherein the second functional component comprises a second subset of the plurality of hosts, wherein hosts in the second subset satisfy a similarity criterion;
  (7) identifying a second plurality of network application security policies that control access to the second subset of the plurality of hosts;
  (8) providing second output, representing the second subset of the plurality of hosts, to a user;
  (9) receiving second input, from the user, indicating disapproval of the second subset of the plurality of hosts; and
  (10) in response to receiving the second input, not applying the second plurality of network application security policies to the second subset of the plurality of hosts.

12. The system of claim 10, wherein the first input comprises a single gesture.

13. The system of claim 10, wherein identifying the first plurality of network application security policies comprises identifying network application security policies that govern inbound connections to the first subset of the plurality of hosts.

14. The system of claim 10, wherein identifying the first plurality of network application security policies comprises identifying network application security policies that govern outbound connections from the first subset of the plurality of hosts.

15. The system of claim 10, wherein (3) comprises providing first output representing at least one name of at least one of the first subset of the plurality of hosts.

16. The system of claim 10, wherein (3) comprises providing first output representing at least one Internet Protocol (IP) address of at least one of the first subset of the plurality of hosts.

17. The system of claim 10, wherein (3) comprises providing the first output through a user interface.

18. The system of claim 10, wherein (3) comprises providing the first output through an Application Program Interface (API) to a computer program.
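The claimed workflow is a human-in-the-loop microsegmentation loop: group hosts by a similarity criterion (steps 1 and 6), derive the inbound and outbound policies that would govern the group (steps 2, 4 and 5 of the dependent claims), show the group's names and IP addresses to the user (steps 3, 6 and 7), and apply the policies only when the user approves (steps 4, 5, 9 and 10). The simulation below is an added example written for this page, not Zscaler's implementation or any code from the patent. It assumes a concrete similarity criterion (hosts sharing a role label) and derives candidate allow-policies from constructed flow records, neither of which the claims specify; the hosts, addresses and flows are constructed sample data.

```python
"""Simulated approve/deny microsegmentation workflow (illustrative only).

Assumptions not found in the patent: the similarity criterion is "same role
label", and proposed policies are the inbound/outbound peers observed in a
constructed set of flow records for the component's hosts.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    role: str  # assumed similarity attribute, e.g. "web" or "db"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Policy:
    direction: str  # "inbound" or "outbound" relative to the component
    peer: str       # the other side of the connection
    port: int
    proto: str


@dataclass
class Proposal:
    component: str
    hosts: Tuple[Host, ...]
    policies: Tuple[Policy, ...]
    approved: Optional[bool] = None  # None until the user has reviewed it


# Constructed inventory and observed flows (sample data, not from the patent).
HOSTS = [
    Host("web-1", "10.0.1.10", "web"),
    Host("web-2", "10.0.1.11", "web"),
    Host("db-1", "10.0.2.20", "db"),
    Host("bastion", "10.0.9.9", "admin"),
]

FLOWS = [
    Flow("10.0.9.9", "10.0.1.10", 22, "tcp"),      # bastion -> web-1 (ssh)
    Flow("10.0.9.9", "10.0.1.11", 22, "tcp"),      # bastion -> web-2 (ssh)
    Flow("10.0.1.10", "10.0.2.20", 5432, "tcp"),   # web-1 -> db-1
    Flow("10.0.1.11", "10.0.2.20", 5432, "tcp"),   # web-2 -> db-1
    Flow("203.0.113.5", "10.0.1.10", 443, "tcp"),  # external client -> web-1
]


def identify_functional_components(hosts):
    """Step (1)/(6): group hosts that satisfy the similarity criterion (same role)."""
    groups = defaultdict(list)
    for h in hosts:
        groups[h.role].append(h)
    return {role: tuple(sorted(hs, key=lambda h: h.name)) for role, hs in groups.items()}


def propose_policies(component, hosts, flows):
    """Step (2)/(7): derive the inbound and outbound policies governing the subset.

    Flows entirely inside the component are not policy candidates; only
    connections crossing the component boundary produce an allow rule.
    """
    member_ips = {h.ip for h in hosts}
    policies = set()
    for f in flows:
        if f.dst_ip in member_ips and f.src_ip not in member_ips:
            policies.add(Policy("inbound", f.src_ip, f.dst_port, f.proto))
        elif f.src_ip in member_ips and f.dst_ip not in member_ips:
            policies.add(Policy("outbound", f.dst_ip, f.dst_port, f.proto))
    ordered = tuple(sorted(policies, key=lambda p: (p.direction, p.peer, p.port)))
    return Proposal(component, hosts, ordered)


def render(proposal):
    """Step (3)/(8): output the subset (names and IPs) and its proposed policies."""
    lines = [f"component {proposal.component}:"]
    lines += [f"  host {h.name} ({h.ip})" for h in proposal.hosts]
    lines += [f"  allow {p.direction} {p.proto}/{p.port} peer {p.peer}" for p in proposal.policies]
    return "\n".join(lines)


def review(proposal, approved, enforced):
    """Steps (4)-(5) and (9)-(10): apply the policies only on approval."""
    proposal.approved = approved
    if approved:
        for h in proposal.hosts:
            enforced[h.ip] = proposal.policies
    return enforced


def run(hosts, flows, decisions):
    """Drive one pass over every component; decisions maps component -> approval."""
    enforced = {}
    proposals = {}
    for component, members in identify_functional_components(hosts).items():
        proposal = propose_policies(component, members, flows)
        print(render(proposal))
        review(proposal, decisions.get(component, False), enforced)
        proposals[component] = proposal
    return proposals, enforced


if __name__ == "__main__":
    run(HOSTS, FLOWS, {"web": True, "db": False, "admin": False})
```

Components the user disapproves keep their proposal recorded but receive no enforced policy, matching claim 2's "not applying" branch; re-running the pass with new flow records and new decisions is the "repeated over time" behaviour the abstract describes.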

Assignees

Inventors

Classifications

  • H04L63/20 (Primary)

    for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • H04L63/105 (Primary)

    Multiple levels of security · CPC title

  • Assignment of logical groups to network elements · CPC title

  • in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) · CPC title

  • Filtering policies (mail message filtering H04L51/212) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11178187B2 cover?
A computer system automatically generates a proposal for network application security policies to be applied on a telecommunications network. The system provides output representing the proposed network application security policies to a user. The user provides input either approving or disapproving of the network application security policies. If the user approves, then the system applies the …
Who is the assignee on this patent?
Zscaler Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Nov 16, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).