Network security path identification and validation
US-12170668-B2 · Dec 17, 2024 · US
US2020162467A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2020162467-A1 |
| Application number | US-201916368695-A |
| Country | US |
| Kind code | A1 |
| Filing date | Mar 28, 2019 |
| Priority date | Nov 20, 2018 |
| Publication date | May 21, 2020 |
| Grant date | — |
Official abstract text for this publication.
The present technology is directed to a system and method for implementing an offline scheme that automatically and efficiently transforms a set of conventional IP-based Access Control Entries (ACEs) in a supplied configuration into a compressed form that can then be represented as Object-Group based ACEs. The compression is performed on contiguous blocks of the supplied Access Control List (ACL) that share a common prescribed filtering access (the action field). It proceeds by iteratively selecting a data field whose values differ across the ACEs and merging those values into the corresponding data field of the output ACE; the common values of the remaining data fields are then copied into the corresponding data fields of the output ACE. The process is repeated iteratively, assigning a different data field as the selected data field in each round.
Opening claim text (preview).
1. A computer-implemented method comprising: grouping a plurality of canonical Access Control entries (ACEs), each comprising a plurality of data fields, into one or more candidate compression groups (CCGs); identifying, in each of the one or more CCGs, a plurality of equivalent canonical ACEs corresponding to a plurality of mismatching data values across a designated data field and a same data value across a plurality of remaining data fields; and merging together, in each of the one or more CCGs, the plurality of equivalent canonical ACEs in an iterative manner by varying the designated data field, to thereby convert the plurality of canonical ACEs, in each of the one or more CCGs, into at least one of one or more Object-group based ACEs or one or more Security-group based ACEs.
2. The computer-implemented method of claim 1, wherein each data field from the plurality of data fields corresponds to a non-wildcard value.
3. The computer-implemented method of claim 1, wherein each data field from the plurality of data fields is selected from a group consisting of `<action>`, `<protocol>`, `<source address>`, `<source port>`, `<destination address>` and `<destination port>`.
4. The computer-implemented method of claim 3, wherein a value of a destination address data field corresponds to one or more destination IP addresses.
5. The computer-implemented method of claim 4, further comprising identifying one or more overlapping IP addresses in the destination address data field of one or more neighboring ACEs located in different CCGs from the plurality of CCGs.
6. The computer-implemented method of claim 3, wherein a value of a source address data field corresponds to one or more source IP addresses.
7. The computer-implemented method of claim 6, further comprising identifying one or more overlapping IP addresses in the source address data field of one or more neighboring ACEs located in different CCGs from the plurality of CCGs.
8. The computer-implemented method of claim 1, wherein the method is performed in an offline environment using one or more conventional security policy configurations as input to produce one or more object-group based ACEs as output.
9. The computer-implemented method of claim 1, wherein the one or more Object-group based ACEs or the one or more Security-group based ACEs facilitate an implementation of an access control policy to thereby provide micro-segmentation of traffic in a Virtual Network.
10. A system comprising: one or more processors; and at least one computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to: group a plurality of canonical Access Control entries (ACEs), each comprising a plurality of data fields, into one or more candidate compression groups (CCGs); identify, in each of the one or more CCGs, a plurality of equivalent canonical ACEs corresponding to a plurality of mismatching data values across a designated data field and a same data value across a plurality of remaining data fields; and merge together, in each of the one or more CCGs, the plurality of equivalent canonical ACEs in an iterative manner by varying the designated data field, to thereby convert the plurality of canonical ACEs, in each of the one or more CCGs, into one or more Object-group based ACEs.
11. The system of claim 10, wherein each data field from the plurality of data fields is selected from a group consisting of `<action>`, `<protocol>`, `<source address>`, `<source port>`, `<destination address>` and `<destination port>`.
12. The system of claim 11, wherein a value of a source address data field corresponds to one or more source IP addresses.
13. The system of claim 12, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to: identify one or more overlaps in the value of the source address data field corresponding to one or more neighboring ACEs located in different CCGs from the plurality of CCGs.
14. The system of claim 11, wherein a value of a destination address data field corresponds to one or more destination IP addresses.
15. The system of claim 14, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to: identify one or more overlaps in the value of the destination address data field corresponding to one or more neighboring ACEs located in different CCGs from the plurality of CCGs.
16. The system of claim 10, wherein the instructions stored on the at least one computer-readable storage medium are executed by the one or more processors in an offline environment.
17. The system of claim 10, wherein the one or more Object-group based ACEs facilitate an implementation of an access control policy to thereby provide micro-segmentation of traffic in a Virtual Network.
18. At least one non-transitory computer-readable storage medium having stored therein instructions which, when executed by one or more processors, cause the one or more processors to: group a plurality of canonical Access Control entries (ACEs), each comprising a plurality of data fields, into one or more candidate compression groups (CCGs); identify, in each of the one or more CCGs, a plurality of equivalent canonical ACEs corresponding to a plurality of mismatching data values across a designated data field and a same data value across a plurality of remaining data fields; and merge together, in each of the one or more CCGs, the plurality of equivalent canonical ACEs in an iterative manner by varying the designated data field, to thereby convert the plurality of canonical ACEs, in each of the one or more CCGs, into one or more Object-group based ACEs.
19. The at least one non-transitory computer-readable storage medium of claim 18, wherein the instructions are executed by the one or more processors in an offline environment.
20. The at least one non-transitory computer-readable medium of claim 18, wherein the one or more Object-group based ACEs facilitate an implementation of an access control policy to thereby provide micro-segmentation of traffic in a Virtual Network.
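The compression scheme described in the abstract and claims 1 and 10, as an added Python example that is not the patent's own code: ACEs are grouped into CCGs as contiguous runs sharing an action, each CCG is merged field by field with the designated field varied per round, and a first-match evaluator checks that the compressed ACL decides packets exactly as the original did. The sample ACL is constructed; the six-field order and treating `any` (and `ip` for protocol) as wildcards are my assumptions.

```python
from itertools import groupby

# Field order of a canonical ACE (assumed). "any", and "ip" for protocol, act as
# wildcards in the matcher below; that treatment is my assumption, not the patent's.
FIELDS = ("action", "protocol", "src", "sport", "dst", "dport")
WILD = frozenset({"any", "ip"})
# Constructed sample ACL, one canonical ACE per line.
SAMPLE_ACL = """\
permit tcp 10.0.0.1 any 10.1.0.5 443
permit tcp 10.0.0.2 any 10.1.0.5 443
permit tcp 10.0.0.1 any 10.1.0.6 443
permit tcp 10.0.0.2 any 10.1.0.6 443
deny ip any any any any
"""

def parse_acl(text):
    """Each ACE becomes a dict: field name -> frozenset of values (an object group)."""
    return [dict(zip(FIELDS, (frozenset([v]) for v in line.split())))
            for line in text.splitlines() if line.strip()]

def compress_group(aces):
    """Merge one CCG: for each designated field in turn, ACEs that agree on
    every other field have their designated-field values unioned."""
    for designated in FIELDS[1:]:            # action is common to the whole CCG
        buckets = {}                         # insertion order preserves ACL order
        for ace in aces:
            key = tuple(ace[f] for f in FIELDS if f != designated)
            buckets.setdefault(key, []).append(ace)
        aces = []
        for group in buckets.values():
            merged = dict(group[0])
            merged[designated] = frozenset().union(*(a[designated] for a in group))
            aces.append(merged)
    return aces

def compress_acl(text):
    """A CCG is a contiguous run of ACEs sharing an action, so merging inside it
    never reorders an entry across a permit/deny boundary."""
    out = []
    for _, run in groupby(parse_acl(text), key=lambda a: a["action"]):
        out.extend(compress_group(list(run)))
    return out

def first_match(acl, packet):
    """First-match evaluation used to check that compression preserved policy.
    packet is (protocol, src, sport, dst, dport); implicit deny at the end."""
    for ace in acl:
        if all(ace[f] & WILD or v in ace[f] for f, v in zip(FIELDS[1:], packet)):
            return next(iter(ace["action"]))
    return "deny"
```

On the sample ACL the four permit entries collapse into one ACE with a two-address source group and a two-address destination group, and the trailing deny stays separate because it sits in its own CCG.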
CPC classification titles:
- Grouping of entities
- Virtual LANs, VLANs, e.g. virtual private networks [VPN] (LAN interconnection over a bridge based backbone H04L12/462; encapsulation techniques H04L12/4633; routing of packets H04L45/00; packet switches H04L49/00; virtual private networks for security H04L63/0272)
- Protocols for data compression, e.g. ROHC
- Access control lists [ACL]
- for managing network security; network security policies in general (filtering policies H04L63/0227)