Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for modeling behavior of a networking device, the method comprising: obtaining a plurality of behavior rules, the plurality of behavior rules defining the processing of a communication packet by the networking device, the communication packet comprising at least one predicate value; collecting a first subset of the plurality of behavior rules into at least one behavior group, the at least one behavior group defining a particular egress port from a plurality of egress ports of the networking device for a communication packet received from a plurality of ingress ports to the networking device; utilizing a second subset of the plurality of behavior rules to determine at least one security policy group, wherein each security policy group is associated with one of the plurality of egress ports of the network device and defines the communication packets that are accepted for each of the plurality of egress ports; creating, utilizing a processing device, a spanning graph of a policy of the networking device comprising representations of one or more ingress ports of the plurality of ingress ports to the networking device, representations of one or more egress ports of the plurality of egress ports from the networking device, representations of the at least one behavior group, and the at least one security policy group, the spanning graph configured to display a communication pathway comprising the one or more ingress ports, the at least one behavior group, the one or more egress ports of the networking device, the at least one security policy group, the particular egress port from the plurality of egress ports of the networking device for the communication packet received from the one or more ingress ports to the networking device, and the communication packets that are accepted for each of the plurality of egress ports; and providing the spanning graph to a user of the networking device, wherein the at least one behavior group comprises a plurality of behavior groups, and combining at least two behavior groups of the plurality of behavior groups into an interface switch and wherein the spanning graph further comprises the interface switch in place of the at least two behavior groups.
2. The method of claim 1 wherein at least one of the plurality of behavior rules comprises the at least one predicate value and an action portion, the at least one of the plurality of behavior rules configured to cause the networking device to perform the action portion of the at least one of the plurality of behavior rules when the communication packet matches the predicate value.
3. The method of claim 2 wherein the action portion of the at least one of the plurality of behavior rules defines an associated egress port from the one or more egress ports to the networking device for the communication packet.
4. The method of claim 2 wherein the action portion of the at least one of the plurality of behavior rules defines an associated translated field corresponding to a portion of the communication packet.
5. The method of claim 4 wherein the networking device replaces the portion of the communication packet with the translated field when the portion of the communication packet matches the at least one predicate value of the at least one of the plurality of behavior rules.
6. The method of claim 1 wherein the action portion of the at least one of the plurality of behavior rules defines an associated virtual router for the communication packet.
7. The method of claim 1 wherein the plurality of behavior rules define a security policy for a communication packet between a plurality of designated zones within the networking device.
8. The method of claim 1 wherein providing the spanning graph to a user of the networking device comprises displaying the spanning graph on a display device.
9. A non-transitory computer-readable medium encoded with instructions for modeling behavior of a network device, the instructions, executable by a processor, comprising: obtaining a plurality of behavior rules from a policy of the network device, the plurality of behavior rules defining the processing of a communication packet by the network device, the communication packet comprising at least one predicate value; collecting a first subset of the plurality of behavior rules into at least one behavior group representation such that the at least one behavior group representation comprises a portion of the plurality of behavior rules, the at least one behavior group representation defining a particular egress port from a plurality of egress ports of the networking device for a communication packet received from a plurality of ingress ports to the networking device; utilizing a second subset of the plurality of behavior rules to determine at least one security policy group, wherein each security policy group is associated with one of the plurality of egress ports of the network device and defines the communication packets that are accepted for each of the plurality of egress ports; creating a spanning graph comprising representations of one or more ingress ports of the plurality of ingress ports to the network device, representations of the one or more egress ports of the plurality of egress ports from the network device, the at least one behavior group representation, the at least one security policy group, at least one flow indicator between a first representation of one or more ingress ports, the at least one behavior group representation, the at least one security policy group, a first representation of the one or more egress ports, the particular egress port from the plurality of egress ports of the networking device for the communication packet received from the one or more ingress ports to the networking device, and the communication packets that are accepted for each of the plurality of egress ports such that the flow indicator displays a communication pathway of a communication packet through the network device; and providing the spanning graph to a user of the network device, wherein the at least one behavior group representation comprises a plurality of behavior groups, and combining at least two behavior groups of the plurality of behavior groups into an interface switch and wherein the spanning graph further comprises the interface switch in place of the at least two behavior groups.
10. The non-transitory computer-readable medium of claim 9, wherein at least one of the plurality of behavior rules comprises the predicate value and an action portion, the at least one of the plurality of behavior rules configured to cause the network device to perform the action portion when the communication packet matches the predicate value of the at least one of the plurality of behavior rules.
11. The non-transitory computer-readable medium of claim 10, wherein the at least one behavior group representation is a routing behavior group representation and wherein the action portion of the at least one of the plurality of behavior rules defines an associated egress port from the one or more egress ports to the network device of the communication packet.
12. The non-transitory computer-readable medium of claim 10, wherein the at least one behavior group representation is a network address translation behavior group, and wherein the action portion of the at least one of the plurality of behavior rules defines an associated translated field corresponding to a portion of the communication packet.
13. The non-transitory computer-readable medium of claim 12, wherein the network device replaces the portion of the communication packet with the translated field when the portion of the communication packet matches the at least one predicate value of the at least one of the plurality of behavior rules.
14. The non-transitory computer-readable medium of claim 9, the instructions further comprising: modeling a portion of the plurality of behavior rules from the policy of the network device as a plurality of bit strings; and creating a first hierarchical decision diagram from the plurality of bit strings.
15. The non-transitory computer-readable medium of claim 14, the instructions further comprising: applying the first hierarchical decision diagram to the spanning graph to obtain one or more policy rules from the policy of the network device.
16. A system for modeling a network device policy rule set, the system comprising: a hardware processing device; and a non-transitory computer-readable medium with one or more executable instructions stored thereon, wherein the processing device executes the one or more instructions to perform the operations of: obtaining a plurality of behavior rules from the network device policy rule set, the plurality of behavior rules defining the processing of a communication packet by the network device, wherein at least one of the plurality of behavior rules comprises a predicate value and an action portion; creating a plurality of behavior group representations comprising a first subset of the plurality of behavior rules such that each of the plurality of behavior group representations comprises a portion of the plurality of behavior rules defining a particular egress port from a plurality of egress ports of the networking device for a communication packet received from a plurality of ingress ports to the networking device; utilizing a second subset of the plurality of behavior rules to determine at least one security policy group, wherein each security policy group is associated with one of the plurality of egress ports of the network device and defines the communication packets that are accepted for each of the plurality of egress ports; forming a spanning graph of the network device policy rule set comprising representations of one or more ingress ports of the plurality of ingress ports to the network device, representations of one or more egress ports of the plurality of egress ports from the network device, the plurality of behavior group representations, the at least one security policy group, and at least one flow indicator between the representations of one or more ingress ports, the plurality of behavior group representations, the at least one security policy group, and the representations of one or more egress ports, the particular egress port from the plurality of egress ports of the networking device for the communication packet received from the one or more ingress ports to the networking device, and the communication packets that are accepted for each of the plurality of egress ports such that the flow indicator displays a communication pathway of a communication packet through the network device; and providing the spanning graph to a user of the network device, and combining at least two behavior group representations into an interface switch and wherein the spanning graph further comprises the interface switch in place of the at least two behavior group representations.
17. The system of claim 16 further comprising: a display device configured to display the spanning graph to the user of the network device.
18. The system of claim 16 wherein at least one behavior group representation is a routing behavior group representation and wherein the action portion of the at least one of the plurality of behavior rules defines an associated egress port from the one or more egress ports to the network device of the communication packet.
19. The system of claim 16 wherein the network device is a firewall device.
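As an added illustration of the modeling steps in claims 1 through 8 (this is not code from the patent or its assignee): behavior rules pairing a predicate with an action portion are collected into behavior groups keyed by the egress port they select (NAT rules form their own group, as in claim 12), accept rules become security policy groups per egress port, and a packet is traced along the spanning graph pathway from ingress port to egress port. The sample rules, port names and first-match ordering are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policy (not the patent's own data): each behavior rule pairs a
# predicate (fields a packet must carry) with an action portion; port names are assumed.
RULES = [
    {"when": {"dst_ip": "203.0.113.5"}, "do": ("nat", "dst_ip", "10.0.0.5")},  # DNAT rule
    {"when": {"dst_net": "10.0.0.0/8"}, "do": ("route", "eth1")},              # routing rule
    {"when": {"dst_net": "0.0.0.0/0"}, "do": ("route", "eth0")},               # default route
    {"when": {"egress": "eth1", "dst_port": 22}, "do": ("accept",)},           # security policy
    {"when": {"egress": "eth0", "dst_port": 443}, "do": ("accept",)},
]

def matches(rule, pkt):
    """A rule fires when every predicate value matches the packet (dst_net is a prefix test)."""
    for field, value in rule["when"].items():
        if field == "dst_net":
            if ip_address(pkt["dst_ip"]) not in ip_network(value):
                return False
        elif pkt.get(field) != value:
            return False
    return True

def group_rules(rules):
    """First subset -> behavior groups keyed by (kind, egress port); second subset ->
    security policy groups keyed by the egress port whose accepted packets they define."""
    behavior, security = {}, {}
    for r in rules:
        kind = r["do"][0]
        if kind == "accept":
            security.setdefault(r["when"]["egress"], []).append(r)
        else:
            behavior.setdefault((kind, r["do"][1] if kind == "route" else "*"), []).append(r)
    return behavior, security

def trace(pkt, ingress, behavior, security):
    """Walk one packet along the spanning graph: ingress -> NAT group -> routing group
    (first match wins) -> security policy group -> egress. Returns (pathway, accepted)."""
    pkt, path = dict(pkt), [("ingress", ingress)]
    for group, rules in behavior.items():
        if group[0] == "nat":                            # translated field replaces the packet field
            for r in rules:
                if matches(r, pkt):
                    pkt[r["do"][1]] = r["do"][2]
                    path.append(("behavior", group))
    egress = next((g[1] for g, rs in behavior.items() if g[0] == "route"
                   and any(matches(r, pkt) for r in rs)), None)
    if egress is None:
        return path, False                               # no behavior group selects a port: dropped
    pkt["egress"] = egress
    path.append(("behavior", ("route", egress)))
    accepted = any(matches(r, pkt) for r in security.get(egress, []))
    path += [("security", egress), ("egress", egress)]
    return path, accepted

BEHAVIOR, SECURITY = group_rules(RULES)
```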
February 23, 2016