DE60034546T2 - System and method for selective LDAP database synchronization - Google Patents

Description

FIELD OF THE INVENTION

The The present invention relates to computer networks, and more particularly on devices and methods for providing efficient, integrated and scalable Policy management services for remote private networks the Internet.

BACKGROUND OF THE INVENTION

The The growth and proliferation of computers and computer networks enables companies to efficient with their own components as well as with their business partners, To communicate with customers and suppliers. The flexibility and efficiency, However, these computers and computer networks offer more risks including security breaches from outside the Company, the accidental release of important internal information and inappropriate use of LAN, WAN, Internet or extranet.

at the administration of the extension of computer networks as well as with the solution Of the various security issues, network managers often use management services for network policies such as. Firewall protection, address assignment in the NAT procedure (Network Address Translation), Spar Filter, DNS Caching, Web Caching, VPN Organization (Virtual Private networks) and security as well as URL blockers to the To prevent network users from using the ISPs (Internet Service Provider) of the organization on certain websites access. However, any policy management service requires usually a separate device, that is configured, managed and monitored must become. Furthermore, the existing devices are always more numerous as the organization grows and spreads across multiple locations expands, thereby reducing the corresponding expenses and the overhead of configuration, Administration and monitoring the devices also rise.

The solution for this The problem is not just that, it has many management features for network policies into a single device integrate at every location and allow every location to exchange his policy data with other locations. Actually there There are many obstacles and challenges in implementing one such method. For example, a plan for efficient requires Specification and distribution of data for policy management via remote private network for the entire organization generally a well-designed object model. Synchronization of multiple databases within the organization With updates of the policy management data can also be a complex Pose a problem. Furthermore, the efficient management of Policy information within the organization a challenge. In addition, the creation of logs and statistics is off the remote private network in a widely distributed policy management system This is often a difficult task for efficient analysis and reporting. Usually Only the raw data is logged and stored, which in general time-consuming and custom programs need to get out of the raw data Create meaningful reports and statistics offline. There is further challenges for the implementation of a uniform policy management system. For increased benefit, these should be consistent Policy management functions implemented as far as possible in the hardware become. The implementation of policy management on a chip requires however, typically an efficient design partitioning.

In addition, should the unified policy management system the efficient configuration, Manage and update virtual private networks, which are over various remote locations extend.

in the Document "Enforcing security policies in large scale communication networks "by Apostolopoulos T.K et al., Proceedings of the 17th IEEE Symposium on Reliable Distributed Systems, pp. 393-397, 1998, ISBN: 0-8186-9218-9, provides a framework for the network administrator Implementation of security policies described, with access to a distributed database over a super administrator takes place.

In the patent WO 98/28880 describe a system and method for synchronized reconfiguration of a telecommunications network.

Accordingly There is a need in the industry for a network management solution that overcomes these and other obstacles in the current state of the art.

SUMMARY OF THE INVENTION

The present invention relates to a uniform policy management system in which various policies, in particular a certain number of rules and instructions governing network operation, can be created and enforced from a single location. According to one embodiment of the invention, the system comprises a first edge device associated with a first network having a first set of resources configured to match the policies for the first network corresponding to those in a first data bank stored policy settings. The system also includes a second edge device associated with a second network having a second set of resources configured to manage the policies for the second network according to the policy settings stored in a second database. The first and second edge devices function as policy enforcers for their respective networks. Policies enforced can be firewall policies, VPN policies, and the like.

The System also includes a central policy server, with the first and the second Edge device is connected. The policy server is corresponding configured to the first and second policy settings to define and the first and second edge device of a location out manage. This way, the network administrator does not have to additional Work or extra costs for the configuration and management of each policy enforcer spend.

In alternative embodiments The single policy management system includes one or more the following functions: The central policy server can be a central Database for storing the configuration information of policy enforcers include. In the central database as well as in the policy enforcers assigned Databases are LDAP (Lightweight Directory Access) databases Protocol), which correspond to a hierarchical object-oriented structure are constructed. This structure includes resource objects and policy objects for definition the policy settings for the policy enforcers. Such a structure carries help to simplify policy management by Elements of the policy management system be defined and organized in an intuitive and comprehensive way.

According to one variant invention, the resource objects include facilities, users, Hosts, services and time. Facilities are the policy enforcers at the edge of the respective private local network. Every device is users and assigned to a host. A host is a network (e.g., a LAN subnet) in an organization. Services are the various services (e.g. http, telnet, ftp) provided by the policy server. Time is another dimension in access control for network resources.

The central database stores the configuration information, including the Policy settings for all Policy enforcer. Will be a change made to the configuration information, the policy server creates a log of these changes and stores it in the central database for later transfer to the policy enforcers. Once the policy enforcers the change log receive, update their respective databases accordingly and report to the policy server, if the update was successful. Was this successful, becomes the change log for this Policy Enforcer deleted from the central database.

Of the central policy server can also have a Set of user application modules provided to a user, such as the network administrator, enable, the policy settings for the Defining Policy Enforcers and Policy Enforcers manage a location. The policy settings are preferably one Variety of resource objects, including facilities, users, Hosts, services and time assigned.

In an embodiment variant invention, the set of application modules comprises a central management submodule, to install and register the policy enforcer in the central policy server.

In another embodiment According to the invention, the set of application modules comprises a policy management submodule to manage and display the resource objects from a single Location off.

In a further embodiment invention, the policy server comprises a set of user application modules, to allow a user monitor the health and status of policy enforcers. Each Policy Enforcer collects state and status information in one predefined, common log format and transmits them to the policy server. The policy server can then on the basis of this information different reports create. It can therefore be assumed that the present invention is monitoring enables the resources in the organization during the transfer, whereby the invention further advantages over the previous state of the Technology that generally only collects raw data and the tedious creation of reports is required.

Policy enforcer policy enforcement functions for their respective networks may also be split to efficiently implement the hardware. According to one embodiment of the invention, each edge device preferably comprises a plurality of modules, including a classification engine, a policy engine and a packet forwarding engine. The classification engine defines a protocol in connection with an incoming packet. The Policy engine makes a forwarding decision for the packet based on the policy settings associated with this packet. The packet forwarding module then transmits the packet based on the policy settings.

In alternative embodiments can the module as well a security machine for checking the Include permission of a user who submits the package, and / or a statistics module for collecting statistics of the packets, going through the policy enforcer.

each The networks in the system can also consist of private networks and everyone the private network assigned policy enforcer is configured accordingly, to create a table with the information of the member networks, the above the policy enforcer can be reached. The table will be the other one Member Policy Enforcers provided in the VPN. This allows the Creation of VPNs whose member lists compile dynamically become.

Under A special aspect of the invention is the communication between the first and the second private network according to a security policy managed, which is assigned to the member networks. The security policy is preferably for defines a group of security policies, a so-called VPN cloud that enables a hierarchical organization of the group. The VPN cloud includes member networks (hosts), users who have access to have the member networks, and a rule to access controls the member networks. The secured by the VPN Clouds Hierarchical organization thus offers the network administrator the Possibility, Completely create networked VPNs, where each location within a VPN cloud over the full Connectivity with every other location. The network administrator must not any more Manually configure a connection in the VPN, all he needs is a VPN cloud to create and assigned to the VPN sites, users and To specify rules. Each connection is then based on the for configured the VPN cloud specified configuration. The hierarchical Organization thus facilitates the establishment of a VPN with a huge Number of locations.

Under Another aspect of the invention is the rule in the VPN at a firewall rule, which controls the access to traffic inside the member networks. Such firewall rules offer the administrator the opportunity for precise Access control for traffic through within the VPN, under the encrypted Access that such a VPN offers.

Under In another aspect of the invention, a remote user accesses from a remote location over a remote user terminal to the member networks. The terminal is configured to match the table using software dynamic member information from the edge device, with which it is connected to download. Updates to member information will be automatically transferred to the remote user terminal below, without having to reconfigure the terminal.

Of the Policy servers and Policy Enforcers, as well as other network devices, can also in terms of high availability be configured by next to the unit of first class (primary unit) a second-class unit (reserve unit) is present, whereby a single point of failure avoided becomes. In one aspect of the invention, the backup unit is located originally in inactive status and leaves later into active status, after a fault the primary unit was recorded.

Under In another aspect of the invention, each highly available device determines its own Status as primary unit, Reserve unit or stand-alone unit (third-class unit) while the initialization.

Under Another aspect of the invention is that in the databases the primary and reserve units stored configuration information synchronized, putting the first-class device in active state, the configuration changes receive the first database in the first class unit and are saved, the configuration changes to the unit second Transfer class and the configuration changes stored in the second-class unit. If the primary unit Switches to the inactive status, stores the reserve unit the configuration changes the second database in the second-class unit and transmits those changes to the primary unit, as soon as it returns to active status.

Under In another aspect of the invention, updates to the Primary- and reserve units, such as software updates, as well synchronized by transmitting the update information to the primary unit become, the primary unit is updated, the update of the primary unit transferred to the reserve unit and thus the reserve unit is updated. Thus, the network administrator needs not the same effort again to update the reserve units spend.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features, designs and Advantages of the present invention will become apparent upon reading the following, detailed description, the appended claims and the accompanying drawings, wherein:

1 FIG. 12 is a schematic block diagram of an exemplary, unified policy management system; FIG.

2 represents the hierarchical, object-oriented structure of the policies stored for an organization according to the principles of the invention;

3 presents a schematic block diagram of a policy server in the policy management system 1 group;

4 presents a schematic diagram of a central management submodule in the policy server 3 group;

5 FIG. 3 illustrates an exemplary flowchart of a facility registration process that originates from the central management sub-module 4 is carried out;

6 FIG. 12 illustrates a screen shot of an exemplary graphical user interface for registering a device; FIG.

7 FIG. 12 illustrates a screen shot of an example global user interface for monitoring status and status information of a device; FIG.

8th Figure 13 is a screen shot of an exemplary graphical user interface that exposes the policy management submodule in the policy server 3 offers;

9 Figure 12 is a screen shot of an exemplary graphical user interface for managing system devices;

10 Figure 12 is a screen shot of an example graphical user interface for managing system hosts;

11 Figure 12 is a screen shot of an exemplary graphical user interface for managing system devices;

12 Figure 13 is a screen shot of an exemplary graphical user interface for managing time groups;

13 Figure 12 is a screen shot of an exemplary graphical user interface displaying a number of VPN clouds;

14 Figure 12 is a screen shot of an example graphical user interface for entering a new firewall policy;

15 Figure 12 is a schematic block diagram of policy enforcers updating their respective VPN membership information;

16 Figure 10 is a block diagram of components in a self-extracting execution program for download by a remote VPN client;

17 is a functional block diagram for downloading the self-extracting execution program 16 ;

18 is a schematic block diagram of a policy enforcer in the policy management system 1 ;

19 is a detailed, schematic block diagram of a policy engine in the Policy Enforcer 18 ;

20 FIG. 12 is a more detailed, schematic block diagram of a Policy Enforcer Protocol Classification Engine 18 ;

21 is a more detailed, schematic block diagram of an Internet Protocol security machine in the Policy Enforcer 18 ;

22 is a schematic representation of a general protocol format according to an embodiment of the invention;

23 is a block diagram of an LDAP tree structure according to an embodiment of the invention;

24 is a more detailed block diagram of a branch of the LDAP tree 23 ;

25 is a flowchart of logging and forwarding LDAP changes to policy enforcers;

26 Fig. 10 is a schematic block diagram of a high availability system including a primary unit and a backup unit;

27 FIG. 10 is a flow chart of an example status determination process performed by a high availability unit; FIG.

28 FIG. 12 is a flowchart of a process for maintaining the configuration information in the primary and spare units. FIG 26 be synchronized;

29 FIG. 10 is an exemplary flowchart of updating the primary and reserve units 26 in which both are ready; and

30 FIG. 10 is an exemplary flowchart of updating the primary and reserve units 26 in which the primary unit is not ready for operation.

DETAILED DESCRIPTION OF THE INVENTION

I. UNIFORM ARCHITECTURE OF THE POLICY MANAGEMENT SYSTEM

1 FIG. 10 is a schematic block diagram of an exemplary unitary policy management system according to an embodiment of the invention. FIG. As in 1 shown are the private local networks 102 . 104 and 106 all via appropriate routers (generally with 110 and Internet Service Providers (ISPs) (not shown) with a public network, such as the Internet 108 , connected. Likewise via the ISPs with the public Internet 108 Connected are internet surfers 112 network users connected via temporary dial-up connections 114 , Server 116 that offer unauthorized websites, mail spammers 118 who send unsolicited junk mail, as well as remote VPN clients 140 having access to the private local networks 102 want to get.

According to one example, the local network connects 102 Users and resources, such as workstations, servers, printers, and the like, at a first location of the organization, such as the organization's headquarters, and the local area network 104 connects users and resources to a second location of the organization, such as a branch office. Furthermore, the local network connects 106 Users and resources of a customer of the organization who needs special access to the users and resources of the organization. Authorized users connected via dial-up connections 114 The organization is located at sites remote from the first and second local area networks and also requires special access to the users and resources of the organization. Furthermore, internet surfers communicate 112 with the internet server 120 the organization via the public Internet 108 and access the company's website.

The local network 102 includes a policy server 122 to define and manage network services and policies for the organization. The network policies are a set of rules and instructions that govern the operation of the network, firewall, VPN, bandwidth, and administrative policies. The firewall policies decide on the traffic in the network, which is from the public Internet 108 for the local networks 102 . 104 , is released and about the traffic that is to be blocked. The bandwidth policies determine the type of bandwidth to be allocated to the traffic on the local networks. The VPN policies set the rules for implementing multi-site connectivity over the local area networks. The administrative policies specify the users who have access to the administrative functions, the type of administrative functions assigned to these users, and the policy enforcers 124 . 126 for which these users can exercise these administrative functions. The firewall, VPN, bandwidth, and administration policies for the entire organization are preferably stored in a Policy Server database 130 stored by the policy server 122 is managed.

Every local network 102 . 104 , also includes an edge device, here as a policy enforcer 124 . 126 , designated for access control to the network. Each policy enforcer 124 . 126 , manages the network policies and services for the users and resources of their respective local area networks 102 . 104 , according to the release of the policy server 122 , The corresponding portions of the Policy Server database 130 be in the databases 132 . 134 , which copies the policy enforcer to allow the policy enforcers the network policies and services for the local networks 102 . 104 , can manage.

According to one embodiment of the invention, the policy server 122 and the policy enforcers 124 . 126 , are implemented in a similar way to the FORT KNOX policy routers by Alcatel Internetworking Inc. of Milpitas, California.

II. OBJECT MODEL FOR NETWORK POLICY MANAGEMENT

According to one embodiment of the invention, the policy server database is 130 and Policy Enforcer databases 132 . 134 to LDAP databases that adhere to a unified, hierarchical, object-oriented structure. The LDAP Directory Service model is based on entries, where each entry represents a collection of attributes that are named with a unique name (DN). Each attribute contains a type and one or more values. The type is usually a mnemonic string, such as "o" for organization, "c" for country (Country) or "mail" for e-mail addresses.The values depend on the attribute type, for example, the attribute "mail" may contain the value "babs@umich.edu." The attribute "jpegPhoto" may be a photo in a binary JPEG / JFIF format included. Further details about the LDAP Directory Service Model are described in RFC 1777 "The Lightweight Directory Access Protocol" (W. Yeong, T. Howes and Kille, Network Working Group, March 1995) and "LDAP Programming: Directory-enabled Applications with Lightweight Directory Access Protocol "(T. Howes and M. Smith, Macmillan Technical Publishing, 1997).

The Posts in the LDAP database are preferably in a hierarchical, treelike Structure built up, the political, geographical and / or organizational Limits taken into account. The entries, the countries represent, appear at the top of the tree. among them the entries appear, representing state or national organizations. Among the national or national organizations may make entries in relation to persons, organizational units, Printers, documents and the like listed become.

2 is a schematic representation of the unified, hierarchical, object-oriented structure to which the policy server database 130 holds according to an embodiment of the invention. The Policy Enforcer databases 132 . 134 , follow with the exception of a few differences of the same structure. For example, the policy enforcer databases preferably do not include a policy server domain object 201 or related policy server objects, nor a policy domain object 240 ,

As in 2 Each object in the structure is preferably stored as an LDAP entry. At the top of the hierarchy is the policy server domain object 201 arranged various policy server resources and a set of policy domain objects (generally with 204 designated). Each policy domain object 240 is a grouping of policy enforcers with shared policies. Each policy domain object 240 includes a resource root object 200 and a group root object 202 , All policy management functions are preferably implemented in the form of resource objects, the facilities 204 , Users 206 , Hosts 208 , Services 210 and time 220 include. Thus, a firewall policy can be defined simply by associating the policies, users, hosts, services, and times that apply to the policy. The facilities, users, hosts and services are preferably in groups 212 . 214 . 216 and 218 , organized with a group name, description, and member information to provide a more intuitive way of addressing and organizing resources.

The users 206 are preferably associated with a user domain that provides a secure and efficient means of checking user authorization. Each user domain has a single Policy Enforcer that has the authority to verify the user's permission. Thus, user domains ensure that the validated agent is generally on the same local network as the user. In this way, the cost of network dependency or network latency can be reduced during the user verification process. It should be noted, however, that users are also authorized users connected in the dialing process 114 and users from the customer network 106 can act. These users contact a remote validation agent, who submits the user review back to the appropriate proxy policy enforcer.

hosts 208 are the various networks that exist in an organization. For example, a particular LAN subnet may be specified as a host in a system. hosts 208 are preferably organized on the basis of their physical location within the organization. The physical location of a host is determined by the device (Policy Enforcer) 204 flag assigned to the host.

services 210 includes the various services provided by the policy server 122 to be provided. Such services include multimedia streaming / conferencing, information retrieval, security and privilege validation, database applications, e-mail applications, routing applications, standard communication protocols, and the like. The attributes associated with each service preferably include service name, description, type (eg, HTTP, HTTPS, FTP, TELNET, SMTP, Real Networks, and the like) and group.

facilities 204 are the policy enforcers 124 . 126 , at the edges of a particular local area network. Each entity / policy enforcer preferably includes users 206 and a host / network 208 that is managed by the policy enforcer.

Time 220 is another dimension for access control to network resources. When creating the firewall policies, different time objects that cover a specific time range can be created and used.

Similar to resources, network policies are preferably defined as objects for efficient and intuitive definition of policies ned. Policies are defined by the administrators and by the policy enforcers 124 . 126 , in the network traffic between the public Internet 108 and the local networks 102 and 104 enforced.

According to an embodiment variant of the invention comprises a policy object 222 a bandwidth policy 224 , a firewall policy 226 , a management policy 228 and a VPN policy 230 , The VPN policy 230 defines a security policy for the member networks and includes one or more VPN clouds 232 , Every VPN cloud 232 is a single VPN or group of VPNs that define a group of security policies that provide a list of sites 234 and users 236 includes that can communicate with each other. A site is preferably a group of hosts / networks that are physically behind one of the policy enforcers 124 . 126 are arranged. In other words, a location is the definition of a network that includes the policy enforcer associated with it. The policy enforcers for the sites act as VPN tunnel endpoints when the hosts at the sites begin to communicate. These communications are subject to certain rules 238 that are configured for each VPN cloud. The rules 238 Among other things, they can specify VPN access rights and security features, such as the level of encryption and the access authorization used for connectivity at the respective network level.

The object-oriented structure 2 gives network administrators the ability to define policies in an intuitive and comprehensive way. Such policies can be defined by simply assigning resources and policies. This enables a policy-driven management model that gives the administrator the impression that a single logical server provides the firewall, bandwidth management, and VPN services to the entire enterprise. The fact that the policy is enforced via individual policy enforcers in different locations is transparent to the administrator.

III. POLICY-BASED NETWORK ARCHITECTURE

3 is a more detailed schematic block diagram of the policy server 122 according to an embodiment of the invention. The policy server 122 preferably includes a management module 302 , which is the central controller of policy enforcers 124 . 126 , made possible from a single console. The policy server 122 also includes a log collection and archiving module 304 and a policy server report module 316 , The log collection and archiving module 304 collects information about the status and use of resources from policy enforcers 124 . 126 , as well as the management module 302 , and stores them in an archive database 318 , The policy server report module 316 Uses the collected logs and archive data to generate reports in a structured report format.

In terms of the management module 302 , includes the management module 302 preferably four submodules that support the central control, in particular a central management submodule 306 , a policy management submodule 308 , a secure, role-based management submodule 310 and a multi-site connectivity management submodule 312 ,

The central management submodule 306 provides the network administrator with the ability to install and manage individual policy enforcers from a central location. The network administrator preferably uses a web-based graphical user interface to define the policy enforcer's network configuration and to monitor various aspects of the device, such as device status, alarm messages, VPN port status, and the like.

The policy management submodule 308 provides the network administrator with the ability to create policies that include many policy enforcer functional aspects (eg, firewall, bandwidth management, and virtual private networks), multiple resources (eg, users, hosts, services, and time) and multiple policy enforcers.

The secure, role-based management submodule 310 Provides role-based management that allows administrators to delegate administrative functions to other administrators. This sub-module preferably ensures maximum security in terms of accessing the management functions.

The multi-site connectivity management submodule 312 Allows the network administrator to set up secure communication channels between one or more remote sites. This submodule uses the central management submodule 306 , the policy management submodule 308 , the dynamic routing capabilities of Policy Enforcers 124 . 126 and the management infrastructure to provide virtual private networks within the enterprise with detailed access control.

4 is a more detailed schematic of the central policy management submodule 306 according to an embodiment of the invention. The submodule includes a policy server installation wizard 404 who is an interactive User Interface provides assistance in installing the policy server 122 offers. For this purpose, the network administrator has access to a personal computer that has a connection cable, a hub, or the like to the LAN port of the policy server 122 connected. The network administrator connects to the policy server 122 preferably by entering the URL of the policy server 122 into a standard Internet browser, such as Microsoft Internet Explorer. The URL preferably has the following form:
"Http: // <ipaddress>: 88 / index.html", where <ipaddress> is the IP address associated with the policy server, and the IP address is automatically assigned to the policy server if the browser attempts to use it Address When the administrator's personal computer sends an Address Resolution Protocol request for the IP address, the policy server detects that it has a packet on port 88 is not claimed and takes the IP address.

Once the connection is made, the Policy Server Installation Wizard will call 404 the interactive user interface on to the network administrator when setting up the policy server 122 to support. The Policy Server Installation Wizard 404 Among other things, the administrator asks for a server name, an IP address for the server, and an IP address for the router. In addition, the Policy Server Installation Wizard prompts 404 Allow the administrator to select one of several default policies to create default firewall, VPN, bandwidth, and administrator policies. These policies will then be replicated to each new Policy Enforcer attached to the policy server 122 is registered.

The central management submodule 306 also includes a Policy Enforcer installation wizard 406 , which provides an interactive user interface to support the installation of Policy Enforcers 124 . 126 , offers. As with the installation of the policy server 122 , the access to the assistant takes place 406 preferably web-based via the network administrator's personal computer.

Once the connection is made, the Policy Enforcer Installation Wizard prompts 406 the interactive user interface on, the network administrator when setting up a particular policy enforcer 124 . 126 to support. The Policy Enforcer Installation Wizard 464 Among other things, the administrator asks for the IP address of the policy server, the IP address of the policy enforcer, and the IP address of the router. The policy enforcer will then be in the policy server 122 registered by calling the URL in the policy server with its own basic bootstrap information. Registration of the Policy Enforcer enables initialization of the Policy Enforcer database 132 . 134 , with the configuration information as well as monitoring the status and state of the policy enforcer via the policy server 122 ,

Before registering the policy enforcer in the policy server 122 , the network administrator preferably logs the policy enforcer in the policy server. This pre-logon allows you to create a wildcard node in the policy server for policy enforcer data when the policy enforcer actually registers. For this purpose, the central management sub-module includes 306 a configuration interface 410 which allows the pre-registration of a new Policy Enforcer.

5 is an exemplary flowchart for the pre-registration and registration process of a policy enforcer according to an embodiment of the invention. In step 401 The Policy Enforcer connects to the network using the Policy Enforcer Installation Wizard described above 406 installed at its actual, physical location. The network administrator who has the new facility's serial number logs in the policy enforcer by going to step 403 Add a new Policy Enforcer to a device group. For this purpose calls the configuration interface 410 an interactive graphical interface on, as in 6 presented to the network administrator, the device name 415 , the serial number 417 and the location information 419 enter; In addition, the administrator has the option of a device group 421 to select the new Policy Enforcer to belong to. By pressing a button 423 takes the new policy enforcer in step 405 with the policy server 122 Connection by preferably invoking a URL in the policy server. Once connected to the policy server, the new policy enforcer submits the policy server its registration package. The registration package includes at least the new Policy Enforcer serial number and the LAN, WAN, and DMS IP addresses in the Policy Enforcer. In step 407 compares the central management submodule 306 the serial number of the new Policy Enforcer with the list of policy servers 122 pre-registered policy enforcer. If a match is found, the policy server executes 122 the registration process by going in step 409 stores the settings that were set during the installation for the policy enforcer, preferably in a file in the LDAP data exchange format (ldif). In step 411 the file is transmitted to the Policy Enforcer, preferably over an HTTPS channel, by invoking a Common Gateway Interface (CGI) in the Policy Enforcer. The policy enforcer then uses the da tei to step in 413 its configuration database, eg the database 132 . 134 to initialize.

Again referring to 4 includes the central management submodule 306 also a global monitor user interface 402 and a data collection program 412 , each displaying and capturing the state and status of all Policy Enforcers sent by the policy server 122 to get managed. The data acquisition program 412 obtains the state and status information from all the up-and-running policy enforcers it manages, and transmits the relevant information to the global monitor UI. A state agent, which runs as a deamon in all policy enforcers that are regularly monitored, collects the device's data and analyzes its status. The collected data is sent to the policy server 122 when submitted by the data collection program 412 be retrieved.

7 Figure 12 is a screen shot of an exemplary global monitor user interface 402 which displays various types of status and status information. Such information can affect the state of the device, such as system load 712 and network usage information 714 Respectively. The information can also be updated on current alarm messages 716 for the facility, including alarm name, type, description and the like. The information can also look at current VPN connections 718 Include connection type, source / destination, duration, and VPN traffic volume.

Again referring to 3 enables the policy management submodule 308 the policy management of policy enforcers 124 . 126 , As described above, all policy management functions are implemented in the form of resource objects stored in policy databases 130 . 132 . 134 , including users, facilities, hosts, services and time. Preferably, all resources are associated with the default policy settings selected by the administrator during the installation process. The network administrator can centrally view the policies through a graphical user interface provided by the policy management submodule 308 is provided, display, add or modify. This provides a centralized policy management model, giving the administrator the impression that a single logical server provides firewall, bandwidth management, and VPN services to the entire enterprise. The fact that the policy is enforced via individual policy enforcers in different locations is transparent to the administrator.

8th is an exemplary graphical user interface provided by the policy management submodule 308 provided. The interface includes a resource palette 718 which includes a list of resource registers, including a user register 718a , a device register 718b , a host register 718c , a service register 718d and a time register 718e , The resource palette allows the administrator to add and modify resource definitions from a single console.

After selecting the user register 718a the system displays the user groups defined for the system 722 , New users can be added to the group by selecting a specific group and defining the different user attributes such as login name, full name, policy enforcer to which the user is assigned, authorization scheme, password and the like.

After selecting the device tab 718b are various device management icons used to manage the policy server 122 and the policy enforcer 124 . 126 , displayed as in 9 shown. An icon for the policy server system settings 750 provides the network administrator with the ability to set system settings such as LAN or WAN / DMS IP addresses of the policy server 122 to display and change. An icon for Policy Server archive options 752 Allows the specification of reports or other database archive options for the policy server 122 , A global URL blocking icon 754 gives the administrator the option of a list of unauthorized Internet sites 116 to be created by all Policy Enforcers 124 . 126 , the system should be blocked. In the same way, the symbol allows for a global spam list 756 the administrator, a list of all e-mail addresses of spammers 118 to be blocked by all Policy Enforcers.

The administrator can view the information about all Policy Enforcers 124 . 126 , show by the icon 758 selects.

Information about a specific policy enforcer can be obtained by selecting a specific policy enforcer 760 in a particular device group 761 are displayed. Such information includes information about the device settings 762 , Information about URL blocks 764 , Information about the spam list 766 and similar information specific to selected policy enforcers. For example, after selecting the icon for the URL blocking information 764 Policy Enforcer display the various URL categories 768 , the the Network administrator for blocking by the selected policy enforcer.

After selecting the host register 718c the display of various hosts (networks) of the system takes place, as in 10 shown. A host is organized based on its physical location as well as a specific policy enforcer 124 . 126 , assigned. Hosts are assigned to various attributes, including a unique name 770 , an IP address in the network 772 and a subnet mask 774 , In addition, the network administrator can specify whether the host is an external host 776 that belongs to a network that is not owned by the policy server 122 is managed. If it is an external host, the administrator specifies an IP address 778 the external device to which the host belongs. A furnishing field 780 allows the administrator to enter the name of the policy enforcer to which the host belongs. Each host is also a specific group 782 assigned by the administrator.

After selecting the service register 718d The display of various service groups is carried out by the policy server 122 be supported, as in 11 shown. Such service groups include, for example, multimedia streaming / conferencing, information retrieval, security and permissions, e-mail applications, routing applications, database applications, standard communication protocols, and the like. If desired, users can also add new service groups.

Each service is a name 784 , a description 786 and a service type 788 (eg HTTP, HTTPS, FTP, TELNET, SMTP, Real Networks or similar). In addition, each service is a service group 790 assigned. Based on the service type, additional information may also be specified for the service. For example, for an HTTP service, the administrator can specify whether the URL is blocked 792 should be activated.

After selecting the time register 718e the display of different time group symbols takes place 794 that cover the time range that should be used in the firewall policies, as in 12 shown. For example, selecting the icon of a working time group allows the network administrator to enter days and times to be set as working days and times.

Again referring to 8th The interface also includes a policy canvas 720 including a list of policies available in the system. A policy definition is preferably an association of a resource set that is from the resource palette 718 drawn and in the policy canvas 720 can be stored.

After selecting a firewall register 720a will display all firewall policies specified for a particular policy domain, including one or more policy enforcers. The network administrator decides to which domain the policy enforcer should belong during the policy enforcer's pre-registration. The interface gives the administrator the option of different policies from the policy server 122 view, add, and modify changes to the Policy Enforcers 124 . 126 to perform these changes individually to each Policy Enforcer.

According to one embodiment of the invention, each firewall policy comprises a policy identification attribute (ID). 724 to identify a specific policy rule in the list of policies. A number attribute 726 Policy rule specifies the order in which the policy should be applied. For this purpose, the policy enforcer calls 124 . 126 , one at a time for each local network, compares it to network traffic and preferably applies the first rule that corresponds to network traffic.

Each firewall policy also contains a description attribute 728 to describe the firewall policy to be implemented. For example, the description may indicate that the policy allows for saver blocking, URL blocking, VPN key management, and the like. An action tag attribute 730 Indicates whether traffic is allowed or denied for the displayed policy. An active flag attribute 732 Indicates whether the policy has been activated or deactivated. This allows the network administrator to create a policy and enable it at a later time. A deactivated policy preferably has no effect on network traffic.

Each firewall policy also includes a user attribute 734 , a source attribute 736 , a service attribute 738 , a destination attribute (not shown) and a time attribute (not shown). Each of these attributes is preferably represented by a group name or a resource name. The name acts as a pointer to an entry in the group root object 202 or the resource root object of the LDAP database 130 . 132 or 134 ,

The user attribute 734 preferably indicates the user groups and users that can be selected for the policy. The source attribute 736 indicates the origin point in the network traffic that assigned to the user. The service attribute 738 Specifies the services that are released or blocked by the policy. The destination attribute specifies a specific LAN, WAN or DMS segment or specific hosts in which the specified services are allowed or disabled. To configure SMTP POP services on an e-mail server, the host can represent the IP address on which the e-mail server is running, and the specified services are SMTP. The time attribute specifies a time slot in which the policy is effective.

Next The above includes any firewall policy as well Authentication attribute (not shown) representing the authentication scheme for the Policy (e.g., without, LDAP, SecurID, RADIUS, WinNT or all).

14 is a screen shot of an exemplary graphical user interface for adding a new policy policy firewall policy after clicking on the "Add" button 725 , The existing firewall policies can be changed by clicking on the "Change" button 727 or "delete" 729 be changed or deleted.

As in 14 As shown, a new firewall policy can be defined by simply describing the policy in the description area 728a is added by placing the action to be applied to the corresponding network traffic in an action box 730a is selected and in the active area 732a whether the policy should be activated or deactivated. In addition, the network administrator sets users, source, services, destination and time resources in the user area 734a , Source area 736a , Service area 738a , Target area 739a or time range 741 firmly. The network administrator dials in an authentication area 743 also an authentication scheme for the policy. After pressing the OK button 745 The corresponding entries in the LDAP tree of the Policy Server database are changed to reflect the entry of the new policy. The change will also be communicated to the respective policy enforcers, as described in detail below.

Again referring to 8th allows selection of the bandwidth register 720c displaying, adding, and changing various bandwidth policies that determine the type of bandwidth associated with the traffic flowing through a particular policy enforcer. Different bandwidths can be specified for different users, hosts and services.

The selection of the administrative register 720d Allows you to view, add, and modify various management policies that allow the top-level network administrator to delegate administrative responsibility to other administrators. To do this, the top-level network administrator specifies management policies that determine which users have access to which features and facilities. The management policies preferably include attributes similar to the firewall rules, except for the specification of a role attribute. Certain users may be granted additional administrative privileges depending on their role.

IV. VIRTUAL PRIVATE NETWORK WITH AUTOMATIC UPDATING USER REACHABILITY INFORMATION

Again referring to 3 enables the management module to connect multiple sites 312 creating VPNs with dynamic routing, where the VPN member lists are automatically created without static configuration of member information by the network administrator. Therefore, as soon as the administrator configures a VPN over a policy enforcer's LAN to another, the routing protocols, such as RIPv1 or RIPv2, running on LAN interfaces will be aware of the networks reachable through their respective interfaces. These networks then become members of the VPN and the policy enforcers 124 . 126 to create member tables on one side of the VPN by using the known routes. The member information is preferably via the LDAP databases 132 . 134 , between policy enforcers 124 . 126 , exchanged. In this way, the combined use of routing protocols and LDAP allows the creation of VPNs whose member lists are dynamically compiled.

Again in terms of 8th The network administrator configures VPN policies for multi-site connectivity using the resource palette 718 and the policy canvas 720 , After selecting the VPN register 720b in the policy canvas 720 the display shows a selection of VPN clouds 270 that have already been configured for the system, as in 13 shown. As described above, a VPN cloud is a single VPN or group of VPNs for which a security policy can be defined. Each VPN cloud includes a list of the locations of a site node 234 as well as the user of a user node 236 who can communicate with each other. A site is a set of hosts that are physically behind one of the policy enforcers 124 . 126 , are arranged. The policy enforcers for the sites preferably act as VPN tunnel endpoints as the hosts of the sites begin to communicate with each other.

The users in the VPN cloud are the users who have access to the sites 234 assigned hosts. Users access the hosts as VPN clients using the VPN client software installed on each user PC, as described in detail below.

Every VPN cloud 270 also includes a firewall rule node 276 including firewall rules that apply to all connections in the cloud. These rules determine, among other things, the VPN access permissions, the security features, such as the encryption level and the authentication used for network-level connectivity.

The provides hierarchical organization provided by the VPN clouds the network administrator thus the possibility of fully networked Create VPNs, with each location within a VPN cloud over the full Connectivity with all other sites. The network administrator needs not any more Manually configure connection within the VPN, he needs just create a VPN cloud and the sites, users and Specify rules to associate with the VPN. each Connection is then based on the specified for the VPN cloud Configuration made. The hierarchical organization facilitates thus setting up a VPN with a large number of sites.

The network administrator prefers to add a new VPN cloud by clicking the "Add" button. 280 actuated. The policy server then creates it 122 automatically the location node 272 , the user node 274 and the rule node 276 for the VPN cloud. The administrator then specifies the locations and users in the VPN.

According to one embodiment of the invention, the rule node comprises 276 initially a VPN default rule 278 according to the policy settings made by the network administrator during policy server setup 122 has selected. The VPN default rule 278 allows unrestricted access to the hosts in the VPN.

The administrator can implement access control within the VPN cloud by following the default rule 278 deletes and sets specific firewall rules for the VPN. Such firewall rules allow the administrator to provide detailed access control for traffic within the VPN as part of the encrypted access provided by such a VPN. The firewall rules are applied to the plaintext packet after it has been decrypted, or before it is encrypted.

According to one embodiment of the invention, the administrator selects the default rule 278 to make such changes to the default rule. After selecting the default rule, a graphical user interface is invoked, similar to the one in 8th shown. The network administrator defines detailed access rules for the VPN by defining the firewall rules that apply to the VPN. The parameters in these firewall rules are preferably identical to the general firewall rules defined in 8th are shown.

Once a VPN cloud has been configured, it will be used by the policy enforcers 124 . 126 , dynamically create VPN member information on the network. For this purpose, each VPN site includes a register that identifies the hosts associated with that site. At run time, the policy enforcers arrange 124 . 126 For each location, assign IP addresses to the registry by identifying the hosts at each site. In this way, the IP addresses can be determined dynamically without the need for a static configuration of the IP addresses.

To When creating the member tables, changes in the routing information are recorded and the policy enforcers of the members using a publish-subscribe procedure reported. The actual changes are retrieved from the Policy Enforcer by the LDAP database queries the respective network, the changed routing information equivalent.

15 is a schematic block diagram of the policy enforcers 124 . 126 at the opposite ends of a VPN tunnel, updating their respective routing information. As in 15 Each policy enforcer includes 124 . 126 , a gate module 252 . 261 , which is configured as a daemon to run one or more routing protocols to exchange links in the network. Such routing protocols may include RIPv1, RIPv2, OSPF, and the like.

If a network administrator does that with the Policy Enforcer 124 connected local network 102 To add a new route, the administrator reports the new route in step 241 in the gate module 252 of the policy enforcer 124 at. This is typically done by configuring a downstream in the Policy Enforcer for an additional network. This information is then passed through standard routing protocols to the gate module 252 of the policy enforcer 124 forwarded. The policy server 122 For example, the new route can be the Policy Enforcer 124 announce to which the new route should be assigned. For example, the route may be based on an LDAP statement such as For example, specify "LAN_Group @ PR1" which specifies a new path between policy enforcer PR1 and a LAN named LAN_Group 242 saves the gate module 252 the new track in a kernel 253 Policy Enforcer, including a VPN driver 254 so that the policy enforcer can correctly forward the corresponding messages about the new route. In addition, the gate module writes 252 the new route in step 243 in his LDAP database 132 ,

The gate module 252 sends the name of the new route in step 244 to a Distinguished Name Monitor (DN) monitor 255 which is configured to handle the updates in the LDAP database 132 to monitor. The DN monitor in turn informs in step 245a and 245b a VPN daemon 256 and a PDP machine (Policy Deployment Point) 257 about the change in the LDAP database 132 , The PDP engine then updates the modules that enforce the policies with the change.

In step 246 uses the VPN daemon 256 the route name to access the LDAP database 132 to get the full route information, a list of all VPNs to which the new route belongs, and a list of all the other policy routers connected to those VPNs. In step 247 transmits the VPN daemon 256 the new route name to all other policy routers.

If the policy router 126 a new route name from the policy router 124 receives his network daemon attacks 258 in step 248 to the LDAP database 132 in the Send Policy Router 124 to get the complete new route information. If the new route belongs to more than one VPN and has different parameters for the various VPNs, the routers in the various VPNs assign the various information to the respective VPNs.

In step 249 writes the network daemon 258 the received new route information into its own LDAP database 134 and forwards it to its own DN monitor module. As in the Send Policy Router 124 transmits the DN monitor module 259 in the receive policy router 126 the new route information to his PDP machine 260 to update its kernel 265 with the current changes.

Even though 15 With regard to the extension of a policy enforcer and its associated VPNs by a new route, it will be obvious to those skilled in the art that the essentially same techniques are also used to delete a link (for example, if a network component becomes inoperable or incapable of communication). or to change a route (the policy router can detect if a route already exists in another form and simply override it). In this way, the VPN system or systems can dynamically maintain the routing information between their policy enforcers with minimal system administrator work.

V. VIRTUAL PRIVATE NETWORK WITH AUTOMATIC UPDATING CLIENT REACHABILITY INFORMATION

Remote users communicate over the public Internet 108 with the others, behind the policy enforcers 124 . 126 , arranged members of the VPN after they have provided their respective credentials. These remote users have as VPN clients 140 access to private networks using VPN client software. According to an embodiment of the invention, the system provides the remote user with the ability to download a self-extracting program file that, after execution, installs both the VPN client software and the VPN reachability information unique to the remote user in the remote user terminal.

Each policy enforcer 124 . 126 , preferably includes a copy of the VPN client software self-extracting executable, including a setup program and the VPN reachability configuration template. With the help of the setup program, the VPN client software can be installed on the VPN client 140 be installed. When downloading the self-extracting executable, the configuration template is replaced with the VPN reachability information specific to the downloading user.

According to another embodiment of the invention, the system provides the VPN client 140 the ability to download a self-extracting executable that installs, after execution, only the VPN reachability information that is unique to the user. According to this embodiment, the VPN client software is already on the VPN client 140 Installed. In this scenario, the setup program allows the installation of the reachability information specific to the downloading user to the VPN client 140 ,

According to a third embodiment of the invention, the system provides the VPN client 140 the ability to view the VPN availability information automatically download each time you connect to the Policy Enforcer 124 . 126 , will be produced. In this way, the VPN reachability information is for each VPN client 140 always up to date. Once a VPN session is established, the connection between the VPN client applies 140 and the policy enforcer already considered safe. The VPN client preferably performs a Common Gateway Interface (CGI) query on a Web server running on the Policy Enforcer and downloads the current VPN reachability information from the corresponding LDAP database.

16 is a block diagram of the components in a self-extracting program file 290 according to an embodiment of the invention. The self-extracting program file 290 can be created using standard tools such as INSTALLSHIELD EXEBUILDER from InstallShield Software Corporation of Schaumburg, Illinois.

The self-extracting program file 290 preferably includes an executable setup file 292 to install the VPN client software and / or the VPN configuration information. The setup file 292 preferably forms the static portion 298 the self-extracting executable because this information does not change depending on the downloading VPN client. The self-extracting program file 290 also includes VPN configuration file templates for the VPN reachability information 294 and shared key information 296 of the VPN client. The VPN reachability information 294 and the common key information 296 of the VPN client preferably form the dynamic share 299 the self-extracting program file 290 because this information varies depending on the downloading VPN client. The self-extracting program file 290 will then be used as a template file in the policy enforcer 124 . 126 , stored and can then be downloaded by the remote users.

17 is a block diagram for downloading the self-extracting program file 290 out 16 according to an embodiment of the invention. In step 320 creates a new VPN client 140 First, a secure connection session with the policy enforcer 124 . 126 to the self-extracting program file 290 download. This is preferably done by means of an HTTPS protocol session in the web browser of the VPN client or the like. In step 322 and 324 The policy enforcers use the VPN client to perform an authentication procedure in which the policy enforcer queries the username and password and the VPN client provides this information. In step 326 The Policy Enforcer compares the information supplied with the entries in its VPN client database 328 , If the information is correct, the policy enforcer will find appropriate shared keys for the user, and determine in step 330 and the VPN reachability information of the client from a VPN configuration database 332 , The VPN client database 328 and the VPN configuration database 332 can be part of a single LDAP database 312 . 314 be saved by Policy Enforcer 124 . 126 , or they can each be separate LDAP databases.

In step 334 the policy enforcer replaces the dynamic share 299 the self-extracting program file 290 by the VPN reachability information and the shared key that is unique to the VPN client. The newly generated, self-extracting program file will then be in step 336 on the VPN client 140 downloaded. When the program file is running, it either installs the VPN client software and / or the VPN reachability information.

Similar Techniques can also to download a new and updated copy of the VPN configuration information be used on the VPN client, always when the client connects to the Policy Enforcer and requests a session key. In addition, can the user will receive the latest configuration of the VPN network by he explicitly requests this information from the Policy Enforcer. On This way, the VPN client does not have to be updated every time on the VPN reachability information, new be installed and configured.

VI. INTEGRATED POLICY ENFORCER

According to one embodiment of the invention, the functions of the policy enforcers 124 . 126 , to enforce the policy for the efficient implementation of the hardware. However, it will be obvious to those skilled in the art that some or all of the functions may be implemented in software, hardware, or various combinations thereof.

18 is a block diagram of the policy enforcer 124 . 126 in which the division of the various functions according to an embodiment of the invention is shown. The Policy Enforcer includes an Internet Protocol Security (IPSec) machine 502 to perform the security and authentication functions, for example to implement virtual private networks. A data stream table 506 assembles the packets that pass the policy enforcer into data streams. A protocol classification engine 508 decodes the protocols that are used in forwarding the packets. A policy engine enforces the policies on the packets based on the policy settings that are in the policy database 132 . 134 , are stored. A packet forwarding module 504 receives packets from the public Internet through the router 110 and cache the packets, forward them, or delete them based on enforced policies. A bandwidth management module 514 Ensures bandwidth shaping services for the packets that are routed based on the bandwidth settings that are in the policy database 132 . 134 , are stored.

In practice, there will be an incoming packet with the data stream table 506 compared to determine if a matching entry already exists in the table. If not, a new entry will be added. The data stream table preferably includes enough portions of the packet to uniquely identify a data stream. For example, when enforcing policies for IP-level three to IP-level four traffic, the stream table can store the source IP, destination IP, source port, destination port, and log number of the incoming packet.

The protocol classification engine 508 takes the new data stream and generates a detailed protocol decoding for the stream. Then, the policy rules to be applied to the data stream are in the policy engine 510 queried. Based on the policy rules used by the policy engine 510 the packet forwarding module processes 504 , the IPSec machine 502 and / or the bandwidth management module 514 the data streams accordingly. Processing may be recursive until all actions have been taken on the packets in the data stream specified in the policy rules that apply to them.

The policy enforcer also includes a statistics module 512 to generate statistics for the packets that are routed through the local network, as well as other status and resource usage information, and store them in logs and archives to be sent to the policy server 122 , According to an embodiment variant of the invention, the statistics module leads 512 running byte counts on the packets passing through the network 102 . 104 , to get redirected. These byte counts can be automatically sorted by class, based on specific resources (such as users, hosts, services), bytes blocked by the policies, or exceptions, such as firewall policies. For this purpose maintains the statistics module 512 in a cache, a status table containing a list of resources involved in the individual firewall-enabled connections. For each packet forwarded in the connection, the statistics module performs a packet and byte count for each of the resources in the list. The statistics module 512 then passes the structured information to the policy server 122 Next, the information is entered directly into tables, which are organized according to specific classes and are deleted regularly.

19 is a more detailed block diagram of the policy engine 510 according to an embodiment of the invention. The policy machine 510 includes a policy query table 602 , which acts as a queue for all policy decision queries. For this purpose, the portion of the packet that matches the information contained in the data stream table 506 stored, the policy machine 510 presented in the form of a policy query. The policy query is then queued for the Policy Query Table 602 set.

A resource machine 604 Maintains an up-to-date mapping of resource group names relative to member mapping. A database buffer for policy rules 608 saves a current policy rule set by the policy engine 510 should be applied. The in the buffer 608 stored policy rules are preferably in the group-based original rule specification format. The buffer 608 therefore stores a rule created for a group in its group-based form, instead of instantiating a rule for each member of the group.

A decision machine 606 includes logic to handle the incoming policy decision requests in the policy query table 602 by matching the policy rule set in the policy rule database buffer 608 based on the current member information provided by the resource machine 604 to be delivered. The relevant group-based rule that matches the traffic is identified and data bits are set in the stream table to implement the appropriate actions. The decision bits therefore represent the set of actions to be performed on the packets of the data stream. All packets that match the data stream are then processed based on these decision bits. The decision engine may also set an access control list (ACL), including a rule set that enables / disables traffic, a DiffServ standard to ensure quality of service quality for the traffic, and / or VPN implementation information.

20 is a more detailed block diagram of the protocol classification engine 508 according to egg ner embodiment of the invention. As in 20 includes the protocol classification engine 508 a data stream unit 702 , a data stream sliding window 704 , an ASN.1 block 706 , a Protocol Classification Status Machine 708 and a protocol definition signature database 710 , The data stream unit 702 Extracts and reassembles the data portion of an incoming packet stream and stores it in the stream flipping window 704 from. The data stream sliding window preferably follows FIFO protocols. The ASN.1 decoder decodes the data stream, if necessary, using standard ASN.1 encoding / decoding standards. The protocol classification state machine 708 then resembles the fully reassembled and decoded data with the log definition signature database 710 from. This database 710 preferably includes a mapping of the protocol names with the data patterns found in the data stream. The matched protocol is then sent to the data stream table 506 returned.

Thus, the protocol classification engine provides 508 a comprehensive protocol decoding and packet classification for level three through level seven, including the complete identification of dynamic data streams through the use of a dynamically updated signature database compiled on the basis of script protocol definitions. If new protocols are defined in the future and / or users create their own individual applications with individual protocols, it may be necessary to add a recognition of these protocols to the protocol classification engine. The described protocol classification engine architecture allows such extensions by simply adding the new script definition of the new protocol to the classification engine, without having to change the design each time a new protocol is added. This ensures the support of individual protocols and the future extensibility of protocols.

21 is a more detailed block diagram of the IPSec machine 502 according to an embodiment of the invention. As in 21 shown includes the IPSec machine 502 a pseudo-random number generator (PRNG) function 802 for generating random numbers used to generate encryption keys using well-known methods. A Diffie Hellman 804 as well as an RSA block 812 implement the appropriate asymmetric public encryption / decryption / signature algorithms also known to those skilled in the art. An IKE block 806 communicates with an IPSec SA table 808 to implement ISAKMP / Oakley (IKE) standard code exchange protocols. An encryption transcoding block 814 implements the standard symmetric encryption / decryption algorithms. An IPSec encapsulation / decapsulation block 810 performs standard encapsulation / decapsulation functions. Accordingly, the IPSec machine offers 502 a mature, standards-based IKE / IPSec implementation that supports public code certificates and the necessary encryption and decryption capabilities for packet forwarding through the private local area networks 102 . 104 , offers.

VII. NETWORK POLICY PROTOCOLS AND STATISTICS SETUP

Again in terms of 3 Collects the log collection and archiving module 304 the information about the status and use of resources by the policy enforcers 124 . 126 , as well as the management module 302 and saves them in the archive database 318 from. The policy server report module 316 then uses the captured logs and archives to create reports in a structured report format.

According to one embodiment of the invention, each policy enforcer maintains 124 . 126 , a log file containing information about the flow of traffic through the policy enforcers and the status and use of the resources associated with the policy enforcer. All log files conform to a predefined, common log format, which is preferably designed to create compact logs.

22 is a schematic representation of such a protocol format according to an embodiment of the invention. Each log entry includes a timestamp 820 in the format yyyymmddhhmmss, which specifies the year, month, hour, minute, and second when the log entry was created. A service field 822 Specifies the service type used by the policy enforcer 124 . 126 , is provided. Such services include VPN, FTP, Telnet, HTTP, packet filtering, bandwidth, and the like. Each log entry also contains source IP address and port 824 indicating the source from which a packet was received and destination IP address and port 826 that specify the destination to which the package was submitted.

A user ID field 828 indicates the user who submits the package. The user ID can be an entry in the LDAP database 130 . 132 or 134 , to be assigned to receive further information about the user.

A status field 830 indicates the status of an operation and may include a result code, an error code, and the like. For a package fil ter service, the status field may include, for example, the result code "p" if the packet could pass, or "b" if the packet was blocked.

An operation field 832 contains codes for the operation type offered by the service. Operations for a VPN service may include, for example, sending packets and receiving packets. Operations for an FTP service may include GET and PUT operations. Operations for an HTTP service may include GET and POST operations.

In addition to the above, each log entry includes an in bytes field 832 that specifies the number of bytes the Policy Enforcer received as a result of an operation and an Out Bytes field 834 that specifies the number of bytes submitted by the policy enforcer. It is also in a permanent field 836 the duration (eg in seconds) of the operation specified.

Certain Fields can in certain log entries be left free if you are looking for a particular service, such as FTP download. If there is no outgoing traffic, the Out Bytes field will be released. Furthermore you can dependent on additional fields are inserted by the type of service being logged. For example, an HTTP operation becomes the URL that is accessed is also recorded in the log entry. The additional Fields are preferably at the end of the standard log format attached.

Of the Professional will certainly recognize that adding, deleting and other types of changes can be done in protocol format, as long as the log format for All Policy Enforcers are the same and aim to have compact protocols to create.

The policy enforcers 124 . 126 Created log files are sent to the policy server based on the archive options specified by the policy server 122 transfer. To do this, the network administrator specifies a maximum size for the logs that are created by the policy enforcers by selecting the policy server archive option 752 out 9 , If the log file exceeds the specified size, it will be sent to the policy server 122 sent. Preferably, the logs are sent to the policy server at least once a day 122 even if the maximum size has not been exceeded. The logs can also be archived locally in the Policy Enforcer if so designated by the network administrator.

Once the policy server 122 When the logs are received, they are stored in the archive database 318 stored, preferably in the form of an SQL database. The policy server report module 316 queries this database for reports for each policy enforcer 124 . 126 , to create. In addition, the logs can be exported in a format that can be interpreted by commercial products such as WEBTRENDS, a product of WebTrends Corporation of Portland, Oregon.

The report module 316 Reports created include usage reports for the various resources, such as policy enforcers, users, services, hosts, and VPNs. For example, these reports can include VPN overviews, bandwidth overviews, packet filter reports, and the like for each policy enforcer.

The reports preferably indicate the use of all resources over a period of time. Start and end times for the report can be specified by the user. The user can also set the time dimension or resource dimension to display specific times and specific resources. For example, when creating the packet filter reports, the user can specify a start and an end time, the source IP address, the source port, the destination IP address, and the destination port. All packages that meet these criteria are then removed from the archive database 318 and displayed in a package report.

VIII. METHOD OF SELECTIVE LDAP DATA BANKS SYNCHRONIZATION

According to one embodiment of the invention, the databases are 130 . 132 . 134 , in the single policy management system 1 LDAP databases that store policy management information, including policies for firewall, VPNs, bandwidth, management, user records, network logs, services, and the like. As described above, the LDAP directory service model is based on the entries, where each entry represents a collection of attributes. The entries are arranged in a tree structure, which depends on the geographical and organizational structure. The entries are marked with a unique name (DN) according to their position in the hierarchy.

The policy server 122 preferably stores the policy management information for all policy enforcers in the policy server database 130 , This information is in the database 130 organized in the form of one or more DNs with the corresponding attributes. The correspond The shares of the policy server database are then stored in the policy enforcer databases 132 . 134 , copied.

23 is a block diagram of an LDAP tree that is an LDAP root 265 and a variety of branches 264 . 266 . 268 . 270 , includes. According to one example, the policy server maintains 122 in the policy server database 130 branches, 264 and 266 , with policy management information for all Policy Enforcers 124 . 126 , Each policy enforcer 124 . 126 , also cultivates shares of branches 264 and or 266 in the respective policy enforcer databases 132 . 134 , as sub-branches of the policy server database 130 , The shares of each policy enforcer 124 . 126 , maintained branches preferably refer to configuration information for this policy enforcer as well as some additional information about the other policy enforcers. This additional information is used to communicate with the other policy enforcers.

The policy server 122 can also do the branch 268 with storage information used only by the applications running on the server and the other policy enforcers 124 . 126 , not available. Similarly, the policy enforcers 124 . 126 , a share of the branch 268 maintain information that is only used by the applications on the policy enforcers and unavailable to others. Typically, those in branch 268 stored data is dynamically generated and used by the applications running on the corresponding server or agent.

branch 270 is preferably only for the policy server database 130 is included in the LDAP tree and stores the logged policy management changes sent to the Policy Enforcer 124 . 126 can be forwarded. Such changes include, for example, adding, deleting, or changing a user for a device, VPN cloud, bandwidth policy, or firewall policy that are made by the network administrator through the various graphical user interfaces described above. Such changes result in an update of the policy database 130 where the corresponding DN is added, deleted or changed to the LDAP tree. The policy server 122 also creates a log of the changes and saves them in branch 270 for later distribution to the policy enforcers 124 . 126 ,

24 is a more detailed block diagram of branch 270 the LDAP tree 23 , The LDAP root 265 includes an ApplyLog entry 270a which in turn is a user log entry 270b and a device log entry 270c includes. The user log entries include specific administrator log entries associated with specific DNs 270d that reflects the changes made by the respective administrators. The device log entry 270c includes specific device log entries containing specific DNs 270e that reflect the changes made to the respective policy enforcers 124 . 126 , to be distributed. Preferably, the changes made by the administrators after pressing the "Apply" button, such as the in 6 displayed button "Apply" 417 to the policy enforcers 124 . 126 , forwarded.

25 Figure 3 is a flow chart for logging and forwarding the LDAP changes to policy enforcers according to an embodiment of the invention. In step 420 A specific network administrator makes a change to a policy setting. According to one example, the administrator is the administrator "adm" working in the domain "domain1" and the change is adding a new user for a device.

In step 422 is the change made by the administrator in the policy server database 130 implemented. For this purpose, the branches 264 and 266 Modified the LDAP tree to reflect the policy setting change. Additionally, the policy server creates 122 in step 424 a log of changes for the administrator for later processing and shipment to the appropriate policy agent. In step 426 updates the policy server 122 the log of the administrator 270d to reflect the change. In the above example and as shown in FIG 24 the created protocol is called "A_L1" and the policy server 122 updated DN 270d for "adm" in "domain1" to get an "Apply" attribute 270f create the value "A_L1" 270g having. Other changes made by the administrator are recorded in separate logs (eg "A_L2", "A_L3") and to the existing value of the Apply attribute in the administrator log DN 270d attached.

In step 428 checks the policy server 122 whether the changes made by the administrator to the appropriate policy enforcers 124 . 126 , should be forwarded. As discussed above, it is preferred that the changes be forwarded upon actuation of the "Apply" button on the administrator's graphical user interface.

When the "Apply" button has been pressed en, creates the policy server in step 430 a log for each policy enforcer to whom the change should be submitted. For this purpose, the policy server is detected 122 Any changes made by the administrator in the values 270g . 270h the Apply attribute 270f the administrator's log DN 270d are included.

These changes are processed for each policy enforcer that belongs to the administrator's domain. This processing preferably includes reading out the relevant changes and the corresponding change of DNs for the Policy Enforcer LDAP. Such changes may be due, for example, to differences in the tree structures in the policy server database 130 and Policy Enforcer databases 132 . 134 , to be required. For example, a change in the admin protocol may include a DN that specifies the domain name of the policy enforcer. Applying this change to the policy enforcer does not specify the domain name in the DN because the Policy Enforcer tree does not contain a domain name.

The appropriate changes made to each Policy Enforcer's LDAP are then stored in a device log. The log DNs of all policy enforcers 270e will then be adapted to the change and sent to the respective policy enforcer. In the above example and as shown in FIG 24 the created device protocol is called "PE_L1", the policy server 122 updates the DN 270e for the respective policy enforcer "PE1" in "domain1" to an "Apply" attribute 270i create the value "PE_L1" 270j having.

In step 432 becomes the Apply attribute 270f for the administrator log DN 270d deleted from the LDAP tree. In step 434 will be the changes read out for each Policy Enforcer in the values 270j and 270k the Apply attribute 270i Policy Enforcer Protocol DN 270e to the Policy Enforcer to update its database 132 . 134 , transmitted. The changes are preferably sent over the HTTPS channel to the policy enforcers.

In step 436 checks the policy server 122 whether the updates were successful. The policy server waits for this purpose 122 until it receives confirmation from the Policy Enforcer that the updates have been successfully completed. After a positive response from the policy enforcer, the policy server deletes 122 the Apply attribute 270e from the policy DN of the policy enforcer 270e , However, if the update was unsuccessful (for example, because the Policy Enforcer was down), the Apply log will be resent the next time another Apply function is called. Alternatively, the failed policy enforcer submits a request to the policy server 122 on the log of unimplemented changes as soon as it is back online (eg after a reboot).

IX. STATUS TRANSITION PROTOCOL FOR HIGHLY AVAILABLE UNITS

According to one embodiment of the invention, the policy server 122 , the policy enforcers 124 . 126 , as well as other network devices, are configured for high availability by having a spare unit in addition to the primary unit.

26 is a schematic block diagram of a high availability system consisting of a primary unit 902 and a reserve unit 904 , The two units, 902 and 904 , communicate with each other by using the parallel ports 906a . 906b and a cable 908 Exchange heartbeats. In these parallel connections 906a . 906b , as well as the cable 908 these are conventional components that are commonly available in the art.

The primary unit 902 and the reserve unit 904 are each in a similar way with the other components 910 . 912 . 914 , about the connections 920a . 920b . 922a . 922b . 924a , respectively. 924b , connected. With these components 910 . 912 . 914 , may be hubs, switches, connectors or the like. As the primary unit 902 and the reserve unit 904 ensure similar services and functions and can be used interchangeable, each unit is preferably with the same components 910 . 912 . 914 , connected.

The parallel connection cable 908 is preferably a conventional LAP interconnect cable designed to connect two parallel ports and communicate with one another. The primary unit 902 and the reserve unit 904 preferably communicate via TCP packets over the highly available ports 906a . 906b , together. Preferably, a point-to-point connection exists between the primary unit 902 and the reserve unit 904 over the highly available connections 906a . 906b ,

Preferably, the primary unit 902 responsible for checking the status of their network connections for faults or failures. If the primary unit 902 For example, it detects that one of its network connections is not ready for operation, eg connection 922a , checks the primary unit 902 whether the corresponding connection 922b in the reserve unit 904 is ready for use. After finding that the corresponding port 922 in the reserve unit 904 is ready, sends the primary unit 902 a request to the reserve unit 904 to adopt the system functions as an active entity. The primary unit 902 then gives up its role as an active unit, shuts itself off and allows the reserve unit 904 , the tasks of the primary unit 902 to take over. If the primary unit 902 resumes operation receives the reserve unit 904 a request from the primary unit 902 to give up her role as an active entity.

If the primary unit 902 is active and does not detect any faults at its connections, it permanently checks the fault-tolerant connection 906a to the status of the reserve unit 904 to monitor. The primary unit 902 checks the fault-tolerant connection 906a to signals from the reserve unit 904 , If the reserve unit 904 is switched on and running, it connects to the primary unit 902 ago. Once the connection is made, the reserve unit starts 904 with the sending of heartbeats to the primary unit 902 , The reserve unit 904 continuously sends heartbeats to the primary unit at predefined intervals 902 , According to one embodiment of the invention, the reserve unit sends 904 a "Keep Alive @" packet once per second, including a KEEP_ALIVE command to the primary unit 902 ,

The primary unit 902 responds to the "Keep Alive" packet by modifying the command field of the packet into a KEEP_ALIVE_RESP command and returning the packet to the sender 904 over a predefined period of time (eg one second) no response to the "Keep Alive" packet from the primary unit 902 receives, the reserve unit begins 904 to prepare for taking on the active role. The predefined time period should preferably not be longer than two consecutive "keep alive" packets.

After taking over the role as active unit, the reserve unit tries 904 at regular intervals, reconnect to the primary unit 902 to determine whether the malfunction or failure of the primary unit has been remedied. If the fault or failure has been rectified, the reserve unit indicates 904 the control to the primary unit 902 after resetting the IP addresses of all network interface cards to the appropriate value.

In situations where the reserve unit 904 the active role of the primary unit 902 a warning / alarm message is sent to the network administrator in which this change is displayed. If the primary unit 902 no more heartbeats from the reserve unit 904 A warning / alarm message is also sent to the network administrator indicating that the backup unit has failed.

It may occur the situation in which both the primary unit 902 as well as the reserve unit 904 are fully functional and the reserve unit 904 still want to take the active role. In this case, the reserve unit transmits a shutdown command to the primary unit 902 which then gives the control. The reserve unit 904 continues its role as an active unit until the primary unit 902 a request to the reserve unit 904 to give up her active role.

According to one embodiment of the invention, the initial protocol for determining the status of each fault-tolerant unit as a primary, standby or stand-alone unit is based on a self-test method. 27 FIG. 10 is a flowchart of an exemplary status determination process according to an embodiment of the invention. FIG. In step 930 A first highly available unit (unit X), which has not yet definitively determined its status as primary or reserve unit, moves up and takes over in step 932 the role of a reserve unit. In step 934 Unit X searches the network for a primary unit and asks in step 936 on whether a primary unit has been detected. If the answer is YES, unit X will attempt to connect to the primary unit. If this is successfully established, unit X will initialize in step 938 as reserve unit. However, if unit X does not capture a primary unit, unit X takes over in step 940 the role of the primary unit.

In step 942 Unit X searches the network for a reserve unit. If a reserve unit is detected, as in step 944 requested, unit X connects to the reserve unit and initializes in step 946 as a primary unit. However, if unit X does not detect any other units in the network within a predefined period of time, unit X will initialize in step 948 as a standalone unit.

Once the primary and secondary units have been initialized, the primary unit configuration changes are also communicated to the reserve unit to synchronize the two units. The configuration information is preferably stored in an LDAP database, such as the central policy server database 130 or a policy agent database, 124 . 126 , saved.

28 FIG. 10 is a flow chart of a process for synchronizing the configuration information of the primary and spare units. In step 950 moves the primary unit up and in step 952 she records the reserve unit. In step 954 receives the reserve unit, the information about the configuration changes from the primary unit, if it is functional. Otherwise, the network administrator will enter the configuration changes directly into the reserve unit. If the configuration changes are to be transmitted to the primary unit, the primary unit notifies the standby unit if configuration changes occur in the primary unit. The changes are then transmitted to the reserve unit and implemented. The reserve unit, in turn, transmits the status of transmission and conversion back to the primary unit.

In step 956 the primary unit is checked to determine if it is functional. If this is the case, the primary unit is updated equally with the configuration change. If, however, the primary unit does not function, the reserve unit takes over the active role and becomes in step 958 to the active unit. The primary unit may become inoperative due to CPU, network interface card, or power failure and become inactive.

In step 960 the reserve unit marks the changes to be transmitted to the primary unit as soon as the primary unit becomes operational. As soon as the primary unit becomes operational, the primary unit is updated with the changes marked by the reserve unit as in step 962 shown.

According to one variant The invention will be software updates in the primary and the reserve unit also synchronized to the primary and the To update reserve unit serially in a single cycle, without having to perform several update cycles. The network administrator must therefore do its work to update the reserve unit Do not duplicate with the same information as the primary unit.

29 Figure 10 is an exemplary flowchart for updating the primary and reserve units when both are operational. In step 970 For example, an update, such as a software update not stored in the LDAP databases, is sent / transmitted to the primary unit by a management station accessible to the network administrator. The primary unit then updates in step 972 yourself. In step 974 the primary unit automatically sends / transmits the update information to the reserve unit. In step 976 itself updates the reserve unit with the update information received from the primary unit.

30 is an exemplary flowchart for updating the primary and backup units when the primary unit is not functional. In step 978 the primary unit becomes inoperable and in step 980 the network administrator sends / transmits an update directly to the reserve unit instead of to the primary unit. In step 982 itself updates the reserve unit with the information it has received from the management station and waits until the primary unit becomes operational again. As soon as the primary unit becomes operational, the update in step 986 automatically sent / communicated to the primary unit for updating. The primary unit updates in step 988 even.

Even though the present invention in detail with reference to the preferred Embodiments described it is for, it is for The expert certainly understands that the various changes and modifications made to the examples described herein can be.

The uniform policy management system 1 For example, it should be considered as an example rather than a limitation. It will be obvious to those skilled in the art, after reviewing the present invention, that numerous alternative configurations are possible. For example, additional networks with policy enforcers or no additional networks may be present. Likewise, the policy enforcers do not necessarily have to access the policy server over the Internet, but can connect using other means, such as WAN, MAN, etc. In short, the number and type of users and resources within and outside the organization can vary significantly without exceeding the scope of the present invention.

Legends to the pictures

1

• Policy Enforcer - Policy Enforcer
• Policy Server - Policy Server
• Public Internet - Public Internet
• Router - router
• Web server - Web server

2

• Admin. Groups - Administrator Groups
• Admin. Policies - Administrator Policies
• Administrators - Administrators
• Alarms - alarm messages
• Alternate DMZ - Alternating DMZ
• Alternate LAN - Alternating LAN LAN
• Archives - Archives
• Authentication - Authentication
• Bandwidth - Bandwidth
• Certs - Certifications
• Config. - Configuration
• Control - control
• Custom - Individual
• Device device
• Device Group - Device Group
• Dimensions - dimensions
• Direct Proxy - Direct proxy
• Dynamic Routes - Dynamic stretch
• FW Policy - Firewall policy
• Global Info - Global information
• Group Root - Group Root
• Host - host
• Host Group - Host Group
• License approval
• MO - administrative organization
• Nat - National
• Nat Pool - National pool
• Networks - Networks
• Policy Server - Policy Server
• Policy Server Domain - Domain of the policy server
• Priv. Key - Priv. key
• Proxy Port - Proxy Port
• Resource Root - resource source
• Routes - routes
• Rules - Rules
• Service - Service
• Service Group - Service Group
• Sites - Locations
• SNMP Settings - SNMP Settings
• Thresholds - limits
• Time - time
• User - User
• User Group - User Group
• Video Nat - Video, national
• VPN Clouds - VPN Clouds
• Weights - Weights

3

• Administrator - Administrator
• Centralized Management - Central administration
• Log Collecting and Archiving - Log collection and archiving
• Multi-site connectivity management - management of connectivity with multiple locations
• Policy Management - Policy Management
• Policy Server Reports - Policy Server Reports
• Secure Role Based Management - Secure, role-based administration

4

• Administrator - Administrator
• Configuration Interface - Configuration Interface
• Data Collector - Data Acquisition
• Global Monitor UI - Global Monitor UI
• Policy Server Install - Installation of the policy server
• Poliy Enforcer Install - Installation of the policy enforcer

5

• Start - Start
• Install and Connect Device to Network - Install the device and use the Connect network
• Add Device to Device Groupe - Add a device to a device group
• Transmit Registration Packet - submit registration package
• Serial NO. Matched - match the serial numbers
• Yes Yes
• No - no
• Package Settings for Policy Enforcer - Policy Enforcer package settings
• Transfer File to Policy Enforcer - Send file to Policy Enforcer
• Initialize Configuration Database - Initialize configuration database
• End - end

6 & 7

• Add New Device - Add new device
• Address Address
• Admin. - Administrator
• Alarms - alarm messages
• All - All
• All Devices - All equipment
• All Devices' Status - Status all devices
• Applet Viewer: Presentation Mainmenu - Applet Viewer: Appearance of the main menu
• Apply - Apply
• Attached Device Group - Associated Device Group
• Back - Back
• Bandwidth - Bandwidth
• Cancel - Cancel
• Description - Description
• Device Explored - Edited device
• Device Name - Device Name (Boston)
• Device Serial Number - serial number of the device
• East Coast Device Group - Device Group East Coast
• Edit - Edit
• Favorites - Favorites
• File - File
• Forward - Next
• Global Monitor Explored - Edited general monitor
• Global Spam List - General Spam list
• Global URL Blocking - General URL blocking
• Go - Go to
• Help - Help
• Left - Left
• Location - location
• Manager - Manage
• Monitor - Monitor
• Name - name
• Network - Network
• Network Status - Network Status
• OK - confirm
• Policy Server - Policy Server
• Policy Server Archive Options - policy server archive options
• Policy Server System Settings - Policy Server System Settings
• Registered - Registered
• Remove - Delete
• Reports - Reports
• Reset - Reset
• Stop - stop
• System Load - System utilization
• Time - time
• UITeam - UI team
• Up / Down - Next / Back
• View - view
• VPN Connections - VPN connections

8th

• Manager - Manage
• Monitor - Monitor
• Reports - Reports
• Admin. - Administrator
• Apply - Apply
• Help - Help
• User Explored - Edited user
• All - All
• Admin User - Administrator User
• Sales and Marketing - Sales and marketing
• Finance - Finance
• Manufacturing - Production
• Customer Service - Customer Service
• Engineering - Development
• Mobile Users - Mobile user
• Partners - Partners
• VPN Users - VPN Users
• Firewall - Firewall
• VPN - VPN
• Bandwidth - Bandwidth
• Administration - Administration
• Policy List - Policy List
• Add - Add
• Modify - Change
• Delete
• Up - Next
• Down - Back
• Filter - Filter
• Print - Print
• Refresh - New load
• ID - ID
• Order - order
• Description - Description
• Action action
• Active - Active
• User - User
• Source - Source
• Services - Services
• Allow any - All allow
• User Group - User Group
• All - All
• Spam blocking - spam To block
• Host group - host group
• URL blocking - URL To block
• VPN Key Ma .. - VPN key manager
• Internet Acc ... - Internet Account
• Allow - Allow

9

• Device Explored - Edited device
• Policy Server - Policy Server
• System Settings - System Settings
• Archive Options - Archive Options
• Global URL Blocking - General URL blocking
• Global Spam List - General Spam list
• All - All
• UITEam - UI team
• Authentication Settings - Authentication Settings
• East Coast Device Group - Device Group East Coast
• Modify URL of Aspen - URL change for Aspen
• Enable List Download - Download release the list
• Download URL - URL download
• Password - password
• Day of the Week - Weekday
• Time of Day - time of day
• Profile Management - Profile Management
• Categories - Categories
• Violence and Profanity - Violence and denigration
• Sexual text - lyrics with sexual content
• Sex Education - Sexology
• Sports and Leisure - Sports and leisure
• Partial Nudity - revealing portrayals
• Gross Depictions - Immoral images
• Gambling - Gambling
• Full Nudity - nude photos
• Militant and extremist - militants and extremist representations
• Null - void
• OK - confirm
• Reset - Reset
• Cancel - Cancel

10

• Manager - Manage
• Monitor - Monitor
• Reports - Reports
• Admin. - Administrator
• Apply - Apply
• Help - Help
• Host Explored - Edited host
• All - All
• LAN - LAN
• WAN - WAN
• DMZ / Servers - DMZ / Server
• Sales and Marketing - Sales and marketing
• Engineering - Development
• Manufacturing - Production
• Finance - Finance
• Partners - Partners
• Remote Sites - Remote Locations
• Mobile Users - Mobile user
• Customer Service - Customer Service
• Add New Host - New Add host
• Name - name
• IP Address - IP Address
• Netmask Netmask
• External Host - External host
• External Device IP Address - IP address of the external device
• Device device
• Attachted Host Group - Related Host Group
• Remove - Remove
• OK - confirm
• Reset - Reset
• Cancel - Cancel

11

• Manager - Manage
• sMonitor - Monitor
• Reports - Reports
• Admin. - Administrator
• Apply - Apply
• Help - Help
• Service Explored - Edited service
• All - All
• Multimedia Streaming / Conferencing - Multimedia Streaming / Conferencing
• Information retrieval - information retrieval
• Security and Authentication - Security and Authentication
• Mail Applications - Mail Applications
• Routing Protocols - Routing Protocols
• Standard Protocols - standard protocols
• Database Applications - Database Applications
• Popular Internet Protocols - Popular Internet protocols
• Modify service - service change
• Name - http and URL Tracking - Name - http and URL tracking
• Description - Description
• http with URL blocking enabled - http with URL blocking Approved
• Type - Type
• Attached Service Group - Related service group
• http Configuration - http Configuration
• Enable URL Blocking - URL blocking release
• OK - confirm
• Reset - Reset
• Cancel - Cancel

12

• Manager - Manage
• Monitor - Monitor
• Reports - Reports
• Admin. - Administrator
• Apply - Apply
• Help - Help
• Time Explored - Edited Period
• All - All
• Any - Any
• Evening - evening
• Work - working time
• Weekends - weekends
• Modifiy Time Work - change working hours
• Name - name
• Description - Description
• Working Hours / Week Days - Working Hours / Weekdays
• Day of Week / Hour of Day - day of the week / time of the day
• Sunday - Sunday
• Monday - Monday
• Tuesday - Tuesday
• Wednesday - Wednesday
• Thursday - Thursday
• Friday - Friday
• Saturday - Saturday
• AM / PM - morning / afternoon
• OK - confirm
• Reset - Reset
• Cancel - Cancel

13

• Firewall - Firewall
• Bandwidth - Bandwidth
• Administration - Administration
• VPN Policy - VPN policy
• West / Fast Coast Cloud - Cloud West / East Coast
• Host Group - Host Group
• Customer Service - Customer Service
• Device device
• Users Group - User Group
• Rules - Rules
• Sites - Locations
• Users - Users
• VPN Rule - VPN rule
• Order - order
• Desc: - Description
• Policy Created by System for VPN Cloud Functioning Policy to release the VPN cloud feature was created by the system

14

• Firewall - Firewall
• Bandwidth - Bandwidth
• Administration - Administration
• New / FW Policy - New / Firewall Policy
• Description - Description
• Action action
• Allow - share
• Active - Active
• User - User
• Source - Source
• Services - Services
• Destination - destination
• Time - time
• Authentication: None - Authentication: None
• OK - confirm
• Reset - Reset
• Cancel - Cancel

15

• DNMON - Domgin
• New Route - New route
• Gate - gate
• PDP engine - PDP machine
• Kernel kernel
• VPN Driver - VPN driver

16 & 17

• Setup File - Setup File
• VPN Reachability Configuration File - VPN reachability configuration file
• Client's VPN Preshared Key File - File with the predefined VPN client codes
• Self-extracting executable - self extracting program file
• Static Portion (Executable) - static part (program file)
• Dynamic Portion (Dynamic Configuration) - Dynamic Portion (Dynamic Portion) Configuration)
• Replace Dynamic Portion with Client-Specific VPN Configuration - Dynamic Share by client-specific Replace VPN configuration
• Verify Authentication - verify authentication
• VPN client - VPN client
• Client opens https connection - client opens https connection
• Reques Authentication - authentication request
• Respond to Authentication - transmit authentication
• Deliver self-extraction - self-extracting program file
• Executable - transfer
• Policy Enforcer - Policy Enforcer
• Authentication / Authorization DB - Database for authentication / authorization
• VPN Configuration DB - Database for VPN configuration
• Access VPN Configuration - Access on VPN configuration

18

• IP SEC Engine - IP SEC Machine
• Packet Forwarding - Packet Transfer
• Stream Table - Data Stream Table
• Stats - status
• Protocol Classification Engine - protocol classification engine
• Policy Engine - Policy Engine
• B / W Management - B / W Management

19

• Policy Request Table - Policy Query Table
• Decision Engine - Decision Machine
• User Group - User Group
• Host Group - Host Group
• Service Groupe - Service Group
• Time Group - Time Group
• Policy Rules Database Buffer - Database cache for policy rules
• Resource Engine - Resource Machine

20

• Stream Data Assembly - Compilation of the data stream
• Sliding Stream Data Window - Data stream sliding window
• ANS. 1 - answer 1
• Protocol Classification State Machine - machine for the status the protocol classification
• Protocol Definition Signature DB - database for the signature the protocol definition

21

• PRNG - Pseudo-random number generator
• Diffie Hellman - Diffie-Hellman block
• IKE - IKE block
• IPSEC SA Table - IPSEC SA table
• RSA - RSA block
• Bulk Cryptographic Transforms - Generic Encryption
• IPSEC encapsulation / decapsulation - IPSEC encapsulation / decapsulation

22 - 24

• Timestamp - timestamp
• Service - Service
• Source / Destination IP Address and Port - IP address and port from source / destination
• User ID - User ID
• Status - Status
• Operation - Operation
• In / Out Bytes - In / Outgoing bytes
• Duration - duration
• LDAP Root - LDAP root
• Branch - branch
• Apply Log - Application Log
• User - User
• Device device
• Domain - Domgin
• Apply - Apply

25

• Start - Start
• Admin. Makes a Policy Setting Change - admin changes the Policy settings
• Update LDAP Tree with Change - Update the LDAP directory tree with the change
• Create Log with Change - Change Log create
• Update Admin. Log DN - Administrator Log Domains To update
• Apply Invoked - Application called?
• Create Log for each Policy Enforcer in Domain Log for each Policy Enforcer create the domain
• Clear Apply Attributes in Admin's Log DN - Unique assignment of the Attributes in the administrator log
• Transmit Updates to Policy Enforcer - Submit updates to Policy Enforcer
• Update Successful? - Update successful?
• Clear Apply Attributes in Successful Policy Enforcers DN - Unique Apply the attributes in the domain of the successful policy enforcer
• End - end

26

• Primary Unit - Primary Unit
• Backup Unit - Reserve Unit

27

• Start - Start
• Boot up - start up
• Assume Role of First Class Unit - assuming the role as primary unit
• Search Network for Second Class Unit - Search for Reserve Unit in the web
• Second Class Unit Detected? - Reserve unit detected?
• Yes Yes
• Initialize as First Class Unit - Initialize as Primary Unit
• No - no
• Assume role of Second Class Unit - assuming the role as reserve unit
• Search Network for First Class Unit - Search after primary unit in the web
• First Class Unit Detected? - Primary unit detected?
• Initialize as Second Class Unit - Initialize as reserve unit
• Initialize as Third Class Unit - Initialize as Third Unit
• End - end

28

• Start - Start
• Boot up Primary Unit - Primary Unit go up
• Detect Backup Unit - Reserve Unit to capture
• Receive Config. Changes - Reception of configuration changes
• Primary Functional? - Primary unit functioning?
• Yes Yes
• No - no
• Backup Unit Becomes Active Unit - reserve unit becomes active unit
• Tag config. Changes - day for configuration changes put
• Update Primary Unit - Primary Unit To update

29

• Start - Start
• Management Station Sends Update to Primary Unit - Management Station sends update to primary unit
• Primary Unit Updates - Update the primary unit
• Primary Unit Sends Update to Backup Unit - Primary unit sends update at reserve unit
• Backup Unit Updates - Update the backup unit
• End - end

30

• Start - Start
• Primary Unit Becomes Nonfunctional - primary unit becomes inoperative
• Sends update station to backup unit management station sends update to reserve unit
• Backup Unit Updates - Update the reserve unit
• Primary Unit Becomes Functional - Primary unit becomes functional
• Backup Unit Sends Update to Primary Unit - Reserve unit sends update at primary unit
• Primary Unit Updates - Update the primary unit
• End - end

Claims (14)

System for managing policy services in an organization, this organization being a first network ( 102 ) and a second network ( 104 ) generated by the first network ( 102 ), the system comprising: a first edge device ( 124 ), the first network ( 102 ), wherein the first edge device ( 124 ) is configured to use policies for the first network ( 102 ) and a second edge device ( 126 ), the second network ( 104 ), wherein the second edge device ( 126 ) is configured to manage policies for the second network, a central policy server ( 122 ) connected to the first and second edge means ( 124 . 126 ) and a central database ( 130 ) which is capable of providing the configuration information for a plurality of edge devices ( 124 . 126 ), characterized in that the central policy server ( 122 ) is configured to make a change to the part of the configuration information which the respective edge device ( 124 . 126 ) in the central database ( 130 ) to create a log of these changes, the log in the central database ( 130 ) and the changes to the respective edge device ( 124 . 126 ), said edge means ( 124 . 126 ) is configured to handle the above changes in a subordinate database ( 132 . 134 ), the said edge device ( 124 . 126 ), said system being further characterized in that said respective edge means ( 124 . 126 ) is configured to send a request for a log of the changes that have not yet been implemented to said central policy server ( 122 ) when said respective edge device ( 124 . 126 ) with said network ( 102 . 104 ) is connected. The system of claim 1, wherein the protocol comprises a user protocol for associating the change with a particular user making the change, the particular user of the respective edge device ( 124 . 126 ) assigned. The system of claim 2, wherein the central policy server ( 122 ) means for identifying the respective edge device ( 124 . 126 ) based on the particular user making the change. The system of claim 3, wherein the protocol includes a device protocol for storing the change for the respective edge device ( 124 . 126 ). The system of claim 1, wherein the central policy server ( 122 ) means for receiving a status message for transmission from the respective edge device ( 124 . 126 ) and to delete the log from the central database ( 130 ) if a successful transfer is specified in the status message. The system of claim 1, wherein the central database ( 130 ) and the child database ( 132 . 134 ) are Lightweight Directory Access Protocol (LDAP) databases that are able to store the information as an LDAP entry with a specific name. The system according to claim 1, where the configuration information is information for policy administration is. A method for use in a system for managing policy services in an organization, the organization having a first network ( 102 ) and a second network ( 104 ) generated by the first network ( 102 ), the system having a first edge device ( 124 ), which corresponds to the first network ( 102 ), wherein the first edge device ( 124 ) is configured to match the policies for the first network ( 102 ), a second edge device ( 126 ), the second network ( 104 ), wherein the second edge device ( 126 ) is configured to use the policies for the second network ( 104 ), a central policy server ( 122 ) and a central database ( 130 ) which is capable of providing the configuration information for a plurality of edge devices ( 124 . 126 ), said method being characterized by the steps of: storing the configuration information for a plurality of said edge devices ( 124 . 126 ) in the central database ( 130 ), Storing a part of the configuration information corresponding to the respective edge device ( 124 . 126 ) in the subordinate database ( 132 . 134 ), the respective edge device ( 124 . 126 ), and implementing changes to the part of the configuration information in the central database ( 130 ), the respective edge device ( 124 . 126 ), whereby a log of the changes is created, the log being stored in the central database ( 130 ), whereby the changes to the respective edge device ( 124 . 126 ) and the subordinate database ( 132 . 134 ) is updated on the basis of the changes, said method being further characterized in that said respective edge means ( 124 . 126 ) a request to said central policy server ( 122 ) with the changes that have not yet been implemented when said respective edge device ( 124 . 126 ) with said network ( 102 . 104 ) is connected. The method of claim 8, wherein the creation of the log of the changes further comprises creating a user log to associate the change with a particular user making the change, the particular user of the respective edge device ( 124 . 126 ) assigned. The method according to claim 9, further comprising the identification of the respective edge device ( 124 . 126 ) based on the particular user making the change. The method of claim 10, wherein the creation of the log with the change also includes the creation of a device log for storing the change for the respective edge device ( 124 . 126 ). The method according to claim 8, which is au In addition, the following comprises: receiving a status message about the forwarding from the respective edge device ( 124 . 126 ) and delete the log from the central database ( 130 ) if the status message indicates a successful transfer. The method of claim 8, wherein the central database ( 130 ) and the child database ( 132 . 134 ) are Lightweight Directory Access Protocol (LDAP) databases that store the configuration information as an LDAP entry that is identified by a specific name. The method of claim 8, wherein the configuration information is policy management information.