US2014068747A1PendingUtilityA1

Automatic Completeness Checks of Network Device Infrastructure Configurations During Enterprise Information Technology Transformation

44
Assignee: BURCHFIELD NANCYPriority: Aug 31, 2012Filed: Aug 31, 2012Published: Mar 6, 2014
Est. expiryAug 31, 2032(~6.1 yrs left)· nominal 20-yr term from priority
H04L 63/02
44
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Techniques for automatically determining configuration completeness during information technology (IT) transformation from a pre-transformation source environment to a post-transformation target environment. A method includes obtaining a record of each of multiple data flows in a source environment, transforming each data flow in the source environment to a transformed data flow that corresponds to a target environment, and automatically determining that each of the transformed data flows is covered by a firewall configuration of one or more interfaces in the target environment.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for automatically determining configuration completeness during information technology (IT) transformation from a pre-transformation source environment to a post-transformation target environment, the method comprising:
 obtaining a record of each of multiple data flows in a source environment;   transforming each data flow in the source environment to a transformed data flow that corresponds to a target environment; and   automatically determining that each of the transformed data flows is covered by a firewall configuration of one or more interfaces in the target environment;   wherein at least one of the steps is carried out by a computer device.   
     
     
         2 . The method of  claim 1 , wherein said record comprises a log and/or a report of flows in the source environment. 
     
     
         3 . The method of  claim 1 , wherein said obtaining a record of each of multiple data flows in a source environment comprises obtaining a record of each data flow that was observed to be accepted or denied in the source environment. 
     
     
         4 . The method of  claim 1 , wherein said transforming comprises applying a mapping function to convert one or more parameters in the each of multiple data flows in a source environment into corresponding values that are relevant in the target environment. 
     
     
         5 . The method of  claim 1 , wherein said transforming comprises applying a reduction function to eliminate a flow that was accepted in the source environment but is to be denied in the target environment. 
     
     
         6 . The method of  claim 1 , wherein said transforming comprises applying an enhancement function to allow a flow that was denied in the source environment but is to be permitted in the target environment. 
     
     
         7 . The method of  claim 1 , comprising dividing the transformed data flows into one or more sets, wherein each set corresponds to one interface of a network device in the target environment. 
     
     
         8 . The method of  claim 7 , comprising using a classifier component on input of the transformed data flows and a zone inventory for the target environment. 
     
     
         9 . The method of  claim 8 , wherein the zone inventory includes information about a list of firewall interfaces in the target environment, corresponding internet protocol addresses, and the security zone structure of the target environment. 
     
     
         10 . The method of  claim 1 , wherein said automatically determining comprises utilizing a firewall emulator tool. 
     
     
         11 . The method of  claim 10 , wherein said firewall emulator tool is configured with each of one or more rules corresponding to each firewall interface in the target environment. 
     
     
         12 . The method of  claim 11 , wherein said firewall emulator tool determines whether each transformed data flow is covered by the one or more rules for each firewall interface in the target environment. 
     
     
         13 . The method of  claim 1 , comprising generating a completeness report that indicates which of the transformed data flows are covered by a firewall configuration of one or more interfaces in the target environment and which of the transformed data flows are not covered by a firewall configuration of one or more interfaces in the target environment. 
     
     
         14 . The method of  claim 1 , comprising generating one or more recommendations for reconfiguring a firewall interface in the target environment.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.