A method and apparatus for implementing network management policies is provided. A communication path is determined that passes through a domain of a network. The communication path characterizes the first domain as a node, but does not lose information. A management policy is then implemented using the communication path. Another aspect of the invention provides a method implementing a management policy using topology reduction. A network is abstracted into domains, and each domain may be cloudified if that domain is determined to have a cloudification characteristic. Domains that are cloudified are subsequently represented as having reduced topology and internal connectivity, but this representation does not incur information loss when management policies are implemented using the cloudified domains. In other aspects, the invention provides a computer-readable medium and system configured to carry out the foregoing.
A method for a firewall-aware application to communicate its expectations to a firewall without requiring the firewall to change its policy or compromise network security. An application API is provided for applications to inform a firewall or firewalls of the application's needs, and a firewall API is provided that informs the firewall or firewalls of the application's needs. An interception module watches for connect and listen attempts by applications and services to the network stack on the local computer. The interception module traps these attempts and determines what user is making the attempt, what application or service is making the attempt, and conducts a firewall policy look-up to determine whether the user and/or application or service are allowed to connect to the network. If so, the interception module may instruct the host and/or edge firewall to configure itself for the connection being requested.
A method includes advertising a policy characterizing communication properties supported by a node. The policy may be distributed to another node in response to a request for the policy. Policy expressions in the policy include one or more assertions that may be grouped and related to each other in a plurality of ways. A system includes a policy generator for generating at least one policy characterizing properties of a node. A policy retriever retrieves a policy from another node and a message generator generates a message to the other node, wherein the message conforms to the policy from the other node.
A method includes retrieving an intermediate node policy characterizing communication properties supported by an intermediate node, the intermediate node being between a source node and a destination node in a communication path. The method includes forming a first policy-compliant message in accordance with the intermediate node policy, the first policy-compliant message including a request for a destination node policy characterizing communication properties supported by the destination node. A system includes a policy retriever comparing a source policy to one to an intermediate policy to determine whether the source policy is compatible with the intermediate policy. A message generator generates a policy request message by applying the intermediate policy to a request for a policy related to a destination node.
