Patents by Inventor David Wayne Bonn

David Wayne Bonn has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20080209504
    Abstract: The present invention is directed to a facility for adapting a network security policy model for use in a particular network. The facility retrieves the network security policy model, which comprises network security rules each specified with respect to one or more aliases. Each alias represents a role in a network for one or more network elements. The facility receives, for each alias included in the network security policy model, a list of one or more network elements in the network serving the role represented by the alias. The facility replaces each alias in the network security policy model with the received list of network security devices specified for the alias to produce a network security policy adapted for use in a network.
    Type: Application
    Filed: October 17, 2007
    Publication date: August 28, 2008
    Inventors: David Wayne Bonn, Nick Takaski Marvais
  • Patent number: 7103679
    Abstract: A software facility for automatically identifying subnetworks in a network is described. The facility receives a plurality of addresses of hosts in the network, and accesses a binary tree. The nodes of the binary tree each represent a range of addresses within the network. The facility traverses the binary tree to identify candidate nodes where both child nodes have one or more descendant leaf nodes representing host addresses. The facility tests the address range represented by each candidate node visited in the traversal to determine whether the address range is a subnet address range for a subnet being used on the network. If testing indicates that a visited candidate node represents such an address range, the facility identifies the visited candidate node as a subnet node. The facility skips, in the traversal, any candidate nodes that are descendants of an identified subnet node.
    Type: Grant
    Filed: August 20, 2003
    Date of Patent: September 5, 2006
    Assignee: WatchGuard Technologies, Inc.
    Inventor: David Wayne Bonn
  • Patent number: 6834350
    Abstract: The present invention is directed to a facility for distributing network security information. The facility receives network security information and recipient selection information specifying a characteristic of prospective recipients to be used in selecting recipients for the security information. The facility then compares the received recipient selection information to each of a plurality of prospective recipient profiles. Each prospective recipient profile corresponds to one or more prospective recipients and indicates one or more characteristics of the prospective recipients relating to the receipt of network security information. Based upon this comparison, the facility selects at least a portion of the plurality of prospective recipients as recipients of the network security information, and addresses the network security information to each of the selected recipients.
    Type: Grant
    Filed: July 6, 1999
    Date of Patent: December 21, 2004
    Assignee: WatchGuard Technologies, Inc.
    Inventors: Randall Craig Boroughs, David Wayne Bonn
  • Publication number: 20040181690
    Abstract: The present invention is directed to a facility for using a security policy manager device to remotely manage multiple network security devices (NSDs). The manager device can also use one or more intermediate supervisor devices to assist in the management. Security for the communication of information between various devices can be provided in a variety of ways. The system allows the manager device to create a consistent security policy for the multiple NSDs by distributing a copy of a security policy template to each of the NSDs and by then configuring each copy of the template with NSD-specific information. For example, the manager device can distribute the template to multiple NSDs by sending a single copy of the template to a supervisor device associated with the NSDs and by then having the supervisor device update each of the NSDs with a copy of the template. Other information useful for implementing security policies can also be distributed to the NSDs in a similar manner.
    Type: Application
    Filed: November 12, 2003
    Publication date: September 16, 2004
    Inventors: Peter M. Rothermel, David Wayne Bonn, Nick T. Marvais
  • Patent number: 6738908
    Abstract: The present invention is directed to a facility for adapting a network security policy model for use in a particular network. The facility retrieves the network security policy model, which comprises network security rules each specified with respect to one or more aliases. Each alias represents a role in a network for one or more network elements. The facility receives, for each alias included in the network security policy model, a list of one or more network elements in the network serving the role represented by the alias. The facility replaces each alias in the network security policy model with the received list of network security devices specified for the alias to produce a network security policy adapted for use in a network.
    Type: Grant
    Filed: May 6, 1999
    Date of Patent: May 18, 2004
    Assignee: WatchGuard Technologies, Inc.
    Inventors: David Wayne Bonn, Nick Takaski Marvais
  • Publication number: 20040039844
    Abstract: A software facility for automatically identifying subnetworks in a network is described. The facility receives a plurality of addresses of hosts in the network, and accesses a binary tree. The nodes of the binary tree each represent a range of addresses within the network. The facility traverses the binary tree to identify candidate nodes where both child nodes have one or more descendant leaf nodes representing host addresses. The facility tests the address range represented by each candidate node visited in the traversal to determine whether the address range is a subnet address range for a subnet being used on the network. If testing indicates that a visited candidate node represents such an address range, the facility identifies the visited candidate node as a subnet node. The facility skips, in the traversal, any candidate nodes that are descendants of an identified subnet node.
    Type: Application
    Filed: August 20, 2003
    Publication date: February 26, 2004
    Inventor: David Wayne Bonn
  • Publication number: 20040032829
    Abstract: The present invention is directed to a facility for classifying network packets. The classified network packets each contain a source address, a source port number, a destination address, and a destination port number. The facility first sums the source address, the source port number, the destination address, and the destination port number contained by the packet. The facility then determines the modulo remainder of the sum over a constant predetermined value. The facility uses the determined modulo remainder to classify the packet into a class of packets predicted to relate to the same network session.
    Type: Application
    Filed: September 29, 2003
    Publication date: February 19, 2004
    Inventor: David Wayne Bonn
  • Patent number: 6678827
    Abstract: The present invention is directed to a facility for using a security policy manager device to remotely manage multiple network security devices (NSDs). The manager device can also use one or more intermediate supervisor devices to assist in the management. Security for the communication of information between various devices can be provided in a variety of ways. The system allows the manager device to create a consistent security policy for the multiple NSDs by distributing a copy of a security policy template to each of the NSDs and by then configuring each copy of the template with NSD-specific information. For example, the manager device can distribute the template to multiple NSDs by sending a single copy of the template to a supervisor device associated with the NSDs and by then having the supervisor device update each of the NSDs with a copy of the template. Other information useful for implementing security policies can also be distributed to the NSDs in a similar manner.
    Type: Grant
    Filed: May 6, 1999
    Date of Patent: January 13, 2004
    Assignee: WatchGuard Technologies, Inc.
    Inventors: Peter M. Rothermel, David Wayne Bonn, Nick T. Marvais
  • Patent number: 6618755
    Abstract: A software facility for automatically identifying subnetworks in a network is described. The facility receives a plurality of addresses of hosts in the network, and accesses a binary tree. The nodes of the binary tree each represent a range of addresses within the network. The facility traverses the binary tree to identify candidate nodes where both child nodes have one or more descendant leaf nodes representing host addresses. The facility tests the address range represented by each candidate node visited in the traversal to determine whether the address range is a subnet address range for a subnet being used on the network. If testing indicates that a visited candidate node represents such an address range, the facility identifies the visited candidate node as a subnet node. The facility skips, in the traversal, any candidate nodes that are descendants of an identified subnet node.
    Type: Grant
    Filed: December 7, 1999
    Date of Patent: September 9, 2003
    Assignee: WatchGuard Technologies, Inc.
    Inventor: David Wayne Bonn
  • Patent number: 6597661
    Abstract: The present invention is directed to a facility for classifying network packets. The classified network packets each contain a source address, a source port number, a destination address, and a destination port number. The facility first sums the source address, the source port number, the destination address, and the destination port number contained by the packet. The facility then determines the modulo remainder of the sum over a constant predetermined value. The facility uses the determined modulo remainder to classify the packet into a class of packets predicted to relate to the same network session.
    Type: Grant
    Filed: August 25, 1999
    Date of Patent: July 22, 2003
    Assignee: WatchGuard Technologies, Inc.
    Inventor: David Wayne Bonn
  • Patent number: 6493752
    Abstract: Embodiments of the invention provide a display screen for a network security device. The screen includes representations of a source and a destination having respective source and destination indicators, such as LEDs. The source indicator is operable to indicate whether the source is authorized or unauthorized. The destination indicator is also operable to indicate whether the destination is authorized or unauthorized to receive the packet. A directional indicator oriented to point from the representation of the source to the representation of the destination is activated if the source and the received packet are authorized. The screen can further comprise additional indicators to indicate whether the security device is operational, to indicate a level of traffic through the security device, or to display a level of activity of a processor for the security device. The screen can be displayed on a computer screen.
    Type: Grant
    Filed: May 6, 1999
    Date of Patent: December 10, 2002
    Assignee: WatchGuard Technologies
    Inventors: Kangho Lee, James Daniel Wiggins, David Wayne Bonn, Randall Craig Boroughs