Abstract: Security policies that regulate communication packets on a network may be segmented into independent sets, where each security policy of an independent set does not regulate communication packets other than those defined for that set. A management algorithm is performed separately for each independent set, rather than for all of the security policies together.

Abstract: A method and apparatus for negotiating a shared secret among members of a multicast group are disclosed. A tree that represents the group is created and stored in a memory. Each node of the tree is associated with a group member. The shared secret is generated by traversing the tree in post-order, and at each node of the tree, recursively generating a partial key value for use in the shared secret and a base value for use in subsequent recursive partial key value generation. At each node, a partial key value is computed by accumulating the exponent portion of the Diffie-Hellman key equation and computing a new base value for use in subsequent computations. If a particular node has a left or right child sub-tree, each sub-tree is also recursively traversed in post-order fashion. When traversal of the entire tree is complete, all nodes have the shared secret key.

Abstract: Enforcement firewalls and other security devices are located on a network for a given source node and destination node. Nodes in the network topology are programmatically identified as being part of a non-looping communication path between the source node and the destination node. These nodes may be part of a path closure set. Security devices that are part of the path closure set are identified as the enforcement security devices for the given source and destination node.

Abstract: A method is disclosed for removing redundancies from a list of data structures. A list of data structures is sorted by first attribute into sub-lists having a common first attribute. Each of these sub-lists is sorted by second attribute into sub-lists having a common first attribute and a common second attribute. Each of these sub-lists is combined into a single combined data structure that includes a third attribute set. Each third attribute set includes third attributes of the data structures in the sub-list from which the combined data structure including that set was formed.