Abstract: Techniques for using an end-to-end policy controller to utilize an inventory of enforcement points to generate a chain of enforcement points having capabilities to enforcement individual operations of an intent-based security policy associated with an entity accessing a resource. A network controller may intelligently split an intent-based security policy and send portions thereof to enforcement points along a path configured for an entity to access a resource. For example, a portion of a security policy corresponding to an operation may be mapped to and implemented by an enforcement point having a capability to perform the operation. Once each operation of a security policy has been mapped to an enforcement point, a chain of enforcement points may be generated.

Abstract: Techniques for using an end-to-end policy controller to utilize an inventory of enforcement points to generate a chain of enforcement points having capabilities to enforcement individual operations of an intent-based security policy associated with an entity accessing a resource. A network controller may intelligently split an intent-based security policy and send portions thereof to enforcement points along a path configured for an entity to access a resource. For example, a portion of a security policy corresponding to an operation may be mapped to and implemented by an enforcement point having a capability to perform the operation. Once each operation of a security policy has been mapped to an enforcement point, a chain of enforcement points may be generated.

Abstract: Techniques for using an end-to-end policy controller to automatically discover and inventory enforcement points in a network. A network controller may leverage data associated with network devices in a network to identify paths between source endpoints and destination endpoints to establish an inventory of enforcement points along the paths. For example, the controller may consume telemetry data indicative of network events (e.g., firewall events, IPS event logs, netflow events, etc.) to figure out where enforcement points are provisioned with respect to traffic being observed. Additionally, the SDN controller may dynamically build a network topology providing indications of roles and/or locations of enforcement points.