US-12621348-B2 - Network security policy management
Abstract
Systems, devices, and techniques are disclosed for network security policy management. A file including code written using a Domain Specific Language (DSL) for network security may be received. A cloud native enforcement artifact may be generated from the code written using DSL in the file. A policy domain model including hierarchical data, relational data, and graph data for a network security policy may be generated from the code written using DSL in the file and the cloud native enforcement artifact. The policy domain model may be stored in a persistent storage.
Inventors
- Kaushal Bansal
- Prabhat Singh
Assignees
- SALESFORCE, INC.
Dates
- Publication Date: 2026-05-05
- Application Date: 2022-10-07
Claims (17)
- 1. A computer-implemented method comprising: receiving, at a computing device, at least one file comprising code written using a Domain Specific Language (DSL) for network security; generating, by the computing device, from the code written using DSL in the file, at least one cloud native enforcement artifact; generating, by the computing device, from the code written using DSL in the file and the at least one cloud native enforcement artifact, a policy domain model comprising one or more of hierarchical data, relational data, and graph data for a network security policy; storing, by the computing device, the policy domain model in a persistent storage; displaying, by the computing device, a graph based on the graph data of the policy domain model, wherein nodes of the graph represent services made available by network security policies from the at least one cloud native enforcement artifact; receiving an input to the graph from a user, wherein the input indicates a change to the network security policy; and modifying the at least one cloud native enforcement artifact based on the indicated change to the network security policy from the input to the graph.
- 2. The computer-implemented method of claim 1, further comprising: updating the policy domain model based on the indicated change to the network security policy.
- 3. The computer-implemented method of claim 1, wherein the graph comprises nodes representing services exposed by the network security policy.
- 4. The computer-implemented method of claim 1, wherein the hierarchical listing comprises a hierarchy of two or more of ports, services, and protocols.
- 5. The computer-implemented method of claim 1, wherein the DSL is an intent-based language for defining network security policies.
- 6. The computer-implemented method of claim 1, wherein the at least one cloud native enforcement artifact implements network security policies defined in the code written in DSL.
- 7. A computer-implemented system comprising: a storage; and a processor that receives at least one file comprising code written using a Domain Specific Language (DSL) for network security, generates, from the code written using DSL in the file, at least one cloud native enforcement artifact, generates, from the code written using DSL in the file and the at least one cloud native enforcement artifact, a policy domain model comprising one or more of hierarchical data, relational data, and graph data for a network security policy, stores, in the storage, the policy domain model in a persistent storage, displays a graph based on the graph data of the policy domain model, wherein nodes of the graph represent services made available by network security policies from the at least one cloud native enforcement artifact, receives an input to the graph from a user, wherein the input indicates a change to the network security policy, and modifies the at least one cloud native enforcement artifact based on the indicated change to the network security policy from the input to the graph.
- 8. The computer-implemented system of claim 7, wherein the processor further updates the policy domain model based on the indicated change to the network security policy.
- 9. The computer-implemented system of claim 7, wherein the graph comprises nodes representing services exposed by the network security policy.
- 10. The computer-implemented system of claim 7, wherein the hierarchical listing comprises a hierarchy of two or more of ports, services, and protocols.
- 11. The computer-implemented system of claim 7, wherein the DSL is an intent-based language for defining network security policies.
- 12. The computer-implemented system of claim 7, wherein the at least one cloud native enforcement artifact implements network security policies defined in the code written in DSL.
- 13. A system comprising: one or more computers and one or more non-transitory storage devices storing instructions which are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising: receiving, at a computing device, at least one file comprising code written using a Domain Specific Language (DSL) for network security; generating, by the computing device, from the code written using DSL in the file, at least one cloud native enforcement artifact; generating, by the computing device, from the code written using DSL in the file and the at least one cloud native enforcement artifact, a policy domain model comprising one or more of hierarchical data, relational data, and graph data for a network security policy; storing, by the computing device, the policy domain model in a persistent storage; displaying, by the computing device, a graph based on the graph data of the policy domain model, wherein nodes of the graph represent services made available by network security policies from the at least one cloud native enforcement artifact; receiving an input to the graph from a user, wherein the input indicates a change to the network security policy; and modifying the at least one cloud native enforcement artifact based on the indicated change to the network security policy from the input to the graph.
- 14. The system of claim 13, wherein the one or more computers and one or more non-transitory storage devices further store instructions which are operable, when executed by the one or more computers, to cause the one or more computers to further perform operations comprising: updating the policy domain model based on the indicated change to the network security policy.
- 15. The system of claim 13, wherein the graph comprises nodes representing services exposed by the network security policy.
- 16. The system of claim 13, wherein the graph comprises nodes representing services exposed by the network security policy.
- 17. The system of claim 13, wherein the DSL is an intent-based language for defining network security policies.
Description
BACKGROUND
An intent-based domain-specific language (DSL) may be used to define security policies for an application, such as a Software-as-a-Service (SaaS) application, running on a cloud computing server system. The DSL may be designed for use by developers of the application, who may not have detailed knowledge of network security. A service of the cloud computing server system may interpret policies defined using DSL to generate cloud native enforcement artifacts, which may be machine-readable files that specify network security policies in a manner that is usable by the cloud computing server system on which the policies are being enforced. This may make it difficult for network security engineers to both understand and modify the network security policies being used by an application, as the specification of the policies in the DSL may be too abstract, and the cloud native enforcement artifacts may be too obscure.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are included to provide a further understanding of the disclosed subject matter, are incorporated in and constitute a part of this specification. The drawings also illustrate implementations of the disclosed subject matter and together with the detailed description serve to explain the principles of implementations of the disclosed subject matter. No attempt is made to show structural details in more detail than may be necessary for a fundamental understanding of the disclosed subject matter and various ways in which it may be practiced.
- FIG. 1 shows an example system suitable for network security policy management according to an implementation of the disclosed subject matter.
- FIG. 2 shows an example arrangement suitable for network security policy management according to an implementation of the disclosed subject matter.
- FIG. 3 shows an example arrangement suitable for network security policy management according to an implementation of the disclosed subject matter.
- FIG. 4A shows an example arrangement suitable for network security policy management according to an implementation of the disclosed subject matter.
- FIG. 4B shows an example arrangement suitable for network security policy management according to an implementation of the disclosed subject matter.
- FIG. 4C shows an example procedure suitable for network security policy management according to an implementation of the disclosed subject matter.
- FIG. 5 shows an example procedure suitable for network security policy management according to an implementation of the disclosed subject matter.
- FIG. 6 shows an example procedure suitable for network security policy management according to an implementation of the disclosed subject matter.
- FIG. 7 shows a computer according to an implementation of the disclosed subject matter.
- FIG. 8 shows a network configuration according to an implementation of the disclosed subject matter.
DETAILED DESCRIPTION
Techniques disclosed herein enable network security policy management, which may allow for the viewing and managing of network security policies generated using a Domain Specific Language (DSL) and implemented with cloud native enforcement artifacts. A file including code written using a DSL for network security may be received. A cloud native enforcement artifact may be generated from the code written using DSL in the file. A policy domain model including hierarchical data, relational data, and graph data for a network security policy may be generated from the code written using the DSL and the cloud native enforcement artifact. The policy domain model may be stored in a persistent storage. A graph based on the graph data of the policy domain model, a hierarchical listing based on the hierarchical data of the policy domain model, and a query interface for querying the relational data of the policy domain model may be displayed. An input to the graph, hierarchical listing, or query interface indicating a change to the network security policy may be received. A cloud native enforcement artifact may be modified based on the indicated change to the network security policy.
A file including code written using a DSL for network security may be received. A DSL may be used by a developer of an application, such as a Software-as-a-Service (SaaS) application, to write code that defines the network security policies that will be needed by the application. The DSL may be an intent-based language. The policies described using a DSL may include, for example, the types of network services on a cloud computing server system the application will need access to in order to run properly on the cloud computing server system. For example, a SaaS application running on a cloud computing server system may need to be able to communicate with other SaaS applications running on that cloud computing server system. The code written in DSL for such a SaaS application may specify the need for this type of network access, for example, identifying the other SaaS
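The pipeline the detailed description and claim 1 lay out (DSL file in, cloud native enforcement artifact out, policy domain model with hierarchical, relational and graph data derived from both, a graph edit written back to the artifact) is shown below as an added, self-contained example. It is not the patent's or Salesforce's code: the intent DSL syntax (`app`, `needs ... over ...`, `exposes`), the service catalogue, the dict shape of the enforcement artifact and the function names are all assumptions made for illustration. The security-relevant point it adds is that every intent is validated against what the target declares it exposes before it becomes an allow rule, both when the artifact is first generated and again when an operator edits the graph, and a rejected edit is rolled back so the DSL, artifact and model never drift apart.

```python
import re

# Constructed intent DSL; the syntax is an assumption, the patent does not define one.
SAMPLE_DSL = """\
app billing
  needs payments over https
  needs ledger over grpc
app payments
  exposes https
app ledger
  exposes grpc
"""

# Assumed service catalogue: service name -> (protocol, port).
SERVICE_CATALOGUE = {"https": ("tcp", 443), "grpc": ("tcp", 50051)}


def parse_dsl(text):
    """Parse the constructed DSL into {app: {"needs": [(target, service)], "exposes": [service]}}."""
    apps, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"app\s+(\S+)", line):
            current = m.group(1)
            apps[current] = {"needs": [], "exposes": []}
        elif current is None:
            raise ValueError(f"line {lineno}: statement outside an app block")
        elif m := re.fullmatch(r"needs\s+(\S+)\s+over\s+(\S+)", line):
            apps[current]["needs"].append((m.group(1), m.group(2)))
        elif m := re.fullmatch(r"exposes\s+(\S+)", line):
            apps[current]["exposes"].append(m.group(1))
        else:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
    return apps


def generate_artifacts(apps):
    """One default-deny ingress artifact per app (dict shape is an assumption).

    A 'needs' intent becomes an allow rule only if the target declares the
    service in 'exposes' and the service is in the catalogue, so an intent
    cannot open a port the target never offered.
    """
    artifacts = {n: {"kind": "IngressPolicy", "selector": {"app": n}, "ingress": []} for n in apps}
    for src, spec in apps.items():
        for target, service in spec["needs"]:
            if target not in apps:
                raise ValueError(f"{src}: unknown target app {target!r}")
            if service not in SERVICE_CATALOGUE:
                raise ValueError(f"{src}: unknown service {service!r}")
            if service not in apps[target]["exposes"]:
                raise ValueError(f"{src}: {target} does not expose {service!r}")
            proto, port = SERVICE_CATALOGUE[service]
            artifacts[target]["ingress"].append(
                {"from": {"app": src}, "protocol": proto, "port": port, "service": service})
    return artifacts


def build_domain_model(apps, artifacts):
    """Derive the three views of the policy domain model from the DSL and the artifacts."""
    hierarchy = {n: {} for n in apps}   # hierarchical: app -> protocol -> port -> service
    rows = []                           # relational: (source, target, service, protocol, port)
    nodes, edges = set(apps), []        # graph: app nodes plus "app:service" service nodes
    for target, art in artifacts.items():
        for rule in art["ingress"]:
            hierarchy[target].setdefault(rule["protocol"], {})[rule["port"]] = rule["service"]
            rows.append((rule["from"]["app"], target, rule["service"], rule["protocol"], rule["port"]))
            node = f"{target}:{rule['service']}"
            nodes.add(node)
            edges.append((rule["from"]["app"], node))
    return {"hierarchy": hierarchy, "rows": rows, "graph": {"nodes": nodes, "edges": edges}}


def query(model, **where):
    """Relational lookup over the model rows, e.g. query(model, target="payments")."""
    cols = ("source", "target", "service", "protocol", "port")
    return [r for r in model["rows"] if all(r[cols.index(k)] == v for k, v in where.items())]


def apply_graph_edit(apps, artifacts, source, target, service, allow):
    """Write an edge added or removed on the graph back to the intents and artifacts,
    then rebuild the model. A change that fails validation is rolled back."""
    needs = apps[source]["needs"]
    before = list(needs)
    if allow and (target, service) not in needs:
        needs.append((target, service))
    elif not allow and (target, service) in needs:
        needs.remove((target, service))
    try:
        fresh = generate_artifacts(apps)    # re-validates against 'exposes' and the catalogue
    except ValueError:
        needs[:] = before                   # keep DSL, artifacts and model consistent
        raise
    artifacts.clear()
    artifacts.update(fresh)
    return build_domain_model(apps, artifacts)


if __name__ == "__main__":
    apps = parse_dsl(SAMPLE_DSL)
    artifacts = generate_artifacts(apps)
    model = build_domain_model(apps, artifacts)
    print(model["hierarchy"])                      # hierarchical listing
    print(query(model, target="payments"))         # query interface
    model = apply_graph_edit(apps, artifacts, "billing", "ledger", "grpc", allow=False)
    print(artifacts["ledger"]["ingress"])          # [] after the edge is removed on the graph
```

The artifact is regenerated from the edited intents rather than patched in place, which is what keeps the two representations the background section calls "too abstract" and "too obscure" in step: the graph is the engineer-facing view, but the DSL intents remain the source of truth and the validation in `generate_artifacts` runs on every edit.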