Managing network firewall configuration utilizing source lists

US 10,116,698 B1
Filed: 04/06/2016
Issued: 10/30/2018
Est. Priority Date: 04/06/2016
Status: Active Grant

First Claim

Patent Images

1. A method for managing network-based communications comprising:

obtaining a set of network firewall configuration information for configuring a network firewall on behalf of a customer from a plurality of sources, wherein individual network configuration information is provided by a source different from a network point of presence;

parsing the set of network firewall configuration information to identify a list of network address information, the list of network address information associated with one or more source network address ranges;

processing the list of network address information, wherein processing the list of network address information includes prioritizing the list of network address information based on a size of source network address range in the list of network address information and a weight of a source of the network firewall configuration information, wherein the prioritized list is ordered such that a larger source network address range is listed before and has a higher priority relative to a smaller source network address range;

processing the prioritized list of network address information to limit a number of network address ranges in the prioritized list of network address information to be below a maximum threshold;

generating network firewall configuration information for the network firewall on behalf of the customer based on the prioritized list of network address information, wherein the generated network firewall configuration information causes communications from a network address that is included in the prioritized list to be blocked; and

causing the network firewall to be configured based on the generated network firewall configuration information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for configuration of network-based firewall services based on network firewall configuration information provided by one or more sources are provided. The network firewall configuration information can include one or more lists of network address ranges that will be used by the network firewall to process data communications received at a data center. The received network firewall configuration information can be prioritized and filtered to conform to a maximum threshold number of network address ranges that can be configured on a network firewall service. The filtered and processed network address range information can then be utilized to configure one or more network firewall services or application hosted within a data center.

18 Citations

20 Claims

1. A method for managing network-based communications comprising:
- obtaining a set of network firewall configuration information for configuring a network firewall on behalf of a customer from a plurality of sources, wherein individual network configuration information is provided by a source different from a network point of presence;
  
  parsing the set of network firewall configuration information to identify a list of network address information, the list of network address information associated with one or more source network address ranges;
  
  processing the list of network address information, wherein processing the list of network address information includes prioritizing the list of network address information based on a size of source network address range in the list of network address information and a weight of a source of the network firewall configuration information, wherein the prioritized list is ordered such that a larger source network address range is listed before and has a higher priority relative to a smaller source network address range;
  
  processing the prioritized list of network address information to limit a number of network address ranges in the prioritized list of network address information to be below a maximum threshold;
  
  generating network firewall configuration information for the network firewall on behalf of the customer based on the prioritized list of network address information, wherein the generated network firewall configuration information causes communications from a network address that is included in the prioritized list to be blocked; and
  
  causing the network firewall to be configured based on the generated network firewall configuration information.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as recited in claim 1, wherein processing the list of network address information includes removing any duplicate network address ranges.
  - 3. The method as recited in claim 1, wherein processing the list of network address information includes identifying network address ranges that are subsets of another network address range and removing the identified network address ranges.
  - 4. The method as recited in claim 1 further comprising identifying network address ranges in the list of network address ranges that do not match a pre-established range of network address information.
  - 5. The method as recited in claim 4 further comprising processing any identified network address ranges in the list of network address ranges that do not match a pre-established range of network address information to generate two or more supplemental network address ranges corresponding to the pre-established range of network address information.
  - 6. The method as recited in claim 1 further comprising causing configuration of a plurality of network firewalls located at one or more network points of presence.

7. Non-transitory computer storage storing computer-executable instructions, wherein the computer-executable instructions cause one or more computing devices to perform a process for managing network-based communications comprising:
- obtaining a set of network firewall configuration information for configuring a network firewall on behalf of a customer, wherein individual network configuration information is provided by a source different from a network point of presence;
  
  processing the set of network firewall configuration information to identify a list of network address information, the list of network address information associated with one or more source network address ranges;
  
  prioritizing the list of network address information based on a size of source network address range in the list of network address information and a weight of a source of the network firewall configuration information, wherein the prioritized list is ordered such that a larger source network address range is listed before and has a higher priority relative to a smaller source network address range;
  
  processing the prioritized list of network address information to limit a number of network address ranges in the prioritized list of network address information to be below a maximum threshold;
  
  generating network firewall configuration information for the network firewall on behalf of the customer based on the prioritized list of network address information, wherein the generated network firewall configuration information causes communications from a network address that is included in the prioritized list to be blocked; and
  
  causing the network firewall to be configured based on the generated network firewall configuration information.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 20)
- - 8. The non-transitory medium as recited in claim 7 further comprising parsing the set of network firewall configuration information to identify a listing of network address information, the list of network address information corresponding to one or more source network address ranges.
  - 9. The non-transitory medium as recited in claim 7, wherein processing the list of network address information includes prioritizing the list of network address information based on historical information.
  - 10. The non-transitory medium as recited in claim 9, wherein the historical information identifies a rating associated with previous network firewall configuration information.
  - 11. The non-transitory medium as recited in claim 7, wherein obtaining a set of network firewall configuration information for configuring network firewalls includes obtaining network firewall configuration information from two or more sources.
  - 12. The non-transitory medium as recited in claim 11, wherein processing the list of network address information includes prioritizing the list of network address information based on network address ranges identified in the network firewall configuration information from the two or more sources.
  - 13. The non-transitory medium as recited in claim 7, wherein the network firewall configuration corresponds to a text file including a list of network address ranges.
  - 14. The non-transitory medium as recited in claim 7, wherein processing the list of network address information includes at least one of identifying any subsets of network address ranges and removing any subsets of network address ranges.
  - 15. The non-transitory medium as recited in claim 7 further comprising:
    - obtaining information corresponding to operation of one or more network firewall services based on the generated network firewall configuration information; and
      
      associating at least one weighing factor for a source based on the obtained information.
  - 16. The non-transitory medium as recited in claim 7, wherein the network firewall configuration corresponds to network address ranges that should be blocked by the network firewall.
  - 20. The non-transitory medium as recited in claim 7, wherein configuring the network firewall includes causing at least one additional network address to be blocked by the network firewall.

17. A system comprising:
- one or more hardware computing devices in communication with one or more computer-readable memories storing executable instructions, the one or more hardware computing devices programmed by the executable instructions to at least;
  
  obtain a set of network firewall configuration information for configuring a network firewall on behalf of a customer, wherein individual network configuration information is provided by a source different from a network point of presence;
  
  process the set of network firewall configuration information to identify a list of network address information, the list of network address information associated with one or more source network address ranges;
  
  prioritize the list of network address information based on a size of source network address range in the list of network address information and a weight of a source of the network firewall configuration information, wherein the prioritized list is ordered such that a larger source network address range is listed before and has a higher priority relative to a smaller source network address range;
  
  process the prioritized list of network address information to limit a number of network address ranges in the prioritized list of network address information to be below a maximum threshold;
  
  generate network firewall configuration information for the network firewall on behalf of the customer based on the prioritized list of network address information, wherein the generated network firewall configuration information causes communications from a network address that is included in the prioritized list to be blocked; and
  
  cause configuration of the network firewall in accordance with the generated network firewall configuration information.
- View Dependent Claims (18, 19)
- - 18. The system as recited in claim 17, wherein the one or more hardware computing devices are further programmed to prioritize the list of network address information based on at least one of a weighing factor associated with a source of the network firewall configuration information or historical information.
  - 19. The system as recited in claim 17, wherein the one or more hardware computing devices are further programmed to process the prioritized list of network address information so that a number of network address ranges identified in the prioritized list of network address information falls below a maximum threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Atkinson, Lee, Dye, Nathan Alan, Vorwaller, Rich
Primary Examiner(s)
Lynch, Sharon S

Application Number

US15/092,513
Time in Patent Office

937 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0263 Rule management

Managing network firewall configuration utilizing source lists

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Managing network firewall configuration utilizing source lists

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links