Method and apparatus for distributing firewall rules
First Claim
1. A method of distributing firewall rules, the method comprising:
- specifying a firewall rule and a group identifier that identifies a group of enforcement nodes at which the firewall rule should be enforced;
- to each of a plurality of devices associated with at least one enforcement node from the group of enforcement nodes identified by the group identifier, distributing the specified firewall rule along with a set of node identifiers identifying a set of enforcement nodes associated with the device at which the specified firewall rule has to be enforced, wherein each device supplies the specified firewall rule to each enforcement node that is associated with the device and that is identified by a node identifier in the set of node identifiers received by the device;
- modifying the group of enforcement nodes associated with the group identifier by adding or removing at least one enforcement node to or from the group; and
- in response to the modification, distributing a group update to each device that is associated with an enforcement node affected by the modification to the group for the device to use to supply the specified rule to one or more enforcement nodes added to the group or to eliminate the specified rule from one or more enforcement nodes removed from the group.
Abstract
Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify, for a particular firewall rule, a set of network nodes (also called a set of enforcement points) at which the particular firewall rule should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced). As the AppliedTo tuples of the firewall rules can refer to dynamically modifiable constructs, the application of the AppliedTo firewall rules (i.e., rules that are specified to include an AppliedTo tuple) can be dynamically adjusted for different locations within a network by dynamically adjusting the membership of these modifiable constructs.
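The AppliedTo distribution model that the abstract and claim 1 describe, as an added illustration in Python (a constructed example, not code from the patent or from any product): a controller keeps rules keyed by group identifier, fans each rule out to the devices that own member nodes together with that device's own share of node identifiers, and on a group modification sends a delta only to devices owning an added or removed node. The names Device, Controller and the vnic-* node identifiers are assumptions.

```python
from collections import defaultdict

class Device:
    # A host owning several enforcement nodes (constructed ids such as 'vnic-a').
    def __init__(self, name, nodes):
        self.name, self.nodes = name, set(nodes)
        self.installed = defaultdict(set)  # node id -> rule ids enforced there
    def apply(self, rule_id, node_ids):
        # install only on nodes this device actually owns
        for n in self.nodes & set(node_ids):
            self.installed[n].add(rule_id)
    def eliminate(self, rule_id, node_ids):
        for n in self.nodes & set(node_ids):
            self.installed[n].discard(rule_id)

class Controller:
    """Holds AppliedTo groups and rules; fans rules and group updates out to devices."""
    def __init__(self, devices):
        self.devices = list(devices)
        self.groups = {}   # group id -> set of enforcement node ids
        self.rules = {}    # rule id -> (match, action, group id)
    def _fanout(self, node_ids):
        # yield (device, node ids it owns) for every device touched by node_ids
        for d in self.devices:
            share = d.nodes & set(node_ids)
            if share:
                yield d, share
    def specify_rule(self, rule_id, match, action, group_id):
        self.rules[rule_id] = (match, action, group_id)
        for d, share in self._fanout(self.groups.get(group_id, set())):
            d.apply(rule_id, share)          # rule plus per-device node ids
    def modify_group(self, group_id, add=(), remove=()):
        before = self.groups.get(group_id, set())
        after = (before | set(add)) - set(remove)
        self.groups[group_id] = after
        added, removed = after - before, before - after
        # the group update reaches only devices owning an added or removed node
        for rid, (_, _, gid) in self.rules.items():
            if gid == group_id:
                for d, share in self._fanout(added):
                    d.apply(rid, share)
                for d, share in self._fanout(removed):
                    d.eliminate(rid, share)
        return added, removed
    def placement(self, rule_id):
        # where a rule is currently enforced, per device
        return {d.name: sorted(n for n in d.nodes if rule_id in d.installed.get(n, ()))
                for d in self.devices}
```

A group member that no device owns (a node id not yet bound to any host) simply produces no fan-out until a device claiming it is added.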
174 Citations
18 Claims
1. A method of distributing firewall rules, the method comprising the steps set out under First Claim above.
Dependent claims: 2, 3, 4, 5, 16, 17, 18
6. A non-transitory machine readable medium storing a program for distributing firewall rules, the program comprising sets of instructions for:
- specifying a firewall rule and a group identifier that identifies a group of enforcement nodes at which the firewall rule should be enforced;
- to each of a plurality of devices associated with at least one enforcement node from the group of enforcement nodes identified by the group identifier, distributing the specified firewall rule along with a set of node identifiers identifying a set of enforcement nodes associated with the device at which the specified firewall rule has to be enforced, wherein each device supplies the specified firewall rule to each enforcement node that is associated with the device and that is identified by a node identifier in the set of node identifiers received by the device;
- modifying the group of enforcement nodes associated with the group identifier by adding or removing at least one enforcement node to or from the group; and
- in response to the modification, distributing a group update to each device that is associated with an enforcement node affected by the modification to the group for the device to use to supply the specified rule to one or more enforcement nodes added to the group or to eliminate the specified rule from one or more enforcement nodes removed from the group.
Dependent claims: 7, 8, 9, 10
11. A firewall system comprising:
- a plurality of devices each associated with a set of one or more firewall enforcement nodes;
- a set of servers for specifying a firewall rule and a group identifier that identifies a group of enforcement nodes at which the specified firewall rule should be enforced, and for distributing the specified firewall rule to each of a set of devices associated with at least one enforcement node from the group of enforcement nodes identified by the group identifier, said specified firewall rule distributed to each of the set of devices along with a set of node identifiers identifying a set of enforcement nodes associated with the device at which the specified firewall rule has to be enforced, each device in the set supplying the specified firewall rule to each enforcement node that is associated with the device and that is identified by a node identifier in the set of node identifiers received by the device;
- the set of servers further for modifying the group of enforcement nodes associated with the group identifier by adding or removing at least one enforcement node to or from the group, and for distributing a group update to each device that is associated with an enforcement node affected by the modification to the group for the device to use to supply the specified rule to one or more enforcement nodes added to the group or to eliminate the specified rule from one or more enforcement nodes removed from the group.
Dependent claims: 12, 13, 14, 15
Specification