Real-time association of a policy-based firewall with a dynamic DNS hostname

US 10,298,543 B2
Filed: 12/12/2016
Issued: 05/21/2019
Est. Priority Date: 12/12/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for associating a firewall policy with a dynamic domain name system (DNS) hostname, the method comprising:

associating, by a policy configuration portal in an external network, a first hostname with a first network address associated with a device in an internal network;

setting, by the policy configuration portal, a first firewall policy configuration associated with the first hostname to include the first network address;

receiving, by the policy configuration portal, a first address update message that associates the first hostname with a second network address, wherein the second address is associated with the device in the internal network;

in response to receiving the first address update message, associating, by the policy configuration portal, the second network address with the first hostname; and

modifying the first firewall policy configuration to include the second network address instead of the first network address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of the invention disclosed herein provide techniques for associating a firewall policy with a dynamic domain name system (DNS) hostname. A policy configuration portal associates a first hostname with a first network address. The policy configuration portal sets firewall policy configuration associated with the first hostname to include the first network address. The policy configuration portal receives a first message that associates a DNS hostname with a second network address. The policy configuration portal, in response to receiving the first message, associates the second network address with the first hostname. The policy configuration portal modifies a firewall policy configuration associated with the first hostname to include the second network address. At least one advantage of the disclosed techniques is that a firewall policy can be implemented for a residential home or small business that employs dynamic IP addressing.

Citations

20 Claims

1. A computer-implemented method for associating a firewall policy with a dynamic domain name system (DNS) hostname, the method comprising:
- associating, by a policy configuration portal in an external network, a first hostname with a first network address associated with a device in an internal network;
  
  setting, by the policy configuration portal, a first firewall policy configuration associated with the first hostname to include the first network address;
  
  receiving, by the policy configuration portal, a first address update message that associates the first hostname with a second network address, wherein the second address is associated with the device in the internal network;
  
  in response to receiving the first address update message, associating, by the policy configuration portal, the second network address with the first hostname; and
  
  modifying the first firewall policy configuration to include the second network address instead of the first network address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein the first address update message includes customer profile specific resolution information, and further comprising updating the first firewall policy configuration to include the customer profile specific resolution information.
  - 3. The computer-implemented method of claim 1, further comprising:
    - authenticating an identity of a transmitter of the first address update message; and
      
      determining that the transmitter is authorized to change a dynamic DNS address associated with the first hostname from the first network address to the second network address.
  - 4. The computer-implemented method of claim 1, wherein the first message is received from a router in the internal network, wherein the router is associated with the first hostname.
  - 5. The computer-implemented method of claim 1, wherein the first address update message is received from a name server in the external network, wherein the name server:
    - receives the second network address from a router in the internal network, wherein the router is associated with a first client device;
      
      in response to receiving the second network address, associates the second network address with the first hostname; and
      
      transmits the first address update including the first hostname and the second network address.
  - 6. The computer-implemented method of claim 1, further comprising transmitting, to a recursive resolver in the external network, a first firewall policy configuration update message that includes:
    - the first network address; and
      
      an indication that the first network address is expired.
  - 7. The computer-implemented method of claim 6, wherein, in response to receiving the first firewall policy configuration update message, deleting, by the recursive resolver, a second firewall policy configuration associated with the first network address.
  - 8. The computer-implemented method of claim 6, further comprising transmitting, to the recursive resolver, a second firewall policy configuration message that includes:
    - the second network address, andthe first firewall policy configuration,wherein the recursive resolver applies the first firewall policy configuration to network traffic in the external network associated with the first hostname.

9. One or more non-transitory computer-readable storage media including instructions that, when executed by one or more processors, cause the one or more processors to associate a firewall policy with a dynamic domain name system (DNS) hostname, by performing the steps of:
- associating, by a policy configuration portal in an external network, a first hostname with a first network address associated with a device in an internal network;
  
  setting, by the policy configuration portal, a first firewall policy configuration associated with the first hostname to include the first network address;
  
  receiving, by the policy configuration portal, a first address update message that associates the first hostname with a second network address, wherein the second address is associated with the device in the internal network;
  
  in response to receiving the first address update message, associating, by the policy configuration portal, the second network address with the first hostname; and
  
  modifying the first firewall policy configuration to include the second network address instead of the first network address.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The non-transitory computer-readable storage media of claim 9, wherein the instructions further comprise the steps of:
    - receiving the first hostname from a client device related to the first hostname, wherein the client device is in the internal network; and
      
      modifying the first firewall policy configuration to include the first hostname.
  - 11. The non-transitory computer-readable storage media of claim 10, wherein the client device is associated with a router in the internal network that supports dynamic DNS.
  - 12. The non-transitory computer-readable storage media of claim 11, wherein a name server in the external network is associated with a dynamic DNS provider, and the instructions further comprise the steps of:
    - receiving, by the router from an internet services provider (ISP), the second network address; and
      
      transmitting, by the router to the name server, the second network address.
  - 13. The non-transitory computer-readable storage media of claim 9, wherein the instructions further comprise the steps of:
    - authenticating an identity of a transmitter of the first address update message; and
      
      determining that the transmitter is authorized to change a dynamic DNS address associated with the first hostname from the first network address to the second network address.
  - 14. The non-transitory computer-readable storage media of claim 9, wherein the first address update message is received from a router associated with the first hostname, wherein the router is in the internal network.
  - 15. The non-transitory computer-readable storage media of claim 9, wherein the first message is received from a name server in the external network.
  - 16. The non-transitory computer-readable storage media of claim 15, wherein the name server is associated with a dynamic DNS provider.
  - 17. The non-transitory computer-readable storage media of claim 15, wherein the instructions further comprise the steps of:
    - receiving, by the name server from a router in the internal network associated with the client device, the second network address; and
      
      in response to receiving the second network address, associating, by the name server, the second network address with the first hostname.
  - 18. The non-transitory computer-readable storage media of claim 9, wherein the instructions further comprise the steps of:
    - after modifying the first firewall policy configuration, transmitting, to a recursive resolver in the external network, a first firewall policy configuration update message that includes;
      
      the second network address, andthe first firewall policy configuration,wherein the recursive resolver applies the first firewall policy configuration to network traffic in the external network associated with the first hostname.

19. A computing device in an external network, comprising:
- a memory that includes a policy configuration application; and
  
  a processor that is coupled to the memory and, when executing the policy configuration application, is configured to;
  
  associate a first hostname with a first network address associated with a device in an internal network;
  
  set a first firewall policy configuration associated with the first hostname to include the first network address;
  
  receive a first address update message that associates the first hostname with a second network address, wherein the second address is associated with the device in the internal network;
  
  in response to receiving the first address update message, associate the second network address with the first hostname; and
  
  modify the first firewall policy configuration to include the second network address instead of the first network address.
- View Dependent Claims (20)
- - 20. The computing device of claim 19, wherein, when executing the policy configuration application, the processor is further configured to transmit, to a recursive resolver, a first policy configuration update message that includes the first firewall policy configuration.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Glenn, Nathan, Thakar, Sameer
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gundry, Stephen T

Application Number

US15/376,533
Publication Number

US 20180167362A1
Time in Patent Office

890 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 61/5076   Update or notification mech...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

Real-time association of a policy-based firewall with a dynamic DNS hostname

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Real-time association of a policy-based firewall with a dynamic DNS hostname

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links