Firewall configuration validation

US 20030149766A1
Filed: 12/18/2002
Published: 08/07/2003
Est. Priority Date: 12/18/2001
Status: Active Grant

First Claim

Patent Images

1. A method of processing configuration of a network node, the configuration comprising a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules comprising one or more identification values for identifying a data packet and an action, said method comprising validating the configuration of the network node by determining, whether the processing rule base fulfils requirements defined in a validation rule base.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to processing configuration of a network node, such as for example a firewall, and for sharing the configuration management between several administrators. The configuration comprises a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules comprising one or more identification values for identifying a data packet and an action. The configuration of the network node is validated by determining, whether the processing rule base fulfils requirements defined in a validation rule base. The use of validation rule base enables verifying that processing rule bases managed by different administrators fulfil some set requirements. Additionally, the invention accounts for detecting human errors in configurations.

57 Citations

View as Search Results

24 Claims

1. A method of processing configuration of a network node, the configuration comprising a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules comprising one or more identification values for identifying a data packet and an action, said method comprising validating the configuration of the network node by determining, whether the processing rule base fulfils requirements defined in a validation rule base.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. A method according to claim 1, wherein the validation rule base comprises at least one validation rule having one or more identification values and at least one associated required action.
  - 3. A method according to claim 2, wherein the determining comprises:
    - finding the action(s) defined in the processing rule base for identification value(s) of a validation rule, passing the validation rule, if said action(s) conform to the required action(s) in said validation rule, and failing the validation rule, if said action(s) do not conform to the required action(s) in said validation rule, and passing the validation, if all validation rules are passed.
  - 4. A method according to claim 1, comprising validating the configuration as a response to a predefined action.
  - 5. A method according to claim 4, wherein the said predefined action is a command by a user to perform the validation, starting up of the network node, uploading a new or modified configuration to the network node or saving a configuration.
  - 6. A method according to claim 1, comprising rejecting the configuration, if the requirements defined in the validation rule base are not fulfilled.
  - 7. A method according to claim 1, comprising generating an error message, if the requirements defined in the validation rule base are not fulfilled.
  - 8. A method according to any one of claims 3 to 7, comprising outputting a rule of the processing rule base, which does not conform to a validation rule, or a validation rule, which has failed.
  - 9. A method according to claim 1, wherein several administrators are allowed to modify or create a processing rule base and in that a super user is allowed to modify or create a validation rule base.
  - 10. A method according to claim 1, wherein an administrator is allowed to modify or create a processing rule base and a validation rule base.
  - 11. A method according to claim 1, comprising generating a processing rule base model corresponding to said processing rule base and indicating the effective processing rule base rules, and using the processing rule base model in the determining step.
  - 12. A method according to claim 1, comprising generating a validation rule base model corresponding to said validation rule base and indicating the effective validation rule base rules, and using the validation rule base model in the determining step.
  - 13. A method according to any one of claims 11 and 12, wherein generating a processing or a validation rule base model comprises arranging rules of the rule base into groups of rules, the rules in a group having a common identification value while keeping a track of the order of the rules in the rule base.
  - 14. A method according to claim 13, wherein one group corresponds at least one service or port number.
  - 15. A method according to claim 11 or 12, wherein generating a processing or a validation rule base model comprises:
    - if there exist overlapping identification value combinations in two or more rules of the rule base, maintaining the first one of the two or more rules in the order of the rules unchanged and removing such overlapping identification values from others of the two or more rules for determining the effective identification values in each rule.
  - 16. A method according to claim 11 or 12, wherein generating a processing or a validation rule base model comprises combining the effects of NAT (Network Address Translation) rules into said processing rule base model by changing addresses and/or port numbers of rules in said processing rule base to real addresses and/or port numbers.
  - 17. A method according to claim 1, wherein said processing rule base is an access rule base or a routing table.
  - 18. A method according to claim 1, wherein said network node is a security gateway, a firewall, a router or a VPN (Virtual Private Network) gateway.

19. A computer-readable medium, containing a computer software which, when executed in a computer device, causes the computer device to provide a routine for processing configuration of a network node, the configuration including a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules including one or more identification values for identifying a data packet and an action, said routine comprising validating the configuration of the network node by determining, whether the processing rule base fulfils requirements defined in a validation rule base.
- View Dependent Claims (20, 21)
- - 20. A computer-readable medium according to claim 19, wherein the validation rule base comprises at least one validation rule having one or more identification values and at least one associated required action.
  - 21. A computer-readable medium according to claim 20, wherein the determining comprises:
    - finding the action(s) defined in the processing rule base for identification value(s) of a validation rule, passing the validation rule, if said action(s) conform to the required action(s) in said validation rule, and failing the validation rule, if said action(s) do not conform to the required action(s) in said validation rule, and passing the validation, if all validation rules are passed.

22. An arrangement for processing configuration of a network node, the configuration including a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules including one or more identification values for identifying a data packet and an action, the arrangement comprising a validation mechanism for validating the configuration of the network node by determining, whether the processing rule base fulfils requirements defined in a validation rule base.
- View Dependent Claims (23, 24)
- - 23. An arrangement according to claim 22, wherein the validation rule base comprises at least one validation rule having one or more identification values and at least one associated required action.
  - 24. An arrangement according to claim 23, wherein the validation mechanism is arranged to:
    - find the action(s) defined in the processing rule base for identification value(s) of a validation rule, pass the validation rule, if said action(s) conform to the required action(s) in said validation rule, and to fail the validation rule, if said action(s) do not conform to the required action(s) in said validation rule, and pass the validation, if all validation rules are passed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Stonesoft Corporation
Inventors
Lilius, Eino, Syvanne, Tuomo

Granted Patent

US 7,406,534 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

Firewall configuration validation

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall configuration validation

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links