Host controlled dynamic firewall system

US 20040128545A1
Filed: 12/31/2002
Published: 07/01/2004
Est. Priority Date: 12/31/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for operating a firewall, the method comprising:

monitoring one or more communication channels at a host within a domain protected by a firewall;

detecting a communication protocol command in a communication channel at the host;

generating a firewall command at the host, wherein information within the firewall command is based on information within the communication protocol command; and

sending the firewall command from the host to the firewall to create a filtering condition at the firewall such that subsequent data transfers in accordance with the communication protocol command are allowed by the firewall.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, apparatus, and computer program product are presented for dynamically controlling a set of filtering-related operations at a firewall from one or more hosts. Instead of having a firewall monitor all of the command channels of different hosts within the protected domain, each host monitors its own command channels, and each host instructs the firewall as to which ports to open when communication protocol commands are detected. A host sends a command to the firewall to request the establishment of a filter rule at the firewall; these firewall operations may be secured through encryption, authentication, and authorization operations. Thereafter, the firewall allows data transfers that correspond to the detected protocol commands. The resulting firewall is much more lightweight and much faster than typical firewall implementations because the firewall neither has to monitor command channels nor parse differently formatted commands from different applications.

37 Citations

View as Search Results

21 Claims

1. A method for operating a firewall, the method comprising:
- monitoring one or more communication channels at a host within a domain protected by a firewall;
  
  detecting a communication protocol command in a communication channel at the host;
  
  generating a firewall command at the host, wherein information within the firewall command is based on information within the communication protocol command; and
  
  sending the firewall command from the host to the firewall to create a filtering condition at the firewall such that subsequent data transfers in accordance with the communication protocol command are allowed by the firewall.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - parsing the communication protocol command at the host to determine a protocol command type.
  - 3. The method of claim 2 further comprising:
    - extracting protocol command parameters from the communication protocol command;
      
      determining a port number from the extracted protocol command parameters; and
      
      placing the port number in the firewall command.
  - 4. The method of claim 1 further comprising:
    - performing an authentication check at the host based an identity of a requesting entity at the host.
  - 5. The method of claim 1 further comprising:
    - performing an authorization check at the host based on information within the communication protocol command and an identity of a requesting entity at the host.
  - 6. The method of claim 1 further comprising:
    - wherein the host is a data processing system.
  - 7. The method of claim 1 further comprising:
    - wherein the host is an application.

8. An apparatus for operating a firewall, the apparatus comprising:
- means for monitoring one or more communication channels at a host within a domain protected by a firewall;
  
  means for detecting a communication protocol command in a communication channel at the host;
  
  means for generating a firewall command at the host, wherein information within the firewall command is based on information within the communication protocol command; and
  
  means for sending the firewall command from the host to the firewall to create a filtering condition at the firewall such that subsequent data transfers in accordance with the communication protocol command are allowed by the firewall.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8 further comprising:
    - means for parsing the communication protocol command at the host to determine a protocol command type.
  - 10. The apparatus of claim 9 further comprising:
    - means for extracting protocol command parameters from the communication protocol command;
      
      means for determining a port number from the extracted protocol command parameters; and
      
      means for placing the port number in the firewall command.
  - 11. The apparatus of claim 8 further comprising:
    - means for performing an authentication check at the host based an identity of a requesting entity at the host.
  - 12. The apparatus of claim 8 further comprising:
    - means for performing an authorization check at the host based on information within the communication protocol command and an identity of a requesting entity at the host.
  - 13. The apparatus of claim 8 further comprising:
    - wherein the host is a data processing system.
  - 14. The apparatus of claim 8 further comprising:
    - wherein the host is an application.

15. A computer program product in a computer readable medium for use in operating a firewall, the computer program product comprising:
- means for monitoring one or more communication channels at a host within a domain protected by a firewall;
  
  means for detecting a communication protocol command in a communication channel at the host;
  
  means for generating a firewall command at the host, wherein information within the firewall command is based on information within the communication protocol command; and
  
  means for sending the firewall command from the host to the firewall to create a filtering condition at the firewall such that subsequent data transfers in accordance with the communication protocol command are allowed by the firewall.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product of claim 15 further comprising:
    - means for parsing the communication protocol command at the host to determine a protocol command type.
  - 17. The computer program product of claim 16 further comprising:
    - means for extracting protocol command parameters from the communication protocol command;
      
      means for determining a port number from the extracted protocol command parameters; and
      
      means for placing the port number in the firewall command.
  - 18. The computer program product of claim 15 further comprising:
    - means for performing an authentication check at the host based an identity of a requesting entity at the host.
  - 19. The computer program product of claim 15 further comprising:
    - means for performing an authorization check at the host based on information within the communication protocol command and an identity of a requesting entity at the host.
  - 20. The computer program product of claim 15 further comprising:
    - wherein the host is a data processing system.
  - 21. The computer program product of claim 15 further comprising:
    - wherein the host is an application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chakravarty, Vijaylaxmi

Application Number

US10/334,475
Publication Number

US 20040128545A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

Host controlled dynamic firewall system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Host controlled dynamic firewall system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links