Method and apparatus for graphical presentation of firewall security policy

US 20060041936A1
Filed: 08/19/2004
Published: 02/23/2006
Est. Priority Date: 08/19/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for reporting a data flow in a firewall, said method comprising:

generating and displaying a graphical representation of said firewall and a network coupled to said firewall;

displaying a number of an inbound port of said network; and

displaying an arrow adjacent to said port number pointing toward said network indicating that a communication is permitted to said port.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A graphical representation of the firewall and a network coupled to the firewall is generated and displayed. A number of an inbound port of the network is displayed. An arrow adjacent to the port number pointing toward the network is displayed to indicate that a communication is permitted to the port. The port number and the arrow are located between an icon for the network and an icon for the firewall. A port number of a destination of a communication originating from the network is displayed. Also, another arrow adjacent to the destination port number pointing toward the firewall is displayed to indicate that a communication is permitted to the destination port number. The destination port number and the other arrow are located between an icon for the network and an icon for the firewall. A table including definitions of a plurality of rules is generated and displayed. Each of the definitions includes entries for a source IP address and destination IP address of a permitted but vulnerable data flow. The source IP address and destination IP address entries are color coded to indicate security levels of respective source and destination networks. Another table includes definitions of a misconfigured data flow, and entries for a source IP address and destination IP address of the misconfigured data flow. The source IP address and destination IP address are color coded to indicate security levels of respective source network and destination network.

Citations

29 Claims

1. A method for reporting a data flow in a firewall, said method comprising:
- generating and displaying a graphical representation of said firewall and a network coupled to said firewall;
  
  displaying a number of an inbound port of said network; and
  
  displaying an arrow adjacent to said port number pointing toward said network indicating that a communication is permitted to said port.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method as set forth in claim 1 wherein said port number and said arrow are located between an icon for said network and an icon for said firewall.
  - 3. A method as set forth in claim 1 further comprising:
    - displaying a port number of a destination of a communication originating from said network; and
      
      displaying another arrow adjacent to the destination port number pointing toward said firewall indicating that a communication is permitted to said destination port number.
  - 4. A method as set forth in claim 3 wherein said destination port number and said other arrow are located between an icon for said network and an icon for said firewall.
  - 5. A method as set forth in claim 1 further comprising displaying on or adjacent to said firewall a number of vulnerability and/or misconfiguration problems with said firewall.

6. A system for reporting a data flow in a firewall, said system comprising:
- means for displaying a graphical representation of said firewall and a network coupled to said firewall;
  
  means for displaying a number of an inbound port of said network; and
  
  means for displaying an arrow adjacent to said port number pointing toward said network indicating that a communication is permitted to said port.
- View Dependent Claims (7, 8, 9, 10)
- - 7. A system as set forth in claim 6 wherein said port number and said arrow are located between an icon for said network and an icon for said firewall.
  - 8. A system as set forth in claim 6 further comprising:
    - means for displaying a port number of a destination of a communication originating from said network; and
      
      means for displaying another arrow adjacent to the destination port number pointing toward said firewall indicating that a communication is permitted to said destination port number.
  - 9. A system as set forth in claim 8 wherein said destination port number and said other arrow are located between an icon for said network and an icon for said firewall.
  - 10. A system as set forth in claim 6 further comprising means for displaying on or adjacent to said firewall a number of vulnerability and/or misconfiguration problems with said firewall.

11. A computer program product for reporting a data flow in a firewall, said computer program product comprising:
- a computer readable medium;
  
  first program instructions to display a graphical representation of said firewall and a network coupled to said firewall;
  
  second program instructions to display a number of an inbound port of said network; and
  
  third program instructions to display an arrow adjacent to said port number pointing toward said network indicating that a communication is permitted to said port; and
  
  wherein said first, second and third program instructions are recorded on said medium.
- View Dependent Claims (12, 13, 14)
- - 12. A computer program product as set forth in claim 11 wherein said port number and said arrow are located between an icon for said network and an icon for said firewall.
  - 13. A computer program product as set forth in claim 11 further comprising:
    - fourth program instructions to display a port number of a destination of a communication originating from said network; and
      
      fifth program instructions to display another arrow adjacent to the destination port number pointing toward said firewall indicating that a communication is permitted to said destination port number; and
      
      wherein said fourth and fifth program instructions are recorded on said medium.
  - 14. A computer program product as set forth in claim 13 wherein said destination port number and said other arrow are located between an icon for said network and an icon for said firewall.

15. A computer program product as set forth in claim 111 further comprising fourth program instructions to display on or adjacent to said firewall a number of vulnerability and/or misconfiguration problems with said firewall;
- and wherein said fourth program instructions are recorded on said medium.

16. A method for reporting data flow vulnerabilities in a firewall, said method comprising:
- generating and displaying a table including definitions of a plurality of rules, each of said definitions including an entry for a source IP address of a permitted but vulnerable data flow, an entry for a destination IP address of the permitted but vulnerable data flow, and an entry for a protocol or destination port of said permitted but vulnerable data flow; and
  
  wherein the generating and displaying includes;
  
  color coding said source IP address entry in said table to indicate a security level of a source network containing said source IP address; and
  
  color coding said destination IP address entry in said displayed table to indicate a security level of a destination network containing said destination IP address.
- View Dependent Claims (17, 18, 19)
- - 17. A method as set forth in claim 16 wherein said definition for each of said rules includes both said entry for said protocol and said entry for said destination port.
  - 18. A method as set forth in claim 16 wherein the generating and displaying further comprises:
    - color coding said entry for said protocol and/or said entry for said destination port to indicate a severity of said vulnerability.
  - 19. A method as set forth in claim 16 wherein said table also includes other definitions of another plurality of rules, each of said other definitions including an entry for a source IP address of a vulnerable, denied data flow, an entry for a destination address of the vulnerable, denied data flow, and an entry for a protocol or destination port of said vulnerable, denied data flow, and further comprising:
    - color coding said source IP address entry in said table to indicate a security level of a source network containing said source IP address of said vulnerable, denied data flow; and
      
      color coding said destination IP address entry in said table to indicate a security level of a destination network containing said destination IP address of said vulnerable, denied data flow.

20. A computer program product for reporting data flow vulnerabilities in a firewall, said computer program product comprising:
- a computer readable medium;
  
  first program instructions to generate and display a table including definitions of a plurality of rules, each of said definitions including an entry for a source IP address of a permitted but vulnerable data flow, an entry for a destination IP address of the permitted but vulnerable data flow, and an entry for a protocol or destination port of said permitted but vulnerable data flow; and
  
  wherein said first program instructions include;
  
  second program instructions to color code said source IP address entry in said table to indicate a security level of a source network containing said source IP address; and
  
  third program instructions to color code said destination IP address entry in said displayed table to indicate a security level of a destination network containing said destination IP address; and
  
  wherein said first, second and third program instructions are recorded on said medium.

21. A method for reporting data flow misconfigurations in a firewall, said method comprising:
- generating and displaying a table including definitions of a plurality of rules, each of said definitions including an entry for a source IP address of a permitted but misconfigured data flow, an entry for a destination IP address of the permitted but misconfigured data flow, and an entry for a protocol or destination port of said permitted but misconfigured data flow, wherein the generating and displaying includes;
  
  color coding said source IP address entry in said table to indicate a security level of a source network containing said source IP address; and
  
  color coding said destination IP address entry in said table to indicate a security level of a destination network containing said destination IP address.
- View Dependent Claims (22, 23, 24)
- - 22. A method as set forth in claim 21 wherein said definition for each of said rules includes both said entry for said protocol and said entry for said destination port.
  - 23. A method as set forth in claim 22 wherein the generating and displaying further comprises color coding said entry for said protocol or said entry for said port to indicate a severity of said misconfiguration.
  - 24. A method as set forth in claim 21 wherein said table also includes other definitions of another plurality of rules, each of said other definitions including an entry for a source IP address of a misconfigured, denied data flow, an entry for a destination address of the misconfigured, denied data flow, and an entry for a protocol or destination port of said misconfigured, denied data flow, and the generating and displaying further comprises:
    - color coding said source IP address entry in said table to indicate a security level of a source network containing said source IP address of said misconfigured, denied data flow; and
      
      color coding said destination IP address entry in said table to indicate a security level of a destination network containing said destination IP address of said misconfigured, denied data flow.

25. A computer program product for reporting data flow misconfigurations in a firewall, said computer program product comprising:
- a computer readable medium;
  
  first program instructions to generate and display a table including definitions of a plurality of rules, each of said definitions including an entry for a source IP address of a permitted but misconfigured data flow, an entry for a destination IP address of the permitted but misconfigured data flow, and an entry for a protocol or destination port of said permitted but misconfigured data flow, wherein said first program instructions include;
  
  second program instructions to color code said source IP address entry in said table to indicate a security level of a source network containing said source IP address; and
  
  third program instructions to color code said destination IP address entry in said table to indicate a security level of a destination network containing said destination IP address; and
  
  wherein said first, second and third program instructions are recorded on said medium.
- View Dependent Claims (26, 27, 28)
- - 26. A computer program product as set forth in claim 25 wherein said definition for each of said rules includes both said entry for said protocol and said entry for said destination port.
  - 27. A computer program product as set forth in claim 26 wherein the first program instructions further include fourth program instructions to color code said entry for said protocol or said entry for said port to indicate a severity of said misconfiguration;
    - and wherein said fourth program instructions are recorded on said medium.
  - 28. A computer program product as set forth in claim 25 wherein said table also includes other definitions of another plurality of rules, each of said other definitions including an entry for a source IP address of a misconfigured, denied data flow, an entry for a destination address of the misconfigured, denied data flow, and an entry for a protocol or destination port of said misconfigured, denied data flow, and the first program instructions further comprise:
    - fifth program instructions to color code said source IP address entry in said table to indicate a security level of a source network containing said source IP address of said misconfigured, denied data flow; and
      
      sixth program instructions to color code said destination IP address entry in said table to indicate a security level of a destination network containing said destination IP address of said misconfigured, denied data flow; and
      
      wherein said fifth and sixth program instructions are recorded on said medium.

29. A method for reporting improper settings in a firewall, said method comprising:
- generating and displaying a table including descriptions and security-risk severity ratings of a respective plurality of settings of said firewall, wherein some or all of said settings are improper, and wherein the generating and displaying includes;
  
  color coding the security-risk ratings or descriptions of the improper settings to indicate respective security-risk severities of said improper settings.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Anderson, Brooke Madsen, Wilczek, Mira E., Karnes, Mary, Bunn, William C., Lieberman, Sarah M.

Application Number

US10/922,500
Publication Number

US 20060041936A1
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/1433   Vulnerability analysis

H04L 67/75   Indicating network or usage...

Method and apparatus for graphical presentation of firewall security policy

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for graphical presentation of firewall security policy

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links