Method and system for distributing security policies

US 20060129808A1
Filed: 11/19/2004
Published: 06/15/2006
Est. Priority Date: 11/19/2004
Status: Active Grant

First Claim

Patent Images

1. A method in a computer system for distributing rules of security policies to enforcement engines for enforcing the security policies, the method comprising:

providing at the computer system enforcement engines that implement different layers of security enforcement;

receiving and storing at the computer system security policies having rules, each rule having a rule type;

under control of a firewall agent executing on the computer system, retrieving the stored security policies; and

for rules of a retrieved security policy, identifying an enforcement engine to which a rule applies based on the rule type of the rule; and

providing the rule to the identified enforcement engine; and

under control of the enforcement engines, enforcing the rules provided to the enforcement engine by the firewall agent, wherein the firewall agent provides a mechanism for distributing the rules to multiple enforcement engines of the computer system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for distributing and enforcing security policies is provided. A firewall agent executing at a host computer system that is to be protected receives security policies for the enforcement engines responsible for enforcing the security policies on the host computer system. A security policy has rules that each provide a condition and action to be performed when the condition is satisfied. A rule also has a rule type that is used by the distribution system to identify the security components that are responsible for enforcing the rules. To distribute the security policies that have been received at a host computer system, the firewall agent identifies to which enforcement engine a rule applies based in part on rule type. The firewall agent then distributes the rule to the identified enforcement engine, which then enforces the rule.

Citations

30 Claims

1. A method in a computer system for distributing rules of security policies to enforcement engines for enforcing the security policies, the method comprising:
- providing at the computer system enforcement engines that implement different layers of security enforcement;
  
  receiving and storing at the computer system security policies having rules, each rule having a rule type;
  
  under control of a firewall agent executing on the computer system, retrieving the stored security policies; and
  
  for rules of a retrieved security policy, identifying an enforcement engine to which a rule applies based on the rule type of the rule; and
  
  providing the rule to the identified enforcement engine; and
  
  under control of the enforcement engines, enforcing the rules provided to the enforcement engine by the firewall agent, wherein the firewall agent provides a mechanism for distributing the rules to multiple enforcement engines of the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the security policies are received from policy computer system that distributes the security policies for multiple computer systems.
  - 3. The method of claim 1 wherein the enforcement engines provide a layered firewall.
  - 4. The method of claim 1 wherein the enforcement engines include a behavior blocking security component.
  - 5. The method of claim 1 wherein an enforcement engine includes subcomponents and wherein upon being provided with a rule, the enforcement engine provides the rule to a subcomponent.
  - 6. The method of claim 1 wherein at least one enforcement engine executes in kernel mode and at least one enforcement engine executes in user mode.
  - 7. The method of claim 1 wherein the firewall agent includes a user-mode subcomponent and a kernel-mode subcomponent, and the user-mode subcomponent distributes rules to the kernel-mode subcomponent for providing the rules to enforcement engines that execute in kernel mode.
  - 8. The method of claim 1 wherein a flow manager component intercepts network events at the various layers and invokes an enforcement engine associated with a layer to enforce the rules for that layer.
  - 9. The method of claim 8 wherein a single flow manager component handles network events from multiple layers.
  - 10. The method of claim 8 wherein a flow manager component handles network events from only one layer.
  - 11. The method of claim 1 wherein enforcement engines provide for security at various layers of a network protocol stack.
  - 12. The method of claim 11 wherein layers of different enforcement engines are used for different connections.

13. A computer system architecture for distributing security policies, the architecture comprising:
- a policy server computer system for establishing security policies, the security policies having rules with rule types, and for providing the security policies to host computer systems for enforcement of the security policies at the host computer systems; and
  
  multiple host computer systems that include;
  
  enforcement engines for enforcing a type of security at the host computer system; and
  
  a firewall agent that receives the security policies from the policy server computer system, identifies the enforcement engine to which the rules apply based on rule type and enforcement engine type, and provides the rules to the identified enforcement engines for enforcement of the security policies.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The computer system architecture of claim 13 wherein the enforcement engines are layered so that when one enforcement engine determines that the rules provided to it do not to apply to a network event, another enforcement engine determines whether the rules provided to it apply to the network event.
  - 15. The computer system architecture of claim 14 wherein the layers include a protocol interception hook and an enforcement engine.
  - 16. The computer system architecture of claim 13 wherein the firewall agent distributes rules to enforcement engines executing in user mode.
  - 17. The computer system architecture of claim 13 wherein the firewall agent distributes rules to enforcement engines executing in kernel mode.
  - 18. The computer system architecture of claim 13 wherein the enforcement engines are layered and including a flow manager component that handles network events at each layer and invokes an enforcement engine of the layer to enforce the rules of that layer on the network event.
  - 19. The computer system architecture of claim 18 wherein the flow manager component handles network events for multiple layers.
  - 20. The computer system architecture of claim 18 wherein the flow manager component handles network events for a single layer.

21. A host computer system for distributing rules of security policies to enforcement engines for enforcing the security policies of the host computer system, comprising:
- multiple enforcement engines that implement different layers of firewall security enforcement at the host computer system by receiving and enforcing rules of security policies;
  
  a component that receives at the host computer system security policies having rules, each rule having a rule type; and
  
  a component that identifies enforcement engines to which a rule applies based on the rule type of the rule and that provides the rule to the identified security component;
  
  wherein a mechanism is provided for distributing the rules to the layered enforcement engines of the host computer system.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The computer system of claim 21 wherein the security policies are received from a policy computer system that distributes the security policies for multiple host computer systems.
  - 23. The computer system of claim 21 wherein the enforcement engine includes a behavior blocking security component.
  - 24. The computer system of claim 21 wherein an enforcement engine includes subcomponents and wherein upon being provided with a rule, the enforcement engine provides the rule to a subcomponent.
  - 25. The computer system of claim 21 wherein at least one enforcement engine executes in kernel mode and at least one enforcement engine executes in user mode.
  - 26. The computer system of claim 21 wherein the component that provides the rules to the enforcement engines includes a user-mode subcomponent and a kernel-mode subcomponent, and the user-mode subcomponent distributes rules to the kernel-mode subcomponent for providing the rules to enforcement engine that execute in kernel mode.
  - 27. The computer system of claim 21 including a flow manager component that intercepts network events at the various layers and invokes an enforcement engine associated with a layer to enforce the rules for that layer.
  - 28. The computer system of claim 27 wherein a single flow manager component handles network events from multiple layers.
  - 29. The computer system of claim 27 wherein a flow manager component handles network events from only one layer.

30. A computer-readable medium containing instructions for controlling a host computer system to distribute security policies to enforcement engines for enforcing the security policies, by a method comprising:
- receiving and storing at the host computer system security policies having rules, each rule having a rule type;
  
  under control of a firewall agent executing on the host computer system, retrieving the stored security policies; and
  
  for rules of a retrieved security policy, identifying an enforcement engine to which a rule applies based on the rule type of the rule; and
  
  providing the rule to the identified enforcement engine; and
  
  under control of the enforcement engines, enforcing the rules provided to the enforcement engines by the distribution component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Lin, Yun, Sheth, Sachin C., Ivanov, Maxim A., Nagampalli, Narasimha Rao S. S., Youngblut, Eric E., Koti, Shirish R., Paleologu, Emanuel

Granted Patent

US 7,509,493 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/166
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

Method and system for distributing security policies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for distributing security policies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links