Automated generation of configuration elements of an information technology system

US 20060130133A1
Filed: 05/03/2005
Published: 06/15/2006
Est. Priority Date: 12/14/2004
Status: Active Grant

First Claim

Patent Images

1. A firewall rule generation method for an Information Technology (IT) system, said method implemented by software stored on a computer readable medium and executed on a processor of a computer system, said method comprising:

providing a list L_Xof I computers X_i(i=1, 2, . . . I), said I being at least 1;

providing a list L_Sof J software components S_ij(j=1, 2, . . . , J) installed on computer X_i, said J being a function of i and J is at least 1, each software component of the J software components independently adapted to transmit and/or receive data in accordance with a data communication protocol;

providing a list L_Pof M ports P_ijm(m=1, 2, . . . , M) on which software component S_ijis listening, said M being a function of i and j and M is at least 1;

providing a list L_Yof N clients Y_ijmn(n=1, 2, . . . , N), said N being a function of i, j, and m and N is at least 1;

computer X_iand client Y_ijmnconfigured to have data transmitted therebetween; and

for data transmission between each computer X_i(i=1, 2, . . . I) on the list L_Xand each associated client Y_ijmn(n=1, 2, . . . , N;

m=1, 2, . . . , M;

j=1, 2, . . . , J) on the list L_Y;

generating at least one firewall rule allowing said data transmission between X_iand Y_ijmnif an Internet Protocol (IP) address (IPAddrX_i) of computer X_iand an IP address (IPAddrY_ijmn) of client Y_ijmnare not on a same subnet of the IT system, wherein for each firewall rule of the at least one firewall rule that allows data transmission from X_ito Y_ijmnthe source component of said each firewall rule comprises IPAddrX_iand the destination component of said each firewall rule comprises IPaddrY_ijmn, and wherein for each firewall rule of the at least one firewall rule that allows data transmission from Y_ijmnto X_ithe source component of said each firewall rule comprises IPAddrY_ijmnand the destination component of said each firewall rule comprises IPAddrX_i.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A firewall rule generation method, a load balancing rule generation method, and a wrapper generation method, for an Information Technology (IT) system, associated computer program products, and an associated processes for integrating computing infrastructure. The firewall rule generation method generates firewall rules allowing data transmission between a computer and a client, and subsequently assigns the firewall rules to firewalls of the IT system. The load balancing rule generation method assigns a load balancing mechanism to a load balanced group to which execution of an application is assigned, wherein the load balanced group has servers therein. For a client and computer having a communication protocol therebetween that is not allowed by a security policy, the wrapper generation method generates a communication protocol wrapper that opens a Transmission Control Protocol (TCP) connection between the client and the computer such that the TCP connection is allowed by the security policy.

Citations

34 Claims

1. A firewall rule generation method for an Information Technology (IT) system, said method implemented by software stored on a computer readable medium and executed on a processor of a computer system, said method comprising:
- providing a list L_Xof I computers X_i(i=1, 2, . . . I), said I being at least 1;
  
  providing a list L_Sof J software components S_ij(j=1, 2, . . . , J) installed on computer X_i, said J being a function of i and J is at least 1, each software component of the J software components independently adapted to transmit and/or receive data in accordance with a data communication protocol;
  
  providing a list L_Pof M ports P_ijm(m=1, 2, . . . , M) on which software component S_ijis listening, said M being a function of i and j and M is at least 1;
  
  providing a list L_Yof N clients Y_ijmn(n=1, 2, . . . , N), said N being a function of i, j, and m and N is at least 1;
  
  computer X_iand client Y_ijmnconfigured to have data transmitted therebetween; and
  
  for data transmission between each computer X_i(i=1, 2, . . . I) on the list L_Xand each associated client Y_ijmn(n=1, 2, . . . , N;
  
  m=1, 2, . . . , M;
  
  j=1, 2, . . . , J) on the list L_Y;
  
  generating at least one firewall rule allowing said data transmission between X_iand Y_ijmnif an Internet Protocol (IP) address (IPAddrX_i) of computer X_iand an IP address (IPAddrY_ijmn) of client Y_ijmnare not on a same subnet of the IT system, wherein for each firewall rule of the at least one firewall rule that allows data transmission from X_ito Y_ijmnthe source component of said each firewall rule comprises IPAddrX_iand the destination component of said each firewall rule comprises IPaddrY_ijmn, and wherein for each firewall rule of the at least one firewall rule that allows data transmission from Y_ijmnto X_ithe source component of said each firewall rule comprises IPAddrY_ijmnand the destination component of said each firewall rule comprises IPAddrX_i.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein for a selected value of i, j, m, and n, the data communication protocol associated with software component S_ijis Transmission Control Protocol (TCP), and wherein the at least one firewall rule allowing said data transmission between X_iand Y_ijmncomprises a firewall rule allowing data transmission from Y_ijmnto X_i.
  - 3. The method of claim 1, wherein for a selected value of i, j, m, and n, the data communication protocol associated with software component S_ijis User Datagram Protocol (UDP) for symmetric communication between X_iand Y_ijmn, and wherein the at least one firewall rule allowing said data transmission between X_iand Y_ijmncomprises a first firewall rule allowing data transmission from Y_ijmnto X_iand a second firewall rule allowing data transmission from X_ito Y_ijmn.
  - 4. The method of claim 1, wherein for a selected value of i, j, m, and n, the data communication protocol associated with software component S_ijis User Datagram Protocol (UDP) for asymmetric communication between X_iand Y_ijmn, and wherein the at least one firewall rule allowing said data transmission between X_iand Y_ijmn, comprises a first firewall rule allowing data transmission from Y_ijmnto X_iand a second firewall rule denying data transmission from X_ito Y_ijmn.
  - 5. The method of claim 1, wherein for a selected value of i, j, m, and n, the data communication protocol associated with software component S_ijis User Datagram Protocol (UDP) for asymmetric communication between X_iand Y_ijmn, and wherein the at least one firewall rule allowing said data transmission between X_iand Y_ijmncomprises a first firewall rule denying data transmission from Y_ijmnto X_iand a second firewall rule allowing data transmission from X_ito Y_ijmn.
  - 6. The method of claim 1, wherein for a first selected value of i, j, m, and n, the data communication protocol associated with software component S_ijis Transmission Control Protocol (TCP), and wherein the at least one firewall rule allowing said data transmission between X_iand Y_ijmncomprises a firewall rule allowing data transmission from Y_ijmnto X_i;
    - and wherein for a second selected value of i, j, m, and n that differs from the first selected value of i, j, m, and n, the data communication protocol associated with software component S_ijis User Datagram Protocol (UDP) for symmetric or asymmetric communication between X_iand Y_ijmn.
  - 7. The method of claim 1, wherein for a first selected value of i, j, m, and n, the at least one firewall rule allowing said data transmission between X_iand Y_ij, comprises a first firewall rule allowing data transmission from Z_{1 to Z}₂such that Z₁and Z₂represent Y_ijmnand X_i, respectively;
    - and wherein for a second selected value of i, j, m, and n, the at least one firewall rule allowing said data transmission between X_iand Y_ijmncomprises a second firewall rule allowing data transmission from Z₂to Z₃such that Z₂and Z₃represent Y_ijmnand X_i, respectively.
  - 8. The method of claim 1, wherein for a selected value of i, j, m, and n, the method further comprises prior to said generating the at least one firewall rule:
    - generating a default firewall rule allowing said data transmission between X_iand Y_ijmn, and wherein the generated at least one firewall rule overrides the default firewall rule for the selected value of i, j, m, and n.
  - 9. The method of claim 1, wherein for a selected value of i, j, m, and n, computer X_iand client Y_ijmnare each comprised by a same IT structure primitive composition.
  - 10. The method of claim 1, said method further comprising:
    - generating the list L_Xfrom processing an IT structure primitive composition that includes therein the computers X_i(i=1, 2, . . . I); and
      
      generating the list L_Sfrom processing installation IT relationships which are linked to the IT structure primitive composition.
  - 11. The method of claim 1, said method further comprising:
    - providing a list L_Fof R firewalls such that for each generated firewall rule, no more than one firewall of the R firewalls may be placed between a source client and a destination computer whose respective IP addresses are comprised by the source and destination components of said each firewall rule; and
      
      assigning each generated firewall rule to a firewall r of the R firewalls such that the IP addresses comprised by the source and destination components of said each firewall rule and an IP address of the firewall r are not on a common subnet.

12. A computer program product, comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code comprising an algorithm adapted to implement a firewall rule generation method for an Information Technology (IT) system, said method comprising:
- providing a list L_Xof I computers X_i(i=1, 2, . . . I), said I being at least 1;
  
  providing a list L_Sof J software components S_ij(j=1, 2, . . . , J) installed on computer X_i, said J being a function of i and J is at least 1, each software component of the J software components independently adapted to transmit and/or receive data in accordance with a data communication protocol;
  
  providing a list L_Pof M ports P_ijm(m=1, 2, . . . , M) on which software component S_ijis listening, said M being a function of i and j and M is at least 1;
  
  providing a list L_Yof N clients Y_ijmn(n=1, 2, . . . , N), said N being a function of i, j, and m and N is at least 1;
  
  computer X_iand client Y_ijmnconfigured to have data transmitted therebetween; and
  
  for data transmission between each computer X_i(i=1, 2, . . . I) on the list L_Xand each associated client Y_ijmn(n=1, 2, . . . , N;
  
  m=1, 2, . . . , M;
  
  j=1, 2, . . . , J) on the list L_Y;
  
  generating at least one firewall rule allowing said data transmission between X_iand Y_ijmnif an Internet Protocol (IP) address (IPAddrX_i) of computer X_iand an IP address (IPAddrY_ijmn) of client Y_ijmnare not on a same subnet of the IT system, wherein for each firewall rule of the at least one firewall rule that allows data transmission from X_ito Y_ijmnthe source component of said each firewall rule comprises IPAddrX_iand the destination component of said each firewall rule comprises IPaddrY_ijmn, and wherein for each firewall rule of the at least one firewall rule that allows data transmission from Y_ijmnto X_ithe source component of said each firewall rule comprises IPAddrY_ijmnand the destination component of said each firewall rule comprises IPAddrX_i.

13. A process for integrating computing infrastructure, said process comprising integrating computer-readable code into a computing system, wherein the code in combination with the computing system is capable of performing a firewall rule generation method for an Information Technology (IT) system, said method comprising:
- providing a list L_Xof I computers X_i(i=1, 2, . . . I) said I being at least 1;
  
  providing a list L_Sof J software components S_ij(j=1, 2, . . . , J) installed on computer X_i, said J being a function of i and J is at least 1, each software component of the J software components independently adapted to transmit and/or receive data in accordance with a data communication protocol;
  
  providing a list L_Pof M ports P_ijm(m=1, 2, . . . , M) on which software component S_ijis listening, said M being a function of i and j and M is at least 1;
  
  providing a list L_Yof N clients Y_ijmn(n=1, 2, . . . , N), said N being a function of i, j, and m and N is at least 1;
  
  computer X_iand client Y_ijmnconfigured to have data transmitted therebetween; and
  
  for data transmission between each computer X_i(i=1, 2, . . . I) on the list L_Xand each associated client Y_ijmn(n=1, 2, . . . , N;
  
  m=1, 2, . . . , M;
  
  j=1, 2, . . . , J) on the list L_Y;
  
  generating at least one firewall rule allowing said data transmission between X_iand Y_ijmnif an Internet Protocol (IP) address (IPAddrX_i) of computer X_iand an IP address (IPAddrY_ijmn) of client Y_ijmnare not on a same subnet of the IT system, wherein for each firewall rule of the at least one firewall rule that allows data transmission from X_ito Y_ijmnthe source component of said each firewall rule comprises IPAddrX_iand the destination component of said each firewall rule comprises IPaddrY_ijmn, and wherein for each firewall rule of the at least one firewall rule that allows data transmission from Y_ijmnto X_ithe source component of said each firewall rule comprises IPAddrY_ijmnand the destination component of said each firewall rule comprises IPAddrX_i.

14. A load balancing rule generation method for an Information Technology (IT) system, said method implemented by a load balancer stored on a computer readable medium and executed on a processor of a computer system, said method comprising:
- selecting at least one load balanced group, each load balanced group of the at least one load balanced group comprising a plurality of servers; and
  
  for each load balanced group of the at least one load balanced group to which execution of an application is assigned;
  
  providing N load balancing mechanisms, said N at least 2, each load balancing mechanism adapted to assign said execution of the application to a server within said each load balanced group;
  
  assigning N ranges of server load such that the N ranges of server load respectively correspond to the N load balancing mechanisms on a one-to-one basis;
  
  determining a range of server load of the N ranges of server load such that an expected server load for the application is within a scope of the range of server load; and
  
  selecting the load balancing mechanism that corresponds to the determined range of server load.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The method of claim 14, wherein said selecting the at least one load balanced group comprises selecting each said load balanced group of the at least one load balanced group as consisting of servers located on a same subnet of the IT system and adapted to execute instances of a same software program.
  - 16. The method of claim 14, wherein said selecting the at least one load balanced group comprises selecting computers from a displayed list of computers on a Graphical User Interface (GUI) for each load balanced group of the at least one load balanced group.
  - 17. The method of claim 14, said method further comprising providing session persistence only if the application is session based, said session persistence being characterized by the load balancer sending all requests pertaining to a same session to a same server for a duration of the same session.
  - 18. The method of claim 17, wherein the application is not session based, and wherein said session persistence is not provided.
  - 19. The method of claim 17, wherein the application is session based, and wherein said session persistence is provided after having been selected from the group consisting of source IP/port-based session persistence, cookie-based session persistence, and URL-based session persistence.
  - 20. The method of claim 14, wherein N is at least 2, wherein a first range of the N ranges of server load is unknown, and at least one additional range of the N ranges of server load is expressed as a percent range.
  - 21. The method of claim 14, wherein N is at least 3, wherein a first, second and third load balancing mechanism of the N load balancing mechanisms are Fastest response, Round robin, and Least load, and wherein a corresponding first, second and third range of the N ranges of server load is unknown, a first percent range, and a second percent range that is above the first percentage rang, respectively.
  - 22. The method of claim 21, wherein the first percent range is 30 to 50 percent, and wherein the second percent range is above 50 percent to 100 percent.
  - 23. The method of claim 14, said method further comprising outputting on a tangible medium an identification of:
    - the selected at least one load balanced group; and
      
      the selected load balancing mechanism pertaining to the assigned execution of said application for each load balanced group.
  - 24. The method of claim 14, wherein the plurality of servers in the at least one load balanced group are comprised by a same IT structure primitive composition.

25. A computer program product, comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code comprising a load balancer adapted to implement a load balancing rule generation method for an Information Technology (IT) system, said method comprising:
- selecting at least one load balanced group, each load balanced group of the at least one load balanced group comprising a plurality of servers; and
  
  for each load balanced group of the at least one load balanced group to which execution of an application is to be assigned;
  
  providing N load balancing mechanisms, said N at least 2, each load balancing mechanism adapted to assign said execution of the application to a server within said each load balanced group;
  
  assigning N ranges of server load such that the N ranges of server load respectively correspond to the N load balancing mechanisms on a one-to-one basis;
  
  determining a range of server load of the N ranges of server load such that an expected server load for the application is within a scope of the range of server load; and
  
  selecting the load balancing mechanism that corresponds to the determined range of server load.

26. A process for integrating computing infrastructure, said process comprising integrating computer-readable code into a computing system, wherein the code in combination with the computing system is capable of performing a method for an Information Technology (IT) system, said method implemented by a load balancer stored on a computer readable medium and executed on a processor of the computing system, said method comprising:
- selecting at least one load balanced group, each load balanced group of the at least one load balanced group comprising a plurality of servers; and
  
  for each load balanced group of the at least one load balanced group to which execution of an application is to be assigned;
  
  providing N load balancing mechanisms, said N at least 2, each load balancing mechanism adapted to assign said execution of the application to a server within said each load balanced group;
  
  assigning N ranges of server load such that the N ranges of server load respectively correspond to the N load balancing mechanisms on a one-to-one basis;
  
  determining a range of server load of the N ranges of server load such that an expected server load for the application is within a scope of the range of server load; and
  
  selecting the load balancing mechanism that corresponds to the determined range of server load.

27. A wrapper generation method for an Information Technology (IT) system, said method implemented by software stored on a computer readable medium and executed on a processor of a computer system, said method comprising:
- providing a list of computers, a list of software components installed on each computer, a list of clients using each application installed on each computer, and a list of application level protocols used by each software component installed on each computer;
  
  for each computer on the list of computers, for each software component installed on said each computer, for each client of said each software application such that said each client is separated by a firewall from said each computer, and for each application level protocol used by said each software component;
  
  assigning a value of a transport protocol used by said each application level protocol used by said each software component, said value of the transport protocol being Transmission Control Protocol (TCP) or User Datagram Protocol (UDP);
  
  assigning a list of ports used by said each application level protocol of said each software component; and
  
  if any port of the list of ports is not allowed by a security policy, then generating a communication protocol wrapper that opens a TCP connection between said each client and said each computer having said any port not allowed by the security policy wherein said any port is used by said each application level protocol of said each software component installed on said each computer, said TCP connection being allowed by the security policy, said wrapper using the TCP connection for facilitating all data transmissions between said each client and said each computer having said any port not allowed by the security policy wherein said any port is used by said each application level protocol of said each software component installed on said each computer.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The method of claim 27, wherein for a first computer on the list of computers, for a first software component installed on the first computer, and for a first application level protocol used by the first software component:
    - a first port of the list of ports used by the first application level protocol is not allowed by the security policy and the method further comprises generating a first communication protocol wrapper that opens a TCP connection between the first client and the first computer.
  - 29. The method of claim 28, wherein the value of the transport protocol used by the first application level protocol is UDP.
  - 30. The method of claim 28, wherein the value of the transport protocol used by the first application level protocol is TCP.
  - 31. The method of claim 28, wherein the first communication protocol wrapper exists on the first computer.
  - 32. The method of claim 28, wherein the computers on the list of computers is selected from computers in a same IT structure primitive composition.

33. A computer program product, comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code comprising an algorithm adapted to implement a wrapper generation method for an Information Technology (IT) system, said method comprising:
- providing a list of computers, a list of software components installed on each computer, a list of clients using each application installed on each computer, and a list of application level protocols used by each software component installed on each computer;
  
  for each computer on the list of computers, for each software component installed on said each computer, for each client of said each software application such that said each client is separated by a firewall from said each computer, and for each application level protocol used by said each software component;
  
  assigning a value of a transport protocol used by said each application level protocol used by said each software component, said value of the transport protocol being Transmission Control Protocol (TCP) or User Datagram Protocol (UDP);
  
  assigning a list of ports used by said each application level protocol of said each software component; and
  
  if any port of the list of ports is not allowed by a security policy, then generating a communication protocol wrapper that opens a TCP connection between said each client and said each computer having said any port not allowed by the security policy wherein said any port is used by said each application level protocol of said each software component installed on said each computer, said TCP connection being allowed by the security policy, said wrapper using the TCP connection for facilitating all data transmissions between said each client and said each computer having said any port not allowed by the security policy wherein said any port is used by said each application level protocol of said each software component installed on said each computer.

34. A process for integrating computing infrastructure, said process comprising integrating computer-readable code into a computing system, wherein the code in combination with the computing system is capable of performing a wrapper generation method for an Information Technology (IT) system, said method comprising:
- providing a list of computers, a list of software components installed on each computer, a list of clients using each application installed on each computer, and a list of application level protocols used by each software component installed on each computer;
  
  for each computer on the list of computers, for each software component installed on said each computer, for each client of said each software application such that said each client is separated by a firewall from said each computer, and for each application level protocol used by said each software component;
  
  assigning a value of a transport protocol used by said each application level protocol used by said each software component, said value of the transport protocol being Transmission Control Protocol (TCP) or User Datagram Protocol (UDP);
  
  assigning a list of ports used by said each application level protocol of said each software component; and
  
  if any port of the list of ports is not allowed by a security policy, then generating a communication protocol wrapper that opens a TCP connection between said each client and said each computer having said any port not allowed by the security policy wherein said any port is used by said each application level protocol of said each software component installed on said each computer, said TCP connection being allowed by the security policy, said wrapper using the TCP connection for facilitating all data transmissions between said each client and said each computer having said any port not allowed by the security policy wherein said any port is used by said each application level protocol of said each software component installed on said each computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Andreev, Dmitry, Grunin, Galina, Vilshansky, Gregory, Greenstein, Paul G.

Granted Patent

US 8,028,334 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/0263 Rule management

H04L 67/12 specially adapted for propr...

Automated generation of configuration elements of an information technology system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Automated generation of configuration elements of an information technology system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links