Automated generation of configuration elements of an information technology system
Abstract
A firewall rule generation method, a load balancing rule generation method, and a wrapper generation method for an Information Technology (IT) system, associated computer program products, and associated processes for integrating computing infrastructure. The firewall rule generation method generates firewall rules allowing data transmission between a computer and a client, and subsequently assigns the firewall rules to firewalls of the IT system. The load balancing rule generation method assigns a load balancing mechanism to a load balanced group to which execution of an application is assigned, wherein the load balanced group has servers therein. For a client and computer having a communication protocol therebetween that is not allowed by a security policy, the wrapper generation method generates a communication protocol wrapper that opens a Transmission Control Protocol (TCP) connection between the client and the computer such that the TCP connection is allowed by the security policy.
34 Claims
1. A firewall rule generation method for an Information Technology (IT) system, said method implemented by software stored on a computer readable medium and executed on a processor of a computer system, said method comprising:
providing a list LX of I computers Xi (i=1, 2, . . . , I), said I being at least 1;
providing a list LS of J software components Sij (j=1, 2, . . . , J) installed on computer Xi, said J being a function of i and J is at least 1, each software component of the J software components independently adapted to transmit and/or receive data in accordance with a data communication protocol;
providing a list LP of M ports Pijm (m=1, 2, . . . , M) on which software component Sij is listening, said M being a function of i and j and M is at least 1;
providing a list LY of N clients Yijmn (n=1, 2, . . . , N), said N being a function of i, j, and m and N is at least 1;
computer Xi and client Yijmn configured to have data transmitted therebetween; and
for data transmission between each computer Xi (i=1, 2, . . . , I) on the list LX and each associated client Yijmn (n=1, 2, . . . , N; m=1, 2, . . . , M; j=1, 2, . . . , J) on the list LY;
generating at least one firewall rule allowing said data transmission between Xi and Yijmn if an Internet Protocol (IP) address (IPAddrXi) of computer Xi and an IP address (IPAddrYijmn) of client Yijmn are not on a same subnet of the IT system, wherein for each firewall rule of the at least one firewall rule that allows data transmission from Xi to Yijmn the source component of said each firewall rule comprises IPAddrXi and the destination component of said each firewall rule comprises IPAddrYijmn, and wherein for each firewall rule of the at least one firewall rule that allows data transmission from Yijmn to Xi the source component of said each firewall rule comprises IPAddrYijmn and the destination component of said each firewall rule comprises IPAddrXi.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A computer program product, comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code comprising an algorithm adapted to implement a firewall rule generation method for an Information Technology (IT) system, said method comprising:
providing a list LX of I computers Xi (i=1, 2, . . . , I), said I being at least 1;
providing a list LS of J software components Sij (j=1, 2, . . . , J) installed on computer Xi, said J being a function of i and J is at least 1, each software component of the J software components independently adapted to transmit and/or receive data in accordance with a data communication protocol;
providing a list LP of M ports Pijm (m=1, 2, . . . , M) on which software component Sij is listening, said M being a function of i and j and M is at least 1;
providing a list LY of N clients Yijmn (n=1, 2, . . . , N), said N being a function of i, j, and m and N is at least 1;
computer Xi and client Yijmn configured to have data transmitted therebetween; and
for data transmission between each computer Xi (i=1, 2, . . . , I) on the list LX and each associated client Yijmn (n=1, 2, . . . , N; m=1, 2, . . . , M; j=1, 2, . . . , J) on the list LY;
generating at least one firewall rule allowing said data transmission between Xi and Yijmn if an Internet Protocol (IP) address (IPAddrXi) of computer Xi and an IP address (IPAddrYijmn) of client Yijmn are not on a same subnet of the IT system, wherein for each firewall rule of the at least one firewall rule that allows data transmission from Xi to Yijmn the source component of said each firewall rule comprises IPAddrXi and the destination component of said each firewall rule comprises IPAddrYijmn, and wherein for each firewall rule of the at least one firewall rule that allows data transmission from Yijmn to Xi the source component of said each firewall rule comprises IPAddrYijmn and the destination component of said each firewall rule comprises IPAddrXi.

13. A process for integrating computing infrastructure, said process comprising integrating computer-readable code into a computing system, wherein the code in combination with the computing system is capable of performing a firewall rule generation method for an Information Technology (IT) system, said method comprising:
providing a list LX of I computers Xi (i=1, 2, . . . , I), said I being at least 1;
providing a list LS of J software components Sij (j=1, 2, . . . , J) installed on computer Xi, said J being a function of i and J is at least 1, each software component of the J software components independently adapted to transmit and/or receive data in accordance with a data communication protocol;
providing a list LP of M ports Pijm (m=1, 2, . . . , M) on which software component Sij is listening, said M being a function of i and j and M is at least 1;
providing a list LY of N clients Yijmn (n=1, 2, . . . , N), said N being a function of i, j, and m and N is at least 1;
computer Xi and client Yijmn configured to have data transmitted therebetween; and
for data transmission between each computer Xi (i=1, 2, . . . , I) on the list LX and each associated client Yijmn (n=1, 2, . . . , N; m=1, 2, . . . , M; j=1, 2, . . . , J) on the list LY;
generating at least one firewall rule allowing said data transmission between Xi and Yijmn if an Internet Protocol (IP) address (IPAddrXi) of computer Xi and an IP address (IPAddrYijmn) of client Yijmn are not on a same subnet of the IT system, wherein for each firewall rule of the at least one firewall rule that allows data transmission from Xi to Yijmn the source component of said each firewall rule comprises IPAddrXi and the destination component of said each firewall rule comprises IPAddrYijmn, and wherein for each firewall rule of the at least one firewall rule that allows data transmission from Yijmn to Xi the source component of said each firewall rule comprises IPAddrYijmn and the destination component of said each firewall rule comprises IPAddrXi.

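Claims 1, 12 and 13 all recite the same nested enumeration: computers Xi, the components Sij installed on each, the ports Pijm each component listens on, and the clients Yijmn of each port, with a pair of allow rules emitted only when Xi and Yijmn are not on the same subnet. The following is an added example written for this page, not code from the patent or its assignee; the data model, the class and function names, the CIDR-based notion of "same subnet", and the sample inventory are all assumptions made for illustration.

```python
# Added example (not code from the patent): a firewall rule generator that
# follows the structure of claims 1, 12 and 13. All names, the data model
# and the sample inventory below are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Client:            # Y_ijmn: a host that talks to port P_ijm
    name: str
    ip: str


@dataclass
class Port:              # P_ijm: a port on which S_ij listens
    number: int
    proto: str           # transport protocol, "tcp" or "udp"
    clients: list = field(default_factory=list)


@dataclass
class Component:         # S_ij: a software component installed on X_i
    name: str
    ports: list = field(default_factory=list)


@dataclass
class Computer:          # X_i
    name: str
    ip: str
    components: list = field(default_factory=list)


@dataclass(frozen=True)
class Rule:
    """One allow rule; dport/sport is None where the claim leaves the port open."""
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    sport: Optional[int] = None

    def as_text(self):
        port = f"dport {self.dport}" if self.dport is not None else f"sport {self.sport}"
        return f"allow {self.proto} {self.src} -> {self.dst} {port}"


def same_subnet(ip_a, ip_b, subnets):
    """True when both addresses fall inside one of the IT system's listed subnets.
    An address in no listed subnet is treated as being on a different subnet,
    so a rule is still generated (the safe default when the topology is unknown)."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    return any(a in net and b in net for net in map(ipaddress.ip_network, subnets))


def generate_rules(computers, subnets):
    """Walk X_i -> S_ij -> P_ijm -> Y_ijmn and emit rules for cross-subnet pairs.
    For each such pair two rules are generated, as the claim states:
    client -> computer (source IPAddrY, destination IPAddrX, the listening port)
    and computer -> client (source IPAddrX, destination IPAddrY) for the reply."""
    rules = []
    for x in computers:
        for s in x.components:
            for p in s.ports:
                for y in p.clients:
                    if same_subnet(x.ip, y.ip, subnets):
                        continue          # intra-subnet traffic crosses no firewall
                    rules.append(Rule(src=y.ip, dst=x.ip, proto=p.proto, dport=p.number))
                    rules.append(Rule(src=x.ip, dst=y.ip, proto=p.proto, sport=p.number))
    # The same pair can appear under several components; keep one copy of each rule.
    return list(dict.fromkeys(rules))


# Constructed sample inventory: two servers, three subnets, one intra-subnet client.
SAMPLE_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24", "192.168.5.0/24"]
SAMPLE_COMPUTERS = [
    Computer("web01", "10.0.1.10", [
        Component("httpd", [Port(443, "tcp", [Client("lb01", "10.0.2.5"),
                                              Client("admin-pc", "10.0.1.77")])]),
        Component("sshd", [Port(22, "tcp", [Client("bastion", "192.168.5.3")])]),
    ]),
    Computer("db01", "10.0.2.20", [
        Component("postgres", [Port(5432, "tcp", [Client("web01", "10.0.1.10")])]),
    ]),
]

if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_COMPUTERS, SAMPLE_SUBNETS):
        print(rule.as_text())
```

With the constructed inventory the generator emits six rules: the admin workstation on web01's own subnet gets none, while lb01, the bastion and the web01-to-db01 path each get a client-to-server rule keyed on the listening port plus the matching reverse rule. Treating an address outside every known subnet as "different subnet" errs towards generating a rule, which a reviewer can then drop, rather than silently leaving a required path unopened.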
14. A load balancing rule generation method for an Information Technology (IT) system, said method implemented by a load balancer stored on a computer readable medium and executed on a processor of a computer system, said method comprising:
selecting at least one load balanced group, each load balanced group of the at least one load balanced group comprising a plurality of servers; and
for each load balanced group of the at least one load balanced group to which execution of an application is assigned;
providing N load balancing mechanisms, said N at least 2, each load balancing mechanism adapted to assign said execution of the application to a server within said each load balanced group;
assigning N ranges of server load such that the N ranges of server load respectively correspond to the N load balancing mechanisms on a one-to-one basis;
determining a range of server load of the N ranges of server load such that an expected server load for the application is within a scope of the range of server load; and
selecting the load balancing mechanism that corresponds to the determined range of server load.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24.

25. A computer program product, comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code comprising a load balancer adapted to implement a load balancing rule generation method for an Information Technology (IT) system, said method comprising:
selecting at least one load balanced group, each load balanced group of the at least one load balanced group comprising a plurality of servers; and
for each load balanced group of the at least one load balanced group to which execution of an application is to be assigned;
providing N load balancing mechanisms, said N at least 2, each load balancing mechanism adapted to assign said execution of the application to a server within said each load balanced group;
assigning N ranges of server load such that the N ranges of server load respectively correspond to the N load balancing mechanisms on a one-to-one basis;
determining a range of server load of the N ranges of server load such that an expected server load for the application is within a scope of the range of server load; and
selecting the load balancing mechanism that corresponds to the determined range of server load.
26. A process for integrating computing infrastructure, said process comprising integrating computer-readable code into a computing system, wherein the code in combination with the computing system is capable of performing a method for an Information Technology (IT) system, said method implemented by a load balancer stored on a computer readable medium and executed on a processor of the computing system, said method comprising:
selecting at least one load balanced group, each load balanced group of the at least one load balanced group comprising a plurality of servers; and
for each load balanced group of the at least one load balanced group to which execution of an application is to be assigned;
providing N load balancing mechanisms, said N at least 2, each load balancing mechanism adapted to assign said execution of the application to a server within said each load balanced group;
assigning N ranges of server load such that the N ranges of server load respectively correspond to the N load balancing mechanisms on a one-to-one basis;
determining a range of server load of the N ranges of server load such that an expected server load for the application is within a scope of the range of server load; and
selecting the load balancing mechanism that corresponds to the determined range of server load.
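Claims 14, 25 and 26 describe one selection procedure: a load balanced group holds a plurality of servers and N (at least 2) load balancing mechanisms, each mechanism is mapped one-to-one to a range of server load, the range containing the application's expected load is determined, and that range's mechanism is selected. The following is an added example written for this page, not code from the patent or its assignee; the mechanism names, the load unit (requests per second), the range boundaries, and the extra check that the N ranges do not overlap are assumptions, added so that the one-to-one mapping is unambiguous.

```python
# Added example (not code from the patent): selecting a load balancing
# mechanism by expected server load, following claims 14, 25 and 26. The
# mechanism names, load unit (requests per second) and ranges are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class LoadRange:
    low: float            # inclusive lower bound
    high: float           # exclusive upper bound; float("inf") for the top range

    def contains(self, load):
        return self.low <= load < self.high


@dataclass(frozen=True)
class Mechanism:
    name: str             # e.g. "round_robin" (constructed name)
    load_range: LoadRange # the one range this mechanism is assigned to


class LoadBalancedGroup:
    """A group of servers plus N mechanisms (N >= 2) mapped one-to-one to N load ranges."""

    def __init__(self, name, servers, mechanisms):
        if len(servers) < 2:
            raise ValueError(f"{name}: a load balanced group needs a plurality of servers")
        if len(mechanisms) < 2:
            raise ValueError(f"{name}: N must be at least 2")
        ordered = sorted(mechanisms, key=lambda m: m.load_range.low)
        for lower, upper in zip(ordered, ordered[1:]):
            # Overlapping ranges would make the mapping ambiguous, so reject them
            # (an assumption added here; the claim only requires one-to-one).
            if lower.load_range.high > upper.load_range.low:
                raise ValueError(f"{name}: ranges of {lower.name} and {upper.name} overlap")
        self.name, self.servers, self.mechanisms = name, list(servers), ordered

    def select_mechanism(self, expected_load):
        """Determine the range whose scope covers the expected load; return its mechanism."""
        for m in self.mechanisms:
            if m.load_range.contains(expected_load):
                return m
        raise ValueError(f"{self.name}: no load range covers {expected_load}")


def assign_mechanisms(groups, expected_load):
    """For every group to which the application is assigned, pick one mechanism."""
    return {g.name: g.select_mechanism(expected_load).name for g in groups}


# Constructed sample: two groups with different range boundaries.
APP_TIER = LoadBalancedGroup("app-tier", ["app01", "app02", "app03"], [
    Mechanism("round_robin", LoadRange(0, 100)),
    Mechanism("least_connections", LoadRange(100, 1000)),
    Mechanism("weighted_least_response_time", LoadRange(1000, float("inf"))),
])
API_TIER = LoadBalancedGroup("api-tier", ["api01", "api02"], [
    Mechanism("round_robin", LoadRange(0, 500)),
    Mechanism("least_connections", LoadRange(500, float("inf"))),
])

if __name__ == "__main__":
    for load in (50, 250, 5000):
        print(load, assign_mechanisms([APP_TIER, API_TIER], load))
```

The boundary convention matters: with a low-inclusive, high-exclusive range an expected load of exactly 100 falls into the second range of the app tier, never into both, which is what keeps the range-to-mechanism mapping one-to-one at the seams. A group whose ranges leave a gap raises instead of silently defaulting, so a misconfigured policy surfaces at assignment time.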
27. A wrapper generation method for an Information Technology (IT) system, said method implemented by software stored on a computer readable medium and executed on a processor of a computer system, said method comprising:
providing a list of computers, a list of software components installed on each computer, a list of clients using each application installed on each computer, and a list of application level protocols used by each software component installed on each computer;
for each computer on the list of computers, for each software component installed on said each computer, for each client of said each software application such that said each client is separated by a firewall from said each computer, and for each application level protocol used by said each software component;
assigning a value of a transport protocol used by said each application level protocol used by said each software component, said value of the transport protocol being Transmission Control Protocol (TCP) or User Datagram Protocol (UDP);
assigning a list of ports used by said each application level protocol of said each software component; and
if any port of the list of ports is not allowed by a security policy, then generating a communication protocol wrapper that opens a TCP connection between said each client and said each computer having said any port not allowed by the security policy wherein said any port is used by said each application level protocol of said each software component installed on said each computer, said TCP connection being allowed by the security policy, said wrapper using the TCP connection for facilitating all data transmissions between said each client and said each computer having said any port not allowed by the security policy wherein said any port is used by said each application level protocol of said each software component installed on said each computer.
Dependent claims: 28, 29, 30, 31, 32.

33. A computer program product, comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code comprising an algorithm adapted to implement a wrapper generation method for an Information Technology (IT) system, said method comprising:
providing a list of computers, a list of software components installed on each computer, a list of clients using each application installed on each computer, and a list of application level protocols used by each software component installed on each computer;
for each computer on the list of computers, for each software component installed on said each computer, for each client of said each software application such that said each client is separated by a firewall from said each computer, and for each application level protocol used by said each software component;
assigning a value of a transport protocol used by said each application level protocol used by said each software component, said value of the transport protocol being Transmission Control Protocol (TCP) or User Datagram Protocol (UDP);
assigning a list of ports used by said each application level protocol of said each software component; and
if any port of the list of ports is not allowed by a security policy, then generating a communication protocol wrapper that opens a TCP connection between said each client and said each computer having said any port not allowed by the security policy wherein said any port is used by said each application level protocol of said each software component installed on said each computer, said TCP connection being allowed by the security policy, said wrapper using the TCP connection for facilitating all data transmissions between said each client and said each computer having said any port not allowed by the security policy wherein said any port is used by said each application level protocol of said each software component installed on said each computer.
34. A process for integrating computing infrastructure, said process comprising integrating computer-readable code into a computing system, wherein the code in combination with the computing system is capable of performing a wrapper generation method for an Information Technology (IT) system, said method comprising:
providing a list of computers, a list of software components installed on each computer, a list of clients using each application installed on each computer, and a list of application level protocols used by each software component installed on each computer;
for each computer on the list of computers, for each software component installed on said each computer, for each client of said each software application such that said each client is separated by a firewall from said each computer, and for each application level protocol used by said each software component;
assigning a value of a transport protocol used by said each application level protocol used by said each software component, said value of the transport protocol being Transmission Control Protocol (TCP) or User Datagram Protocol (UDP);
assigning a list of ports used by said each application level protocol of said each software component; and
if any port of the list of ports is not allowed by a security policy, then generating a communication protocol wrapper that opens a TCP connection between said each client and said each computer having said any port not allowed by the security policy wherein said any port is used by said each application level protocol of said each software component installed on said each computer, said TCP connection being allowed by the security policy, said wrapper using the TCP connection for facilitating all data transmissions between said each client and said each computer having said any port not allowed by the security policy wherein said any port is used by said each application level protocol of said each software component installed on said each computer.
Specification