System, method and program product to identify additional firewall rules that may be needed
First Claim
1. A method for managing a security policy of a firewall, said firewall receiving a message packet addressed to a specified port of a destination IP address and determining that said firewall does not have a message flow rule which permits passing of said message packet to said port of said destination IP address, said method comprising the steps of:
testing said port of said destination IP address to determine if said port is open; and
if so, querying an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, if not, not querying an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address.
Abstract
System, method and program product for managing a security policy of a firewall. The firewall receives a message packet addressed to a specified port of a destination IP address and determines that the firewall does not have a message flow rule which permits passing of the message packet to the port. The port is tested to determine if the port is open. If so, an administrator is queried whether the firewall should have a message flow rule which permits passing of the message packet to the port. If not, an administrator is not queried whether the firewall should have a message flow rule which permits passing of the message packet to the port. There may be first and second firewalls located between the source IP address and destination IP address. Before the port is tested, a central database is checked to learn if the central database has a record of whether the first firewall should have a message flow rule which permits passing of the message packet to the port. If not, and the port is found to be open, the central database is updated to indicate that both the first and second firewalls should have a message flow rule which permits passing of the message packet to the port. Also, the security policy of the first firewall is updated with a message flow rule which permits passing of the message packet to the port. The second firewall is not updated until it encounters a message packet addressed to the port.
21 Claims
1. A method for managing a security policy of a firewall, said firewall receiving a message packet addressed to a specified port of a destination IP address and determining that said firewall does not have a message flow rule which permits passing of said message packet to said port of said destination IP address, said method comprising the steps of:
testing said port of said destination IP address to determine if said port is open; and
if so, querying an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, if not, not querying an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address. - View Dependent Claims (2, 3, 4, 5, 6)
7. A system for managing a security policy of a firewall, said firewall receiving a message packet addressed to a specified port of a destination IP address and determining that said firewall does not have a message flow rule which permits passing of said message packet to said port of said destination IP address, said system comprising:
means for testing said port of said destination IP address to determine if said port is open; and
means, responsive to said port being open, for querying an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, said system, responsive to said port not being open, by not querying an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address. - View Dependent Claims (8, 9, 10, 11, 12)
13. A computer program product for managing a security policy of a firewall, said firewall receiving a message packet addressed to a specified port of a destination IP address and determining that said firewall does not have a message flow rule which permits passing of said message packet to said port of said destination IP address, said computer program product comprising:
a computer readable media;
first program instructions to test said port of said destination IP address to determine if said port is open; and
second program instructions, responsive to said port being open, to query an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, said program product, responsive to said port not being open, by not querying an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address; and
wherein said first and second program instructions are embodied on said media. - View Dependent Claims (14, 15, 16, 17, 18)
19. A method for managing a security policy of first and second firewalls located between a source IP address and a destination IP address, said first firewall receiving a message packet addressed to a specified port of said destination IP address and determining that said first firewall does not have a message flow rule which permits passing of said message packet to said port of said destination IP address, said second firewall not having a message flow rule which permits passing of said message packet to said port of said destination IP address, said method comprising the steps of:
checking a central database to learn that said central database does not have a record of whether said first firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, and in response, testing said port of said destination IP address to determine if said port is open; and
if said port is open, updating said central database to indicate that both said first and second firewalls should have a message flow rule which permits passing of said message packet to said port of said destination IP address, and updating said security policy of said first firewall with a message flow rule which permits passing of said message packet to said port of said destination IP address. - View Dependent Claims (20, 21)
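The decision procedure of claims 1 and 19 (consult the central database first, test the port only when no record exists, query the administrator only when the port is open, and let the second firewall pick up the rule lazily), modelled as an added Python example that is not the patent's own code; the firewall names, the `handle_unmatched` function, and the injected port-test and administrator callbacks are constructed stand-ins.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int]  # (destination IP address, destination port)

@dataclass
class Firewall:
    name: str
    policy: Set[Flow] = field(default_factory=set)  # message flow rules permitting a flow

@dataclass
class CentralDB:
    # flow -> names of firewalls that should carry a rule; an empty set records a "no"
    records: Dict[Flow, Set[str]] = field(default_factory=dict)

def handle_unmatched(fw: Firewall, peer: Firewall, db: CentralDB, flow: Flow,
                     port_is_open, ask_admin) -> str:
    """Decide what to do with a packet `fw` has no rule for; callbacks are injected."""
    if flow in fw.policy:
        return "permitted"
    if flow in db.records:  # central database already has a record: no probe, no query
        if fw.name in db.records[flow]:
            fw.policy.add(flow)  # second firewall picks up the rule when it sees the packet
            return "added_from_db"
        return "dropped"
    if not port_is_open(flow):
        return "closed"  # closed port: the administrator is not queried
    if ask_admin(flow):
        db.records[flow] = {fw.name, peer.name}  # both firewalls should carry the rule
        fw.policy.add(flow)  # only the firewall that saw the packet is updated now
        return "approved"
    db.records[flow] = set()  # remember the refusal so nobody asks again
    return "rejected"

def run_scenario() -> Tuple[List[str], int]:
    """Constructed walk-through: two firewalls, one open port, one closed port."""
    open_ports = {("10.0.0.5", 443)}  # constructed stand-in for the real port test
    queries: List[Flow] = []
    def ask_admin(flow: Flow) -> bool:
        queries.append(flow)  # count how often the administrator is bothered
        return True
    fw1, fw2, db = Firewall("edge"), Firewall("core"), CentralDB()
    web, telnet = ("10.0.0.5", 443), ("10.0.0.5", 23)
    probe = open_ports.__contains__
    outcomes = [handle_unmatched(fw1, fw2, db, web, probe, ask_admin),
                handle_unmatched(fw2, fw1, db, web, probe, ask_admin),
                handle_unmatched(fw1, fw2, db, telnet, probe, ask_admin),
                handle_unmatched(fw1, fw2, db, web, probe, ask_admin)]
    return outcomes, len(queries)
```

Only one administrator query is raised across the four packets: the second firewall reads the database record instead of asking, and the closed port never reaches the administrator at all.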