System, method and program product to identify additional firewall rules that may be needed

US 20060174337A1
Filed: 02/03/2005
Published: 08/03/2006
Est. Priority Date: 02/03/2005
Status: Active Grant

First Claim

Patent Images

1. A method for managing a security policy of a firewall, said firewall receiving a message packet addressed to a specified port of a destination IP address and determining that said firewall does not have a message flow rule which permits passing of said message packet to said port of said destination IP address, said method comprising the steps of:

testing said port of said destination IP address to determine if said port is open; and

if so, querying an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, if not, not querying an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System, method and program product for managing a security policy of a firewall. The firewall receives a message packet addressed to a specified port of a destination IP address and determines that the firewall does not have a message flow rule which permits passing of the message packet to the port. The port is tested to determine if the port is open. If so, an administrator is queried whether the firewall should have a message flow rule which permits passing of the message packet to the port. If not, an administrator is not queried whether the firewall should have a message flow rule which permits passing of the message packet to the port. There may be first and second firewalls located between the source IP address and destination IP address. Before the port is tested, a central database is checked to learn if the central database has a record of whether the first firewall should have a message flow rule which permits passing of the message packet to the port. If not, and the port is found to be open, the central database is updated to indicate that both the first and second firewalls should have a message flow rule which permits passing of the message packet to the port. Also, the security policy of the first firewall is updated with a message flow rule which permits passing of the message packet to the port. The second firewall is not updated until it encounters a message packet addressed to the port.

Citations

21 Claims

1. A method for managing a security policy of a firewall, said firewall receiving a message packet addressed to a specified port of a destination IP address and determining that said firewall does not have a message flow rule which permits passing of said message packet to said port of said destination IP address, said method comprising the steps of:
- testing said port of said destination IP address to determine if said port is open; and
  
  if so, querying an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, if not, not querying an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method as set forth in claim 1 further comprising the steps of:
    - receiving a response from said administrator that said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, and in response, automatically adding a message flow rule to said security policy of said firewall to permit passing of message packets to said port of said destination IP address if said message packets are addressed to said port of said destination IP address.
  - 3. A method as set forth in claim 1 further comprising the steps of:
    - receiving a response from said administrator that said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, and in response, advising said administrator how to add a message flow rule to said security policy of said firewall to permit passing of message packets to said port of said destination IP address if said message packets are addressed to said port of said destination IP address.
  - 4. A method as set forth in claim 1 further comprising the step of:
    - determining if a protocol of said message packet is not acceptable in a network containing said destination IP address before the step of testing said port of said destination IP address.
  - 5. A method as set forth in claim 1 wherein the step of testing said port of said destination IP address to determine if said port is open comprises the step of sending a test message packet to said port and checking for an acknowledgment or other response indicating that said port is open.
  - 6. A method as set forth in claim 5 wherein said firewall is located between a sender of said test message packet and said destination IP address, and said firewall includes a message flow rule which permits message packets to flow from a source IP address of said sender of said test message packet to said destination IP address.

7. A system for managing a security policy of a firewall, said firewall receiving a message packet addressed to a specified port of a destination IP address and determining that said firewall does not have a message flow rule which permits passing of said message packet to said port of said destination IP address, said system comprising:
- means for testing said port of said destination IP address to determine if said port is open; and
  
  means, responsive to said port being open, for querying an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, said system, responsive to said port not being open, by not querying an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. A system as set forth in claim 7 further comprising:
    - means for receiving a response from said administrator that said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, and in response, automatically adding a message flow rule to said security policy of said firewall to permit passing of message packets to said port of said destination IP address.
  - 9. A system as set forth in claim 7 further comprising:
    - means for receiving a response from said administrator that said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, and in response, advising said administrator how to add a message flow rule to said security policy of said firewall to permit passing of message packets to said port of said destination IP address.
  - 10. A system as set forth in claim 7 further comprising:
    - means for determining if a protocol of said message packet is not acceptable in a network containing said destination IP address before the step of testing said port of said destination IP address.
  - 11. A system as set forth in claim 7 wherein the means for testing said port of said destination IP address to determine if said port is open comprises means for sending a test message packet to said port and checking for an acknowledgment or other response indicating that said port is open.
  - 12. A system as set forth in claim 11 wherein said firewall is located between a sender of said test message packet and said destination IP address, and said firewall includes a message flow rule which permits message packets to flow from a source IP address of said sender of said test message packet to said destination IP address.

13. A computer program product for managing a security policy of a firewall, said firewall receiving a message packet addressed to a specified port of a destination IP address and determining that said firewall does not have a message flow rule which permits passing of said message packet to said port of said destination IP address, said computer program product comprising:
- a computer readable media;
  
  first program instructions to test said port of said destination IP address to determine if said port is open; and
  
  second program instructions, responsive to said port being open, to query an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, said program product, responsive to said port not being open, by not querying an administrator whether said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address; and
  
  wherein said first and second program instructions are embodied on said media.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. A computer program product as set forth in claim 13 further comprising:
    - third program instructions to receive a response from said administrator that said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, and in response, automatically add a message flow rule to said security policy of said firewall to permit passing of message packets to said port of said destination IP address; and
      
      wherein said third program instructions are embodied on said media.
  - 15. A computer program product as set forth in claim 13 further comprising:
    - third program instructions to receive a response from said administrator that said firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, and in response, advise said administrator how to add a message flow rule to said security policy of said firewall to permit passing of message packets to said port of said destination IP address; and
      
      wherein said third program instructions are embodied on said media.
  - 16. A computer program product as set forth in claim 13 further comprising:
    - third program instructions to determine if a protocol of said message packet is not acceptable in a network containing said destination IP address before the first program instructions test said port of said destination IP address; and
      
      wherein said third program instructions are embodied on said media.
  - 17. A computer program product as set forth in claim 13 wherein the first program instructions determines if said port is open by initiating sending of a test message packet to said port and checking for an acknowledgment or other response indicating that said port is open.
  - 18. A computer program product as set forth in claim 17 wherein said firewall is located between a sender of said test message packet and said destination IP address, and said firewall includes a message flow rule which permits message packets to flow from a source IP address of said sender of said test message packet to said destination IP address.

19. A method for managing a security policy of first and second firewalls located between a source IP address and a destination IP address, said first firewall receiving a message packet addressed to a specified port of said destination IP address and determining that said first firewall does not have a message flow rule which permits passing of said message packet to said port of said destination IP address, said second firewall not having a message flow rule which permits passing of said message packet to said port of said destination IP address, said method comprising the steps of:
- checking a central database to learn that said central database does not have a record of whether said first firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, and in response, testing said port of said destination IP address to determine if said port is open; and
  
  if said port is open, updating said central database to indicate that both said first and second firewalls should have a message flow rule which permits passing of said message packet to said port of said destination IP address, and updating said security policy of said first firewall with a message flow rule which permits passing of said message packet to said port of said destination IP address.
- View Dependent Claims (20, 21)
- - 20. A method as set forth in claim 19 further comprising the subsequent step of:
    - upon receipt at said second firewall of a message packet addressed to said specified port of said destination IP address and a determination that said second firewall does not have a message flow rule which permits passing of said message packet to said port of said destination IP address, checking said central database to learn that said second firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address and updating said security policy of said second firewall with a message flow rule which permits passing of said message packet to said port of said destination IP address.
  - 21. A method as set forth in claim 20 wherein in response to said receipt at said second firewall of a message packet addressed to said specified port of said destination IP address and learning from said central database that said second firewall should have a message flow rule which permits passing of said message packet to said port of said destination IP address, there is not a second test of said port to determine if said port is open. IDS:
    - An Intrusion Detection System program tool was also known which notified a user of a destination device when a message packet on a network met certain intrusion signatures which are available to the IDS.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Bernoth, Andrew John

Granted Patent

US 10,015,140 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/0263 Rule management

System, method and program product to identify additional firewall rules that may be needed

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and program product to identify additional firewall rules that may be needed

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links