Determining firewall rules for reverse firewalls

US 20060190998A1
Filed: 11/30/2005
Published: 08/24/2006
Est. Priority Date: 02/17/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for securing a network using a reverse firewall, the reverse firewall accessing a profile of a host in the network, the method comprising the steps of:

at the reverse firewall, receiving a network communication from a host in the network;

if parameters of the network communication from the host are in the profile of the host, allowing the network communication from the host; and

if parameters of the network communication from the host are not in the profile of the host, enforcing a throttling discipline on the network communication to determine whether to allow or to block the network communication from the host.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A reverse firewall for removing undesirable traffic from a computing network, such as a virtual private network (VPN), is disclosed. The reverse firewall uses firewall rules that may be determined and maintained within the enterprise network to control communication sent between computers in the computing network. The reverse firewall rules may be used to identify the communications between computers in the network that are undesirable and/or intrusive. For example, a computer in a network that is infected with a worm or that is surreptitiously hosting a denial-of-service attack may be identified by the reverse firewall and quarantined. The reverse firewall may be implemented in hardware and/or software.

Citations

20 Claims

1. A method for securing a network using a reverse firewall, the reverse firewall accessing a profile of a host in the network, the method comprising the steps of:
- at the reverse firewall, receiving a network communication from a host in the network;
  
  if parameters of the network communication from the host are in the profile of the host, allowing the network communication from the host; and
  
  if parameters of the network communication from the host are not in the profile of the host, enforcing a throttling discipline on the network communication to determine whether to allow or to block the network communication from the host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, the reverse firewall further comprising an out-of-profile counter for each host in the network, the method further comprising the steps of:
    - updating the out-of-profile counter for the host, if the parameters of the network communication from the host are not in the profile of the host.
  - 3. The method of claim 2, wherein the throttling discipline is a n-r-relaxed discipline.
  - 4. The method of claim 2, wherein the throttling discipline is a n-r-strict discipline.
  - 5. The method of claim 2, wherein the throttling discipline is a n-r-open discipline for controlling out-of-profile network communication from the host.
  - 6. The method of claim 4, the value of n being zero, and all network communication from the host being blocked when an out-of-profile network communication is attempted by the host.
  - 7. The method of claim 1, the parameters of the network communication from the host being in the profile of the host if the destination address, destination port, and protocol of the network communication are present in the profile of the host.
  - 8. The method of claim 1, the parameters of the network communication from the host being in the profile of the host if the destination address and the destination port of the network communication are present in the profile of the host.
  - 9. The method of claim 1, the parameters of the network communication from the host being in the profile of the host if the destination address of the network communication is present in the profile of the host.

10. A method for determining a communications management policy for a reverse firewall in a network, the method comprising the steps of:
- generating a profile for a host in the network; and
  
  setting a throttling discipline for out-of-profile network communication from the host.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, the step of generating a profile of a host including generating an initial set of rules corresponding to network communication originating from the host, and at least some of the initial set of rules are based on an analysis of network communication between a plurality of hosts in the network during a learning period.
  - 12. The method of claim 11, the profile of the host comprising PCSPP rules.
  - 13. The method of claim 11, the profile of the host comprising PCSP rules.
  - 14. The method of claim 11, the profile of the host comprising PSP rules.
  - 15. The method of claim 10, further comprising the step of:
    - updating the profile of the host in the network, the profile being stored in the reverse firewall.
  - 16. The method of claim 15, the step of updating the profile of the host including automatically updating the set of rules to accommodate for known undesirable network communication.
  - 17. The method of claim 16, the known undesirable network communication comprising at least one of:
    - tcp communication between two hosts in the network that consists of less than three packets in each direction;
      
      udp communication between two hosts in the network that consists of less than two packets in either direction; and
      
      no icmp data communication.

18. A network device for controlling a network communication sent from a host in a network, the network device configured to enforce a profile of the host and a throttling discipline, the device comprising:
- a memory unit storing a set of rules corresponding to the profile of the host in the network, the network device accessing the memory unit to identify the set of rules corresponding to the profile of the host in the network; and
  
  an out-of-profile counter for use by the network device to enforce the throttling discipline.
- View Dependent Claims (19, 20)
- - 19. The device of claim 18, the network device comprising a programmable router configured as a reverse firewall, the host in the network being connected to the network device.
  - 20. The device of claim 18 coupled to an out-of-profile-counter, the out-of-profile counter being provided for each host in the network, the profile being stored in the memory unit, and the out-of-profile counter comprising a number and a timer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Leighton, William J. III, Aiello, William A., Spatscheck, Oliver, Sen, Subhabrata, Van der Merwe, Jacobus E., Kalmanek, Charles Robert Jr., McDaniel, Patrick

Application Number

US11/290,976
Publication Number

US 20060190998A1
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 43/16   Threshold monitoring

H04L 63/0236   Filtering by address, proto...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/029   Firewall traversal, e.g. tu...

H04W 28/00   Network traffic management;...

Determining firewall rules for reverse firewalls

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Determining firewall rules for reverse firewalls

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links