Method and apparatus for managing a firewall

US 20060288409A1
Filed: 08/10/2006
Published: 12/21/2006
Est. Priority Date: 01/29/1999
Status: Abandoned Application

First Claim

Patent Images

1. A method for generating a configuration file for at least one firewall in a network, said network including a plurality of interconnected hosts, said method comprising the steps of:

utilizing a model definition language to produce an entity relationship model representing a security policy for said network; and

translating said entity relationship model into said firewall configuration file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus are disclosed for managing a firewall. The disclosed firewall manager facilitates the generation of a security policy for a particular network environment, and automatically generates the firewall-specific configuration files from the security policy simultaneously for multiple gateways. The security policy is separated from the vendor-specific rule syntax and semantics and from the actual network topology. Thus, the security administrator can focus on designing an appropriate policy without worrying about firewall rule complexity, rule ordering, and other low-level configuration issues. In addition, the administrator can maintain a consistent policy in the presence of intranet topology changes. The disclosed firewall manager utilizes a model definition language (MDL) and an associated parser to produce an entity relationship model. A model compiler translates the entity-relationship model into the appropriate firewall configuration files. The entity-relationship model provides a framework for representing both the firewall-independent security policy, and the network topology. The security policy is expressed in terms of “roles,” which are used to define network capabilities of sending and receiving services. A role may be assumed by different hosts or host-groups in the network. A visualization and debugging tool is provided to transform the firewall-specific configuration files into a graphical representation of the current policy on the actual topology, allowing the viability of a chosen policy to be evaluated. A role-group may be closed to prevent the inheritance of roles.

Citations

22 Claims

1. A method for generating a configuration file for at least one firewall in a network, said network including a plurality of interconnected hosts, said method comprising the steps of:
- utilizing a model definition language to produce an entity relationship model representing a security policy for said network; and
  
  translating said entity relationship model into said firewall configuration file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein a configuration file is generated for a plurality of firewalls in said network.
  - 3. The method of claim 1, wherein said security policy is expressed in terms of roles that define network capabilities of sending and receiving services.
  - 4. The method of claim 3, wherein said roles are assigned to said hosts.
  - 5. The method of claim 3, wherein a plurality of said roles are combined into role-groups that may be assigned to a host.
  - 6. The method of claim 3, wherein a plurality of said hosts are combined into a host-group that may be assigned a role or a role-group.
  - 7. The method of claim 6, further comprising the step of providing a visual representation of the structure of said hosts in said network.
  - 8. The method of claim 6, further comprising the step of providing a visual representation of a set of rules in said configuration file.
  - 9. The method of claim 6, wherein a vendor-specific compiler translates said entity-relationship model into a vendor-specific firewall configuration file.

10. A method of producing an entity-relationship model representing the security policy for a network, said network including a plurality of hosts, said method comprising the steps of:
- receiving a definition for one or more role entities that further define allowed services and a direction in which a service can be executed;
  
  receiving a model of a topology of said network that partitions said network into one or more zones, connected by means of one or more gateways, each of said gateways having a gateway-interface for each adjacent zone;
  
  receiving an assignment of said hosts to one or more zones; and
  
  generating said entity-relationship model from said received definitions, model and assignments.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The method of claim 10, further comprising the step of assigning said roles to said hosts.
  - 12. The method of claim 10, further comprising the step of defining one or more role-group entities consisting of a set of said role entities.
  - 13. The method of claim 10, further comprising the step of translating said entity relationship model into a firewall configuration file.
  - 14. The method of claim 18, wherein said configuration file is are generated for a plurality of firewalls in said network.
  - 15. The method of claim 10, wherein said security policy is expressed in terms of roles that define network capabilities of sending and receiving services.
  - 16. The method of claim 10, wherein a plurality of said role entities are combined into a role-group that may be assigned to a host.
  - 17. The method of claim 10, wherein a plurality of said hosts are combined into a host-group that may be assigned a role or a role-group entity.
  - 18. The method of claim 10, further comprising the step of providing a visual representation of the structure of said hosts in said network.
  - 19. The method of claim 18, further comprising the step of providing a visual representation of a set of rules in said configuration files.
  - 20. The method of claim 10, wherein a vendor-specific compiler translates said entity-relationship model into vendor-specific firewall configuration files.

21. A firewall manager for generating a configuration file for a firewall in a network, said network including a plurality of interconnected hosts, comprising:
- a parser utilizing a model definition language to produce an entity relationship model representing a security policy for said network; and
  
  a compiler for translating said entity relationship model into said firewall configuration file.

22. A parser for producing an entity-relationship model representing the security policy for a network, said network including a plurality of hosts, said parser comprising:
- a memory for storing computer-readable code; and
  
  a processor operatively coupled to said memory, said processor configured to execute said computer-readable code, said computer-readable code configuring said processor to;
  
  receive a definition for one or more role entities that further define allowed services and a direction in which a service can be executed;
  
  receive a model of a topology of said network by partitioning said network into one or more zones, connected by means of one or more gateways, each of said gateways having a gateway-interface for each adjacent zone;
  
  receive an assignment of said hosts to one or more zones; and
  
  generate said entity-relationship model from said received definitions, model and assignments.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alain Jules Mayer, Avishai Wool, Yair Bartal
Original Assignee
Alain Jules Mayer, Avishai Wool, Yair Bartal
Inventors
Mayer, Alain Jules, Wool, Avishai, Bartal, Yair

Application Number

US11/502,188
Publication Number

US 20060288409A1
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

H04L 63/0263   Rule management

Method and apparatus for managing a firewall

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for managing a firewall

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links