Methods, network services, and computer program products for dynamically assigning users to firewall policy groups

US 20080115190A1
Filed: 11/13/2006
Published: 05/15/2008
Est. Priority Date: 11/13/2006
Status: Active Grant

First Claim

Patent Images

1. A method of dynamically assigning a computer network user to one of a plurality of firewall policy groups, wherein each firewall policy group has rules that control whether to block or allow communications through firewalls on the computer network, wherein the firewall policy groups are arranged in a hierarchical structure having a plurality of levels, and wherein the levels are arranged such that rules within the firewall policy groups are different at each level, the method comprising:

assigning a user to a first firewall policy group in the hierarchical structure;

monitoring user activity on the computer network; and

assigning the user to a second, different firewall policy group automatically if monitored user activity indicates that a change in detail level of rules is necessary.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, network services, and computer program products that dynamically assign computer network users to firewall policy groups are provided. A user is assigned to a first firewall policy group, and user activity on the computer network is monitored. The user is assigned to a second, different firewall policy group automatically if monitored user activity indicates that a change in detail level of rules is necessary. Each firewall policy group has rules that control whether to block or allow communications through firewalls on the computer network. The firewall policy groups are arranged in a hierarchical structure having a plurality of levels that are arranged such that rules within the firewall policy groups are different at each level. A user may be assigned to a different firewall policy group that is below, above, or at the same level as the initial firewall policy group.

95 Citations

View as Search Results

20 Claims

1. A method of dynamically assigning a computer network user to one of a plurality of firewall policy groups, wherein each firewall policy group has rules that control whether to block or allow communications through firewalls on the computer network, wherein the firewall policy groups are arranged in a hierarchical structure having a plurality of levels, and wherein the levels are arranged such that rules within the firewall policy groups are different at each level, the method comprising:
- assigning a user to a first firewall policy group in the hierarchical structure;
  
  monitoring user activity on the computer network; and
  
  assigning the user to a second, different firewall policy group automatically if monitored user activity indicates that a change in detail level of rules is necessary.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 20)
- - 2. The method of claim 1, wherein the second firewall policy group is at a level below the first firewall policy group level.
  - 3. The method of claim 1, wherein the second firewall policy group is at a level above the first firewall policy group level.
  - 4. The method of claim 1, further comprising notifying the user when the user is assigned to the second firewall policy group.
  - 5. The method of claim 1, further comprising assigning the user to a firewall policy group at a level above a level of the first firewall policy group if a predefined period of time elapses without expected user activity on the computer network.
  - 6. The method of claim 5, further comprising requesting user input regarding user activity prior to assigning the user to a firewall policy group at a level above a level of the first firewall policy group.
  - 7. The method of claim 5, further comprising notifying the user when the user is assigned to a different firewall policy group.
  - 8. The method of claim 1, wherein monitoring user activity on the computer network comprises monitoring one or more of the following:
    - user keystrokes, user mouse clicks, user access to data and data storage, source and destination addresses of communications, source and destination ports for communications, communication protocol types and numbers, information about software applications utilized, and logged communications between a user device and other devices.
  - 9. The method of claim 1, wherein monitoring user activity on the computer network comprises determining what detail level is required by user activity.
  - 10. The method of claim 1, further comprising:
    - detecting an attempt by a software application executing on a user device to communicate through a firewall, wherein the firewall has blocked the communication attempt; and
      
      assigning the user to a different firewall policy group that allows the communication through the firewall.
  - 11. The method of claim 1, further comprising displaying the hierarchical tree structure to the user in response to a user request therefor.
  - 20. A computer program product that dynamically assigns a computer network user to one of a plurality of firewall policy groups, comprising:
    - a computer readable storage medium having computer readable program code embodied therein, the computer readable program code being configured to carry out the method of claim 1.

12. A network service that dynamically assigns a computer network user to one of a plurality of firewall policy groups, wherein each firewall policy group has rules that control whether to block or allow communications through firewalls on the computer network, wherein the firewall policy groups are arranged in a hierarchical structure having a plurality of levels, and wherein the levels are arranged such that rules within the firewall policy groups are different at each level, comprising:
- means for assigning a user to a first firewall policy group in the hierarchical structure;
  
  means for monitoring user activity on the computer network; and
  
  means for assigning the user to a second, different firewall policy group automatically if monitored user activity indicates that a change in detail level of rules is necessary, wherein the second firewall policy group is at a level below or above the first firewall policy group level.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The network service of claim 12, further comprising means for notifying the user when the user is assigned to the second firewall policy group.
  - 14. The network service of claim 12, further comprising means for assigning the user to a firewall policy group at a level above a level of the first firewall policy group if a predefined period of time elapses without expected user activity on the computer network.
  - 15. The network service of claim 14, further comprising means for requesting user input regarding user activity prior to assigning the user to a firewall policy group at a level above a level of the first firewall policy group.
  - 16. The network service of claim 12, wherein the means for monitoring user activity on the computer network comprises means for monitoring one or more of the following:
    - user keystrokes, user mouse clicks, user access to data and data storage, source and destination addresses of communications, source and destination ports for communications, communication protocol types and numbers, information about software applications utilized, and logged communications between a user device and other devices.
  - 17. The network service of claim 12, wherein the means for monitoring user activity on the computer network comprises means for determining what detail level is required by user activity.
  - 18. The network service of claim 12, further comprising:
    - means for detecting an attempt by a software application executing on a user device to communicate through a firewall, wherein the firewall has blocked the communication attempt; and
      
      means for assigning the user to a different firewall policy group that allows the communication through the firewall.
  - 19. The network service of claim 12, further comprising means for displaying the hierarchical tree structure to the user in response to a user request therefor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bellsouth Intellectual Property Corporation (AT&T, Inc.)
Original Assignee
Bellsouth Intellectual Property Corporation (AT&T, Inc.)
Inventors
Aaron, Jeffrey

Granted Patent

US 7,954,143 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2149   Restricted operating enviro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

Methods, network services, and computer program products for dynamically assigning users to firewall policy groups

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

95 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Methods, network services, and computer program products for dynamically assigning users to firewall policy groups

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others