METHOD AND SYSEM FOR UTILIZING AN EXPERT SYSTEM TO DETERMINE WHETHER TO ALTER A FIREWALL CONFIGURATION

US 20080172347A1
Filed: 01/15/2007
Published: 07/17/2008
Est. Priority Date: 01/15/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of utilizing an expert system to determine whether to alter a firewall configuration, said method comprising:

receiving, by an expert system of a computing system, message flow data associated with a message packet that is blocked by a firewall based on a message flow not being permitted by one or more message flow rules, said message flow associated with said message flow data, and said message flow data including a source network associated with said message packet, a destination network associated with said message packet and a destination port associated with said message packet;

assigning, to said message flow data by said expert system, a plurality of risk values included in a predefined set of risk values, said assigning including associating each risk value of said plurality of risk values with said source network, said destination network, or said destination port;

determining, by said expert system, a total risk value associated with said message packet, said determining said total risk value including utilizing said plurality of risk values; and

generating, by said expert system, a proposal based on said total risk value, wherein said proposal is selected from the group consisting of a first proposal that a message flow rule that permits said message flow is to be added to said one or more message flow rules and a second proposal that said message flow rule that permits said message flow is not to be added to said one or more message flow rules.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for utilizing an expert system to determine whether to alter a firewall configuration. The expert system receives message flow data associated with a message packet blocked by a firewall. The packet is blocked based on an associated message flow not being permitted by a set of rules. The expert system assigns predefined risk values to the message flow data so that each risk value is associated with a source network, destination network or destination port included in the message flow data. The expert system utilizes the assigned risk values to determine a total risk value associated with the message packet. Finally, the expert system generates a proposal based on the total risk value. The proposal is a recommendation for or against adding to the set of rules a message flow rule that permits the message flow.

Citations

20 Claims

1. A computer-implemented method of utilizing an expert system to determine whether to alter a firewall configuration, said method comprising:
- receiving, by an expert system of a computing system, message flow data associated with a message packet that is blocked by a firewall based on a message flow not being permitted by one or more message flow rules, said message flow associated with said message flow data, and said message flow data including a source network associated with said message packet, a destination network associated with said message packet and a destination port associated with said message packet;
  
  assigning, to said message flow data by said expert system, a plurality of risk values included in a predefined set of risk values, said assigning including associating each risk value of said plurality of risk values with said source network, said destination network, or said destination port;
  
  determining, by said expert system, a total risk value associated with said message packet, said determining said total risk value including utilizing said plurality of risk values; and
  
  generating, by said expert system, a proposal based on said total risk value, wherein said proposal is selected from the group consisting of a first proposal that a message flow rule that permits said message flow is to be added to said one or more message flow rules and a second proposal that said message flow rule that permits said message flow is not to be added to said one or more message flow rules.
- View Dependent Claims (2, 3, 4, 5, 6, 20)
- - 2. The method of claim 1, wherein said assigning said plurality of risk values includes:
    - assigning a zone risk value to said source network, said assigning said zone risk value including determining that said source network is included in a zone of a plurality of predefined zones, said determining that said source network is included in said zone including determining that a security control associated with said source network is known or unknown and determining that an external access to said source network is filtered, unfiltered, unknown or absent; and
      
      assigning a source network authorization risk value to said source network, said assigning said source network authorization risk value including determining if said source network is expected to act as a source in a network communication session based on predefined criteria,wherein said utilizing said plurality of risk values includes utilizing said zone risk value and said source network authorization risk value.
  - 3. The method of claim 1, wherein said assigning said plurality of risk values includes:
    - assigning a zone risk value to said destination network, said assigning said zone risk value including determining that said destination network is included in a zone of a plurality of predefined zones, said determining that said destination network is included in said zone including determining that a security control associated with said destination network is known or unknown and determining that an external access to said destination network is filtered, unfiltered, unknown or absent;
      
      assigning a destination network authorization risk value to said destination network, said assigning said destination network authorization risk value including classifying said destination network as being expected to act as a destination in a network communication session or being not expected to act as said destination based on predefined criteria;
      
      assigning a destination port authorization risk value to said destination port, said assigning said destination port authorization risk value including classifying said destination port as authorized or unauthorized;
      
      assigning a destination port weight to said destination port authorization risk value, said destination port weight included in a predefined set of port weights; and
      
      assigning a destination breach impact risk value to said destination network, said assigning said destination breach impact risk value including classifying an impact of a breach of said destination network,wherein said utilizing said plurality of risk values includes utilizing said zone risk value, said destination network authorization risk value, said destination port authorization risk value, said destination port weight and said destination breach impact risk value.
  - 4. The method of claim 1, further comprising:
    - determining, by said expert system, that said source network is included in a first zone of a plurality of predefined zones, said determining that said source network is included in said first zone including determining that a security control associated with said source network is known or unknown and determining that an external access to said source network is filtered, unfiltered, unknown or absent;
      
      determining, by said expert system, that a destination network is included in a second zone of said plurality of predefined zones, said determining that said destination network is included in said second zone including determining that a security control associated with said destination network is known or unknown and determining that an external access to said destination network is filtered, unfiltered, unknown or absent; and
      
      assigning, by said expert system, a communication risk value that classifies a risk associated with a network communication session between said source network and said destination network, said communication risk value associated with said first zone and said second zone.
  - 5. The method of claim 1, wherein said message flow data further includes a source port associated with said message packet, and wherein said assigning said plurality of risk values includes:
    - assigning a source authorization risk value to said source network, said assigning said source authorization risk value including determining that said source network is expected to act as a source in a network communication session or not expected to act as said source based on predefined criteria;
      
      assigning, to said source authorization risk value, a source port weight included in a predefined set of port weights; and
      
      assigning a source breach impact risk value to said source network, said assigning said source breach impact risk value including classifying an impact of a breach of said source network,wherein said utilizing said plurality of risk values includes utilizing said source authorization risk value, said source breach impact risk value and said source port weight.
  - 6. The method of claim 1, wherein said assigning said plurality of risk values comprises:
    - assigning, by said expert system, a source zone risk value to said source network, said assigning said source zone risk value including determining that said source network is included in a first zone of a plurality of predefined zones, said determining that said source network is included in said first zone including determining that a security control associated with said source network is known or unknown and determining that an external access to said source network is filtered, unfiltered, unknown or absent;
      
      assigning, by said expert system, a source network authorization risk value to said source network, said assigning said source network authorization risk value including classifying said source network as expected to act as a source in a network communication session or not expected to act as said source based on predefined criteria;
      
      assigning, by said expert system, a destination zone risk value to said destination network, said assigning said destination zone risk value including determining that said destination network is included in a second zone of a plurality of predefined zones, said determining that said destination network is included in said second zone including determining that a security control associated with said destination network is known or unknown and determining that an external access to said destination network is filtered, unfiltered, unknown or absent;
      
      assigning, by said expert system, a destination network authorization risk value to said destination network, said assigning said destination network authorization risk value including classifying said destination network as expected to act as a destination in a network communication session or not expected to act as said destination based on predefined criteria;
      
      assigning a destination port authorization risk value to said destination port, said assigning said destination port authorization risk value including classifying said destination port as authorized or unauthorized;
      
      assigning, by said expert system, a destination port weight to said destination port authorization risk value, said destination port weight included in a predefined set of port weights;
      
      assigning, by said expert system, a destination breach impact risk value to said destination network, said assigning said destination breach impact risk value including classifying an impact of a breach of said destination network; and
      
      assigning, by said expert system, a communication risk value that classifies a risk associated with a network communication session between said source network and said destination network, said communication risk value associated with said first zone and said second zone,wherein said determining said total risk value further includes evaluating an expression (SZ+SNA+(DZ+DNA)*DBI+DPA*DPW)*CR, andwherein SZ is said source zone risk value, SNA is said source network authorization risk value, DZ is said destination zone risk value, DNA is said destination network authorization risk value, DBI is said destination breach impact risk value, DPA is said destination port authorization risk value, DPW is said destination port weight, and CR is said communication risk value.
  - 20. The process of claim 1, wherein said assigning said plurality of risk values includes:
    - assigning a zone risk value to said source network, said assigning said zone risk value including determining that said source network is included in a zone of a plurality of predefined zones, said determining that said source network is included in said zone including determining that a security control associated with said source network is known or unknown and determining that an external access to said source network is filtered, unfiltered, unknown or absent; and
      
      assigning a source network authorization risk value to said source network, said assigning said source network authorization risk value including determining if said source network is expected to act as a source in a network communication session based on predefined criteria,wherein said utilizing said plurality of risk values includes utilizing said zone risk value and said source network authorization risk value.

7. A computing system comprising a processor and a computer-readable memory unit coupled to said processor, said memory unit containing instructions that when executed by said processor implement a method of using an expert system to determine whether to alter a firewall configuration, said method comprising:
- receiving, by an expert system of a computing system, message flow data associated with a message packet that is blocked by a firewall based on a message flow not being permitted by one or more message flow rules, said message flow associated with said message flow data, and said message flow data including a source network associated with said message packet, a destination network associated with said message packet and a destination port associated with said message packet;
  
  assigning, to said message flow data by said expert system, a plurality of risk values included in a predefined set of risk values, said assigning including associating each risk value of said plurality of risk values with said source network, said destination network, or said destination port;
  
  determining, by said expert system, a total risk value associated with said message packet, said determining said total risk value including utilizing said plurality of risk values; and
  
  generating, by said expert system, a proposal based on said total risk value, wherein said proposal is selected from the group consisting of a first proposal that a message flow rule that permits said message flow is to be added to said one or more message flow rules and a second proposal that said message flow rule that permits said message flow is not to be added to said one or more message flow rules.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein said assigning said plurality of risk values includes:
    - assigning a zone risk value to said source network, said assigning said zone risk value including determining that said source network is included in a zone of a plurality of predefined zones, said determining that said source network is included in said zone including determining that a security control associated with said source network is known or unknown and determining that an external access to said source network is filtered, unfiltered, unknown or absent; and
      
      assigning a source network authorization risk value to said source network, said assigning said source network authorization risk value including determining if said source network is expected to act as a source in a network communication session based on predefined criteria,wherein said utilizing said plurality of risk values includes utilizing said zone risk value and said source network authorization risk value.
  - 9. The system of claim 7, wherein said assigning said plurality of risk values includes:
    - assigning a zone risk value to said destination network, said assigning said zone risk value including determining that said destination network is included in a zone of a plurality of predefined zones, said determining that said destination network is included in said zone including determining that a security control associated with said destination network is known or unknown and determining that an external access to said destination network is filtered, unfiltered, unknown or absent;
      
      assigning a destination network authorization risk value to said destination network, said assigning said destination network authorization risk value including classifying said destination network as being expected to act as a destination in a network communication session or being not expected to act as said destination based on predefined criteria;
      
      assigning a destination port authorization risk value to said destination port, said assigning said destination port authorization risk value including classifying said destination port as authorized or unauthorized;
      
      assigning a destination port weight to said destination port authorization risk value, said destination port weight included in a predefined set of port weights; and
      
      assigning a destination breach impact risk value to said destination network, said assigning said destination breach impact risk value including classifying an impact of a breach of said destination network,wherein said utilizing said plurality of risk values includes utilizing said zone risk value, said destination network authorization risk value, said destination port authorization risk value, said destination port weight and said destination breach impact risk value.
  - 10. The system of claim 7, wherein said method further comprises:
    - determining, by said expert system, that said source network is included in a first zone of a plurality of predefined zones, said determining that said source network is included in said first zone including determining that a security control associated with said source network is known or unknown and determining that an external access to said source network is filtered, unfiltered, unknown or absent;
      
      determining, by said expert system, that a destination network is included in a second zone of said plurality of predefined zones, said determining that said destination network is included in said second zone including determining that a security control associated with said destination network is known or unknown and determining that an external access to said destination network is filtered, unfiltered, unknown or absent; and
      
      assigning, by said expert system, a communication risk value that classifies a risk associated with a network communication session between said source network and said destination network, said communication risk value associated with said first zone and said second zone.
  - 11. The system of claim 7, wherein said message flow data further includes a source port associated with said message packet, and wherein said assigning said plurality of risk values includes:
    - assigning a source authorization risk value to said source network, said assigning said source authorization risk value including determining that said source network is expected to act as a source in a network communication session or not expected to act as said source based on predefined criteria;
      
      assigning, to said source authorization risk value, a source port weight included in a predefined set of port weights; and
      
      assigning a source breach impact risk value to said source network, said assigning said source breach impact risk value including classifying an impact of a breach of said source network,wherein said utilizing said plurality of risk values includes utilizing said source authorization risk value, said source breach impact risk value and said source port weight.
  - 12. The system of claim 7, wherein said assigning said plurality of risk values comprises:
    - assigning, by said expert system, a source zone risk value to said source network, said assigning said source zone risk value including determining that said source network is included in a first zone of a plurality of predefined zones, said determining that said source network is included in said first zone including determining that a security control associated with said source network is known or unknown and determining that an external access to said source network is filtered, unfiltered, unknown or absent;
      
      assigning, by said expert system, a source network authorization risk value to said source network, said assigning said source network authorization risk value including classifying said source network as expected to act as a source in a network communication session or not expected to act as said source based on predefined criteria;
      
      assigning, by said expert system, a destination zone risk value to said destination network, said assigning said destination zone risk value including determining that said destination network is included in a second zone of a plurality of predefined zones, said determining that said destination network is included in said second zone including determining that a security control associated with said destination network is known or unknown and determining that an external access to said destination network is filtered, unfiltered, unknown or absent;
      
      assigning, by said expert system, a destination network authorization risk value to said destination network, said assigning said destination network authorization risk value including classifying said destination network as expected to act as a destination in a network communication session or not expected to act as said destination based on predefined criteria;
      
      assigning a destination port authorization risk value to said destination port, said assigning said destination port authorization risk value including classifying said destination port as authorized or unauthorized;
      
      assigning, by said expert system, a destination port weight to said destination port authorization risk value, said destination port weight included in a predefined set of port weights;
      
      assigning, by said expert system, a destination breach impact risk value to said destination network, said assigning said destination breach impact risk value including classifying an impact of a breach of said destination network; and
      
      assigning, by said expert system, a communication risk value that classifies a risk associated with a network communication session between said source network and said destination network, said communication risk value associated with said first zone and said second zone,wherein said determining said total risk value further includes evaluating an expression (SZ+SNA+(DZ+DNA)*DBI+DPA*DPW)*CR, andwherein SZ is said source zone risk value, SNA is said source network authorization risk value, DZ is said destination zone risk value, DNA is said destination network authorization risk value, DBI is said destination breach impact risk value, DPA is said destination port authorization risk value, DPW is said destination port weight, and CR is said communication risk value.

13. A computer program product comprising a computer-usable medium including computer-usable program code for utilizing an expert system to determine whether to alter a firewall configuration, said computer program product comprising:
- computer-usable code for receiving, by an expert system of a computing system, message flow data associated with a message packet that is blocked by a firewall based on a message flow not being permitted by one or more message flow rules, said message flow associated with said message flow data, and said message flow data including a source network associated with said message packet, a destination network associated with said message packet and a destination port associated with said message packet;
  
  computer-usable code for assigning, to said message flow data by said expert system, a plurality of risk values included in a predefined set of risk values, said computer-usable code for assigning including computer-usable code for associating each risk value of said plurality of risk values with said source network, said destination network, or said destination port;
  
  computer-usable code for determining, by said expert system, a total risk value associated with said message packet, said computer-usable code for determining said total risk value including computer-usable code for utilizing said plurality of risk values; and
  
  computer-usable code for generating, by said expert system, a proposal based on said total risk value, wherein said proposal is selected from the group consisting of a first proposal that a message flow rule that permits said message flow is to be added to said one or more message flow rules and a second proposal that said message flow rule that permits said message flow is not to be added to said one or more message flow rules.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The program product of claim 13, wherein said computer-usable code for assigning said plurality of risk values includes:
    - computer-usable code for assigning a zone risk value to said source network, said computer-usable code for assigning said zone risk value including computer-usable code for determining that said source network is included in a zone of a plurality of predefined zones, said computer-usable code for determining that said source network is included in said zone including computer-usable code for determining that a security control associated with said source network is known or unknown and computer-usable code for determining that an external access to said source network is filtered, unfiltered, unknown or absent; and
      
      computer-usable code for assigning a source network authorization risk value to said source network, said computer-usable code for assigning said source network authorization risk value including computer-usable code for determining if said source network is expected to act as a source in a network communication session based on predefined criteria,wherein said computer-usable code for utilizing said plurality of risk values includes computer-usable code for utilizing said zone risk value and said source network authorization risk value.
  - 15. The program product of claim 13, wherein said computer-usable code for assigning said plurality of risk values includes:
    - computer-usable code for assigning a zone risk value to said destination network, said computer-usable code for assigning said zone risk value including computer-usable code for determining that said destination network is included in a zone of a plurality of predefined zones, said computer-usable code for determining that said destination network is included in said zone including computer-usable code for determining that a security control associated with said destination network is known or unknown and computer-usable code for determining that an external access to said destination network is filtered, unfiltered, unknown or absent;
      
      computer-usable code for assigning a destination network authorization risk value to said destination network, said computer-usable code for assigning said destination network authorization risk value including computer-usable code for classifying said destination network as being expected to act as a destination in a network communication session or being not expected to act as said destination based on predefined criteria;
      
      computer-usable code for assigning a destination port authorization risk value to said destination port, said computer-usable code for assigning said destination port authorization risk value including computer-usable code for classifying said destination port as authorized or unauthorized;
      
      computer-usable code for assigning a destination port weight to said destination port authorization risk value, said destination port weight included in a predefined set of port weights; and
      
      computer-usable code for assigning a destination breach impact risk value to said destination network, said computer-usable code for assigning said destination breach impact risk value including computer-usable code for classifying an impact of a breach of said destination network,wherein said computer-usable code for utilizing said plurality of risk values includes computer-usable code for utilizing said zone risk value, said destination network authorization risk value, said destination port authorization risk value, said destination port weight and said destination breach impact risk value.
  - 16. The program product of claim 13, further comprising:
    - computer-usable code for determining, by said expert system, that said source network is included in a first zone of a plurality of predefined zones, said computer-usable code for determining that said source network is included in said first zone including computer-usable code for determining that a security control associated with said source network is known or unknown and computer-usable code for determining that an external access to said source network is filtered, unfiltered, unknown or absent;
      
      computer-usable code for determining, by said expert system, that a destination network is included in a second zone of said plurality of predefined zones, said computer-usable code for determining that said destination network is included in said second zone including computer-usable code for determining that a security control associated with said destination network is known or unknown and computer-usable code for determining that an external access to said destination network is filtered, unfiltered, unknown or absent; and
      
      computer-usable code for assigning, by said expert system, a communication risk value that classifies a risk associated with a network communication session between said source network and said destination network, said communication risk value associated with said first zone and said second zone.
  - 17. The program product of claim 13, wherein said message flow data further includes a source port associated with said message packet, and wherein said computer-usable code for assigning said plurality of risk values includes:
    - computer-usable code for assigning a source authorization risk value to said source network, said computer-usable code for assigning said source authorization risk value including computer-usable code for determining that said source network is expected to act as a source in a network communication session or not expected to act as said source based on predefined criteria;
      
      computer-usable code for assigning, to said source authorization risk value, a source port weight included in a predefined set of port weights; and
      
      computer-usable code for assigning a source breach impact risk value to said source network, said computer-usable code for assigning said source breach impact risk value including computer-usable code for classifying an impact of a breach of said source network,wherein said computer-usable code for utilizing said plurality of risk values includes computer-usable code for utilizing said source authorization risk value, said source breach impact risk value and said source port weight.
  - 18. The program product of claim 13, wherein said computer-usable code for assigning said plurality of risk values comprises:
    - computer-usable code for assigning, by said expert system, a source zone risk value to said source network, said computer-usable code for assigning said source zone risk value including computer-usable code for determining that said source network is included in a first zone of a plurality of predefined zones, said computer-usable code for determining that said source network is included in said first zone including computer-usable code for determining that a security control associated with said source network is known or unknown and computer-usable code for determining that an external access to said source network is filtered, unfiltered, unknown or absent;
      
      computer-usable code for assigning, by said expert system, a source network authorization risk value to said source network, said computer-usable code for assigning said source network authorization risk value including computer-usable code for classifying said source network as expected to act as a source in a network communication session or not expected to act as said source based on predefined criteria;
      
      computer-usable code for assigning, by said expert system, a destination zone risk value to said destination network, said computer-usable code for assigning said destination zone risk value including computer-usable code for determining that said destination network is included in a second zone of a plurality of predefined zones, said computer-usable code for determining that said destination network is included in said second zone including computer-usable code for determining that a security control associated with said destination network is known or unknown and computer-usable code for determining that an external access to said destination network is filtered, unfiltered, unknown or absent;
      
      computer-usable code for assigning, by said expert system, a destination network authorization risk value to said destination network, said computer-usable code for assigning said destination network authorization risk value including computer-usable code for classifying said destination network as expected to act as a destination in a network communication session or not expected to act as said destination based on predefined criteria;
      
      computer-usable code for assigning a destination port authorization risk value to said destination port, said computer-usable code for assigning said destination port authorization risk value including computer-usable code for classifying said destination port as authorized or unauthorized;
      
      computer-usable code for assigning, by said expert system, a destination port weight to said destination port authorization risk value, said destination port weight included in a predefined set of port weights;
      
      computer-usable code for assigning, by said expert system, a destination breach impact risk value to said destination network, said computer-usable code for assigning said destination breach impact risk value including computer-usable code for classifying an impact of a breach of said destination network; and
      
      computer-usable code for assigning, by said expert system, a communication risk value that classifies a risk associated with a network communication session between said source network and said destination network, said communication risk value associated with said first zone and said second zone,wherein said computer-usable code for determining said total risk value further includes computer-usable code for evaluating an expression (SZ+SNA+(DZ+DNA)*DBI+DPA*DPW)*CR, andwherein SZ is said source zone risk value, SNA is said source network authorization risk value, DZ is said destination zone risk value, DNA is said destination network authorization risk value, DBI is said destination breach impact risk value, DPA is said destination port authorization risk value, DPW is said destination port weight, and CR is said communication risk value.

19. A process for supporting computing infrastructure, said process comprising providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable code in a computing system, wherein the code in combination with the computing system is capable of performing a method of utilizing an expert system to determine whether to alter a firewall configuration, said method comprising:
- receiving, by an expert system of a computing system, message flow data associated with a message packet that is blocked by a firewall based on a message flow not being permitted by one or more message flow rules, said message flow associated with said message flow data, and said message flow data including a source network associated with said message packet, a destination network associated with said message packet and a destination port associated with said message packet;
  
  assigning, to said message flow data by said expert system, a plurality of risk values included in a predefined set of risk values, said assigning including associating each risk value of said plurality of risk values with said source network, said destination network, or said destination port;
  
  determining, by said expert system, a total risk value associated with said message packet, said determining said total risk value including utilizing said plurality of risk values; and
  
  generating, by said expert system, a proposal based on said total risk value, wherein said proposal is selected from the group consisting of a first proposal that a message flow rule that permits said message flow is to be added to said one or more message flow rules and a second proposal that said message flow rule that permits said message flow is not to be added to said one or more message flow rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wrp IP Management, LLC
Original Assignee
International Business Machines Corporation
Inventors
Sandoval, Medardo Roberto, Bernoth, Andrew

Granted Patent

US 7,937,353 B2
Time in Patent Office

Days
Field of Search
US Class Current

706/12
CPC Class Codes

H04L 63/0263 Rule management

METHOD AND SYSEM FOR UTILIZING AN EXPERT SYSTEM TO DETERMINE WHETHER TO ALTER A FIREWALL CONFIGURATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSEM FOR UTILIZING AN EXPERT SYSTEM TO DETERMINE WHETHER TO ALTER A FIREWALL CONFIGURATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links