Enhanced Personal Firewall for Dynamic Computing Environments

US 20080222715A1
Filed: 03/09/2007
Published: 09/11/2008
Est. Priority Date: 03/09/2007
Status: Active Grant

First Claim

Patent Images

1. An enhanced personal firewall system comprising:

an inter-firewall connection listener configured to bind to a specified communications port, to listen for incoming, outgoing, or both incoming and outgoing firewall trust requests, and upon detection of a connection, to transfer firewall control to an inter-firewall controller; and

an inter-firewall controller configured to perform logical processes for establishing trusted communications through a local firewall and a remote firewall by performing one or both of the processes of;

(a) upon establishing an outgoing connection by an application program protected by a local firewall to a resource protected by a remote firewall, to;

(1) initiate and transmit a handshake identification request from a local firewall to a remote firewall;

(2) responsive to receipt of a handshake response from said remote firewall, to transmit a local firewall public encryption key to said remote firewall;

(3) responsive to receiving a host firewall public encryption key, to generate, sign, and transmit a trusted computer request with identification information to said remote firewall;

(4) upon receipt of a grant of trusted access from said remote firewall, to allow an application program from behind said local firewall to communicate to said remote firewall, otherwise to block said application program from communication with said remote firewall; and

(b) upon establishing an incoming connection by an application program protected by a remote firewall to a resource protected by a local firewall, to;

(1) transmit a firewall identification handshake response to said remote firewall upon receipt of a handshake identification request from said remote firewall;

(2) responsive to receipt of remote firewall public encryption key, transmitting a local firewall public encryption key to said remote firewall;

(3) responsive to receiving a signed trusted computer request from said remote firewall, if said remote firewall has previously requested a trusted access by checking a local public key store, using the signature of said trusted computer request using said received remote firewall public encryption key;

(4) responsive to determining that said remote firewall has been previously authorized to establish trusted access, modifying local firewall rules to allow data communications to and from one or more addresses associated with said remote firewall to be transceived through said local firewall.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enhanced personal firewall system having an inter-firewall connection listener which binds to a specified communications port and listens for inbound and/or outbound connection requests; and an inter-firewall controller which establishes a trusted communications through a local firewall and a remote firewall by exchanging public keys, a signed trusted computer firewall request, and using the keys to determine if a local key storage indicates previous authorization to trusted communications. If not, then a user of the targeted resource is notified and prompted to authorize the access. If so, then the firewall rules protecting the targeted resource are modified, even if temporarily, to allow the requesting firewall to have trusted access.

74 Citations

View as Search Results

18 Claims

1. An enhanced personal firewall system comprising:
- an inter-firewall connection listener configured to bind to a specified communications port, to listen for incoming, outgoing, or both incoming and outgoing firewall trust requests, and upon detection of a connection, to transfer firewall control to an inter-firewall controller; and
  
  an inter-firewall controller configured to perform logical processes for establishing trusted communications through a local firewall and a remote firewall by performing one or both of the processes of;
  
  (a) upon establishing an outgoing connection by an application program protected by a local firewall to a resource protected by a remote firewall, to;
  
  (1) initiate and transmit a handshake identification request from a local firewall to a remote firewall;
  
  (2) responsive to receipt of a handshake response from said remote firewall, to transmit a local firewall public encryption key to said remote firewall;
  
  (3) responsive to receiving a host firewall public encryption key, to generate, sign, and transmit a trusted computer request with identification information to said remote firewall;
  
  (4) upon receipt of a grant of trusted access from said remote firewall, to allow an application program from behind said local firewall to communicate to said remote firewall, otherwise to block said application program from communication with said remote firewall; and
  
  (b) upon establishing an incoming connection by an application program protected by a remote firewall to a resource protected by a local firewall, to;
  
  (1) transmit a firewall identification handshake response to said remote firewall upon receipt of a handshake identification request from said remote firewall;
  
  (2) responsive to receipt of remote firewall public encryption key, transmitting a local firewall public encryption key to said remote firewall;
  
  (3) responsive to receiving a signed trusted computer request from said remote firewall, if said remote firewall has previously requested a trusted access by checking a local public key store, using the signature of said trusted computer request using said received remote firewall public encryption key;
  
  (4) responsive to determining that said remote firewall has been previously authorized to establish trusted access, modifying local firewall rules to allow data communications to and from one or more addresses associated with said remote firewall to be transceived through said local firewall.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system as set forth in claim 1 wherein said step (b)(3) further comprises performing the following steps if said remote firewall has not previously requested a trusted access:
    - i. prompting a user or administrator of said local firewall to obtain authorization for said remote firewall to establish trusted access, said prompting including presentation of some or all of identification information extracted from said received signed trusted computer request;
      
      ii. receiving from said user or administrator a grant or deny selection; and
      
      iii. according to said grant or deny selection, updating said local public key store to reflect authorization or lack of authorization.
  - 3. The system as set forth in claim 1 wherein said identification information in step (a)(3) comprises one or more identifiers selected from the group of a name of a computer protected by said local firewall, a username of a user associated with a computer protected by said local firewall, and an electronic mail address of a user associated with a computer protected by said local firewall.
  - 4. The system as set forth in claim 3 wherein said step (b)(3) further comprises performing the following steps if said remote firewall has not previously requested a trusted access:
    - i. prompting a user or administrator of said local firewall to obtain authorization for said remote firewall to establish trusted access, said prompting including presentation of some or all of identification information extracted from said received signed trusted computer request;
      
      ii. receiving from said user or administrator a grant or deny selection; and
      
      iii. according to said grant or deny selection, updating said local public key store to reflect authorization or lack of authorization.
  - 5. The system as set forth in claim 1 wherein said listener and controller are disposed in a personal firewall product having a network communications stack operable by a host computer, said stack being configured to interrogate outgoing, incoming, or both outgoing and incoming network packets, and to apply firewall rules against said packets to either allow or deny packet access to or from a host computer, to allow an inter-firewall connection listener to bind to a specified port, to accept incoming transmissions from other host firewalls, and to allow said inter-firewall connection listener to bind to a specified communications port.
  - 6. The system as set forth in claim 1 wherein said listener is configured to bind to a Transmission Control Protocol/Internet Protocol port.

7. A method for providing an enhanced personal firewall comprising the steps of:
- binding a listener to a specified communications port;
  
  listening by said listener for incoming, outgoing, or both incoming and outgoing firewall trust requests;
  
  upon detection of a connection, performing logical processes for establishing trusted communications through a local firewall and a remote firewall by performing one or both of the processes of;
  
  (a) upon establishing an outgoing connection by an application program protected by a local firewall to resource protected by a remote firewall;
  
  (1) initiating and transmitting a handshake identification request from a local firewall to a remote firewall;
  
  (2) responsive to receipt of a handshake response from said remote firewall, to transmitting a local firewall public encryption key to said remote firewall;
  
  (3) responsive to receiving a host firewall public encryption key, to generating, signing, and transmitting a trusted computer request with identification information to said remote firewall;
  
  (4) upon receipt of a grant of trusted access from said remote firewall, allowing an application program from behind said local firewall to communicate to said remote firewall, otherwise blocking said application program from communication with said remote firewall; and
  
  (b) upon establishing an incoming connection by an application program protected by a remote firewall to a resource protected by a local firewall;
  
  (1) transmit a firewall identification handshake response to said remote firewall upon receipt of a handshake identification request from said remote firewall;
  
  (2) responsive to receipt of remote firewall public encryption key, transmitting a local firewall public encryption key to said remote firewall;
  
  (3) responsive to receiving a signed trusted computer request from said remote firewall, if said remote firewall has previously requested a trusted access by checking a local public key store, using the signature of said trusted computer request using said received remote firewall public encryption key;
  
  (4) responsive to determining that said remote firewall has been previously authorized to establish trusted access, modifying local firewall rules to allow data communications to and from one or more addresses associated with said remote firewall to be transceived through said local firewall.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method as set forth in claim 7 wherein said step (b)(3) further comprises performing the following steps if said remote firewall has not previously requested a trusted access:
    - i. prompting a user or administrator of said local firewall to obtain authorization for said remote firewall to establish trusted access, said prompting including presentation of some or all of identification information extracted from said received signed trusted computer request;
      
      ii. receiving from said user or administrator a grant or deny selection; and
      
      iii. according to said grant or deny selection, updating said local public key store to reflect authorization or lack of authorization.
  - 9. The system as set forth in claim 7 wherein said identification information in step (a)(3) comprises one or more identifiers selected from the group of a name of a computer protected by said local firewall, a username of a user associated with a computer protected by said local firewall, and an electronic mail address of a user associated with a computer protected by said local firewall.
  - 10. The method as set forth in claim 9 wherein said step (b)(3) further comprises performing the following steps if said remote firewall has not previously requested a trusted access:
    - i. prompting a user or administrator of said local firewall to obtain authorization for said remote firewall to establish trusted access, said prompting including presentation of some or all of identification information extracted from said received signed trusted computer request;
      
      ii. receiving from said user or administrator a grant or deny selection; and
      
      iii. according to said grant or deny selection, updating said local public key store to reflect authorization or lack of authorization.
  - 11. The method as set forth in claim 7 wherein said steps of binding, listening, and establishing trusted communications are performed within logical processes of a personal firewall product having a network communications stack operable by a host computer, said stack being configured to interrogate outgoing, incoming, or both outgoing and incoming network packets, and to apply firewall rules against said packets to either allow or deny packet access to or from a host computer.
  - 12. The method as set forth in claim 7 wherein said step of binding and listening are configured to bind to and listen to a Transmission Control Protocol/Internet Protocol port.

13. An article of manufacture comprising:
- a computer readable medium suitable for storage of computer program code; and
  
  one or more computer program codes stored in or on said computer readable medium configured to cause a processor to perform steps of;
  
  binding a listener to a specified communications port;
  
  listening by said listener for incoming, outgoing, or both incoming and outgoing firewall trust requests;
  
  upon detection of a connection, performing logical processes for establishing trusted communications through a local firewall and a remote firewall by performing one or both of the processes of;
  
  (a) upon establishing an outgoing connection by an application program protected by a local firewall to resource protected by a remote firewall;
  
  (1) initiating and transmitting a handshake identification request from a local firewall to a remote firewall;
  
  (2) responsive to receipt of a handshake response from said remote firewall, to transmitting a local firewall public encryption key to said remote firewall;
  
  (3) responsive to receiving a host firewall public encryption key, to generating, signing, and transmitting a trusted computer request with identification information to said remote firewall;
  
  (4) upon receipt of a grant of trusted access from said remote firewall, allowing an application program from behind said local firewall to communicate to said remote firewall, otherwise blocking said application program from communication with said remote firewall; and
  
  (b) upon establishing an incoming connection by an application program protected by a remote firewall to a resource protected by a local firewall;
  
  (1) transmit a firewall identification handshake response to said remote firewall upon receipt of a handshake identification request from said remote firewall;
  
  (2) responsive to receipt of remote firewall public encryption key, transmitting a local firewall public encryption key to said remote firewall;
  
  (3) responsive to receiving a signed trusted computer request from said remote firewall, if said remote firewall has previously requested a trusted access by checking a local public key store, using the signature of said trusted computer request using said received remote firewall public encryption key;
  
  (4) responsive to determining that said remote firewall has been previously authorized to establish trusted access, modifying local firewall rules to allow data communications to and from one or more addresses associated with said remote firewall to be transceived through said local firewall.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The medium as set forth in claim 13 wherein said software for performing step (b)(3) further comprises software for performing the following steps if said remote firewall has not previously requested a trusted access:
    - i. prompting a user or administrator of said local firewall to obtain authorization for said remote firewall to establish trusted access, said prompting including presentation of some or all of identification information extracted from said received signed trusted computer request;
      
      ii. receiving from said user or administrator a grant or deny selection; and
      
      iii. according to said grant or deny selection, updating said local public key store to reflect authorization or lack of authorization.
  - 15. The medium as set forth in claim 13 wherein said identification information in step (a)(3) comprises one or more identifiers selected from the group of a name of a computer protected by said local firewall, a username of a user associated with a computer protected by said local firewall, and an electronic mail address of a user associated with a computer protected by said local firewall.
  - 16. The medium as set forth in claim 15 wherein said software for performing step (b)(3) further comprises software for performing the following steps if said remote firewall has not previously requested a trusted access:
    - i. prompting a user or administrator of said local firewall to obtain authorization for said remote firewall to establish trusted access, said prompting including presentation of some or all of identification information extracted from said received signed trusted computer request;
      
      ii. receiving from said user or administrator a grant or deny selection; and
      
      iii. according to said grant or deny selection, updating said local public key store to reflect authorization or lack of authorization.
  - 17. The medium as set forth in claim 13 wherein said software for binding, listening, and establishing trusted communications are performed within logical processes of a personal firewall product having a network communications stack operable by a host computer, said stack being configured to interrogate outgoing, incoming, or both outgoing and incoming network packets, and to apply firewall rules against said packets to either allow or deny packet access to or from a host computer.
  - 18. The medium as set forth in claim 13 wherein said software for binding and listening are configured to bind to and listen to a Transmission Control Protocol/Internet Protocol port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hamilton, Rick Allen, Walker, Keith Raymond, O'Connell, Brian, Bansal, Ravi Prakash

Granted Patent

US 8,316,427 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

Enhanced Personal Firewall for Dynamic Computing Environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

74 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Enhanced Personal Firewall for Dynamic Computing Environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links