FIREWALL FOR CONTROLLING CONNECTIONS BETWEEN A CLIENT MACHINE AND A NETWORK

US 20080289028A1
Filed: 05/15/2008
Published: 11/20/2008
Est. Priority Date: 05/15/2007
Status: Active Grant

First Claim

Patent Images

1. A firewall system for controlling connections between a client machine and a network, the firewall system being adapted for location outside the client machine, the firewall system comprising:

at least one processor configured to;

receive incoming and outgoing connections from the network and client machine respectively; and

in response to a connection request, initiate a connection between respective endpoints in the network and client machine, perform a security assessment comprising obtaining from at least one of the network and client machine information indicative of the security state of the endpoint therein, and allow or inhibit the connection in dependence on the result of the security assessment.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A firewall system adapted for location outside the client machine, preferably in the same data processing device as the client machine but outside a virtual machine containing the client machine. Control logic of the firewall system receives incoming and outgoing connections from the network and client machine respectively. In response to a connection request initiating a connection between respective endpoints in the network and client machine, the control logic performs a security assessment comprising obtaining from at least one of the network and client machine information indicative of the security state of the endpoint therein, and allows or inhibits the connection in dependence on the result of the security assessment. The security assessment may be performed in accordance with a security policy of the system, and different security assessments may be performed for different connection requests in accordance with the security policy.

Citations

16 Claims

1. A firewall system for controlling connections between a client machine and a network, the firewall system being adapted for location outside the client machine, the firewall system comprising:
- at least one processor configured to;
  
  receive incoming and outgoing connections from the network and client machine respectively; and
  
  in response to a connection request, initiate a connection between respective endpoints in the network and client machine, perform a security assessment comprising obtaining from at least one of the network and client machine information indicative of the security state of the endpoint therein, and allow or inhibit the connection in dependence on the result of the security assessment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A firewall system according to claim 1, the system being adapted for location in the same data processing device as the client machine but outside a virtual machine of the data processing device which virtual machine contains the client machine.
  - 3. A firewall system according to claim 2, the system being adapted for location in a further virtual machine of the data processing device.
  - 4. A firewall system according to claim 1, wherein the processor is further configured to perform the security assessment for at least selected connection requests in accordance with a security policy defined in memory of the system.
  - 5. A firewall system according to claim 4 wherein the processor is further configured, in response to every connection request, to check the requested connection against a predetermined list of allowable connections specified in the security policy, and to perform the security assessment if the requested connection is not on the list.
  - 6. A firewall system according to claim 4 wherein the processor is further configured to perform different security assessments for different connection requests in accordance with the security policy.
  - 7. A firewall system according to claim 6 wherein, for at least some connection requests, the security assessment performed by the processor comprises obtaining from the client machine information for attesting the security state of the endpoint therein.
  - 8. A firewall system according to claim 6 wherein, for at least some connection requests, the security assessment performed by the processor comprises obtaining from the network information for attesting the security state of the endpoint therein.
  - 9. A firewall system according to claim 6 wherein, for at least some connection requests, the security assessment performed by the processor comprises obtaining from both the network and client machine information indicative of the security state of the respective endpoints therein.
  - 10. A firewall system according to claim 6 wherein:
    - the system is adapted for location in the same data processing device as the client machine but outside a virtual machine of a data processing device which the virtual machine contains the client machine; and
      
      for at least some connection requests, the security assessment performed by the processor comprises obtaining from the client machine report information indicative of running processes on the client machine, comparing the report information with corresponding information obtained, independently of the client machine, from memory of the data processing device to determine if an endpoint of the requested connection is hidden, and if so inhibiting the connection.
  - 11. A firewall system according to claim 6 wherein, for at least some connection requests, the security assessment performed by the processor includes allowing the connection, monitoring traffic on the connection and allowing or inhibiting continuance of the connection in dependence on the result of said monitoring.

12. A computer program comprising a computer-usable medium having embodied therein computer-readable program codes for causing a computer to implement a firewall system for controlling connections between a client machine and a network, the firewall system being adapted for location outside the client machine, the computer-readable program codes configured to:
- receive incoming and outgoing connections from the network and client machine respectively; and
  
  in response to a connection request, initiate a connection between respective endpoints in the network and client machine, perform a security assessment comprising obtaining from at least one of the network and client machine information indicative of the security state of the endpoint therein, and allow or inhibit the connection in dependence on the result of the security assessment.

13. A data processing system comprising a client machine and a firewall system for controlling connections between the client machine and a network, wherein the firewall system is located outside the client machine and comprises control logic adapted for:
- receiving incoming and outgoing connections from the network and client machine respectively; and
  
  in response to a connection request initiating a connection between respective endpoints in the network and client machine, performing a security assessment comprising obtaining from at least one of the network and client machine information indicative of the security state of the endpoint therein, and allowing or inhibiting the connection in dependence on the result of the security assessment.
- View Dependent Claims (14, 15, 16)
- - 14. A data processing system according to claim 13 including a plurality of client machines, wherein the firewall system is located outside all client machines and is adapted for controlling connections between each client machine and the network.
  - 15. A data processing system according to claim 13 comprising a data processing device, wherein the or each client machine is contained in a virtual machine of the data processing device and the firewall system is located in the data processing device outside the virtual machine.
  - 16. A data processing system according to claim 15 wherein the firewall system is located in a further virtual machine of the data processing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Globalfoundries US Incorporated (GlobalFoundries, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Jansen, Bernhard, Tanner, Axel

Granted Patent

US 8,875,272 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

G06F 13/24   using interrupt G06F13/32 t...

G06F 21/305   by remotely controlling dev...

H04L 63/0281   Proxies

H04L 63/1441   Countermeasures against mal...

FIREWALL FOR CONTROLLING CONNECTIONS BETWEEN A CLIENT MACHINE AND A NETWORK

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

FIREWALL FOR CONTROLLING CONNECTIONS BETWEEN A CLIENT MACHINE AND A NETWORK

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links