SECURITY MANAGEMENT SYSTEM FOR MONITORING FIREWALL OPERATION

US 20090205039A1
Filed: 04/23/2009
Published: 08/13/2009
Est. Priority Date: 10/03/2003
Status: Active Grant

First Claim

Patent Images

1. A method of testing a firewall comprising:

transmitting, session termination signals used to terminate established communications sessions;

monitoring to determine port closing delays, said port closing delays being a delay in time between the time a session termination signal is transmitted and the time a port in said firewall is closed in response to the transmitted session terminal signal;

transmitting session termination signals at an increased rate through said firewall to cause the closing of ports in said firewall; and

measuring the effect of said increased rate of session termination signals on closing delay times associated with closing ports in response to transmitted session termination signals.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A test method for Internet-Protocol packet networks that verifies the proper functioning of a dynamic pinhole filtering implementation as well as quantifying network vulnerability statistically, as pinholes are opened and closed is described. Specific potential security vulnerabilities that may be addressed through testing include: 1) excessive delay in opening pinholes, resulting in an unintentional denial of service; 2) excessive delay in closing pinholes, creating a closing delay window of vulnerability; 3) measurement of the length of various windows of vulnerability; 4) setting a threshold on a window of vulnerability such that it triggers an alert when a predetermined value is exceeded; 5) determination of incorrectly allocated pinholes, resulting in a denial of service; 6) determining the opening of extraneous pinhole/IP address combinations through a firewall which increase the network vulnerability through unrecognized backdoors; and 7) determining the inability to correlate call state information with dynamically established rules in the firewall.

93 Citations

View as Search Results

21 Claims

1. A method of testing a firewall comprising:
- transmitting, session termination signals used to terminate established communications sessions;
  
  monitoring to determine port closing delays, said port closing delays being a delay in time between the time a session termination signal is transmitted and the time a port in said firewall is closed in response to the transmitted session terminal signal;
  
  transmitting session termination signals at an increased rate through said firewall to cause the closing of ports in said firewall; and
  
  measuring the effect of said increased rate of session termination signals on closing delay times associated with closing ports in response to transmitted session termination signals.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprising:
    - generating a report indicating the effect of an increasing rate of session termination signals on port closing delays.
  - 3. The method of claim 1, wherein said transmitting session termination signals at an increased rate includes transmitting more termination signals at a given time than are transmitted during said step of transmitting, session termination signals used to terminate established communications sessions.

4. A method of testing a firewall, comprising:
- transmitting a signal, said signal being one of;
  
  a session initiation signal to initiate a communications session through said firewall and a session termination signal used to terminate an established communications session; and
  
  monitoring to determine from the time of the transmission of said signal one of;
  
  i) a port opening delay which occurs between a time of transmitting said signal, when said signal is a session initiation signal, and opening a port in said firewall for a communications session that is being initiated by said signal, and ii) a port closing delay which occurs between a time of transmitting said signal, when said signal is a session termination signal, and closing a port in said firewall as part of terminating an established communications session in response to said transmitted signal.
- View Dependent Claims (5)
- - 5. The method according to claim 4, wherein said at least one of a port opening delay and a port closing delay is a port closing delay.

6. A method of testing a network firewall comprising:
- transmitting a session signal to terminate an ongoing communications session being conducted through at least one port of said firewall; and
  
  measuring a port closing delay time associated with the closing of said at least one port following the transmission of said signal to terminate said communications session.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, wherein said port closing delay is a time period which occurs between the time a signal used to cause the closing of the port is detected and said port ceases to allow communications signals to pass through from the first side of said firewall to the second side of said firewall.
  - 8. The method according to claim 7, further comprising the steps of:
    - transmitting test signals at said port prior to the closing of said port; and
      
      monitoring the port to determine when said test signals cease passing through said port.
  - 9. The method of claim 6, wherein said session signal is at least one of SIP and H.323 compliant signals.

10. A method of testing a network firewall, comprising:
- transmitting a session signal to initiate a communications session to be conducted through said firewall;
  
  transmitting test signals to at least one port on a first side of said firewall;
  
  determining a time when said test signals first pass through said at least one port, said at least one port being opened in response to said signal to initiate a communications session; and
  
  determining a port opening delay which occurs in regard to opening a port in said firewall for said communications session from said determined time.
- View Dependent Claims (11, 12, 13)
- - 11. The method of claim 10, wherein said port opening delay is a time period which occurs between a time a signal used to cause the port for said communications session to open is detected and said port allows a signal to pass through from the first side of said firewall to the second side of said firewall.
  - 12. The method according to claim 11, further comprising the step of:
    - transmitting another session signal to terminate said communications session; and
      
      monitoring a port closing delay time corresponding to a port closing delay which occurs in regard to closing the port in said firewall that was opened for said communications session.
  - 13. The method of claim 12, wherein said port closing delay is a time period which occurs between the time a signal used to cause the closing of the port is detected and said port ceases to allow communications signals to pass through from the first side of said firewall to the second side of said firewall.

14. A firewall test apparatus, comprising:
- a session signaling module for generating session signals used to initiate a communications session to be conducted through a firewall to be tested and to terminate a communications session after it has been initiated;
  
  a scanning probe generation module for generating probe signals to be directed at firewall ports;
  
  a timing synchronization module for synchronizing operation of said firewall test apparatus to at least one of an external clock source and another firewall test apparatus; and
  
  an analysis module for determining at least a port closing delay from a session signal time and a time probe signals are detected to stop passing through a port in said firewall corresponding to an initiated communications session.
- View Dependent Claims (15)
- - 15. The firewall test apparatus of claim 14, wherein said analysis module further includes means for determining at least a port opening delay from a session signal time associated with a session signal used to initiate a communications session and a time probe signals are detected to start passing through a port in said firewall corresponding to the initiated communications session.

16. A firewall test system for testing a firewall, comprising;
- a test signal generator for generating communications session initiation signals and probe signals directed at a first side of said firewall; and
  
  a test signal analyzer for detecting probe signals passing through said first side of said firewall to said second side of said firewall and for determining port closing delays as measured from the time the test signal analyzer detects a signal used to close a port in said firewall and said analyzer ceases to detect test signals passing through said firewall.
- View Dependent Claims (17, 18)
- - 17. The firewall test system of claim 16, wherein said test signal generator further includes:
    - means for establishing a communications session through said firewall using session initiation signals prior to transmitting at least some of said probe signals.
  - 18. The firewall test system of claim 17,wherein said test signal generator includes means for synchronizing test signal generation to an outside clock source;
    - andwherein said signal analyzer includes means for synchronizing device operation with said outside clock source.

19. A method of testing a firewall, comprising the steps of:
- transmitting session termination signals used to control termination of communications sessions through said firewall at an increasing rate; and
  
  measuring the effect of the increasing rate of session termination signals on port closing delays associated with the termination of communications sessions through said firewall.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19, further comprising;
    - determining the session signal rate which results in a maximum acceptable port closing delay being exceeded.
  - 21. The method of claim 20, wherein said transmitted session signals are at least one of SIP signals and H.323 signals.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Verizon Services Corporation (Verizon Communications Inc.)
Inventors
Harvey, Edward P., Sylvester, James E., Ormazabal, Gaston S.

Granted Patent

US 8,046,828 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/22   comprising specially adapte...

H04L 43/06   Generation of reports

H04L 43/0852   Delays

H04L 43/0894   Packet rate

H04L 43/12   Network monitoring probes

H04L 43/50   Testing arrangements

H04L 63/02   for separating internal fro...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/1433   Vulnerability analysis

SECURITY MANAGEMENT SYSTEM FOR MONITORING FIREWALL OPERATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

93 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

SECURITY MANAGEMENT SYSTEM FOR MONITORING FIREWALL OPERATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others