HIERARCHICAL FIREWALLS

US 20090249472A1
Filed: 01/05/2009
Published: 10/01/2009
Est. Priority Date: 03/27/2008
Status: Active Grant

First Claim

Patent Images

1. A method of implementing a firewall, the method comprising:

a) receiving a layer of policies from each of a plurality of entities with different levels of authority; and

b) evaluating received packets based on the received layers of policies, wherein a layer of policies of a higher level of authority can accept a received packet, block the received packet, or delegate a decision of whether to accept or block the received packet to a layer of policies of a lower level of authority.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of implementing a firewall that receives a layer of policies from each of multiple entities with different levels of authority. The method evaluates received packets based on the received layers of policies. A layer of policies of a higher level of authority can accept a received packet, block the received packet, or delegate a decision of whether to accept or block the received packet to a layer of policies of a lower level of authority.

Citations

24 Claims

1. A method of implementing a firewall, the method comprising:
- a) receiving a layer of policies from each of a plurality of entities with different levels of authority; and
  
  b) evaluating received packets based on the received layers of policies, wherein a layer of policies of a higher level of authority can accept a received packet, block the received packet, or delegate a decision of whether to accept or block the received packet to a layer of policies of a lower level of authority.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein policies of a first layer of policies are for determining whether to allow the packet through the firewall, block the packet, or delegate the decision of whether to allow or block the packet to a second layer of policies.
  - 3. The method of claim 2, wherein policies of the second layer of policies are for determining whether to allow the packet through the firewall or block the packet.
  - 4. The method of claim 1, wherein a plurality of the layers of policies are for determining whether to allow the received packet through the firewall, block the packet, or delegate the decision of whether to allow or block the packet to a next layer of policies.
  - 5. The method of claim 4, wherein the policies of a layer of policies of a lowest level of authority are for determining whether to allow the packet through the firewall or block the packet, but the policies of the layer of policies of the lowest level of authority are not for determining whether to delegate the decision of whether to allow or block the packet to a next layer of policies.
  - 6. The method of claim 1, wherein the firewall is implemented to protect virtual machines on a host node of a hosting system.
  - 7. The method of claim 6, wherein the firewall is implemented to pass packets from outside the host node to a plurality of virtual machines on the host node.
  - 8. The method of claim 6, wherein each virtual machine is associated with multiple layers of policies that apply to that virtual machine.
  - 9. The method of claim 1, wherein the plurality of entities comprise a system administrator and a virtual machine administrator.
  - 10. The method of claim 1, wherein the plurality of entities comprises a user of the virtual machine.

11. A method comprising:
- a) providing a firewall coordinator for coordinating firewall policies for each of a plurality of virtual machines running on a plurality of host nodes, wherein the firewall coordinator comprises a policy manager for accepting policies for a particular virtual machine from a plurality of users with multiple authority levels; and
  
  b) providing a plurality of firewalls implemented on the plurality of host nodes, wherein the firewalls are for implementing the firewall policies of the users, wherein implementing the policies comprises implementing policies of a user of a higher authority level that contradict policies of a user with a lower authority level.

12. A security system for controlling passage of data packets to and from a plurality of virtual machines on a plurality of host nodes, the security system comprising:
- a) a firewall coordinator for coordinating firewall policies for each of the plurality of virtual machines running on a plurality of host nodes, wherein the firewall coordinator comprises a policy manager for accepting policies for a particular virtual machine from a plurality of users with different authority levels; and
  
  b) a plurality of firewalls implemented on the plurality of host nodes, wherein the firewalls are for implementing the firewall policies, wherein implementing the policies comprises implementing policies of a user of a higher authority level that contradict policies of a user of a lower authority level.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The firewall system of claim 12, wherein the firewall coordinator is further for sending updated policies to said firewalls.
  - 14. The firewall system of claim 12, wherein the firewall system is for blocking a packet sent to a particular virtual machine when a first policy of the user of the higher authority level comprises a policy to block the packet and a second policy of the user of the lower authority level comprises a policy to allow the packet.
  - 15. The firewall system of claim 12, wherein the firewall system is for allowing a packet sent to a particular virtual machine when a first policy of the user of the higher authority level comprises a policy to allow the packet and a second policy of the user of the lower authority level comprises a policy to block the packet.
  - 16. The firewall system of claim 12, wherein the firewall system is for allowing a packet sent to a particular virtual machine when a first policy of the user of the higher authority level comprises a policy to delegate the decision of whether to allow the packet to a set of policies of the user of the lower authority level and a second policy of the user of the lower authority level comprises a policy to allow the packet.
  - 17. The firewall system of claim 12, wherein the firewall system is for blocking a packet sent to a particular virtual machine when a first policy of the user of the higher authority level comprises a policy to delegate the decision of whether to allow the packet to a set of policies of the user of the lower authority level and a second policy of the user of the lower authority level comprises a policy to block the packet.
  - 18. The firewall system of claim 17, wherein the packet has a particular source IP address, the first policy comprises a policy that delegates decisions of whether to allow packets from the particular source IP address and the second policy comprises a policy to block packets from the particular source IP address.
  - 19. The firewall system of claim 17, wherein the packet has a particular destination port address, the first policy comprises a policy that delegates decisions of whether to allow packets to the particular destination port address and the second policy comprises a policy to block packets from the particular destination port address.

20. A computer readable storage medium storing a computer program which when executed by at least one processor implements a firewall, the computer program comprising:
- a) a set of instruction for receiving a multiple layer set of policies, wherein each of at least two of the multiple layers were set by entities with different levels of authority; and
  
  b) a set of instruction for evaluating received packets based on the received multiple layer set of policies, wherein a layer of policies of a higher level of authority can accept a received packet, block the received packet, or delegate a decision of whether to accept or block the received packet to a layer of policies of a lower level of authority.
- View Dependent Claims (21, 22, 23)
- - 21. The computer readable storage medium of claim 20, wherein policies of a first layer of policies are for determining whether to allow the packet through the firewall, block the packet, or delegate the decision of whether to allow or block the packet to a second layer of policies.
  - 22. The computer readable storage medium of claim 21, wherein policies of the second layer of policies are for determining whether to allow the packet through the firewall or block the packet.
  - 23. The computer readable storage medium of claim 20, wherein a plurality of the layers of policies are for determining whether to allow the packet through the firewall, block the packet, or delegate the decision of whether to allow or block the packet to a next layer of policies.

24. For a system that applies a set of policies with different hierarchical levels to determine whether to allow a packet to pass a firewall, a method comprising:
- a) receiving a first packet and determining at a first hierarchical level to allow the first packet to pass the firewall;
  
  b) receiving a second packet and determining at the first hierarchical level to block the first packet;
  
  c) receiving a third packet, determining at the first hierarchical level to delegate the determination of whether to allow the third packet to pass to a second hierarchical level; and
  
  d) determining at the second hierarchical level to allow the third packet to pass the firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Litvin, Moshe, Benjamini, Gilad

Granted Patent

US 8,336,094 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/14
CPC Class Codes

H04L 63/0263 Rule management

HIERARCHICAL FIREWALLS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

HIERARCHICAL FIREWALLS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links