METHOD OF CONFIGURING A SECURITY GATEWAY AND SYSTEM THEREOF

US 20100011433A1
Filed: 07/14/2008
Published: 01/14/2010
Est. Priority Date: 07/14/2008
Status: Active Grant

First Claim

Patent Images

1. A method of automated configuration of a security gateway, the method comprising:

a) setting-up an initial rule-set;

b) obtaining log records of communication events corresponding to the initial rule-set so as to obtain a sufficient amount of log records;

c) transforming the obtained log records into respective rules, wherein source, destination and service fields in each rule correspond to source, destination and service values in respective obtained log record, and the action in all rules is defined as “

Accept”

, thus giving rise to a transformation-based rule-set; and

d) processing the transformation-based rule-set so as to generate an operable rule-set.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided a rule-set generator and a method of automated configuration of a security gateway. The method comprises setting-up an initial rule-set; obtaining log records of communication events corresponding to the initial rule-set so as to obtain a sufficient amount of log records; transforming the obtained log records into respective rules, wherein source, destination and service fields in each rule correspond to source, destination and service values in respective obtained log record, and the action in all rules is defined as “Accept”, thus giving rise to a transformation-based rule-set; and processing the transformation-based rule-set so as to generate an operable rule-set by processing the transformation-based rule-set.

Citations

27 Claims

1. A method of automated configuration of a security gateway, the method comprising:
- a) setting-up an initial rule-set;
  
  b) obtaining log records of communication events corresponding to the initial rule-set so as to obtain a sufficient amount of log records;
  
  c) transforming the obtained log records into respective rules, wherein source, destination and service fields in each rule correspond to source, destination and service values in respective obtained log record, and the action in all rules is defined as “
  
  Accept”
  
  , thus giving rise to a transformation-based rule-set; and
  
  d) processing the transformation-based rule-set so as to generate an operable rule-set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 26, 27)
- - 2. The method of claim 1 wherein the initial rule-set is related to all traffic to be controlled by the security gateway and comprises only one rule, this rule permitting any traffic between any data network resources.
  - 3. The method of claim 1 wherein the initial rule-set is related to a part of the traffic to be controlled by the security gateway.
  - 4. The method of claim 1 wherein the initial rule-set is integrated with a pre-configured rule-set.
  - 5. The method of claim 4 wherein the integration is provided by adding an “
    - Accept-All-And-Log”
      
      rule as a last rule to the pre-configured rule-set.
  - 6. The method of claim 1 wherein at least part of the obtained log records are generated by the security gateway configured to control at least part of traffic in accordance with said initial rule-set.
  - 7. The method of claim 1 wherein at least part of the log records is obtained by sniffing the traffic to be controlled by the security gateway and logging respective communication events.
  - 8. The method of claim 1 wherein the sufficient amount of log records is characterized by achieving a certain threshold.
  - 9. The method of claim 1 wherein the sufficient amount of log records is characterized by terminating a certain substantial collection period.
  - 10. The method of claim 1 wherein the obtained log records are normalized before transforming.
  - 11. The method of claim 1 further comprising adjusting the operable rule-set in accordance with policy format used by a certain security gateway vendor.
  - 12. The method of claim 1 further comprising repeating the operations b)-d) while using the generated operable rule-set instead of the initial rule-set so as to generate a refined operable rule-set.
  - 13. The method of claim 1 wherein the processing of transformation-based rule-set comprises:
    - a) identifying and removing duplicate rules among the transformation-based rules, thus giving rise to remaining rules, wherein each remaining rule is provided with an initial hit count characterizing the number of respective duplicated rules before removing; and
      
      b) consolidating the remained rules by source, destination and service respectively, thus giving rise to consolidated rules, wherein each consolidated rule is provided with a consolidated hit count calculated by summarizing the initial hit counts of the rules consolidated in the respective consolidated rule.
  - 14. The method of claim 13 wherein the consolidated rule-set is further optimized by reordering the rules in accordance with their consolidation hit count, wherein the more frequent rules are put higher in a rule table.
  - 15. The method of claim 13 wherein the consolidated rule-set is further adjusted according to at least one criterion selected from a group comprising:
    - vulnerability black lists, organizational policies, best practices, recommended white lists, regulations, standards for security gateways.
  - 16. The method of claim 13 wherein consolidating comprises combining a range of IP addresses of respective sources and/or destinations in a sub-network.
  - 17. The method of claim 16 wherein said range of IP addresses is non-consecutive and combining in a sub-network is provided in accordance with a Subnet Threshold Parameter (STM) defined as a ratio of the largest allowable gap in the network IP addresses to a number of addresses in a resulting sub-network.
  - 26. A computer program comprising a computer program code means for performing all the stages of claim 1 when said program is run on a computer.
  - 27. A computer program as claimed in claim 26 embodied on a computer readable medium.

18. A rule-set generator comprising:
- a) a first repository configured to accommodate an initial rule-set to be used for configuring a security gateway;
  
  b) a second repository configured to accommodate log records of communication events corresponding to the initial rule-set;
  
  c) a processor operatively coupled to the first repository and the second repository and configured to;
  
  i) transform said accommodated log records into respective rules, wherein source, destination and service fields in each rule correspond to source, destination and service values in respective log record, and the action in all rules is defined as “
  
  Accept”
  
  , thus giving rise to a transformation-based rule-set; and
  
  ii) processing the transformation-based rule-set so as to generate an operable rule-set.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The rule-set generator of claim 18 further comprising a sniffer operatively coupled to the second repository and capable of capturing network traffic to be controlled by the security gateway and of generating respective log records.
  - 20. The rule-set generator of claim 18 at least partly integrated with the security gateway.
  - 21. The rule-set generator of claim 18 wherein the initial rule-set is related to all traffic to be controlled by the security gateway and comprises only one rule, this rule permitting any traffic between any data network resources.
  - 22. The rule-set generator of claim 18 wherein at least part of the log records accommodated in the second repository is generated by the security gateway configured to control at least part of traffic in accordance with said initial rule-set.
  - 23. The rule-set generator of claim 18 wherein the processor is further configured to process the transformation-based rule-set as following:
    - a) to identify and remove duplicate rules among the transformation-based rules, thus giving rise to remaining rules, wherein to provide each remaining rule with an initial hit count characterizing the number of respective duplicated rules before removing;
      
      b) to consolidate the remaining rules by source, destination and service respectively, thus giving rise to consolidated rules, wherein to provide each consolidated rule with a consolidated hit count calculated by summarizing the initial hit counts of the rules consolidated in the respective consolidated rule.
  - 24. The rule-set generator of claim 23 wherein the consolidation comprises combining a range of IP addresses of respective sources and/or destinations in a sub-network.
  - 25. The rule-set generator of claim 24 wherein said range of IP addresses is non-consecutive and combining in a sub-network is provided in accordance with a Subnet Threshold Parameter (STM) defined as a ratio of the largest allowable gap in the network IP addresses to a number of addresses in a resulting sub-network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tufin Software Technologies Ltd.
Original Assignee
Tufin Software Technologies Ltd.
Inventors
PERSKY, Yakov, HARRISON, Reuven

Granted Patent

US 8,490,171 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 63/0263 Rule management

METHOD OF CONFIGURING A SECURITY GATEWAY AND SYSTEM THEREOF

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD OF CONFIGURING A SECURITY GATEWAY AND SYSTEM THEREOF

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links