METHOD AND APPARATUS FOR AUTOMATIC RISK ASSESSMENT OF A FIREWALL CONFIGURATION

US 20100293617A1
Filed: 07/21/2010
Published: 11/18/2010
Est. Priority Date: 07/15/2004
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method of detecting firewall mis-configurations of a firewall operatively associated with a computer network, the method comprising:

receiving a firewall configuration report exhibiting relationships between any potential packet received by the firewall and a corresponding action taken by the firewall in response, wherein the report is achieved by algorithmically simulating all potential packet receipts on an internal model of the firewall;

converting the firewall configuration report into a computer searchable file enabling detection of firewall mis-configurations;

detecting firewall mis-configurations by searching the computer searchable file for mis-configurations in view of a predefined knowledge base exhibiting risk items associated with corresponding firewall mis-configurations; and

customizing the detected firewall mis-configurations according to the knowledge base and the firewall configuration report thereby producing a list of risks associated with the firewall;

eliminating redundancy of reported risks by defining a suppression code for each risk associated with at least one second risk where the rules of the second risk logically contains the rules of the first risk, wherein the reported risks which have same number of triggering rules as the corresponding second risk defined by suppression code of the first risk, are suppressedwherein the computer searchable file obeys a particular predefined schema indicating relationships between objects exhibited on tables in the report; and

wherein the searched mis-configurations are in a particular predefined search expression format that corresponds with the particular predefined schema;

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for Automatic Risk Assessment of a Firewall Configuration facilitates the automatic generation of a risk assessment of a given firewall configuration. The method scans the firewall analyzer report, before the human user does, and flag the Configuration errors. Each found mis-configuration is called a risk item. The report is analyzed according a Knowledge Base of known risk items. The method further filters duplicate risk item which are trigger by different rules

Citations

13 Claims

1. A computer implemented method of detecting firewall mis-configurations of a firewall operatively associated with a computer network, the method comprising:
- receiving a firewall configuration report exhibiting relationships between any potential packet received by the firewall and a corresponding action taken by the firewall in response, wherein the report is achieved by algorithmically simulating all potential packet receipts on an internal model of the firewall;
  
  converting the firewall configuration report into a computer searchable file enabling detection of firewall mis-configurations;
  
  detecting firewall mis-configurations by searching the computer searchable file for mis-configurations in view of a predefined knowledge base exhibiting risk items associated with corresponding firewall mis-configurations; and
  
  customizing the detected firewall mis-configurations according to the knowledge base and the firewall configuration report thereby producing a list of risks associated with the firewall;
  
  eliminating redundancy of reported risks by defining a suppression code for each risk associated with at least one second risk where the rules of the second risk logically contains the rules of the first risk, wherein the reported risks which have same number of triggering rules as the corresponding second risk defined by suppression code of the first risk, are suppressedwherein the computer searchable file obeys a particular predefined schema indicating relationships between objects exhibited on tables in the report; and
  
  wherein the searched mis-configurations are in a particular predefined search expression format that corresponds with the particular predefined schema;
- View Dependent Claims (2, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the firewall configuration report is arranged according to name/type of risk accumulating all rules which triggered said risk, wherein said arrangement is a result of what-if simulation for correlating the risks and their corresponding rules
  - 4. The method according to claim 1, wherein the Knowledge Base is maintained in an Extensible Markup Language (XML) document.
  - 5. The method according to claim 1, wherein the Knowledge Base is maintained in a relational database.
  - 6. The method according to claim 1, wherein each risk item in said Knowledge Base comprises at least one of:
    - a brief description of the risk item;
      
      a risk rating;
      
      an explanation about the risk item;
      
      links to further details of the risk item; and
      
      a remedy.
  - 7. The method according to claim 1, wherein the List-of-Risks is displayed in HTML format.
  - 8. The method according to claim 1, wherein the List-of-Risks is displayed as a bar chart.
  - 9. The method of claim 1, wherein the risk items are customized before being searched for in said searchable report.
  - 10. The method of claim 1, wherein said List-of-Risks is sorted in decreasing risk rating order.
  - 11. The method of claim 1, wherein each risk item associated with a search expression used by the software module to search the computer searchable file to identify occurrences of said each risk item.

3. A computer implemented method of detecting firewall mis-configurations of a firewall operatively associated with a computer network, the method comprising:
- receive a firewall configuration report exhibiting relationships between any potential packet received by the firewall and a corresponding action taken by the firewall in response, wherein the report is achieved by algorithmically simulating all potential packet receipts on an internal model of the firewall;
  
  convert the firewall configuration report into a computer searchable file enabling detection of firewall mis-configurations;
  
  detect firewall mis-configurations by searching the computer searchable file for mis-configurations in view of a predefined knowledge base stored on the memory exhibiting risk items associated with corresponding firewall mis-configurations; and
  
  customize the detected firewall mis-configurations according to the knowledge base and the firewall configuration report thereby producing a list of risks associated with the firewall;
  
  conducting a simulation of firewall activation for specific risk type defined a user;
  
  integrating simulation results within the computer searchable file;
  
  wherein the computer searchable file obeys a particular predefined schema indicating relationships between objects exhibited on tables in the report; and
  
  wherein the searched mis-configurations are in a particular predefined search expression format that corresponds with the particular predefined schema;
  
  wherein the integrated computer searchable file enable searching according risk type.

12. A data processing system for detecting firewall mis-configurations of a firewall operatively associated with a computer network, the system comprising:
- a processor; and
  
  a memory,wherein the processor is configured by a computer readable code such that the processor is operable to;
  
  receive a firewall configuration report exhibiting relationships between any potential packet received by the firewall and a corresponding action taken by the firewall in response, wherein the report is achieved by algorithmically simulating all potential packet receipts on an internal model of the firewall;
  
  convert the firewall configuration report into a computer searchable file enabling detection of firewall mis-configurations;
  
  detect firewall mis-configurations by searching the computer searchable file for mis-configurations in view of a predefined Knowledge Base stored on the memory exhibiting risk items associated with corresponding firewall mis-configurations; and
  
  customize the detected firewall mis-configurations according to the Knowledge Base and the firewall configuration report thereby producing a list of risks associated with the firewall;
  
  eliminating redundancy of reported risks by defining a suppression code for each risk associated with at least one second risk where the rules of the second risk contains the rules of the first risk, wherein the reported risks which have same number of triggering rules as the corresponding second risk defined by suppression code of the first risk, are suppressed.wherein the computer searchable file obeys a particular predefined schema indicating relationships between objects exhibited on tables in the report; and
  
  wherein the searched mis-configurations are in a particular predefined search expression format that corresponds with the particular predefined schema.

13. A computer implemented method of detecting firewall mis-configurations of a firewall operatively associated with a computer network, the method comprising:
- receiving a firewall configuration report exhibiting relationships between any potential packet received by the firewall and a corresponding action taken by the firewall in response, wherein the report is achieved by algorithmically simulating all potential packet receipts on an internal model of the firewall;
  
  converting the firewall configuration report into a computer searchable file enabling detection of firewall mis-configurations;
  
  detecting firewall mis-configurations by searching the computer searchable file for mis-configurations in view of a predefined knowledge base exhibiting risk items associated with corresponding firewall mis-configurations; and
  
  customizing the detected firewall mis-configurations according to the knowledge base and the firewall configuration report thereby producing a list of risks associated with the firewall;
  
  wherein the computer searchable file obeys a particular predefined schema indicating relationships between objects exhibited on tables in the report; and
  
  wherein the searched mis-configurations are in a particular predefined search expression format that corresponds with the particular predefined schema;

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Algotec Systems Ltd. (Koninklijke Philips N.V.)
Original Assignee
Algotec Systems Ltd. (Koninklijke Philips N.V.)
Inventors
WOOL, Avishai

Granted Patent

US 8,677,496 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

H04L 41/0873   Checking configuration conf...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1433   Vulnerability analysis

METHOD AND APPARATUS FOR AUTOMATIC RISK ASSESSMENT OF A FIREWALL CONFIGURATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR AUTOMATIC RISK ASSESSMENT OF A FIREWALL CONFIGURATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links