PASSPORT-CONTROLLED FIREWALL

US 20170048198A1
Filed: 08/10/2015
Published: 02/16/2017
Est. Priority Date: 08/10/2015
Status: Active Grant

First Claim

Patent Images

1. A method for dynamically modifying rules in a firewall infrastructure for an application code, said method comprising:

receiving, by one or more processors, a unit of deployment at a requestor module on a server, wherein the unit of deployment comprises the application code and a signed passport, and wherein the passport comprises a firewall rule and a first application hash value;

said one or more processors authenticating the received passport;

said one or more processors hashing the received application code, resulting in a second application hash value;

said one or more processors validating that the received first application hash value and the second application hash value are equal; and

in response to said authenticating and said validating, said one or more processors receiving the passport by a border control agent of the firewall from the requestor module, modifying a firewall in the firewall infrastructure according to the received firewall rule, and communicating with the application code through the modified firewall.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, and associated system and computer program product, for dynamically modifying rules in a firewall infrastructure. A unit of deployment is received at a requestor module at a server. The unit of deployment includes the application code and a signed passport. The passport includes a firewall rule and a first application hash value. The received passport is authenticated, the received application code is hashed resulting in a second application hash value, and it is validated that the received first application hash value and the generated application hash value are equal. In response to the validation, the passport is received by a border control agent of the firewall from the server, a firewall is modified in the firewall infrastructure according to the received firewall rule, and communicating with the application is enabled through the modified firewall.

27 Citations

View as Search Results

20 Claims

1. A method for dynamically modifying rules in a firewall infrastructure for an application code, said method comprising:
- receiving, by one or more processors, a unit of deployment at a requestor module on a server, wherein the unit of deployment comprises the application code and a signed passport, and wherein the passport comprises a firewall rule and a first application hash value;
  
  said one or more processors authenticating the received passport;
  
  said one or more processors hashing the received application code, resulting in a second application hash value;
  
  said one or more processors validating that the received first application hash value and the second application hash value are equal; and
  
  in response to said authenticating and said validating, said one or more processors receiving the passport by a border control agent of the firewall from the requestor module, modifying a firewall in the firewall infrastructure according to the received firewall rule, and communicating with the application code through the modified firewall.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the passport further comprises a heart-beat time-out interval.
  - 3. The method of claim 2, said method further comprising:
    - said one or more processors confirming on a regular basis within each of the heart-beat time-out intervals the firewall rule by the requestor module of the server to a border control agent of the firewall.
  - 4. The method of claim 3, said method further comprising:
    - in response to a determination that no confirmation was received by the border control agent within the heart-beat time-out interval, said one or more processors resetting the firewall rule in the firewall.
  - 5. The method of claim 1, wherein a first hash function used to generate the first application hash value and a second hash function used to generate the second application hash value are equal.
  - 6. The method of claim 1, wherein an encryption used for encrypting the passport is based on an asymmetric encryption process.
  - 7. The method of claim 1, wherein a secure communication channel is established between the requestor module of the server and the border control agent of the firewall.
  - 8. The method of claim 1, wherein an encryption of the passport is based on a public key certificate registered with a trusted signer.

9. A computer program product, comprising one or more computer readable hardware storage devices having computer readable program code stored therein, said program code containing instructions executable by one or more processors to implement a method for dynamically modifying rules in a firewall infrastructure for an application code, said method comprising:
- said one or more processors receiving a unit of deployment at a requestor module on a server, wherein the unit of deployment comprises the application code and a signed passport, and wherein the passport comprises a firewall rule and a first application hash value;
  
  said one or more processors authenticating the received passport;
  
  said one or more processors hashing the received application code, resulting in a second application hash value;
  
  said one or more processors validating that the received first application hash value and the second application hash value are equal; and
  
  in response to said authenticating and said validating, said one or more processors receiving the passport by a border control agent of the firewall from the requestor module, modifying a firewall in the firewall infrastructure according to the received firewall rule, and communicating with the application code through the modified firewall.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer program product of claim 9, wherein the passport further comprises a heart-beat time-out interval.
  - 11. The computer program product of claim 10, said method further comprising:
    - said one or more processors confirming on a regular basis within each of the heart-beat time-out intervals the firewall rule by the requestor module of the server to a border control agent of the firewall.
  - 12. The computer program product of claim 11, said method further comprising:
    - on a determination that no confirmation was received by the border control agent within the heart-beat time-out interval, said one or more processors resetting the firewall rule in the firewall.
  - 13. The computer program product of claim 9, wherein a first hash function used to generate the first application hash value and a second hash function used to generate the second application hash value are equal.
  - 14. The computer program product of claim 9, wherein an encryption used for encrypting the passport is based on an asymmetric encryption process.

15. A computer system, comprising one or more processors, one or more memories, and one or more computer readable hardware storage devices, said one or more storage device containing program code executable by the one or more processors via the one or more memories to implement a method for dynamically modifying rules in a firewall infrastructure for an application code, said method comprising:
- said one or more processors receiving a unit of deployment at a requestor module on a server, wherein the unit of deployment comprises the application code and a signed passport, and wherein the passport comprises a firewall rule and a first application hash value;
  
  said one or more processors authenticating the received passport;
  
  said one or more processors hashing the received application code, resulting in a second application hash value;
  
  said one or more processors validating that the received first application hash value and the second application hash value are equal; and
  
  in response to said authenticating and said validating, said one or more processors receiving the passport by a border control agent of the firewall from the requestor module, modifying a firewall in the firewall infrastructure according to the received firewall rule, and communicating with the application code through the modified firewall.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer system of claim 15, wherein the passport further comprises a heart-beat time-out interval.
  - 17. The computer system of claim 16, said method further comprising:
    - said one or more processors confirming on a regular basis within each of the heart-beat time-out intervals the firewall rule by the requestor module of the server to a border control agent of the firewall.
  - 18. The computer system of claim 17, said method further comprising:
    - on a determination that no confirmation was received by the border control agent within the heart-beat time-out interval, said one or more processors resetting the firewall rule in the firewall.
  - 19. The computer system of claim 15, wherein a first hash function used to generate the first application hash value and a second hash function used to generate the second application hash value are equal.
  - 20. The computer system of claim 15, wherein an encryption used for encrypting the passport is based on an asymmetric encryption process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Frank, Joachim H., Karn, Holger

Granted Patent

US 9,900,285 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G07C 9/20   involving the use of a pass

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

H04L 9/006   involving public key infras...

H04L 9/3268   using certificate validatio...

PASSPORT-CONTROLLED FIREWALL

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PASSPORT-CONTROLLED FIREWALL

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links