SECURE FIREWALL CONFIGURATIONS

US 20190081983A1
Filed: 10/27/2017
Published: 03/14/2019
Est. Priority Date: 09/12/2017
Status: Active Grant

First Claim

Patent Images

1. A computer program product for managing a firewall on an endpoint, the computer program product comprising computer executable code embodied in a non-transitory computer-readable medium that, when executing on one or more computing devices, performs the steps of:

storing a process cache in a kernel space of an operating system on the endpoint, the endpoint having a memory that includes the kernel space and a user space and the process cache storing at least one property for a configuration of a firewall provided by a software firewall process executing in the user space on the endpoint;

storing a tamper protection cache in the kernel space, the tamper protection cache identifying one or more protected computing objects on the endpoint, wherein the tamper protection cache secures the one or more computing objects with reference to a trust authority external to the operating system, and wherein the one or more protected computing objects includes the software firewall process;

receiving a request for a change to the configuration of the firewall from a second process with a kernel driver; and

conditionally authorizing the change from the kernel driver only when the one or more protected computing objects also includes the second process that requests the change to the configuration of the firewall.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The configuration of a firewall on an endpoint is secured to prevent changes by unauthorized processes, while permitting changes that are requested by authorized processes. Authorized processes can be stored in a tamper protection cache within a kernel of the operating system of the endpoint and secured with reference to a trust authority external to the operating system. When a process on the endpoint requests a change to the firewall configuration, the requesting process can be checked against the processes listed in the tamper protection cache, and any suitable rules can be applied to limit or prevent changes to firewall configuration.

77 Citations

View as Search Results

20 Claims

1. A computer program product for managing a firewall on an endpoint, the computer program product comprising computer executable code embodied in a non-transitory computer-readable medium that, when executing on one or more computing devices, performs the steps of:
- storing a process cache in a kernel space of an operating system on the endpoint, the endpoint having a memory that includes the kernel space and a user space and the process cache storing at least one property for a configuration of a firewall provided by a software firewall process executing in the user space on the endpoint;
  
  storing a tamper protection cache in the kernel space, the tamper protection cache identifying one or more protected computing objects on the endpoint, wherein the tamper protection cache secures the one or more computing objects with reference to a trust authority external to the operating system, and wherein the one or more protected computing objects includes the software firewall process;
  
  receiving a request for a change to the configuration of the firewall from a second process with a kernel driver; and
  
  conditionally authorizing the change from the kernel driver only when the one or more protected computing objects also includes the second process that requests the change to the configuration of the firewall.

2. A method for managing a firewall on an endpoint, the method comprising:
- storing a process cache in a kernel space of an operating system on the endpoint, the endpoint having a memory that includes the kernel space and a user space and the process cache storing at least one property for a software firewall process executing in the user space on the endpoint;
  
  storing a tamper protection cache in the kernel space, the tamper protection cache identifying one or more protected computing objects on the endpoint, wherein the tamper protection cache secures the one or more computing objects with reference to a trust authority external to the operating system, and wherein the one or more protected computing objects includes the software firewall process;
  
  receiving a request for a change to a configuration of the software firewall process from a second process with a kernel driver; and
  
  conditionally authorizing the change from the kernel driver only when the one or more protected computing objects also includes the second process.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 3. The method of claim 2 wherein the request for the change to the configuration of the software firewall process originates from a source external to the endpoint.
  - 4. The method of claim 2 wherein the configuration of the software firewall process is stored in one or more registry keys for the endpoint.
  - 5. The method of claim 4 wherein the one or more registry keys are contained in the one or more protected computing objects stored in the tamper protection cache.
  - 6. The method of claim 2 wherein the trust authority is external to the endpoint.
  - 7. The method of claim 2 wherein the trust authority includes a remote trust authority maintained by a threat management facility for an enterprise network that includes the endpoint.
  - 8. The method of claim 2 wherein the trust authority includes a remote third-party trust authority.
  - 9. The method of claim 2 wherein the configuration specifies one or more firewall rules.
  - 10. The method of claim 2 wherein the configuration identifies permitted or prohibited network addresses.
  - 11. The method of claim 2 wherein the configuration identifies permitted or prohibited applications executing on the endpoint.
  - 12. The method of claim 2 wherein the second process is a remote process executing on a threat management facility for an enterprise network that includes the endpoint.
  - 13. The method of claim 2 wherein the change to the configuration includes a request to allow traffic from an application executing on the endpoint.
  - 14. The method of claim 2 wherein the second process evaluates an application requesting network access through the software firewall process and responsively requests the change to permit the application to communicate through the firewall.
  - 15. The method of claim 2 wherein the second process implements a policy change for an enterprise network to permit network use by an application by configuring the software firewall process and a remote firewall on a gateway for the enterprise network to allow traffic by the application.

16. A system comprising:
- an endpoint having a memory and an operating system that organizes the memory into a user space for executing processes and a kernel space for the operating system;
  
  a software firewall process executing in the user space;
  
  a process cache stored in the kernel space, the process cache storing at least one property for the software firewall process executing in the user space;
  
  a tamper protection cache stored in the kernel space, the tamper protection cache secured with reference to a trust authority external to the operating system and identifying one or more protected computing objects on the endpoint, wherein the one or more protected computing objects includes the software firewall process; and
  
  a kernel driver executing in the kernel space and configured to detect a request for a change to the at least one property of the software firewall process from a second process and to conditionally authorize the change only when the one or more protected computing objects also includes the second process.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16 wherein the at least one property of the software firewall process is stored in one or more registry keys for the endpoint.
  - 18. The system of claim 17 wherein the one or more registry keys are contained in the one or more protected computing objects stored in the tamper protection cache.
  - 19. The system of claim 16 wherein the trust authority includes a remote trust authority maintained by a threat management facility for an enterprise network that includes the endpoint.
  - 20. The system of claim 16 wherein the trust authority includes a remote third-party trust authority.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Teal, Richard S.

Granted Patent

US 10,885,213 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/0813   with a network or matrix co...

G06F 21/44   Program or device authentic...

G06F 21/50   Monitoring users, programs ...

G06F 21/51   at application loading time...

G06F 21/54   by adding security routines...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/57   Certifying or maintaining t...

G06F 21/602   Providing cryptographic fac...

G06F 21/606   by securing the transmissio...

G06F 2212/1052   Security improvement

G06F 2212/60   Details of cache memory

G06F 2212/62   Details of cache specific t...

H04L 43/026   using flow identification

H04L 43/028   by filtering

H04L 43/045   for graphical visualisation...

H04L 43/062   related to network traffic

H04L 43/10   Active monitoring, e.g. hea...

H04L 47/2475   for supporting traffic char...

H04L 63/02   for separating internal fro...

H04L 63/0218 : Distributed architectures, ...

H04L 63/0227 : Filtering policies mail mes...

H04L 63/0236 : Filtering by address, proto...

H04L 63/0263 : Rule management

H04L 63/14 : for detecting or protecting...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/145 : the attack involving the pr...

H04L 63/168 : above the transport layer

H04L 63/20 : for managing network securi...

H04L 63/205 : involving negotiation or de...

H04L 67/568 : Storing data temporarily at...

H04L 9/0891 : Revocation or update of sec...

H04L 9/30 : Public key, i.e. encryption...

H04L 9/321 : involving a third party or ...

H04L 9/3247 : involving digital signatures

H04L 9/3268 : using certificate validatio...

View All

SECURE FIREWALL CONFIGURATIONS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

SECURE FIREWALL CONFIGURATIONS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others