Multilayer firewall system

US 5,968,176 A
Filed: 05/29/1997
Issued: 10/19/1999
Est. Priority Date: 05/29/1997
Status: Expired due to Term

First Claim

Patent Images

1. A system providing multiple protocol layer security in a network including nodes of a plurality of network device types, with nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node in the network, comprising:

a topology data store, storing information about security functions operating in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes in the network;

a configuration interface, coupled to the topology data store, including an input by which to receive security policy statements indicating security policies to be implemented among nodes in the network; and

a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for the plurality of types of nodes in the network, and which conveys the configuration data to the nodes, wherein the security functions operating in the plurality of network device types across multiple protocol layers are coordinated by the security policy so that particular device types enforce the part of the security policy pertinent to the associated part of the network.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system provides for establishing security in a network that include nodes having security functions operating in multiple protocol layers. Multiple network devices, such as remote access equipment, routers, switches, repeaters and network cards having security functions are configured to contribute to implementation of distributed firewall functions in the network. By distributing firewall functionality throughout many layers of the network in a variety of network devices, a pervasive firewall is implemented. The pervasive, multilayer firewall includes a policy definition component that accepts policy data that defines how the firewall should behave. The policy definition component can be a centralized component, or a component that is distributed over the network. The multilayer firewall also includes a collection of network devices that are used to enforce the defined policy. The security functions operating in this collection of network devices across multiple protocol layers are coordinated by the policy definition component so that particular devices enforce that part of the policy pertinent to their part of the network.

1110 Citations

70 Claims

1. A system providing multiple protocol layer security in a network including nodes of a plurality of network device types, with nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node in the network, comprising:
- a topology data store, storing information about security functions operating in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes in the network;
  
  a configuration interface, coupled to the topology data store, including an input by which to receive security policy statements indicating security policies to be implemented among nodes in the network; and
  
  a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for the plurality of types of nodes in the network, and which conveys the configuration data to the nodes, wherein the security functions operating in the plurality of network device types across multiple protocol layers are coordinated by the security policy so that particular device types enforce the part of the security policy pertinent to the associated part of the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 23)
- - 2. The system of claim 1, wherein the set of the nodes in the network includes nodes providing medium access control (MAC) layer filtering according to filter parameters, and the configuration data includes filter parameters for the MAC layer filtering.
  - 3. The system of claim 1, wherein the set of the nodes in the network includes nodes providing network layer filtering according to filter parameters, and the configuration data includes filter parameters for the network layer filtering.
  - 4. The system of claim 1, wherein the set of the nodes in the network includes nodes providing transport layer filtering according to filter parameters, and the configuration data includes filter parameters for the transport layer filtering.
  - 5. The system of claim 1, wherein the set of the nodes in the network includes nodes providing application layer filtering according to filter parameters, and the configuration data includes filter parameters for the application layer filtering.
  - 6. The system of claim 1, wherein the security functions include authentication protocols.
  - 7. The system of claim 1, wherein the security functions include auditing.
  - 8. The system of claim 1, wherein the security functions include authorization.
  - 9. The system of claim 1, wherein the set of the nodes in the network includes nodes executing repeater functions, and the security functions include medium access control MAC layer filtering in the repeater functions.
  - 10. The system of claim 1, wherein the set of the nodes in the network includes nodes executing data link layer switch functions, and the security functions include medium access control MAC layer filtering in the switch functions.
  - 11. The system of claim 1, wherein the set of the nodes in the network includes nodes executing network layer routing functions, and the security functions include network layer filtering in the routing functions.
  - 12. The system of claim 1, wherein the set of the nodes in the network includes nodes executing multiple protocol layer routing functions, and the security functions include authentication mechanisms.
  - 13. The system of claim 1, wherein the set of the nodes in the network includes nodes executing network layer routing functions and nodes executing data link layer switch functions, and the security functions include medium access control MAC layer filtering and network layer filtering.
  - 14. The system of claim 13, wherein the set of the nodes in the network includes nodes executing multiple protocol layer routing functions, and the security functions include authentication.
  - 15. The system of claim 1, wherein the topology data store includes data indicating nodes coupled to network links to nodes external to the set of nodes in the network.
  - 16. The system of claim 1, wherein the configuration interface includes a script interpreter which interprets a script language to determine the security policy statements.
  - 17. The system of claim 16, wherein the script language includes a syntax for specifying a security policy statement including a source set identifier, a destination set identifier, a communication activity identifier, and a rule for the identified communication activity between the identified source set and the identified destination set.
  - 18. The system of claim 17, wherein the syntax further includes an identifier of the location at which the rule is to be enforced.
  - 19. The system of claim 1, including a configuration store having persistent storage capability in communication with a particular node in the set of the nodes in the network, and wherein the configuration driver transmits configuration data for the particular node to the configuration store.
  - 20. The system of claim 19, wherein the configuration store is coupled with the particular node by a communication link.
  - 23. The system of claim 18, wherein the security policy statements indicate security policies for communication between a source set of one or more end stations and a destination set of one or more end stations.

21. A system providing security in a network including nodes of a plurality of types, nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node, comprising:
- a topology data store, storing information about security functions operating in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes,wherein the topology data store includes data indicating nodes coupled to network links to nodes external to the set of nodes, active nodes in the network capable of enforcing a security policy and passive nodes which are incapable of enforcing, or not trusted to enforce, a security policy; and
  
  wherein the security policy statements indicate security policies for active nodes, passive nodes, and for communications traversing network links to nodes external to the set of the nodes in the network;
  
  a configuration interface, coupled to the topology data store, including an input by which to receive security policy statements indicating security policies to be implemented among nodes in the network; and
  
  a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for the plurality of types of nodes in the network, and which conveys the configuration data to the nodes.

22. A system providing security in a network including nodes of a plurality of types, nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node, comprising:
- a topology data store, storing information about security functions operating in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes, wherein the topology data store includes data indicating active nodes capable for enforcing a security policy and passive nodes which are incapable of enforcing, or not trusted to enforce, a security policy;
  
  a configuration interface, coupled to the topology data store, including an input by which to receive security policy statements indicating security policies to be implemented among nodes in the network; and
  
  a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for the plurality of types of nodes in the network, and which conveys the configuration data to the nodes.
- View Dependent Claims (24)
- - 24. The system of claim 22, wherein the configuration driver includes resources to enforce security policies for passive nodes by generating configuration data for active nodes linked to passive nodes.

25. A system providing security in a network including nodes of a plurality of types, nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node, comprising:
- a topology data store, storing information about security functions operating in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes;
  
  a configuration interface, coupled to the topology data store, including an input by which to receive security policy statements indicating security policies to be implemented among nodes in the network, wherein the configuration interface includes a script interpreter which interprets a script language to determine the security policy statements, wherein the script language includes a syntax for specifying a security policy statement including a source set identifier, a destination identifier, a communication activity identifier, and a rule for the identified communication activity between the identified source set and the identified destination set; and
  
  a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for the plurality configuration data to the network, and which conveys the configuration data to the nodes, wherein the configuration driver includes resources to identify security policy statements which cannot be enforced according to the data in the topology data store.

26. A system providing security in a network including nodes of a plurality of types, nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node, comprising:
- a topology data store, storing information about security functions operating in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes, wherein the topology data store includes data structures providing information for particular nodes, including network layer addresses, medium access control MAC layer addresses, user identifiers, whether or not the particular node is trusted to enforce security policy, the type of security policy it is able to enforce, and its connections to other nodes;
  
  a configuration interface, coupled to the topology data store including an input by which to receive security policy statements indicating security policies to be implemented among nodes in the network; and
  
  a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for the plurality of types of nodes in the network, and which conveys the configuration data to the nodes.

27. A system providing security in a network including nodes of a plurality of types, nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node, comprising:
- a topology data store, storing information about security functions operating in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes;
  
  a configuration interface, coupled to the topology data store, including an input by which to receive security policy statements indicating security policies to be implemented among nodes in the network, wherein the security policy statements indicate security policies for communication between a source set including one or more end stations in the network, and a destination set including one or more end stations in the network, and wherein the configuration driver includes resources to identify a cut vertex set of nodes capable of enforcing the indicated security policies within the set of nodes in the network, and to establish the configuration data in the nodes in the cut vertex set; and
  
  a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for the plurality of types of nodes in the network, and which conveys the configuration data to the nodes.
- View Dependent Claims (28)
- - 28. The system of claim 27, wherein said cut vertex set consists of a minimal cut vertex set.

29. A system providing security in a network including nodes of a plurality of types, nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node in the network, comprising:
- a topology data store, storing information about security functions in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes in the network, the topology data store including data structures providing information for particular nodes, including addresses at one or more protocol layers, whether or not the particular node is trusted to enforce security policy, the type of security policy the particular node is able to enforce, and connections of the particular node to other nodes;
  
  a configuration interface, coupled to the topology data store, including an input by which to receive security policy statements indicating security policies to be implemented between source sets of one or more end stations and destination sets of one or more end stations in the network, including a script interpreter which interprets a script language to determine the security policy statements, and the script language includes a syntax for specifying a security policy statement including a source set identifier, a destination set identifier, a communication activity identifier, and a rule for the identified communication activity between the identified source set and the identified destination set; and
  
  a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for various types of nodes in the network, and which send the configuration data to the nodes.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 30. The system of claim 29, wherein the set of the nodes in the network includes nodes providing medium access control (MAC) layer filtering according to filter parameters, and the configuration data includes filter parameters for the MAC layer filtering.
  - 31. The system of claim 29, wherein the set of the nodes in the network includes nodes providing network layer filtering according to filter parameters, and the configuration data includes filter parameters for the network layer filtering.
  - 32. The system of claim 29, wherein the set of the nodes in the network includes nodes providing transport layer filtering according to filter parameters, and the configuration data includes filter parameters for the transport layer filtering.
  - 33. The system of claim 29, wherein the set of the nodes in the network includes nodes providing application layer filtering according to filter parameters, and the configuration data includes filter parameters for the application layer filtering.
  - 34. The system of claim 29, wherein the topology data store includes data indicating active nodes capable of enforcing a security policy and passive nodes which are incapable of enforcing, or not trusted to enforce, a security policy.
  - 35. The system of claim 29, wherein the topology data store includes data indicating nodes in the network coupled to network links to nodes external to the set of nodes.
  - 36. The system of claim 35, wherein the security policy statements indicate security policies for communications traversing network links to nodes external to the set of the nodes in the network.
  - 37. The system of claim 29, wherein the syntax further includes an identifier of a location at which the rule is to be enforced.
  - 38. The system of claim 29, wherein the configuration driver includes resources to identify security policy statements which cannot be enforced according to the data in the topology data store.
  - 39. The system of claim 29, including a configuration store having persistent storage capability in communication with a particular node in the set of the nodes in the network, and wherein the configuration driver transmits configuration data for the particular node to the configuration store.
  - 40. The system of claim 39, wherein the configuration store is coupled with the particular node by a communication link.
  - 41. The system of claim 29, wherein the configuration driver includes resources to identify a cut vertex set of nodes capable of enforcing the indicated security policies, and to establish the configuration data in nodes in the cut vertex set.
  - 42. The system of claim 41, wherein said cut vertex set consists of a minimal cut vertex set.

43. A method for establishing a firewall system in a network including a set of nodes of a plurality of types, nodes in the set of nodes in the network including security functions executing in response to configuration data adapted for the corresponding node, comprising:
- providing topology data including information about security functions operating in nodes in the set, and about interconnection of nodes in the set,providing security policy statements indicating security policies to be implemented among end systems in the set;
  
  translating, in response to the topology data, the security policy statements into configuration data for security functions operating at nodes in the set; and
  
  establishing the configuration data in the security functions at the nodes in the network;
  
  wherein the topology data includes data structures providing information for particular nodes, including addresses at one or more protocol layers, whether or not the particular node is trusted to enforce security policy, the type of security policy the particular node is able to enforce, and connections of the particular node to other nodes.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62)
- - 44. The method of claim 43, wherein the step of providing the security policy statements includes interpreting a script language to determine the security policy statements, the script language including a syntax for specifying a security policy statement including a source identifier, a destination identifier, a communication activity identifier, and a rule for the identified communication activity between the identified source and the identified destination.
  - 45. The method of claim 44, wherein the syntax further includes an identifier of the location at which the rule is to be enforced.
  - 46. The method of claim 43, wherein the step of establishing includes transmitting the configuration data on the network to persistent storage in communication with the nodes.
  - 47. The method of claim 46, wherein for at least one node, the persistent storage in communication with the node is local to the node, and for at least one other node the persistent storage in communication with the node is remote from the node.
  - 48. The method of claim 46, wherein for at least one node, the persistent storage in communication with the node is remote from the node, and the step of establishing the configuration data at the node includes after transmitting the configuration data to the persistent storage, signaling the security function at the node that the configuration data has been changed.
  - 49. The method of claim 43, wherein the topology data includes data indicating active nodes capable of enforcing a security policy and passive nodes which are incapable of enforcing, or not trusted to enforce, a security policy.
  - 50. The method of claim 49, wherein the topology data includes data indicating nodes in the network coupled to network links to nodes external to the set of nodes in the network.
  - 51. The method of claim 50, wherein the security policy statements indicate security policies for communications traversing network links to nodes external to the set of the nodes in the network.
  - 52. The method of claim 49, wherein the step of translating includes, to enforce security policies for passive nodes, generating configuration data for active nodes linked to passive nodes.
  - 53. The method of claim 43, wherein the step of translating includes identifying security policy statements which cannot be enforced according to the data in the topology data store.
  - 54. The method of claim 43, wherein the set of the nodes in the network includes nodes providing MAC layer filtering according to filter parameters, and the configuration data includes filter parameters for the MAC layer filtering.
  - 55. The method of claim 43, wherein the set of the nodes in the network includes nodes providing network layer filtering according to filter parameters, and the configuration data includes filter parameters for the network layer filtering.
  - 56. The method of claim 43, wherein the set of the nodes in the network includes nodes providing transport layer filtering according to filter parameters, and the configuration data includes filter parameters for the transport layer filtering.
  - 57. The method of claim 43, wherein the set of the nodes in the network includes nodes providing application layer filtering according to filter parameters, and the configuration data includes filter parameters for the application layer filtering.
  - 58. The method of claim 43, wherein the security functions include authorization.
  - 59. The method of claim 43, wherein the security functions include authentication.
  - 60. The method of claim 43, wherein the security functions include auditing.
  - 61. The method of claim 43, wherein the set of the nodes in the network includes nodes providing network layer filtering according to Internet Protocol (IP) filter parameters, and the configuration data includes IP filter parameters.
  - 62. The method of claim 43, wherein the set of the nodes in the network includes nodes providing filtering according to Internet protocol and transport control protocol (TCP/IP) filter parameters, and the configuration data includes TCP/IP filter parameters.

63. A method for establishing a firewall system in a network including a set of nodes of a plurality of types, nodes in the set of nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node in the network, comprising:
- providing topology data including information about security functions operating in nodes in the set, and about interconnection of nodes in the set;
  
  providing security policy statements indicating security policies to be implemented between a source set of end stations and a destination set of end stations in the set;
  
  identifying, in response to the topology data and the security policy statements, a cut vertex set of nodes consisting of nodes capable of enforcing the security policy statements, and which if removed from the network would isolate the source set from the destination set;
  
  translating, in response to the identified cut vertex set and the security policy statements, into configuration data for security functions operating at nodes in the cut vertex set; and
  
  establishing the configuration data in the security functions at the nodes in the cut vertex set.
- View Dependent Claims (64, 65, 66, 67, 68, 69, 70)
- - 64. The method of claim 63, wherein the topology data includes data structures providing information for particular nodes, including addresses, whether or not the particular node is trusted to enforce security policy, the type of security policy the particular node is able to enforce, and connections of the particular node to other nodes.
  - 65. The method of claim 63, wherein the step of providing the security policy statements includes interpreting a script language to determine the security policy statements, the script language including a syntax for specifying a security policy statement including a source identifier, a destination identifier, a communication activity identifier, and a rule for the identified communication activity between the identified source and the identified destination.
  - 66. The method of claim 63, wherein the step of establishing includes transmitting the configuration data on the network to persistent storage in communication with the nodes in the cut vertex set.
  - 67. The method of claim 66, wherein for at least one node, the persistent storage in communication with the node is local to the node, and for at least one other node the persistent storage in communication with the node is remote from the node.
  - 68. The method of claim 63, wherein the set of the nodes in the network includes nodes providing network layer filtering according to Internet Protocol (IP) filter parameters, and the configuration data includes IP filter parameters.
  - 69. The method of claim 63, wherein the set of the nodes in the network includes nodes providing filtering according to Internet protocol and transport control protocol (TCP/IP) filter parameters, and the configuration data includes TCP/IP filter parameters.
  - 70. The method of claim 63, wherein said cut vertex set consists of a minimal cut vertex set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
3Com Corporation (HP Inc.)
Inventors
Nessett, Danny M., Sherer, William Paul
Primary Examiner(s)
Hua, Ly V.
Assistant Examiner(s)
BADERMAN, SCOTT T

Application Number

US08/865,482
Time in Patent Office

873 Days
Field of Search

395/187.01, 395/188.01, 395/186, 395/200.59, 395/200.53, 395/683, 380/23, 380/25
US Class Current

726/11
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

Multilayer firewall system

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

1110 Citations

70 Claims

Specification

Solutions

Use Cases

Quick Links

Multilayer firewall system

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1110 Citations

70 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links