Filter rule validation and administration for firewalls

US 6,009,475 A
Filed: 12/23/1996
Issued: 12/28/1999
Est. Priority Date: 12/23/1996
Status: Expired due to Term

First Claim

Patent Images

1. A method for validating test packets against a set of filter rules for a firewall between a secure computer network and a nonsecure computer network comprising the steps of:

presenting a user interface in which a test packet can be defined, wherein the user interface includes means for defining values for attributes of the test packet, wherein the attributes of the test packet are selected from a set of attributes of normal packets normally sent between the secure and nonsecure computer networks;

responsive to user input, validating a defined test packet against a set of filter rules in the firewall; and

responsive to failure of the test packet in the validating step, displaying a filter rule which denied the test packet in the set of filter rules.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Filter rules on a firewall between a secure computer network and a nonsecure computer network are validated from a user interface. A user interface is presented in which a test packet can be defined. The user interface includes controls for defining values for attributes of the test packet, wherein the attributes of the test packet are selected from a set of attributes of normal packets normally sent between the secure and nonsecure computer networks. A defined test packet is validated against a set of filter rules in the firewall or matched against the filter rules to determine those filter rules with matching attributes to the defined packet. When validating, responsive to the failure of the test packet in the validating step, the filter rule in the set of filter rules which denied the test packet is displayed.

Citations

27 Claims

1. A method for validating test packets against a set of filter rules for a firewall between a secure computer network and a nonsecure computer network comprising the steps of:
- presenting a user interface in which a test packet can be defined, wherein the user interface includes means for defining values for attributes of the test packet, wherein the attributes of the test packet are selected from a set of attributes of normal packets normally sent between the secure and nonsecure computer networks;
  
  responsive to user input, validating a defined test packet against a set of filter rules in the firewall; and
  
  responsive to failure of the test packet in the validating step, displaying a filter rule which denied the test packet in the set of filter rules.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as recited in claim 1, further comprising the step of presenting a list of filter rules from the set of filter rules, wherein the filter rule which denied the test packet is presented in a different manner than other filter rules in the presented list.
  - 3. The method as recited in claim 2, further comprising the step of presenting a graphical bar representing the set of filter rules, wherein a distance that the packet traveled in the set of filter rules is indicated by changing the presentation of the graphical bar at a position representative of the filter rule which denied the test packet.
  - 4. The method as recited in claim 1 further comprising the steps of:
    - retrieving a plurality of test packets from memory; and
      
      running the validating and displaying steps in batch mode.
  - 5. The method as recited in claim 2 further comprising the steps of:
    - responsive to user input, selecting a filter rule in the presented list; and
      
      responsive to user input, performing an action on the selected filter rule.

6. A method for validating test packets against a set of filter rules for a firewall computer between a secure computer network and a nonsecure computer network, comprising the steps of:
- presenting a user interface in which a test packet can be defined, wherein the user interface includes means for defining values for attributes of the test packet, wherein the attributes of the test packet are selected from a set of attributes of normal packets normally sent between the secure and nonsecure computer networks;
  
  responsive to user input, running a query on a test packet to determine whether any filter rules share attributes with the test packet;
  
  displaying results of the query in a scatter bar representing a set of filter rules, wherein locations of matching filter rules are indicated by lines through the scatter bar; and
  
  responsive to user input, performing an action on a selected filter rule.
- View Dependent Claims (7, 11, 12)
- - 7. The method as recited in claim 6 further comprising the steps of:
    - displaying a list of filter rules, wherein the matching filter rules are displayed in a different manner than nonmatching filter rules; and
      
      displaying a small bar proximate to the scatter bar, the small bar indicating a portion of the set of filter rules displayed as the list of filter rules relative to a complete list of tunnel definitions represented by the scatter bar.
  - 11. The system as recited in claim 6 further comprising the steps of:
    - means for retrieving a plurality of test packets from memory; and
      
      means for running the validating and displaying steps in batch mode.
  - 12. The system as recited in claim 7 further comprising:
    - means responsive to user input for selecting a filter rule in the presented list; and
      
      means responsive to user input for performing an action on the selected filter rule.

8. A system including processor and memory for validating test packets against a set of filter rules for a firewall between a secure computer network and a nonsecure computer network comprising:
- means for presenting a user interface in which a test packet can be defined, wherein the user interface includes means for defining values for attributes of the test packet, wherein the attributes of the test packet are selected from a set of attributes of normal packets normally sent between the secure and nonsecure computer networks;
  
  means responsive to user input for validating a defined test packet against a set of filter rules in the firewall; and
  
  means responsive to failure of the test packet in the validating step for displaying a filter rule which denied the test packet in the set of filter rules.
- View Dependent Claims (9, 10)
- - 9. The system as recited in claim 8, further comprising means for presenting a list of filter rules from the set of filter rules, wherein the filter rule which denied the test packet is presented in a different manner than other filter rules in the presented list.
  - 10. The system as recited in claim 9, further comprising means for presenting a graphical bar representing the set of filter rules, wherein a distance that the packet traveled in the set of filter rules is indicated by changing the presentation of the graphical bar at a position representative of the filter rule which denied the test packet.

13. A system including processor and memory for validating test packets against a set of filtering for a firewall computer between a secure computer network and a nonsecure computer network, comprising:
- means for presenting a user interface in which a test packet can be defined, wherein the user interface includes means for defining values for attributes of the test packet, wherein the attributes of the test packet are selected from a set of attributes of normal packets normally sent between the secure and nonsecure computer networks;
  
  means responsive to user input for running a query on a test packet to determine whether any filter rules share attributes with the test packet;
  
  means for displaying results of the query in a scatter bar representing a set of filter rules, wherein locations of matching filter rules are indicated by lines through the scatter bar; and
  
  means responsive to user input for performing an action on a selected filter rule.
- View Dependent Claims (14)
- - 14. The system as recited in claim 13 further comprising:
    - means for displaying a list of filter rules, wherein the matching filter rules are displayed in a different manner than nomatching filter rules; and
      
      means for displaying a small bar proximate to the scatter bar, the small bar indicating a portion of the set of filter rules displayed as the list of filter rules relative to a complete list of tunnel definitions represented by the scatter bar.

15. A computer program product in a computer readable medium for validating test packets against a set of filter rules on a firewall between a secure computer network and a nonsecure computer network comprising:
- means for presenting a user interface in which a test packet can be defined, wherein the user interface includes means for defining values for attributes of the test packet, wherein the attributes of the test packet are selected from a set of attributes of normal packets normally sent between the secure and nonsecure computer networks;
  
  means for responsive to user input for validating a defined test packet against a set of filter rules in the firewall; and
  
  means responsive to failure of the test packet in the validating step for displaying a filter rule in the set of filter rules which denied the test packet.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The product as recited in claim 15, further comprising presenting a list of filter rules from the set of filter rules, wherein the filter rule which denied the test packet is presented in a different manner than other filter rules in the presented list.
  - 17. The product as recited in claim 16, further comprising means for presenting a graphical bar representing the set of filter rules, wherein a distance that the packet traveled in the set of filter rules is indicated by changing the presentation of the graphical bar at a position representative of the filter rule which denied the test packet.
  - 18. The product as recited in claim 15 further comprising;
    - means for retrieving a plurality of test packets from memory; and
      
      means for running the validating and displaying steps in batch mode.
  - 19. The product as recited in claim 16 further comprising:
    - means responsive to user input for selecting a filter rule it the presented list; and
      
      means responsive to user input for performing an action on the selected filter rule.

20. A computer program product in a computer readable medium for validating test packets against a set of filter rules for a firewall computer between a secure computer network and a nonsecure computer network, comprising:
- means for presenting a user interface in which a test packet can be defined, wherein the user interface includes means for defining values for attributes of the test packet, wherein the attributes of the test packet are selected from a set of attributes of normal packets normally sent between the secure and nonsecure computer networks;
  
  means for responsive to user input for running a query on a test packet to determine whether any filter rules share attributes with the test packet;
  
  means displaying results of the query in a scatter bar representing a set of filter rules, wherein locations of matching filter rules are indicated by lines through the scatter bar; and
  
  means responsive to user input for performing an action on a selected filter rule.
- View Dependent Claims (21)
- - 21. The product as recited in claim 20 further comprising:
    - means for displaying a list of filter rules, wherein the matching filter rules are displayed in a different manner than nonmatching filter rules; and
      
      means for displaying a small bar proximate to the scatter bar, the small bar indicating a portion of the set of filter rules displayed as the list of filter rules relative to a complete list of tunnel definitions represented by the scatter bar.

22. A method for validating test packets against a set filter rules for a firewall between a secure computer network and a nonsecure computer network comprising the steps of:
- presenting a user interface in which a test packet can be defined, wherein the user interface includes means for defining values for attributes of the test packet, wherein the attributes of the test packet are selected from a set of attributes of normal packets normally sent between the secure and nonsecure computer networks;
  
  responsive to user input, validating a defined test packet against a set of filter rules in the firewall; and
  
  responsive to failure of the test packet in the validating step, displaying a subset of filter rules which passed the packet and a filter rule which denied the test packet.
- View Dependent Claims (23, 24)
- - 23. The method as recited in claim 22 wherein the displaying step shows a graphical display of the filter rule which denied the test packet and the subset of filter rules through which the packet passed.
  - 24. The method as recited in claim 22 wherein a test packet can be incompletely defined.

25. A method for validating test packets against a set of filtering for a firewall computer between a secure computer network and a nonsecure computer network, comprising the steps of:
- presenting a user interface in which a test packet can be defined, wherein the user interface includes means for defining values for attributes of the test packet, wherein the attributes of the test packet are selected from a set of attributes of normal packets normally sent between the secure and nonsecure computer networks;
  
  responsive to user input, running a query on a test packet to determine whether which ones of a set of filter rules share attributes with the test packet; and
  
  displaying results of the query showing matching filter rules in a different manner from nonmatching filter rules.
- View Dependent Claims (26, 27)
- - 26. The method as recited in claim 25 wherein the displaying step presents a graphical display of the set of filter rules, wherein representations of matching filter rules are presented in a different manner than nonmatching filter rules.
  - 27. The method as recited in claim 26 wherein the set of filter rules is presented as a list of filter rules wherein matching filter rules are presented in a different manner than nonmatching filter rules and the method further comprises the step of responsive to user selection of a filter rule in the list, performing an action on the selected filter rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Shrader, Theodore Jack London
Primary Examiner(s)
Maung, Zarni
Assistant Examiner(s)
Barot, Bharat

Application Number

US08/773,543
Time in Patent Office

1,100 Days
Field of Search

395/200.47, 395/200.48, 395/200.58, 395/200.59, 395/200.57, 395/200.77, 395/200.78, 395/200.79, 395/186, 395/187.01, 395/188.01, 709/217-219, 709/227-229, 709/247-249, 709/200-203, 709/206, 709/246-250, 713/200-202
US Class Current

709/249
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/0263 Rule management

Filter rule validation and administration for firewalls

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Filter rule validation and administration for firewalls

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links