Active firewall system and methodology
11 Assignments
0 Petitions
Abstract
System and methodology providing automated or “proactive” network security (“active” firewall) are described. The system implements methodology for verifying or authenticating communications, especially between network security components, thereby allowing those components to share information. In one embodiment, a system implementing an active firewall is provided which includes methodology for verifying or authenticating communications between network components (e.g., sensor(s), arbiter, and actor(s)), using cryptographic keys or digital certificates. Certificates may be used to digitally sign a message or file and, in a complementary manner, to verify a digital signature. At the outset, particular software components that may participate in authenticated communication are specified, including creating a digital certificate for each such software component. Upon detection by a sensor that an event of interest has occurred in the computer network system, the system may initiate authenticated communication between the sensor component and a central arbiter (e.g., “event orchestrator”) component, so that the sensor may report the event to the arbiter or “brain.” Thereafter, the arbiter (if it chooses to act on that information) initiates authenticated communication between itself and a third software component, an “actor” component (e.g., “firewall”). The arbiter may indicate to the actor how it should handle the event. The actor or firewall, upon receiving the information, may now undertake appropriate action, such as dynamically creating or modifying rules for appropriately handling the event, or it may choose to simply ignore the information.
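The sensor, arbiter and firewall exchange described in the abstract, written out as an added example (not code from the patent or any product): an admin-signed certificate per component, certificate validation for trust, expiration, revocation and disablement, and attribute/value certograms carrying a per-message fingerprint bound to the sender's certificate. HMAC under constructed keys stands in for the PGP-compatible signatures the claims mention; all names, keys and the reported event are constructed.

```python
import hashlib
import hmac

# HMAC under the admin key stands in for the admin's certificate signature (claims 24-25);
# each component's own key yields the per-message fingerprint (claims 7-11). All constructed.
ADMIN_KEY = b"admin-key-constructed"
KEYS = {"sensor": b"sensor-key", "arbiter": b"arbiter-key", "firewall": b"fw-key"}
REVOKED = set()  # names of certificates the admin has revoked

def _tag(key, data):
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def _cert_body(c):
    return f"{c['name']}|{c['expires']}|{c['key_id']}|{c['enabled']}"

def issue_cert(name, expires, enabled=True):
    """Admin creates and signs a certificate for one component (claim 24)."""
    cert = {"name": name, "expires": expires, "enabled": enabled,
            "key_id": hashlib.sha256(KEYS[name]).hexdigest()[:16]}
    cert["sig"] = _tag(ADMIN_KEY, _cert_body(cert))
    return cert

def validate_cert(cert, now):
    """Claims 16-17: trusted signer first, then expiration, revocation, disablement."""
    if not hmac.compare_digest(_tag(ADMIN_KEY, _cert_body(cert)), cert["sig"]):
        return "untrusted"
    if now > cert["expires"]:
        return "expired"
    if cert["name"] in REVOKED:
        return "revoked"
    return "ok" if cert["enabled"] else "disabled"

def send_certogram(cert, attrs):
    """Claims 14-15: attribute/value body; fingerprint bound to the sender's cert (claim 10)."""
    body = "\n".join(f"{k}={v}" for k, v in attrs.items())
    return {"cert": cert, "body": body,
            "fp": _tag(KEYS[cert["name"]], cert["key_id"] + "\n" + body)}

def receive_certogram(msg, now):
    """Validate the peer certificate, then the fingerprint, then parse the attributes."""
    status = validate_cert(msg["cert"], now)
    if status != "ok":
        raise ValueError(f"certificate {status}")
    expected = _tag(KEYS[msg["cert"]["name"]], msg["cert"]["key_id"] + "\n" + msg["body"])
    if not hmac.compare_digest(expected, msg["fp"]):
        raise ValueError("fingerprint mismatch")
    return dict(line.split("=", 1) for line in msg["body"].splitlines())

def run_active_firewall(now=100):
    """Claim 21 end to end: sensor reports, arbiter instructs, firewall creates a rule."""
    sensor, arbiter = issue_cert("sensor", 200), issue_cert("arbiter", 200)
    report = {"event": "unauthorized_ftp", "host": "10.0.0.7", "port": "21"}  # constructed
    event = receive_certogram(send_certogram(sensor, report), now)      # arbiter side
    order = {"action": "block", "host": event["host"], "port": event["port"]}
    handled = receive_certogram(send_certogram(arbiter, order), now)    # firewall side
    return f"deny tcp to {handled['host']} port {handled['port']}"
```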
629 Citations
60 Claims
1. In a computer network system comprising a plurality of software components, a method for providing network security using authenticated communication between software components of the system, the method comprising:
specifying first, second, and third software components that may participate in authenticated communication, including creating a digital certificate for each software component;
detecting by the first component a security-related event of interest that occurs in the system;
initiating authenticated communication between the first software component and the second software component, so that the first software component may report the event to the second software component;
initiating authenticated communication between the second software component and the third software component, so that the second software component may indicate to the third software component how to handle the event; and
handling the event at the third software component in the manner indicated by the second software component, so that the event is automatically handled by the system.

receiving input from a user having system administrator privileges specifying which software components may participate in authenticated communication.

4. The method of claim 3, wherein said input includes:
digitally signing a digital certificate of each software component permitted to participate in authenticated communication with a digital certificate for the user having system administrator privileges.

5. The method of claim 1, wherein authenticated communication is initiated between components by:
exchanging digital certificates of the respective software components, and if the digital certificate of each respective software component has been signed by an entity that the other software component trusts, establishing authenticated communication between the two software components.

6. The method of claim 5, wherein each digital certificate created is stored in a central repository.

7. The method of claim 1, wherein authenticated communication provided by the method includes:
associating a digital fingerprint with each message that occurs during authenticated communication.

8. The method of claim 7, wherein said digital fingerprint includes a cryptographic hash.

9. The method of claim 7, wherein said digital fingerprint includes a message digest.

10. The method of claim 7, wherein the digital fingerprint for a given message is based, at least in part, on a digital certificate for the respective component that created the given message.

11. The method of claim 7, wherein authenticated communication provided by the method includes:
authenticating a given message of the authenticated communication using the digital fingerprint specifically computed for the given message.

12. The method of claim 1, further comprising:
encrypting communication between the software components.

13. The method of claim 12, wherein said step of encrypting communication includes:
encrypting messages from one component to a digital certificate for the other component.

14. The method of claim 1, wherein information about an event occurring in the system is transmitted as a certogram.

15. The method of claim 14, wherein each certogram comprises information organized into attribute/value format.

16. The method of claim 1, wherein authenticated communication provided by the method includes:
validating a digital certificate for each component participating in authenticated communication.

17. The method of claim 16, wherein said validating step includes determining selected ones of expiration, revocation, and disablement for each digital certificate being validated.

18. The method of claim 1, wherein the second software component includes an event handler for instructing the third software component how to appropriately handle the event.

19. The method of claim 1, wherein said event occurring in the system comprises a detected vulnerability.

20. The method of claim 19, wherein said system includes a firewall as said third component and wherein said event handler instructs the firewall to create a new firewall rule for appropriately handling the detected vulnerability.

21. A method for providing automated network security for a network system, the method comprising:
providing a configurable firewall capable of limiting access to the network system, a sensor for detecting vulnerabilities in the network system, and an arbiter for specifying reconfiguration of the firewall for handling vulnerabilities detected by the sensor;
specifying that the firewall, the sensor, and the arbiter may participate in authenticated communication;
detecting by the sensor a particular vulnerability in the network system;
establishing an authenticated communication session between the sensor and the arbiter for transmitting information about the particular vulnerability from the sensor to the arbiter; and
establishing an authenticated communication session between the arbiter and the firewall for transmitting instructions for handling the particular vulnerability from the arbiter to the firewall, such that the particular vulnerability may be handled in an automated manner.

receiving input from a user having system administrator privileges specifying which particular components in the system may participate in authenticated communication.

24. The method of claim 23, wherein said specifying step further includes:
creating a digital certificate for the user having system administrator privileges and creating a digital certificate for each component that is permitted to participate in authenticated communication;
digitally signing the digital certificate of each component permitted to participate in authenticated communication with the digital certificate for the user having system administrator privileges.

25. The method of claim 24, wherein each digital certificate comprises a PGP-compatible key.

26. The method of claim 23, wherein each digital certificate created is stored in a central repository.

27. The method of claim 21, wherein authenticated communication is established between components by authenticating messages communicated between those components using digital fingerprints.

28. The method of claim 27, wherein each digital fingerprint comprises a cryptographic hash.

29. The method of claim 27, wherein each digital fingerprint comprises a message digest.

30. The method of claim 27, wherein the digital fingerprint for a given message is based, at least in part, on a digital certificate of the respective component that created the given message.

31. The method of claim 27, wherein authenticated communication is established between components by authenticating a given message using a digital fingerprint specifically computed for the given message.

32. The method of claim 21, further comprising:
encrypting communication between components of the network system.

33. The method of claim 32, wherein said step of encrypting communication includes:
encrypting messages from one component to a digital certificate created for the other component.

34. The method of claim 21, wherein said information about the particular vulnerability comprises information organized into attribute/value format.

35. The method of claim 21, wherein authenticated communication is established between two components by exchanging digital certificates of each component with the other and thereafter establishing trust and validity for each digital certificate so exchanged.

36. The method of claim 35, wherein establishing validity includes determining selected ones of expiration, revocation, and disablement for each digital certificate being validated.

37. The method of claim 21, wherein the particular vulnerability comprises detection of unauthorized access to the network system.

38. The method of claim 21, wherein the particular vulnerability comprises detection of an unauthorized mail server on the network system.

39. The method of claim 21, wherein the particular vulnerability comprises detection of an unauthorized FTP (File Transport Protocol) server on the network system.

40. The method of claim 21, wherein the particular vulnerability comprises detection of an unauthorized writeable directory on the network system.

41. A system providing automatically-reconfigurable security for a computer network, the system comprising:
a configurable firewall component providing security to the computer network;
a sensor component for detecting security-related events that occur in the computer network;
an arbiter component for specifying reconfiguration of the firewall component for handling at least some of the security-related events detected by the sensor component; and
a communication layer, configured to specify that the firewall component, the sensor component, and the arbiter component may participate in authenticated communication, so that the firewall component may be automatically reconfigured by the arbiter component to handle a particular security-related event that has been detected by the sensor component.
Specification