Active firewall system and methodology

US 6,550,012 B1
Filed: 06/08/1999
Issued: 04/15/2003
Est. Priority Date: 12/11/1998
Status: Expired due to Term

First Claim

Patent Images

1. In a computer network system comprising a plurality of software components, a method for providing network security using authenticated communication between software components of the system, the method comprising:

specifying first, second, and third software components that may participate in authenticated communication, including creating a digital certificate for each software component;

detecting by the first component a security-related event of interest that occurs in the system;

initiating authenticated communication between the first software component and the second software component, so that the first software component may report the event to the second software component;

initiating authenticated communication between the second software component and the third software component, so that the second software component may indicate to the third software component how to handle the event; and

handling the event at the third software component in the manner indicated by the second software component, so that the event is automatically handled by the system.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and methodology providing automated or “proactive” network security (“active” firewall) are described. The system implements methodology for verifying or authenticating communications, especially between network security components thereby allowing those components to share information. In one embodiment, a system implementing an active firewall is provided which includes methodology for verifying or authenticating communications between network components (e.g., sensor(s), arbiter, and actor(s)), using cryptographic keys or digital certificates. Certificates may be used to digitally sign a message or file and, in a complementary manner, to verify a digital signature. At the outset, particular software components that may participate in authenticated communication are specified, including creating a digital certificate for each such software component. Upon detection by a sensor that an event of interest that has occurred in the computer network system, the system may initiate authenticated communication between the sensor component and a central arbiter (e.g., “event orchestrator”) component, so that the sensor may report the event to the arbiter or “brain.” Thereafter, the arbiter (if it chooses to act on that information) initiates authenticated communication between itself and a third software component, an “actor” component (e.g., “firewall”). The arbiter may indicate to the actor how it should handle the event. The actor or firewall, upon receiving the information, may now undertake appropriate action, such as dynamically creating or modifying rules for appropriately handling the event, or it may choose to simply ignore the information.

629 Citations

60 Claims

1. In a computer network system comprising a plurality of software components, a method for providing network security using authenticated communication between software components of the system, the method comprising:
- specifying first, second, and third software components that may participate in authenticated communication, including creating a digital certificate for each software component;
  
  detecting by the first component a security-related event of interest that occurs in the system;
  
  initiating authenticated communication between the first software component and the second software component, so that the first software component may report the event to the second software component;
  
  initiating authenticated communication between the second software component and the third software component, so that the second software component may indicate to the third software component how to handle the event; and
  
  handling the event at the third software component in the manner indicated by the second software component, so that the event is automatically handled by the system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein each of the software components operates on a separate computer connected to the computer network system.
  - 3. The method of claim 1, wherein said specifying step includes:
4. The method of claim 3, wherein said input includes:
- digitally signing a digital certificate of each software component permitted to participate in authenticated communication with a digital certificate for the user having system administrator privileges.
5. The method of claim 1, wherein authenticated communication is initiated between components by:
- exchanging digital certificates of the respective software components, and if the digital certificate of each respective software component has been signed by an entity that the other software component trusts, establishing authenticated communication between the two software components.
6. The method of claim 5, wherein each digital certificate created is stored in a central repository.
7. The method of claim 1, wherein authenticated communication provided by the method includes:
- associating a digital fingerprint with each message that occurs during authenticated communication.
8. The method of claim 7, wherein said digital fingerprint includes a cryptographic hash.
9. The method of claim 7, wherein said digital fingerprint includes a message digest.
10. The method of claim 7, wherein the digital fingerprint for a given message is based, at least in part, on a digital certificate for the respective component that created the given message.
11. The method of claim 7, wherein authenticated communication provided by the method includes:
- authenticating a given message of the authenticated communication using the digital fingerprint specifically computed for the given message.
12. The method of claim 1, further comprising:
- encrypting communication between the software components.
13. The method of claim 12, wherein said step of encrypting communication includes:
- encrypting messages from one component to a digital certificate for the other component.
14. The method of claim 1, wherein information about an event occurring in the system is transmitted as a certogram.
15. The method of claim 14, wherein each certogram comprises information organized into attribute/value format.
16. The method of claim 1, wherein authenticated communication provided by the method includes:
- validating a digital certificate for each component participating in authenticated communication.
17. The method of claim 16, wherein said validating step includes determining selected ones of expiration, revocation, and disablement for each digital certificate being validated.
18. The method of claim 1, wherein the second software component includes an event handler for instructing the third software component how to appropriately handle the event.
19. The method of claim 1, wherein said event occurring in the system comprises a detected vulnerability.
20. The method of claim 19, wherein said system includes a firewall as said third component and wherein said event handler instructs the firewall to create a new firewall rule for appropriately handling the detected vulnerability.

21. A method for providing automated network security for a network system, the method comprising:
- providing a configurable firewall capable of limiting access to the network system, a sensor for detecting vulnerabilities in the network system, and an arbiter for specifying reconfiguration of the firewall for handling vulnerabilities detected by the sensor;
  
  specifying that the firewall, the sensor, and the arbiter may participate in authenticated communication;
  
  detecting by the sensor a particular vulnerability in the network system;
  
  establishing an authenticated communication session between the sensor and the arbiter for transmitting information about the particular vulnerability from the sensor to the arbiter; and
  
  establishing an authenticated communication session between the arbiter and the firewall for transmitting instructions for handling the particular vulnerability from the arbiter to the firewall, such that the particular vulnerability may be handled in an automated manner.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 22. The method of claim 21, wherein the firewall, the sensor, and the arbiter each operates on a separate computer connected to the network system.
  - 23. The method of claim 21, wherein said specifying step includes:
24. The method of claim 23, wherein said specifying step further includes:
- creating a digital certificate for the user having system administrator privileges and creating a digital certificate for each component that is permitted to participate in authenticated communication;
  
  digitally signing the digital certificate of each component permitted to participate in authenticated communication with the digital certificate for the user having system administrator privileges.
25. The method of claim 24, wherein each digital certificate comprises a PGP-compatible key.
26. The method of claim 23, wherein each digital certificate created is stored in a central repository.
27. The method of claim 21, wherein authenticated communication is established between components by authenticating messages communicated between those components using digital fingerprints.
28. The method of claim 27, wherein each digital fingerprint comprises a cryptographic hash.
29. The method of claim 27, wherein each digital fingerprint comprises a message digest.
30. The method of claim 27, wherein the digital fingerprint for a given message is based, at least in part, on a digital certificate of the respective component that created the given message.
31. The method of claim 27, wherein authenticated communication is established between components by authenticating a given message using a digital fingerprint specifically computed for the given message.
32. The method of claim 21, further comprising:
- encrypting communication between components of the network system.
33. The method of claim 32, wherein said step of encrypting communication includes:
- encrypting messages from one component to a digital certificate created for the other component.
34. The method of claim 21, wherein said information about the particular vulnerability comprises information organized into attribute/value format.
35. The method of claim 21, wherein authenticated communication is established between two components by exchanging digital certificates of each component with the other and thereafter establishing trust and validity for each digital certificate so exchanged.
36. The method of claim 35, wherein establishing validity includes determining selected ones of expiration, revocation, and disablement for each digital certificate being validated.
37. The method of claim 21, wherein the particular vulnerability comprises detection of unauthorized access to the network system.
38. The method of claim 21, wherein the particular vulnerability comprises detection of an unauthorized mail server on the network system.
39. The method of claim 21, wherein the particular vulnerability comprises detection of an unauthorized FTP (File Transport Protocol) server on the network system.
40. The method of claim 21, wherein the particular vulnerability comprises detection of an unauthorized writeable directory on the network system.

41. A system providing automatically-reconfigurable security for a computer network, the system comprising:
- a configurable firewall component providing security to the computer network;
  
  a sensor component for detecting security-related events that occur in the computer network;
  
  an arbiter component for specifying reconfiguration of the firewall component for handling at least some of the security-related events detected by the sensor component; and
  
  a communication layer, configured to specify that the firewall component, the sensor component, and the arbiter component may participate in authenticated communication, so that the firewall component may be automatically reconfigured by the arbiter component to handle a particular security-related event that has been detected by the sensor component.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 42. The system of claim 41, wherein the firewall component, the sensor component, and the arbiter component each operates on a separate computer connected to the computer network.
  - 43. The system of claim 41, wherein said communication layer may be configured from input from a user having system administrator privileges that specify which particular components in the system may participate in authenticated communication.
  - 44. The system of claim 43, wherein said system operates, in response to said input, to create a digital certificate for the user having system administrator privileges, to create a digital certificate for each component that is permitted to participate in authenticated communication, and to digitally sign the digital certificate of each component permitted to participate in authenticated communication with the digital certificate for the user having system administrator privileges.
  - 45. The system of claim 44, wherein each digital certificate comprises a PGP-compatible key.
  - 46. The system of claim 44, wherein each digital certificate created is stored in a central repository.
  - 47. The system of claim 41, wherein authenticated communication is established between components by authenticating messages communicated between those components using digital fingerprints.
  - 48. The system of claim 47, wherein each digital fingerprint comprises a cryptographic hash.
  - 49. The system of claim 47, wherein each digital fingerprint comprises a message digest.
  - 50. The system of claim 47, wherein the digital fingerprint for a given message is based, at least in part, on a digital certificate of the respective component that created the given message.
  - 51. The system of claim 47, wherein authenticated communication is established between components by authenticating a given message using a digital fingerprint specifically computed for the given message.
  - 52. The system of claim 41, wherein said communication layer provides encryption of communication between components of the system.
  - 53. The system of claim 52, wherein encrypted messages sent to a particular component are encrypted to the public key certificate of that component.
  - 54. The system of claim 41, wherein information about security-related events is communicated in attribute/value format.
  - 55. The system of claim 41, wherein authenticated communication is established between two components by exchanging digital certificates of each component with the other and thereafter establishing trust and validity for each digital certificate so exchanged.
  - 56. The system of claim 55, wherein establishing validity includes determining selected ones of expiration, revocation, and disablement for each digital certificate being validated.
  - 57. The system of claim 41, wherein the particular security-related event comprises detection, of unauthorized access to the computer network.
  - 58. The system of claim 41, wherein the particular security-related event comprises detection of an unauthorized mail server on the computer network.
  - 59. The system of claim 41, wherein the particular security-related event comprises detection of an unauthorized FTP (File Transport Protocol) server on the computer network.
  - 60. The system of claim 41, wherein the particular security-related event comprises detection of an unauthorized writeable directory on the computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Network Associates, Inc.
Inventors
Varga, Michael David, Jones, Michael Kevin, Zidaritz, Adrian, Villa, Emilio, McArdle, Mark James, Eschelbeck, Gerhard
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/328,177
Time in Patent Office

1,407 Days
Field of Search

713/201, 713/200, 713/168, 713/170
US Class Current

726/11
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0263   Rule management

H04L 63/0823   using certificates cryptogr...

H04L 63/20   for managing network securi...

Active firewall system and methodology

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

629 Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

Active firewall system and methodology

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

629 Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links