System and method for increasing the resiliency of firewall systems
Abstract
A system and method for minimizing the likelihood of flaws in a firewall proxy is disclosed. Software wrappers are used to introduce fine-grained controls on the operation of existing proxy applications. These fine-grained controls create an extra measure of assurance that bugs (or malicious software) will not subvert the intent of the firewall. To provide even further assurance, the firewall system can be totally wrapped. A totally wrapped system includes a wrapper for the proxies plus a separate wrapper for everything else on the firewall system that can potentially interfere with the wrappers and the proxies. The software wrappers can also be integrated with an intrusion detection system. The fine-grained controls of the software wrapper enable it to be uniquely positioned to generate alerts based on an indication that a flaw exists in the proxy and that the proxy is misbehaving.
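The "fine-grained controls" the abstract describes amount to a mediation layer that sits between the proxy and the operating system, refuses operations outside the proxy's intended behavior, and raises an alert each time it does so. The following is an added example, not code from the patent or its assignee, showing such a wrapper built on CPython's audit hooks (sys.addaudithook, Python 3.8 and later): outbound connects are confined to the permitted network region and ports, file writes and program execution are refused, and every refusal is recorded as an alert that an intrusion detection component could consume. ProxyWrapper, Policy, Alert, demo_proxy_agent and run_demo are names chosen here; the DEBUG verb in the toy proxy is a constructed flaw standing in for the "bugs (or malicious software)" the abstract wants the wrapper to contain, and the sample requests are constructed.

```python
"""Software wrapper around an in-process proxy agent (added example, hypothetical names).
CPython audit hooks (sys.addaudithook, 3.8+) are used to confine the proxy's connects
to a permitted region and ports, refuse file writes and program execution, and alert."""
import ipaddress
import os
import socket
import sys
import threading
from dataclasses import dataclass
from typing import List, Optional, Tuple

_EXEC_EVENTS = frozenset({"os.system", "os.exec", "os.posix_spawn", "os.spawn", "subprocess.Popen"})


@dataclass(frozen=True)
class Alert:
    event: str    # audit event name, e.g. "socket.connect"
    detail: str   # what the proxy tried to do
    reason: str   # which rule refused it


@dataclass(frozen=True)
class Policy:
    allowed_regions: Tuple[str, ...]            # CIDRs the proxy may connect into
    allowed_ports: Tuple[int, ...] = (80, 443)

    def check_connect(self, address) -> Optional[str]:
        if not isinstance(address, tuple) or len(address) < 2:
            return "only IPv4 (host, port) destinations are permitted"
        host, port = address[0], address[1]
        try:   # the audit event carries the address *before* resolution, so a
            ip = ipaddress.IPv4Address(host)   # hostname is refused before any DNS query
        except ValueError:
            return "destination must be an IPv4 literal, not a hostname"
        if not any(ip in ipaddress.IPv4Network(r) for r in self.allowed_regions):
            return "destination outside the permitted network region"
        if port not in self.allowed_ports:
            return f"port {port} not permitted"
        return None


class ProxyWrapper:
    """Enforces `policy` on whatever runs inside `with wrapper:`.  Audit hooks are
    process-wide and cannot be removed, so enforcement is gated on a thread-local flag."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.alerts: List[Alert] = []          # the IDS feed
        self._state = threading.local()
        sys.addaudithook(self._hook)

    def __enter__(self) -> "ProxyWrapper":
        self._state.active = True
        return self

    def __exit__(self, *exc) -> bool:
        self._state.active = False
        return False                            # never swallow the proxy's exceptions

    def _deny(self, event: str, detail: str, reason: str) -> None:
        self.alerts.append(Alert(event, detail, reason))
        raise PermissionError(f"wrapper denied {event}: {reason}")   # aborts the operation

    def _hook(self, event: str, args: tuple) -> None:
        if not getattr(self._state, "active", False):
            return
        if event == "socket.connect":           # args: (socket, address)
            reason = self.policy.check_connect(args[1])
            if reason:
                self._deny(event, repr(args[1]), reason)
        elif event in _EXEC_EVENTS:
            self._deny(event, repr(args[0]), "proxy must never execute programs")
        elif event == "open":                   # args: (path, mode or None, flags)
            path, mode, flags = args
            writing = (mode is not None and any(c in mode for c in "wax+")) or bool(
                flags & (os.O_WRONLY | os.O_RDWR))
            if writing:
                self._deny(event, f"{path!r} mode={mode!r}", "proxy must not write files")


def demo_proxy_agent(request_line: str) -> str:
    """Toy CONNECT proxy; the DEBUG verb is a constructed flaw (a leftover diagnostic)."""
    verb, _, rest = request_line.partition(" ")
    try:
        if verb == "DEBUG":
            os.system("ping -c 1 " + rest)      # constructed command injection
            return "200 debug ping issued"
        host, _, port = rest.split()[0].rpartition(":")
        with socket.socket() as sock:           # explicit connect: the hook sees the raw address
            sock.settimeout(2)
            sock.connect((host, int(port)))
        return "200 Connection established"
    except PermissionError as exc:
        return f"403 {exc}"


def run_demo() -> List[str]:
    """Run constructed requests through the wrapped proxy; refused ones come back as 403."""
    wrapper = ProxyWrapper(Policy(("10.0.0.0/8",)))
    requests = ["CONNECT 8.8.8.8:443 HTTP/1.1",    # outside the permitted region
                "CONNECT 10.0.0.5:22 HTTP/1.1",    # right region, forbidden port
                "DEBUG 10.0.0.5; cat /etc/shadow"]  # injection through the flaw
    with wrapper:
        responses = [demo_proxy_agent(r) for r in requests]
    return responses + [f"{a.event}: {a.reason}" for a in wrapper.alerts]
```

Audit hooks cannot be removed once installed, which gives this wrapper some protection against other code in the same interpreter switching it off, but it only mediates what CPython itself audits. The "totally wrapped" configuration of the abstract, with a second wrapper isolating the proxy and its wrapper from everything else on the host, has no counterpart in a single-process example; a production design would run the proxy as a separate process under kernel-enforced controls and wrap the remaining processes the same way.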
29 Claims
1. A computer system that implements a security barrier between a first computer network region and a second computer network region, the computer system comprising:
at least one proxy agent running on the computer system, said at least one proxy agent being operative to mediate traffic between a first computer network region and a second computer network region;
at least one first software wrapper application running on the computer system, said at least one first software wrapper application associated with said at least one proxy agent and being operative to constrain at least one element of behavior of said at least one proxy agent; and
at least one second software wrapper application running on the computer system, said at least one second software wrapper application being operative to prevent other applications on the computer system from interfering with said at least one proxy agent and said at least one first software wrapper application.
(Dependent claims 2, 3, 4, 5, 6, 7, 8, 9 and 10 depend from claim 1.)

11. A firewall computer system that implements a security barrier between a first computer network region and a second computer network region, the firewall computer system comprising:
at least one proxy agent running on the firewall computer system, said at least one proxy agent being operative to mediate traffic between a first computer network region and a second computer network region; and
at least one software wrapper application running on the firewall computer system, said at least one software wrapper application associated with said at least one proxy agent and being operative to constrain at least one element of behavior of said at least one proxy agent.
(Dependent claims 12, 13, 14, 15, 16, 17, 18, 19 and 20 depend from claim 11.)

21. A computer program product for enabling a processor in a computer system to implement a security barrier between a first computer network region and a second computer network region, said computer program product comprising:
a computer usable medium having computer readable program code means embodied in said medium for causing a program to execute on the computer system, said computer readable program code means comprising:
a first computer readable program code means for enabling the computer system to implement a proxy agent, said proxy agent being operative to mediate traffic between said first computer network region and said second computer network region;
a second computer readable program code means for enabling the computer system to implement a first software wrapper application, said first software wrapper application associated with said proxy agent and being operative to constrain at least one element of behavior of said proxy agent; and
a third computer readable program code means for enabling the computer system to implement a second software wrapper application, said second software wrapper application being operative to prevent other applications on the computer system from interfering with said proxy agent and said first software wrapper application.

22. A computer program product for enabling a processor in a computer system to implement a security barrier between a first computer network region and a second computer network region, said computer program product comprising:
a computer usable medium having computer readable program code means embodied in said medium for causing a program to execute on the computer system, said computer readable program code means comprising:
a first computer readable program code means for enabling the computer system to implement a proxy agent, said proxy agent being operative to mediate traffic between said first computer network region and said second computer network region; and
a second computer readable program code means for enabling the computer system to implement a software wrapper application, said software wrapper application associated with said proxy agent and being operative to constrain at least one element of behavior of said proxy agent.

23. A method in a firewall computer system for implementing a security barrier between a first computer network region and a second computer network region, the method comprising the steps of:
(a) wrapping at least one proxy agent running on a computer system using at least one first software wrapper application, said at least one first software wrapper application associated with said at least one proxy agent and being operative to constrain at least one element of behavior of said at least one proxy agent; and
(b) wrapping other applications on the computer system using at least one second software wrapper application, said at least one second software wrapper application being operative to prevent said other applications on the computer system from interfering with said at least one proxy agent and said at least one first software wrapper application.
(Dependent claims 24, 25, 26, 27, 28 and 29 depend from claim 23.)
Specification