Method and apparatus for analyzing one or more firewalls

US 7,016,980 B1
Filed: 01/18/2000
Issued: 03/21/2006
Est. Priority Date: 01/18/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for analyzing at least one gateway in a network, said at least one gateway having a packet filtering configuration file including a plurality of rules, said network having a plurality of addresses, said method comprising the steps of:

generating a gateway-zone graph that models said network based on said packet filtering configuration file, said gateway-zone graph having at least one gateway node corresponding to said at least one gateway and at least two zone nodes, wherein said at least one gateway is a packet filtering machine and each of said zone nodes correspond to a partitioned collection of said addresses created by said at least one gateway;

receiving a query inquiring whether one or more given services are permitted between at least one source address and at least one destination address; and

evaluating said query against each of said rules associated with each gateway node in said gateway-zone graph that is encountered between said at least one source address and said at least one destination address.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus are disclosed for analyzing the operation of one or more network gateways, such as firewalls or routers, that perform a packet filtering function in a network environment. Given a user query, the disclosed firewall analysis tool simulates the behavior of the various firewalls, taking into account the topology of the network environment, and determines which portions of the services or machines specified in the original query would manage to reach from the source to the destination. The relevant packet-filtering configuration files are collected and an internal representation of the implied security policy is derived. A graph data structure is used to represent the network topology. A gateway-zone graph permits the firewall analysis tool to determine where given packets will travel in the network, and which gateways will be encountered along those paths. In this manner, the firewall analysis tool can evaluate a query object against each rule-base object, for each gateway node in the gateway-zone graph that is encountered along each path between the source and destination. A graphical user interface is provided for receiving queries, such as whether one or more given services are permitted between one or more given machines, and providing results. A spoofing attack can be simulated by allowing the user to specify where packets are to be injected into the network, which may not be the true location of the source host-group.

89 Citations

View as Search Results

29 Claims

1. A method for analyzing at least one gateway in a network, said at least one gateway having a packet filtering configuration file including a plurality of rules, said network having a plurality of addresses, said method comprising the steps of:
- generating a gateway-zone graph that models said network based on said packet filtering configuration file, said gateway-zone graph having at least one gateway node corresponding to said at least one gateway and at least two zone nodes, wherein said at least one gateway is a packet filtering machine and each of said zone nodes correspond to a partitioned collection of said addresses created by said at least one gateway;
  
  receiving a query inquiring whether one or more given services are permitted between at least one source address and at least one destination address; and
  
  evaluating said query against each of said rules associated with each gateway node in said gateway-zone graph that is encountered between said at least one source address and said at least one destination address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein said rules are expressed as rule-base objects.
  - 3. The method of claim 1, wherein said gateway-zone graph is derived from a network topology file.
  - 4. The method of claim 1, wherein said query includes a wildcard for at least one of said service, source address or destination address.
  - 5. The method of claim 1, further comprising the step of determining a portion of said one or more given services that are permitted between at least one source address and at least one destination address.
  - 6. The method of claim 1, further comprising the step of transforming said packet filtering configuration files into a table of logical rules that are processed during said evaluating step.
  - 7. The method of claim 1, wherein said query consists of a source host-group, a destination host-group, and a service host-group.
  - 8. The method of claim 1, wherein said query specifies a location where packets are to be inserted into the network that is different from a source address.

9. A method of modeling a network having a plurality of gateway devices, comprising the steps of:
- identifying each gateway device in said network having a packet-filtering rule-base and each zone in said network defined by said gateway devices; and
  
  generating a gateway-zone graph that models said network based on said packet-filtering rule-base, said gateway-zone graph having a gateway node corresponding to each of said gateway devices and a zone node corresponding to each of said zones.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9, wherein said gateway-zone graph is derived from a network topology file.
  - 11. The method of claim 9, further comprising the step of transforming said packet-filtering rule-base into a table of logical rules.

12. An apparatus for analyzing at least one gateway in a network, said at least one gateway having a packet filtering configuration file including a plurality of packet filtering rules, said network having a plurality of addresses, said tool comprising:
- a user interface for receiving a query inquiring whether one or more given services are permitted between at least one source address and at least one destination address, wherein each of said source addresses and said destination addresses correspond to one of said zones; and
  
  a user interface for indicating a portion of said one or more given services that are permitted between a portion of said at least one source address and a portion of said at least one destination address, said portions obtained by analyzing a gateway-zone graph that models said network based on said packet filtering configuration file with at least one gateway node corresponding to said at least one gateway and at least two zone nodes, wherein each of said zone nodes correspond to a partitioned collection of said addresses created by said at least one gateway.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, wherein said rules are expressed as rule-base objects.
  - 14. The method of claim 12, wherein said gateway-zone graph is derived from a network topology file.
  - 15. The method of claim 12, wherein said query includes a wildcard for at least one of said service, source address or destination address.
  - 16. The method of claim 12, wherein said packet filtering configuration files are expressed as a set of logical rules.
  - 17. The method of claim 12, wherein said query consists of a source host-group, a destination host-group, and a service host-group.
  - 18. The method of claim 12, wherein said user interface allows a user to specify a location where packets are to be inserted into the network that is different from a source address.

19. An apparatus for analyzing at least one gateway in a network, said at least one gateway having a packet filtering configuration file including a plurality of rules, said network having a plurality of addresses, said tool comprising:
- a memory for storing computer readable code; and
  
  a processor operatively coupled to said memory, said processor configured to;
  
  generate a gateway-zone graph that models said network based on said packet filtering configuration file, said gateway-zone graph having at least one gateway node corresponding to said at least one gateway and at least two zone nodes, wherein said at least one gateway is a packet filtering machine and each of said zone nodes correspond to a partitioned collection of said addresses created by said at least one gateway;
  
  receive a query inquiring whether one or more given services are permitted between at least one source address and at least one destination address; and
  
  evaluate said query against each of said rules associated with each gateway node in said gateway-zone graph that is encountered between said at least one source address and said at least one destination address.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The tool of claim 19, wherein said rules are expressed as rule-base objects.
  - 21. The tool of claim 19, wherein said gateway-zone graph is derived from a network topology file.
  - 22. The tool of claim 19, wherein said query includes a wildcard for at least one of said service, source address or destination address.
  - 23. The tool of claim 19, further comprising the step of determining a portion of said one or more given services that are permitted between at least one source address and at least one destination address.
  - 24. The tool of claim 19, further comprising the step of transforming said packet filtering configuration files into a table of logical rules that are processed during said evaluating step.
  - 25. The tool of claim 19, wherein said query consists of a source host-group, group, a destination host-group, and a service host-group.
  - 26. The tool of claim 19, wherein said query specifies a location where packets are to be inserted into the network that is different from a source address.

27. A computer readable medium having computer readable program code means embodied thereon, said computer readable program code means analyzing at least one gateway in a network, said at least one gateway having a packet filtering configuration file including a plurality of rules, said network having a plurality of addresses, said computer readable program code means comprising:
- a step to generate a gateway-zone graph that models said network based on said packet filtering configuration file, said gateway-zone graph having at least one gateway node corresponding to said at least one gateway and at least two zone nodes, wherein said at least one gateway is a packet filtering machine and each of said zone nodes correspond to a partitioned collection of said addresses created by said at least one gateway;
  
  a step to receive a query inquiring whether one or more given services are permitted between at least one source address and at least one destination address; and
  
  a step to evaluate said query against each of said rules associated with each gateway node in said gateway-zone graph that is encountered between said at least one source address and said at least one destination address.

28. A system for modeling a network, comprising:
- a memory for storing computer readable code; and
  
  a processor operatively coupled to said memory, said processor configured to;
  
  identify each gateway device in said network having a packet-filtering rule-base and each zone in said network defined by said gateway devices; and
  
  generate a gateway-zone graph that models said network based on said packet-filtering rule-base, said gateway-zone graph having a gateway node corresponding to each of said gateway devices and a zone node corresponding to each of said zones.

29. A computer readable medium having computer readable program code means embodied thereon, said computer readable program code means comprising:
- a step to identify each gateway device in a network having a packet-filtering rule-base and each zone in said network defined by said gateway devices; and
  
  a step to generate a gateway-zone graph that models said network based on said packet-filtering rule-base, said gateway-zone graph having a gateway node corresponding to each of said gateway devices and a zone node corresponding to each of said zones.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent USA, Inc. (Nokia Corporation)
Original Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Inventors
Wool, Avishai, Mayer, Alain, Ziskind, Elisha
Primary Examiner(s)
MIRZA, ADNAN M

Application Number

US09/483,876
Time in Patent Office

2,254 Days
Field of Search

709/248, 709/249, 713/201, 370/11
US Class Current

709/249
CPC Class Codes

H04L 41/0853   by actively collecting conf...

H04L 41/12   Discovery or management of ...

H04L 41/145   involving simulating, desig...

H04L 63/0263   Rule management

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Method and apparatus for analyzing one or more firewalls

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

89 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for analyzing one or more firewalls

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links