Method and system for controlling access to network resources using resource groups

US 7,225,255 B2
Filed: 12/21/2000
Issued: 05/29/2007
Est. Priority Date: 12/21/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method for controlling access to network resources, comprising:

at a central configuration machine;

defining an internal protection domain for each of a plurality of firewalls, each internal protection domain including at least one zone, each zone having at least one access-controlled network resource;

defining at least one external protection domain for the plurality of firewalls, the external protection domain including at least one zone having at least one access-controlled network resource, wherein each of the plurality of firewalls protects the internal protection domain relative to the external protection domain and each of the internal and external protection domains comprise one or more of networks and subnetworks of machines;

creating a plurality of resource groups, each resource group including at least one zone;

specifying an access control rule, including a scope, for each resource group, the scope, and thus the access control rule, is capable of being interpreted by each of the plurality of firewalls differently depending on the value of the scope and network resource characteristics associated with each of the plurality of firewalls;

configuring each firewall using the access control rules; and

at each firewall;

in response to a request to access a destination network resource received from a source network resource, determining whether to apply the access control rule specified for the resource group associated with the destination network resource based on the scope of the access control rule.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and device for configuring a firewall in a computer system employing a rule for controlling access between a source resource and a destination resource only if said source and destination resources belong to the same protection domain. At a central configuration machine, an access control rule is specified, including a scope, for each resource group, the scope, and thus the access control rule is capable of being interpreted by each of the plurality of firewalls differently depending on the value of the scope and network resource characteristics associated with each of the plurality of firewalls.

22 Citations

View as Search Results

15 Claims

1. A method for controlling access to network resources, comprising:
- at a central configuration machine;
  
  defining an internal protection domain for each of a plurality of firewalls, each internal protection domain including at least one zone, each zone having at least one access-controlled network resource;
  
  defining at least one external protection domain for the plurality of firewalls, the external protection domain including at least one zone having at least one access-controlled network resource, wherein each of the plurality of firewalls protects the internal protection domain relative to the external protection domain and each of the internal and external protection domains comprise one or more of networks and subnetworks of machines;
  
  creating a plurality of resource groups, each resource group including at least one zone;
  
  specifying an access control rule, including a scope, for each resource group, the scope, and thus the access control rule, is capable of being interpreted by each of the plurality of firewalls differently depending on the value of the scope and network resource characteristics associated with each of the plurality of firewalls;
  
  configuring each firewall using the access control rules; and
  
  at each firewall;
  
  in response to a request to access a destination network resource received from a source network resource, determining whether to apply the access control rule specified for the resource group associated with the destination network resource based on the scope of the access control rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method according to claim 1, further comprising:
    - determining the protection domain of the access-controlled network resources using firewall network interfaces through which communications pass to reach said access-controlled network resources.
  - 3. A method according to claim 2, further comprising:
    - associating each firewall network interface with an internal or external protection domain,determining incoming and outgoing firewall network interfaces of current traffic,analyzing whether the incoming and outgoing firewall network interfaces are attached to an internal or external protection domain, andapplying the rule for controlling access only if the incoming and outgoing firewall network interfaces are attached to the same internal protection domain and the access-controlled network resources belong to the same protection domain.
  - 4. A method according to claim 3, wherein the rule for controlling access is applied between each of the access-controlled network resources of a source resource group and a destination resource group.
  - 5. A method according to claim 4, further comprising:
    - specifying the scope of each rule for controlling access as local or global,when the scope of the rule is local, applying the rule to the access-controlled network resources in question only if said access-controlled network resources belong to the same internal or external protection domain, andwhen the scope of the rule is global, applying the rule to all of the access-controlled network resources in question.
  - 6. A method according to claim 3, further comprising:
    - specifying the scope of each rule for controlling access as local or global,when the scope of the rule is local, applying the rule to the access-controlled network resources in question only if said access-controlled network resources belong to the same internal or external protection domain, andwhen the scope of the rule is global, applying the rule to all of the access-controlled network resources in question.
  - 7. A method according to claim 2, further comprising:
    - specifying the scope of each rule for controlling access as local or global,when the scope of the rule is local, applying the rule to the access-controlled network resources in question only if said access-controlled network resources belong to the same internal or external protection domain, andwhen the scope of the rule is global, applying the rule to all of the access-controlled network resources in question.
  - 8. A method according to claim 1, wherein the rule for controlling access is applied between each of the access-controlled network resources of a source resource group and a destination resource group.
  - 9. A method according to claim 8, further comprising:
    - specifying the scope of each rule for controlling access as local or global,when the scope of the rule is local, applying the rule to the access-controlled network resources in question only if said access-controlled network resources belong to the same internal or external protection domain, andwhen the scope of the rule is global, applying the rule to all of the access-controlled network resources in question.
  - 10. A method according to claim 2, wherein the rule for controlling access is applied between each of to access-controlled network resources of a source resource group and a destination resource group.
  - 11. A method according to claim 10, further comprising:
    - specifying the scope of each rule for controlling access as local or global,when the scope of the rule is local, applying the rule to the access-controlled network resources in question only if said access-controlled network resources belong to the same internal or external protection domain, andwhen the scope of the rule is global, applying the rule to all of the access-controlled network resources in question.
  - 12. A method according to claim 1, further comprising:
    - specifying the scope of each rule for controlling access as local or global,when the scope of the rule is local, applying the rule to the access-controlled network resources in question only if said access-controlled network resources belong to the same internal or external protection domain, andwhen the scope of the rule is global, applying the rule to all of the access-controlled network resources in question.

13. A system for controlling access to network resources, comprising:
- an external network including at least one external subnetwork having at least one network resource;
  
  a plurality of firewalls, coupled to the external network, each firewall including at least one internal subnetwork, each internal subnetwork having at least one access-controlled network resource; and
  
  a central configuration machine, coupled to the external network, adaptively configured to;
  
  define an internal protection domain for each of the plurality of firewalls, each internal protection domain including a zone corresponding to each internal subnetwork,define an external protection domain for the plurality of firewalls, the external protection domain including a zone corresponding to each external subnetwork, wherein each of the plurality of firewalls protects the internal protection domain relative to the external protection domain and each of the internal and external protection domains comprise one or more of networks and subnetworks of machines,create a plurality of resource groups, each resource group including at least one zone,specify an access control rule, including a scope, for each resource group, the scope, and thus the access control rule, is capable of being interpreted by each of the plurality of firewalls differently depending on the value of the scope and network resource characteristics associated with each of the plurality of firewalls, andconfigure each firewall using the access control rules.
- View Dependent Claims (14, 15)
- - 14. A device according to claim 13, wherein the central configuration machine includes a graphical interface from which an administrator can enter the protection domains and the access control rules.
  - 15. A device according to claim 14, wherein the graphical interface allows the administrator to define a local or global scope for the access control rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Evidian
Original Assignee
Evidian
Inventors
Guionneau, Christophe, Favier, Vale, Grardel, Free
Primary Examiner(s)
Caldwell; Andrew
Assistant Examiner(s)
WILLETT, STEPHAN F

Application Number

US09/740,801
Publication Number

US 20020129142A1
Time in Patent Office

2,350 Days
Field of Search

709/225, 709/221, 713/201, 707/221, 726 11- 15
US Class Current

709/225
CPC Class Codes

H04L 41/28   Restricting access to netwo...

H04L 63/0227   Filtering policies mail mes...

H04L 63/20   for managing network securi...

Method and system for controlling access to network resources using resource groups

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for controlling access to network resources using resource groups

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links