Method and system for controlling access to network resources using resource groups
First Claim

1. A method for controlling access to network resources, comprising:

at a central configuration machine:
- defining an internal protection domain for each of a plurality of firewalls, each internal protection domain including at least one zone, each zone having at least one access-controlled network resource;
- defining at least one external protection domain for the plurality of firewalls, the external protection domain including at least one zone having at least one access-controlled network resource, wherein each of the plurality of firewalls protects the internal protection domain relative to the external protection domain and each of the internal and external protection domains comprises one or more networks and subnetworks of machines;
- creating a plurality of resource groups, each resource group including at least one zone;
- specifying an access control rule, including a scope, for each resource group, wherein the scope, and thus the access control rule, is capable of being interpreted differently by each of the plurality of firewalls depending on the value of the scope and on the network resource characteristics associated with each of the plurality of firewalls;
- configuring each firewall using the access control rules; and

at each firewall:
- in response to a request to access a destination network resource received from a source network resource, determining whether to apply the access control rule specified for the resource group associated with the destination network resource based on the scope of the access control rule.
Abstract

A method and device for configuring a firewall in a computer system, employing a rule that controls access between a source resource and a destination resource only if the source and destination resources belong to the same protection domain. At a central configuration machine, an access control rule, including a scope, is specified for each resource group; the scope, and thus the access control rule, is capable of being interpreted differently by each of the plurality of firewalls depending on the value of the scope and on the network resource characteristics associated with each of the plurality of firewalls.
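The claimed arrangement (a central configuration defining protection domains, zones, resource groups and scoped rules, with each firewall deciding from the scope whether a rule applies to a given source/destination pair), modelled as an added Python example. This is not the patent's own code: the scope value name, the treatment of every zone outside a firewall's internal domain as external, and the sample zones and addresses are assumptions made for the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Scope values are an assumption of this model; the patent text does not enumerate them.
SAME_DOMAIN = "same_domain"  # apply the rule only when source and destination share a protection domain

@dataclass(frozen=True)
class Rule:
    group: str   # resource group the rule is specified for
    action: str  # "permit" or "deny"
    scope: str

@dataclass
class CentralConfig:
    """Central configuration machine: zones, each firewall's internal domain, resource groups, scoped rules."""
    zones: dict             # zone name -> CIDR of its network or subnetwork
    internal_domains: dict  # firewall name -> set of zones forming its internal protection domain
    groups: dict            # resource group -> set of zones it contains
    rules: list

    def zone_of(self, addr: str):
        return next((z for z, c in self.zones.items() if ip_address(addr) in ip_network(c)), None)

class Firewall:
    """A firewall configured from CentralConfig; it interprets scope relative to its own internal domain."""
    def __init__(self, name: str, cfg: CentralConfig):
        self.cfg, self.internal = cfg, cfg.internal_domains[name]

    def domain_of(self, addr: str) -> str:
        # Assumption: every zone outside this firewall's internal domain lies in the external protection domain.
        return "internal" if self.cfg.zone_of(addr) in self.internal else "external"

    def decide(self, src: str, dst: str) -> str:
        same_domain = self.domain_of(src) == self.domain_of(dst)
        for rule in self.cfg.rules:
            if self.cfg.zone_of(dst) not in self.cfg.groups[rule.group]:
                continue  # rule belongs to a resource group the destination is not in
            if rule.scope == SAME_DOMAIN and not same_domain:
                continue  # the scope tells this firewall not to apply the rule across domains
            return rule.action
        return "deny"  # default deny when no rule applies

# Constructed sample configuration: two sites behind two firewalls plus a shared external zone.
CONFIG = CentralConfig(
    zones={"a_web": "10.1.1.0/24", "a_lan": "10.1.2.0/24", "b_lan": "10.2.1.0/24", "internet": "203.0.113.0/24"},
    internal_domains={"fw_a": {"a_web", "a_lan"}, "fw_b": {"b_lan"}},
    groups={"web_servers": {"a_web"}},
    rules=[Rule("web_servers", "permit", SAME_DOMAIN)],
)
FW_A, FW_B = Firewall("fw_a", CONFIG), Firewall("fw_b", CONFIG)
```

The same rule yields different decisions at the two firewalls: fw_a permits a_lan to a_web (both in its internal domain) but denies the same destination from the internet, while fw_b classifies a_web as external and so denies b_lan to a_web.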
Claims (15 in total)

Independent claim 1 is reproduced above under First Claim; claims 2 through 12 depend on it.
13. A system for controlling access to network resources, comprising:

- an external network including at least one external subnetwork having at least one network resource;
- a plurality of firewalls, coupled to the external network, each firewall including at least one internal subnetwork, each internal subnetwork having at least one access-controlled network resource; and
- a central configuration machine, coupled to the external network, adaptively configured to:
define an internal protection domain for each of the plurality of firewalls, each internal protection domain including a zone corresponding to each internal subnetwork;
define an external protection domain for the plurality of firewalls, the external protection domain including a zone corresponding to each external subnetwork, wherein each of the plurality of firewalls protects the internal protection domain relative to the external protection domain and each of the internal and external protection domains comprises one or more networks and subnetworks of machines;
create a plurality of resource groups, each resource group including at least one zone;
specify an access control rule, including a scope, for each resource group, wherein the scope, and thus the access control rule, is capable of being interpreted differently by each of the plurality of firewalls depending on the value of the scope and on the network resource characteristics associated with each of the plurality of firewalls; and
configure each firewall using the access control rules.

Claims 14 and 15 depend on claim 13.