Method and apparatus in an application framework system for providing a port and network hardware resource firewall for distributed applications

US 7,296,292 B2
Filed: 12/15/2000
Issued: 11/13/2007
Est. Priority Date: 12/15/2000
Status: Active Grant

First Claim

Patent Images

1. A method for managing a distributed port firewall system, the method comprising:

configuring a port for access by a specified user during a specified time interval and denying access to all other users during the specified time interval;

deploying and starting a target endpoint firewall client on a target endpoint computing device;

deploying and starting a source endpoint firewall client on the specified user'"'"'s source endpoint computing device;

responsive to a request by the specified user for access to the port and responsive to a determination that the requested port is assigned to the user for use at the time requested, returning the requested port to the specified user, wherein the request by the specified user for access to the port is from an application that the specified user is executing on the source endpoint computing device, wherein the specified user executable application is enabled to open the port on the target endpoint computing devicewherein the step of deploying and starting a target endpoint firewall client is responsive to the specified user logging onto the target endpoint, the target endpoint firewall client being operative to query a port firewall database and responsive thereto, to selectively enable access to the requested resource by the application based on firewall properties maintained in the port firewall database.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, apparatus, and computer program product are presented for a distributed port firewall system. The distributed port firewall system provides mapping of port usage to application needs, application action object (AAO) used to identify the use of ports. Application action object may be opened based on endpoint and user. Port firewall “properties” are added in order to configure firewall which are only configurable by certain trusted users or applications. Different policies applied to usage and the opening of ports based on both a collection of endpoints, managed regions, or on a per endpoint basis. Beyond just allowing an application to open a port, the allowed packet types are also configured to work in conjunction with a distributed packet snooper session.

60 Citations

View as Search Results

25 Claims

1. A method for managing a distributed port firewall system, the method comprising:
- configuring a port for access by a specified user during a specified time interval and denying access to all other users during the specified time interval;
  
  deploying and starting a target endpoint firewall client on a target endpoint computing device;
  
  deploying and starting a source endpoint firewall client on the specified user'"'"'s source endpoint computing device;
  
  responsive to a request by the specified user for access to the port and responsive to a determination that the requested port is assigned to the user for use at the time requested, returning the requested port to the specified user, wherein the request by the specified user for access to the port is from an application that the specified user is executing on the source endpoint computing device, wherein the specified user executable application is enabled to open the port on the target endpoint computing devicewherein the step of deploying and starting a target endpoint firewall client is responsive to the specified user logging onto the target endpoint, the target endpoint firewall client being operative to query a port firewall database and responsive thereto, to selectively enable access to the requested resource by the application based on firewall properties maintained in the port firewall database.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as recited in claim 1, further comprising:
    - monitoring data packets flowing through the source endpoint originating from the target endpoint.
  - 3. The method as recited in claim 2, wherein the data packets are specified types of data packets.
  - 4. The method as recited in claim 1, further comprising:
    - monitoring data packets flowing through the source endpoint destined to the target endpoint.
  - 5. The method as recited in claim 4, wherein the data packets are specified types of data packets.

6. A computer program product in a computer readable media for use in a computing device for managing a distributed port firewall system, the computer program product comprising:
- first instructions for configuring a port for access by a specified user during a specified time interval and denying access to all other users during the specified time interval;
  
  second instructions for deploying and starting a target endpoint firewall client on a target endpoint computing device;
  
  third instructions for deploying and starting a source endpoint firewall client on the specified user'"'"'s source endpoint computing device;
  
  fourth instructions for responsive to a request by the specified user for access to the port and responsive to a determination that the requested port is assigned to the user for use at the time requested, returning the requested port to the specified user, wherein the request by the specified user for access to the port is from an application that the specified user is executing on the source endpoint computing device, wherein the specified user executable application is enabled to open the port on the target endpoint computing devicewherein the third instructions for deploying and starting a target endpoint firewall client is responsive to the specified user logging onto the target endpoint, the target endpoint firewall client being operative to query a port firewall database and responsive thereto, to selectively enable access to the requested resource by the application based on firewall properties maintained in the port firewall database.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer program product as recited in claim 6, further comprising:
    - fifth instructions for monitoring data packets flowing through the source endpoint originating from the target endpoint.
  - 8. The computer program product as recited in claim 6, further comprising:
    - fifth instructions for monitoring data packets flowing through the source endpoint destined to the target endpoint.
  - 9. The computer program product as recited in claim 7, wherein the data packets are specified types of data packets.
  - 10. The computer program product as recited in claim 8, wherein the data packets are specified types of data packets.

11. A system for managing a distributed port firewall system, the system comprising:
- first means for configuring a port for access by a specified user during a specified time interval and denying access to all other users during the specified time interval;
  
  second means for deploying and starting a target endpoint firewall client on a target endpoint computing device;
  
  third means for deploying and starting a source endpoint firewall client on the specified user'"'"'s source endpoint computing device;
  
  fourth means for responsive to a request by the specified user for access to the port and responsive to a determination that the requested port is assigned to the user for use at the time requested, returning the requested port to the specified user, wherein the request by the specified user for access to the port is from an application that the specified user is executing on the source endpoint computing device, wherein the specified user executable application is enabled to open the port on the target endpoint computing devicewherein the third means for deploying and starting a target endpoint firewall client is responsive to the specified user logging onto the target endpoint, the target endpoint firewall client being operative to query a port firewall database and responsive thereto, to selectively enable access to the requested resource by the application based on firewall properties maintained in the port firewall database.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system as recited in claim 11, further comprising:
    - fifth means for monitoring data packets flowing through the source endpoint originating from the target endpoint.
  - 13. The system as recited in claim 12, wherein the data packets are specified types of data packets.
  - 14. The system as recited in claim 11, further comprising:
    - fifth means for monitoring data packets flowing through the source endpoint destined to the target endpoint.
  - 15. The system as recite in claim 14, wherein the data packets are specified types of data packets.

16. A distributed port firewall system, comprising:
- a gateway, of the distributed port firewall system, comprising a port firewall database, the port firewall database having stored therein firewall properties for endpoints of the distributed port firewall system, including an indication of which endpoints can have remote access to ports of the distributed port firewall system;
  
  a first endpoint computing device, of the distributed port firewall system, comprising an application requesting a resource; and
  
  a second endpoint computing device, of the distributed port firewall system, comprising the requested resource and a firewall process operative to query the port firewall database and responsive thereto, to selectively enable access to the requested resource by the applicationwherein the firewall process on the second endpoint computing device retrieves firewall properties from a port firewall manager coupled to the port firewall database.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. A method of using the distributed port firewall system of claim 16, comprising steps of:
    - sending, from the first endpoint computing device, an action object requesting the resource;
      
      receiving, by the gateway, the action object and determining that the requested resource is located at the second endpoint computing device;
      
      initiating, by the gateway, the firewall process on the second endpoint computing device; and
      
      returning, by the gateway, a response to the first endpoint computing device indicating a location for the requested resource.
  - 18. The method of claim 17, wherein the response is the action object.
  - 19. The method of claim 17, wherein the action object determines which of a plurality of gateways to send itself to.
  - 20. The method of claim 17, wherein the firewall properties comprises (i) an allowable time for which a requested port can be accessed, and (ii) an indication of which endpoint(s) can have remote access to the requested port.
  - 21. The method of claim 17, wherein the gateway converts the received action object to a form compatible with the second endpoint computing device and sends the compatible form to the second endpoint computing device.

22. A port firewall manager, comprising:
- means for receiving an action object from an application executing on a source endpoint computing device, said action object containing a request for a resource; and
  
  means for initiating, responsive to the means for receiving the action object, a client firewall process on a target endpoint computing device, the target endpoint computing device comprising the requested resource, wherein the client firewall process is operable to determine access properties associated with the requested resourcemeans for receiving, from the target endpoint computing device, a request for firewall properties associated with the requested resource;
  
  means for retrieving the firewall properties from a firewall database; and
  
  means for sending the retrieved firewall properties to the target endpoint computing device.
- View Dependent Claims (23, 24, 25)
- - 23. The port firewall manager of claim 22, further comprising:
    - means for determining whether a user executing the application on the source endpoint computing device is authorized to use the requested resource.
  - 24. The port firewall manager of claim 23, wherein the means for determining is based upon time of requested resource access and location of where the resource request was initiated.
  - 25. The port firewall manager of claim 22, wherein the action object comprises a mechanism for determining transport of the action object to a gateway comprising the port firewall manager.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Chang, Ching-Jye, Ullmann, Lorin Evan
Primary Examiner(s)
Moazzami, Nasser
Assistant Examiner(s)
Colin, Carl

Application Number

US09/738,336
Publication Number

US 20020078377A1
Time in Patent Office

2,524 Days
Field of Search

709/223, 709/225, 709/166, 709/161, 709/129, 709/229, 709/132
US Class Current

726/13
CPC Class Codes

H04L 63/0218 Distributed architectures, ...

H04L 63/0236 Filtering by address, proto...

Method and apparatus in an application framework system for providing a port and network hardware resource firewall for distributed applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus in an application framework system for providing a port and network hardware resource firewall for distributed applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links