Security checking program for communication between networks
First Claim
1. A system for managing a security policy for a multiplicity of networks, said system comprising:
means for recording, for each of said multiplicity of networks, (a) a type of said each network, (b) whether said each network is a source and/or a destination network, and (c) a list of IP protocol(s) supported by said each network, said multiplicity of networks comprising a trusted type, a DMZ type, and an untrusted type, said DMZ type of network being managed by a same enterprise that manages said trusted type of network to provide security for said DMZ type of network;
means for recording, for said each network, a multiplicity of permitted message flows for which a firewall for said each network is configured, each of said permitted message flows comprising a combination of IP protocol, destination network and source network;
means for automatically identifying a multiplicity of possible combinations of said multiplicity of networks, wherein each of said possible combinations comprises a source network and a destination network;
means for automatically determining, based on a type of said each network, a subset of said possible combinations, each of said possible combinations in said subset comprising two networks which are permitted to communicate with each other based on the respective types of said two networks, a trusted network being permitted to communicate with said DMZ network but not with said untrusted network, said DMZ network being permitted to communicate with both said trusted network and said untrusted network;
means for automatically determining, for each of said possible combinations in said subset, (a) what IP protocol(s) are supported by said networks in said each possible combination in said subset, and (b) whether respective firewalls for said networks in said each possible combination in said subset permit message flows having IP protocols supported by said networks in said each possible combination of said subset; and
means, based on determinations by both automatic determining means, for automatically determining which combinations of said multiplicity of networks comprise networks which are both (a) entitled to communicate with each other based on types of networks within each combination of said multiplicity of networks and (b) able to communicate with each other based on IP protocols supported by networks in each combination of said multiplicity of networks and IP protocols of permitted message flows through a firewall(s) for networks in each combination of said multiplicity of networks.
Abstract
A method for determining if a multiplicity of networks are authorized to communicate with each other and what IP protocol can be used for communication between each combination of two of the networks. For each network, a computer readable data base stores a record of (a) IP protocol(s) permitted to be used with said each network and (b) types of other networks permitted to communicate to said each network. For said each network, a computer readable data base stores a record of IP protocols and destination and source networks permitted by a respective firewall or router for said each network. For said each network, a computer readable data base stores a record of a type of said each network. Multiple combinations of the networks are automatically identified. Each of the combinations comprises a source network and a destination network. For each of the combinations, based on the records, it is automatically determined if each of the networks in the combination is permitted to communicate with the other network in the combination and what IP protocol(s) are common to both of the networks in the combination.
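The check described in claim 1 and the abstract, written out as an added example (this is not code from the patent itself): networks are recorded with a type, source/destination roles and supported IP protocols; each firewall's permitted flows are recorded as (protocol, source, destination) triples; every ordered pair is then filtered first by the type policy (trusted may reach DMZ but not untrusted, DMZ may reach both) and then by the protocols both networks support and both firewalls permit. The network names, protocol labels and firewall rules below are constructed sample data.

```python
from dataclasses import dataclass, field
from itertools import permutations

# Type policy from claim 1: trusted <-> DMZ allowed, DMZ <-> untrusted allowed,
# trusted <-> untrusted never. Stored as an unordered relation.
TYPE_POLICY = {frozenset({"trusted", "dmz"}), frozenset({"dmz", "untrusted"})}

@dataclass(frozen=True)
class Network:
    name: str
    ntype: str                 # "trusted", "dmz" or "untrusted"
    is_source: bool
    is_destination: bool
    protocols: frozenset       # IP protocols this network supports
    flows: frozenset = field(default_factory=frozenset)  # firewall: (proto, src, dst)

def types_may_communicate(a: Network, b: Network) -> bool:
    return frozenset({a.ntype, b.ntype}) in TYPE_POLICY

def firewall_permits(src: Network, dst: Network, proto: str) -> bool:
    """The flow must be configured on both networks' firewalls."""
    flow = (proto, src.name, dst.name)
    return flow in src.flows and flow in dst.flows

def allowed_flows(networks):
    """Map (src, dst) -> set of protocols for every ordered pair that is both
    entitled to talk (by type) and able to (protocol support + firewall rules)."""
    result = {}
    for src, dst in permutations(networks, 2):
        if not (src.is_source and dst.is_destination):
            continue
        if not types_may_communicate(src, dst):
            continue
        common = src.protocols & dst.protocols
        permitted = {p for p in common if firewall_permits(src, dst, p)}
        if permitted:
            result[(src.name, dst.name)] = permitted
    return result

# Constructed sample inventory (names and rules are illustrative only).
SAMPLE = [
    Network("corp", "trusted", True, True, frozenset({"tcp", "udp"}),
            frozenset({("tcp", "corp", "dmz"), ("tcp", "dmz", "corp")})),
    Network("dmz", "dmz", True, True, frozenset({"tcp", "udp", "icmp"}),
            frozenset({("tcp", "corp", "dmz"), ("udp", "internet", "dmz"),
                       ("icmp", "dmz", "internet")})),
    Network("internet", "untrusted", True, False, frozenset({"tcp", "udp", "icmp"}),
            frozenset({("udp", "internet", "dmz"), ("tcp", "internet", "corp")})),
]
```

On the sample data only corp->dmz (tcp) and internet->dmz (udp) survive: dmz->corp drops out because the tcp rule exists on corp's firewall but not on dmz's, and internet->corp is rejected by the type policy even though the untrusted firewall carries a rule for it.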
5 Claims
Specification