Network firewall policy configuration facilitation

US 7,328,451 B2
Filed: 06/30/2003
Issued: 02/05/2008
Est. Priority Date: 06/30/2003
Status: Active Grant

First Claim

Patent Images

1. A system for providing network-based firewall policy configuration and facilitation associated with a firewall, the system comprising:

a memory device for storing a program for providing the network-based firewall policy configuration and facilitation associated with the firewall; and

a processor, functionally coupled to the memory device, the processor being responsive to computer-executable instructions contained in the program and operative to;

receive a first request to add an application not currently supported by a user'"'"'s firewall policy,generate a time window during which a user can run the application,receive a firewall modification request to modify the user'"'"'s firewall policy to allow the application,determine whether the application includes one or more questionable packets, andif the application is determined to include one or more questionable packets, modify the user'"'"'s firewall policy to allow packets associated with the application determined not to be questionable to pass through the firewall unblocked and exclude the one or more questionable packets associated with the application from modification of the user'"'"'s firewall policy such that the one or more questionable packets are blocked from passing through the firewall.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems for providing information on network firewall policy configuration facilitation include a firewall facilitation coordinator configured to receive a request to add an application not currently supported by a user'"'"'s firewall policy, and to generate a time window during which a user can run the application and observe which types of packets are utilized by the application. A policy modification agent associated with the firewall is configured to communicate with the firewall facilitation coordinator. The policy modification agent is further configured to receive a firewall modification request from the firewall facilitation coordinator, to accomplish the observation of packets flowing through the firewall during the time window, and to subsequently modify the user'"'"'s firewall policy such that the application is able to communicate as needed through the firewall, rather than being blocked. Other systems and methods are also provided.

66 Citations

View as Search Results

44 Claims

1. A system for providing network-based firewall policy configuration and facilitation associated with a firewall, the system comprising:
- a memory device for storing a program for providing the network-based firewall policy configuration and facilitation associated with the firewall; and
  
  a processor, functionally coupled to the memory device, the processor being responsive to computer-executable instructions contained in the program and operative to;
  
  receive a first request to add an application not currently supported by a user'"'"'s firewall policy,generate a time window during which a user can run the application,receive a firewall modification request to modify the user'"'"'s firewall policy to allow the application,determine whether the application includes one or more questionable packets, andif the application is determined to include one or more questionable packets, modify the user'"'"'s firewall policy to allow packets associated with the application determined not to be questionable to pass through the firewall unblocked and exclude the one or more questionable packets associated with the application from modification of the user'"'"'s firewall policy such that the one or more questionable packets are blocked from passing through the firewall.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the processor is further operative to decode and decrypt the first firewall modification request, and to authenticate the user before taking action on the first request.
  - 3. The system of claim 1, wherein the processor is further operative to:
    - receive a second request to add the application; and
      
      modify the user'"'"'s firewall policy to allow at least a portion of the previously blocked one or more questionable packets associated with the application to pass through the firewall unblocked.
  - 4. The system of claim 1, wherein the one or more questionable packets include packets or packet types that are already part of the user'"'"'s firewall policy or packets previously blocked at times other than during the time window but which are now observed during the time window.
  - 5. The system of claim 1, wherein the processor is further operative to record the one or more questionable packets in a blocking history database if the application is determined to include one or more questionable packets.
  - 6. The system of claim 1, wherein the processor is further operative to send an acknowledgement to the user that modification of the user'"'"'s firewall policy was successful, the acknowledgement including an alert regarding the one or more questionable packets if the application is determined to include the one or more questionable packets.
  - 7. The system of claim 1, wherein the processor is further operative to:
    - attempt to modify the user'"'"'s firewall policy a configurable number of times; and
      
      if unsuccessful, notify the user to seek assistance or to notify appropriate personnel for assistance.
  - 8. The system of claim 1, wherein the processor is further operative to group the one or more questionable packets into one or more groups based on a type associated with the one or more questionable packets if the application is determined to include one or more questionable packets.
  - 9. The system of claim 8, wherein the processor is further operative to:
    - prioritize the groups based on a likelihood that the groups will be required to be added to the user'"'"'s firewall policy in order to allow the new application to function properly; and
      
      label the groups in order of priority.
  - 10. The system of claim 9, wherein the processor is further operative to perform successive policy modification attempts to allow one or more of the questionable packet groups previously excluded from modification of the user'"'"'s firewall policy having a next highest priority to pass through the firewall unblocked.

11. A method for modifying a firewall policy of a network-based firewall, the method comprising:
- receiving a first request to modify the firewall policy to incorporate filtering rules to allow packets associated with a new application to pass through the network-based firewall without being blocked;
  
  sending a user an indication of a time window during which the user can exercise the new application;
  
  examining the packets traversing to/from the network-based firewall from/to the user to determine whether the new application includes one or more questionable packets; and
  
  if the new application is determined to include one or more questionable packets, then;
  
  modifying the firewall policy to allow packets associated with the new application determined not to be questionable to pass through the network-based firewall unblocked, andexcluding the one or more questionable packets associated with the new application from modification of the user'"'"'s firewall policy such that the one or more questionable packets are blocked from passing through the network-based firewall.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 12. The method of claim 11, further comprising acknowledging the first modification request and sending an acknowledgement of the first modification request to a user'"'"'s processing device.
  - 13. The method of claim 11, further comprising authenticating the user before acting on the first modification request.
  - 14. The method of claim 11, further comprising notifying a policy modifier of the first request to modify the firewall policy, wherein notifying the policy modifier further comprises providing a name of the new application and a time frame for modifying the firewall policy.
  - 15. The method of claim 11, further comprising sending an acknowledgement of completion of the modification to a user'"'"'s processing device.
  - 16. The method of claim 11, wherein the one or more questionable packets are associated with an application other than the new application.
  - 17. The method of claim 11, wherein the one or more questionable packets include packets or packet types already included in the firewall policy or which were previously blocked at times other than during the time window but which are now observed during the time window.
  - 18. The method of claim 11, further comprising:
    - receiving a second request to add the new application; and
      
      further modifying the user'"'"'s firewall policy to allow at least a portion of the previously blocked one or more questionable packets associated with the new application to pass through the network-based firewall unblocked.
  - 19. The method of claim 11, further comprising if the new application is determined to include one or more questionable packets, recording the one or more questionable packets in a blocking history database.
  - 20. The method of claim 11, further comprising sending an acknowledgement to a user'"'"'s processing device to repeat an attempt to modify the firewall policy when the new application does not function properly through the network-based firewall after the firewall policy has been modified.
  - 21. The method of claim 11, further comprising notifying a user'"'"'s processing device after a configurable number of repeat attempts fail to modify the firewall policy such that the new application can function properly through the firewall.
  - 22. The method of claim 11, further comprising if the new application is determined to include one or more questionable packet, grouping the one or more questionable packets into one or more groups based on a type associated with the one or more questionable packets.
  - 23. The method of claim 22, further comprising prioritizing the groups based on a likelihood that the groups will be required to be added to the firewall policy in order to allow the new application to function, properly;
    - and labeling the groups in order of priority.
  - 24. The method of claim 23, further comprising performing successive policy modification attempts to allow one or more of the questionable packet groups previously excluded from modification of the user'"'"'s firewall policy having a next highest priority to pass through the network-based firewall unblocked.

25. A computer-readable storage medium for providing network-based firewall policy configuration and facilitation associated with a firewall, comprising:
- logic configured to receive a first request to modify a firewall policy to incorporate filtering rules to allow packets associated with a new application to pass through the firewall without being blocked;
  
  logic configured to send a user an indication of a time window during which the user can exercise the new application;
  
  logic configured to examine the packets traversing to/from the firewall from/to the user to determine whether the new application includes one or more questionable packets; and
  
  if the application is determined to include one or more questionable packets, logic configured to modify the firewall policy to allow packets associated with the new application determined not to be questionable to pass through the firewall unblocked and exclude the one or more questionable packets associated with the new application from modification of the firewall policy such that the one or more questionable packets are blocked from passing through the firewall.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 26. The computer-readable storage medium of claim 25, further comprising logic configured to acknowledge the first modification request and logic configured to send an acknowledgement of the first modification request to a user'"'"'s processing device.
  - 27. The computer-readable storage medium of claim 25, further comprising logic configured to authenticate the user before acting on the first modification request.
  - 28. The computer-readable storage medium of claim 25, further comprising logic configured to notify a policy modifier of the first request to modify the firewall policy, the logic configured to notify the policy modifier further configured to provide a name of the new application and a time frame for modifying the firewall policy.
  - 29. The computer-readable storage medium of claim 25, further comprising logic configured to send an acknowledgement of completion of the modification to a user'"'"'s processing device.
  - 30. The computer-readable storage medium of claim 25, wherein the one or more questionable packets are associated with an application other than the new application.
  - 31. The computer-readable storage medium of claim 25, wherein the one or more questionable packets include packets or packet types already included in the firewall policy or which were previously blocked at times other than during the time window but which are now observed during the time window.
  - 32. The computer-readable storage medium of claim 25, further comprising:
    - logic configured to receive a second request to add the new application; and
      
      logic configured to modify the firewall policy to allow at least a portion of the previously blocked one or more questionable packets associated with the new application to pass through the firewall unblocked.
  - 33. The computer-readable storage medium of claim 25, further comprising logic configured to record the one or more questionable packets in a blocking history database if the new application is determined to include one or more questionable packets.
  - 34. The computer-readable storage medium of claim 25, further comprising logic configured to send an acknowledgement to a user'"'"'s processing device to repeat an attempt to modify the firewall policy when the new application does not function properly through the firewall after the firewall policy has been modified.
  - 35. The computer-readable storage medium of claim 25, further comprising logic configured to notify a user'"'"'s processing device after a configurable number of repeat attempts fail to modify the firewall policy such that the new application functions properly through the firewall.
  - 36. The computer-readable storage medium of claim 25, further comprising logic configured to group the one or more questionable packets into one or more groups based on a type associated with the one or more questionable packets if the new application is determined to include one or more questionable packets.
  - 37. The computer-readable storage medium of claim 36, further comprising logic configured to prioritize the groups based on a likelihood that the groups will be required to be added to the firewall policy in order to allow the new application to function properly, and to label the groups in order of priority.
  - 38. The computer-readable storage medium of claim 37, further comprising logic configured to perform successive policy modification attempts to allow one or more of the questionable packet groups previously excluded from modification of the firewall policy having a next highest priority to pass through the firewall unblocked.

39. A system for providing network-based firewall policy configuration and facilitation associated with a firewall, comprising:
- a memory device for storing a program for providing the network-based firewall policy configuration and facilitation associated with the firewall; and
  
  a processor, functionally coupled to the memory device, the processor being responsive to computer-executable instructions contained in the program and operative to;
  
  receive a request to add an application not currently supported by a user'"'"'s firewall policy,generate a time window during which a user can run the application,check packets observed during the time window to be associated with the application to determine whether the packets include one or more questionable packets,when the application is determined to include one or more questionable packets, group the one or more questionable packets by type,prioritize groups of the one or more questionable packets based on a likelihood that the groups will be required to be added to the firewall policy in order to allow the application to function properly, andmodify the user'"'"'s firewall policy to allow packets associated with the application determined not to be questionable to pass through the firewall unblocked and exclude the groups of the one or more questionable packets associated with the application from modification of the user'"'"'s firewall policy such that the groups of the one or more questionable packets are blocked from passing through the firewall.
- View Dependent Claims (40)
- - 40. The system of claim 39, wherein the processor is further operative to perform successive policy modification attempts to allow one or more of the groups of the one or more questionable packets previously excluded from modification of the user'"'"'s firewall policy to pass through the firewall unblocked, an order of the one or more groups allowed to pass through the firewall unblocked based on a priority associated with each of the one or more groups.

41. A method for modifying a firewall policy of a network-based firewall, comprising:
- notifying a coordinating entity of a request to modify the firewall policy to incorporate filtering rules to allow packets from a new application to pass through the network-based firewall without being blocked;
  
  notifying a policy modifier of the modification request;
  
  sending a user an indication of a time window during which the user can exercise the new application;
  
  examining the packets traversing to/from the network-based firewall from/to the userto determine whether the packets include one or more questionable packets;
  
  when the application is determined to include one or more questionable packets, grouping the one or more questionable packets by type;
  
  prioritizing groups of the one or more questionable packets based on a likelihood that the groups will be required to be added to the firewall policy in order to allow the new application to function properly;
  
  modifying the firewall policy to allow packets associated with the application determined not to be questionable to pass through the firewall unblocked; and
  
  excluding the groups of the one or more questionable packets associated with the application from modification of the firewall policy such that the groups of the one or more questionable packets are blocked from passing through the firewall.
- View Dependent Claims (42)
- - 42. The method of claim 41, wherein examining the packets further comprises performing successive policy modification attempts to allow one or more of the groups of the one or more questionable packets previously excluded from modification of the firewall policy to pass through the network-based firewall unblocked, an order of the one or more groups allowed to pass through the firewall unblocked based on a priority associated with each of the one or more groups.

43. A computer-readable storage medium for providing network-based firewall policy configuration and facilitation associated with a firewall, comprising:
- logic configured to notify a coordinating entity of a request to modify a firewall policy to incorporate filtering rules to allow packets from a new application to pass through the firewall without being blocked;
  
  logic configured to notify a policy modifier of the modification request;
  
  logic configured to send a user an indication of a time window during which the user can exercise the new application;
  
  logic configured to examine the packets traversing to/from the firewall from/to the user to determine whether the packets include one or more questionable packets;
  
  when the packets are determined to include one or more questionable packets, logic configured to group the one or more questionable packets by type;
  
  logic configured to prioritize groups of the one or more questionable packets based on a likelihood that the groups will be required to be added to the firewall policy in order to allow the new application to function properly; and
  
  logic configured to modify the firewall policy to allow packets associated with the new application determined not to be questionable to pass through the firewall unblocked and to exclude the groups of the one or more questionable packets associated with the new application from modification of the user'"'"'s firewall policy such that the groups of the one or more questionable packets are blocked from passing through the firewall.
- View Dependent Claims (44)
- - 44. The computer-readable storage medium of claim 43, further comprising logic configured to perform successive policy modification attempts to allow one or more of the groups of the one or more questionable packets previously excluded from modification of the firewall policy to pass through the firewall unblocked, an order of the one or more groups allowed to pass through the firewall unblocked based on a priority associated with each of the one or more groups.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures Assets 3 LLC (Intellectual Ventures LLC)
Original Assignee
At&T Delaware Intellectual Property, Inc. (AT&T, Inc.)
Inventors
Aaron, Jeffrey A.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
LEMMA, SAMSON B

Application Number

US10/611,635
Publication Number

US 20040268150A1
Time in Patent Office

1,681 Days
Field of Search

726/11, 726/1, 726/12, 726/13, 713/153
US Class Current

726/13
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0263   Rule management

H04L 63/108   when the policy decisions a...

Network firewall policy configuration facilitation

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Network firewall policy configuration facilitation

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links