Integrated computer security management system and method

US 7,331,061 B1
Filed: 09/07/2001
Issued: 02/12/2008
Est. Priority Date: 09/07/2001
Status: Expired due to Term

First Claim

Patent Images

1. A computer-implemented method for managing computer security information comprising the steps of:

acquiring a packet from an information stream;

determining whether an intrusion detection system (IDS) has been placed in a monitoring mode;

performing a first evaluation of the packet with a firewall by comparing the packet with one or more firewall rules and classifying the packet with the firewall based upon the comparison, wherein the classifying step comprises a determination by the firewall of whether the packet should be deemed as trusted;

generating firewall status information by the firewall using the first evaluation of the packet made by the firewall, wherein the firewall status information comprises the determination made by the firewall with respect to the packet;

communicating the packet and the firewall status information from the firewall to the intrusion detection system for a second evaluation;

if the packet is deemed by the firewall as trusted, then sending the trusted packet irrespective of the second evaluation and determination by the intrusion detection system, and sending a copy of the trusted packet to the intrusion detection system for the second evaluation;

performing the second evaluation within the intrusion detection system by evaluating the packet and the firewall status information communicated from the firewall; and

determining whether to send or drop the packet using the intrusion detection system based upon at least one of the firewall status information and the intrusion detection system evaluation.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is generally directed to a computer security management system that integrates a firewall with an intrusion detection system (IDS). In other words, the firewall and IDS of the present invention can be designed to communicate process or status information and packets with one another. The present invention can facilitate centralized control of the firewall and the IDS and can increase the speed at which packets are passed between a secured computer network and an external network. Increased packet processing speed can be achieved in several ways. For example, the firewall and IDS can process packets in series, in parallel, and sometimes singularly when one of the components is not permitted to process a packet. Alternatively, singular processing can also be performed when one component is permitted to pass a packet to the secured computer network without checking with the other component.

272 Citations

24 Claims

1. A computer-implemented method for managing computer security information comprising the steps of:
- acquiring a packet from an information stream;
  
  determining whether an intrusion detection system (IDS) has been placed in a monitoring mode;
  
  performing a first evaluation of the packet with a firewall by comparing the packet with one or more firewall rules and classifying the packet with the firewall based upon the comparison, wherein the classifying step comprises a determination by the firewall of whether the packet should be deemed as trusted;
  
  generating firewall status information by the firewall using the first evaluation of the packet made by the firewall, wherein the firewall status information comprises the determination made by the firewall with respect to the packet;
  
  communicating the packet and the firewall status information from the firewall to the intrusion detection system for a second evaluation;
  
  if the packet is deemed by the firewall as trusted, then sending the trusted packet irrespective of the second evaluation and determination by the intrusion detection system, and sending a copy of the trusted packet to the intrusion detection system for the second evaluation;
  
  performing the second evaluation within the intrusion detection system by evaluating the packet and the firewall status information communicated from the firewall; and
  
  determining whether to send or drop the packet using the intrusion detection system based upon at least one of the firewall status information and the intrusion detection system evaluation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising the steps of:
    - prior to communicating the packet and firewall status information to the intrusion detection system,copying the packet;
      
      determining whether to send the packet based upon the firewall evaluation alone;
      
      sending the packet if the packet does not violate any rules of the firewall; and
      
      forwarding the copy of the packet to the intrusion detection system.
  - 3. The method of claim 1, further comprising the steps of:
    - prior to communicating the packet and firewall status information to the intrusion detection system,copying the packet;
      
      determining whether to deny the packet based upon the firewall evaluation alone;
      
      dropping the packet if the packet does violate any rules of the firewall; and
      
      forwarding the copy of the packet to the intrusion detection system.
  - 4. The method of claim 1, further comprising the steps of:
    - determining whether the IDS is available for packet processing; and
      
      if the IDS is unavailable, determining whether to send the packet based upon the firewall evaluation alone.
  - 5. The method of claim 1, further comprising the steps of:
    - determining whether the IDS is available for packet processing; and
      
      if the IDS is unavailable, dropping the packet.
  - 6. The method of claim 1, further comprising the steps of:
    - identifying a source of the packet;
      
      comparing the identified source to a predetermined list; and
      
      if the identified source matches a source on the list, sending the packet.
  - 7. The method of claim 1, further comprising the step of evaluating the packet with a virus scanning device.
  - 8. The method of claim 1, further comprising the steps of:
    - determining if the packet is destined for the secured computer network; and
      
      communicating the packet to the intrusion detection system even if the packet is not destined for the secured computer network.
  - 9. The method of claim 1, wherein the step of evaluating the packet and the firewall status information further comprises the steps of:
    - determining whether the firewall has deemed a packet as trusted;
      
      determining whether the firewall has deemed a packet as rejected; and
      
      determining whether the firewall has deemed a packet as denied.
  - 10. The method of claim 1, wherein the step of evaluating the packet and the firewall status information further comprises the steps of:
    - determining whether the firewall has deemed a packet as trusted; and
      
      if the firewall has deemed the packet as trusted, terminating processing by the intrusion detection system.
  - 11. The method of claim 1, wherein the step of evaluating the packet and the firewall status information further comprises the steps of:
    - determining whether the firewall has deemed a packet as denied or rejected; and
      
      if the firewall has deemed the packet as denied or rejected, terminating processing by the intrusion detection system.

12. A computer-implemented method for managing computer security information comprising the steps of:
- acquiring a packet from an information stream;
  
  performing a first evaluation of the packet with a firewall by comparing the packet with one or more firewall rules and classifying the packet with the firewall based upon the comparison, wherein the classifying step comprises a determination that the firewall has deemed a packet as trusted;
  
  generating firewall status information by the firewall using the first evaluation of the packet made by the firewall, wherein the firewall status information comprises the determination made by the firewall with respect to the packet;
  
  determining whether to communicate the packet and the firewall status information to an intrusion detection system by evaluating at least one of (a-d);
  
  (a) whether the intrusion detection system is available for processing the packet;
  
  (b) whether the firewall has been placed in a mode of operation for ignoring the intrusion detection system; and
  
  (c) whether the intrusion detection system has been placed in a mode of operation for monitoring packets processed by the firewall;
  
  (d) stopping processing of a packet by the firewall after being processed by the firewall; and
  
  performing the second evaluation within the intrusion detection system by evaluating the packet and the firewall status information communicated from the firewall.
- View Dependent Claims (13)
- - 13. The method of claim 12, further comprising the step of determining whether to send the packet based upon the firewall evaluation.

14. An integrated computer security management system comprising:
- a secured computer network;
  
  a packet acquisition engine connected to the secured computer network;
  
  a firewall coupled to the packet acquisition engine, for performing a first evaluation of a packet with one or more rules in order to determine whether to send the packet to the secured computer network, for generating firewall status information by classifying the packet with the firewall based upon the comparison of the packet with the one or more rules, wherein the classifying step comprises a determination by the firewall of whether the packet should be deemed as trusted, and for communicating the firewall status information and the packet to an intrusion detection system;
  
  an intrusion detection system coupled to the packet acquisition engine, for receiving the packet and firewall status information from the firewall, for performing a second evaluation by evaluating the firewall status information and the packet communicated from the firewall, for comparing the packet with one or more listed signatures and evaluating the firewall status information in order to determine whether to send the packet from or grant entry of the packet into the secured computer network, and for generating an alert if a match between the packet and one or more listed signatures exists; and
  
  a central controller coupled to the firewall and the intrusion detection system, for configuring at least one of the firewall and intrusion detection system.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The system of claim 14, wherein the central controller receives one or more alerts that are generated by the intrusion detection system.
  - 16. The system of claim 14, wherein the secured computer network comprises a private network.
  - 17. The system of claim 14, wherein the packet acquisition engine comprises a bridge.
  - 18. The system of claim 17, wherein the bridge comprises an interface that operates at the International Organization for Standardization Open Systems Interconnection (ISO/OSI) data-link layer.
  - 19. The system of claim 17, wherein the packet acquisition engine comprises an Internet Protocol layer running at an internetwork layer in the Transfer Connection Protocol over Internet Protocol (TCP/IP) model or the network layer in the ISO/OSI reference model.
  - 20. The system of claim 14, wherein the intrusion detection system performs network address translation.
  - 21. The system of claim 14, wherein the intrusion detection system and firewall reside on at least one computer.

22. A computer-implemented method for managing computer security information comprising the steps of:
- acquiring a packet from an information stream;
  
  performing a first evaluation of the packet with a firewall by comparing the packet with one or more firewall rules and classifying the packet with the firewall based upon the comparison, wherein the classifying step comprises a determination by the firewall of whether the packet should be deemed as trusted;
  
  generating firewall status information by the firewall using the first evaluation of the packet made by the firewall, wherein the firewall status information comprises the determination made by the firewall with respect to the packet;
  
  communicating the packet to a virus scanning device;
  
  evaluating the packet with the virus scanning device;
  
  communicating the packet and the firewall status information and virus status information to an intrusion detection system for a second evaluation, the virus status information comprises at least a decision made by the virus scanning device with respect to the packet based upon a comparison of the packet with one or more virus signatures; and
  
  performing the second evaluation within the intrusion detection system by evaluating the packet and the firewall status information and virus status information.
- View Dependent Claims (23, 24)
- - 23. The method of claim 22, further comprising the step of evaluating the packet with a virus scanning device.
  - 24. The method of claim 22, further comprising the step of determining whether to send the packet based upon at least one of the firewall, intrusion detection, and virus scanning device evaluations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Secureworks Incorporated (Dell Technologies Inc.)
Original Assignee
Secureworks Incorporated (Dell Technologies Inc.)
Inventors
Ketts, Kevin, Ramsey, Jon, Buer, Steve
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
SHAW, YIN CHEN

Application Number

US09/949,095
Time in Patent Office

2,349 Days
Field of Search

713/200, 713/201, 713/154, 713/188, 726/11, 726/13, 726 22- 24
US Class Current

726/23
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Integrated computer security management system and method

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

272 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Integrated computer security management system and method

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

272 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others