Integrated computer security management system and method
First Claim
1. A computer-implemented method for managing computer security information comprising the steps of:
- acquiring a packet from an information stream;
- determining whether an intrusion detection system (IDS) has been placed in a monitoring mode;
- performing a first evaluation of the packet with a firewall by comparing the packet with one or more firewall rules and classifying the packet with the firewall based upon the comparison, wherein the classifying step comprises a determination by the firewall of whether the packet should be deemed as trusted;
- generating firewall status information by the firewall using the first evaluation of the packet made by the firewall, wherein the firewall status information comprises the determination made by the firewall with respect to the packet;
- communicating the packet and the firewall status information from the firewall to the intrusion detection system for a second evaluation;
- if the packet is deemed by the firewall as trusted, then sending the trusted packet irrespective of the second evaluation and determination by the intrusion detection system, and sending a copy of the trusted packet to the intrusion detection system for the second evaluation;
- performing the second evaluation within the intrusion detection system by evaluating the packet and the firewall status information communicated from the firewall; and
- determining whether to send or drop the packet using the intrusion detection system based upon at least one of the firewall status information and the intrusion detection system evaluation.
16 Assignments
0 Petitions
Abstract
The present invention is generally directed to a computer security management system that integrates a firewall with an intrusion detection system (IDS). In other words, the firewall and IDS of the present invention can be designed to communicate process or status information and packets with one another. The present invention can facilitate centralized control of the firewall and the IDS and can increase the speed at which packets are passed between a secured computer network and an external network. Increased packet processing speed can be achieved in several ways. For example, the firewall and IDS can process packets in series, in parallel, and sometimes singularly when one of the components is not permitted to process a packet. Alternatively, singular processing can also be performed when one component is permitted to pass a packet to the secured computer network without checking with the other component.
272 Citations
24 Claims
1. A computer-implemented method for managing computer security information comprising the steps of:
- acquiring a packet from an information stream;
- determining whether an intrusion detection system (IDS) has been placed in a monitoring mode;
- performing a first evaluation of the packet with a firewall by comparing the packet with one or more firewall rules and classifying the packet with the firewall based upon the comparison, wherein the classifying step comprises a determination by the firewall of whether the packet should be deemed as trusted;
- generating firewall status information by the firewall using the first evaluation of the packet made by the firewall, wherein the firewall status information comprises the determination made by the firewall with respect to the packet;
- communicating the packet and the firewall status information from the firewall to the intrusion detection system for a second evaluation;
- if the packet is deemed by the firewall as trusted, then sending the trusted packet irrespective of the second evaluation and determination by the intrusion detection system, and sending a copy of the trusted packet to the intrusion detection system for the second evaluation;
- performing the second evaluation within the intrusion detection system by evaluating the packet and the firewall status information communicated from the firewall; and
- determining whether to send or drop the packet using the intrusion detection system based upon at least one of the firewall status information and the intrusion detection system evaluation.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A computer-implemented method for managing computer security information comprising the steps of:
- acquiring a packet from an information stream;
- performing a first evaluation of the packet with a firewall by comparing the packet with one or more firewall rules and classifying the packet with the firewall based upon the comparison, wherein the classifying step comprises a determination that the firewall has deemed a packet as trusted;
- generating firewall status information by the firewall using the first evaluation of the packet made by the firewall, wherein the firewall status information comprises the determination made by the firewall with respect to the packet;
- determining whether to communicate the packet and the firewall status information to an intrusion detection system by evaluating at least one of (a-d):
  (a) whether the intrusion detection system is available for processing the packet;
  (b) whether the firewall has been placed in a mode of operation for ignoring the intrusion detection system; and
  (c) whether the intrusion detection system has been placed in a mode of operation for monitoring packets processed by the firewall;
  (d) stopping processing of a packet by the firewall after being processed by the firewall; and
- performing the second evaluation within the intrusion detection system by evaluating the packet and the firewall status information communicated from the firewall.
Dependent claims: 13

14. An integrated computer security management system comprising:
- a secured computer network;
- a packet acquisition engine connected to the secured computer network;
- a firewall coupled to the packet acquisition engine, for performing a first evaluation of a packet with one or more rules in order to determine whether to send the packet to the secured computer network, for generating firewall status information by classifying the packet with the firewall based upon the comparison of the packet with the one or more rules, wherein the classifying step comprises a determination by the firewall of whether the packet should be deemed as trusted, and for communicating the firewall status information and the packet to an intrusion detection system;
- an intrusion detection system coupled to the packet acquisition engine, for receiving the packet and firewall status information from the firewall, for performing a second evaluation by evaluating the firewall status information and the packet communicated from the firewall, for comparing the packet with one or more listed signatures and evaluating the firewall status information in order to determine whether to send the packet from or grant entry of the packet into the secured computer network, and for generating an alert if a match between the packet and one or more listed signatures exists; and
- a central controller coupled to the firewall and the intrusion detection system, for configuring at least one of the firewall and intrusion detection system.
Dependent claims: 15, 16, 17, 18, 19, 20, 21

22. A computer-implemented method for managing computer security information comprising the steps of:
- acquiring a packet from an information stream;
- performing a first evaluation of the packet with a firewall by comparing the packet with one or more firewall rules and classifying the packet with the firewall based upon the comparison, wherein the classifying step comprises a determination by the firewall of whether the packet should be deemed as trusted;
- generating firewall status information by the firewall using the first evaluation of the packet made by the firewall, wherein the firewall status information comprises the determination made by the firewall with respect to the packet;
- communicating the packet to a virus scanning device;
- evaluating the packet with the virus scanning device;
- communicating the packet and the firewall status information and virus status information to an intrusion detection system for a second evaluation, the virus status information comprises at least a decision made by the virus scanning device with respect to the packet based upon a comparison of the packet with one or more virus signatures; and
- performing the second evaluation within the intrusion detection system by evaluating the packet and the firewall status information and virus status information.
Dependent claims: 23, 24
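The firewall-to-IDS hand-off that the four independent claims describe (claim 1's trusted-packet bypass with a copy to the IDS, claim 12's modes under which the IDS is left out of the path, claim 14's signature match and alert, claim 22's virus-scanner status forwarded alongside the firewall status), worked through as an added example. This is illustrative code written for this page, not the patent's or any vendor's implementation: the rule format, first-match rule semantics, the fields of the status record, the boolean `monitoring`, `available` and `ignore_ids` flags, and every packet, rule and signature are constructed assumptions.

```python
# Added illustration of the claimed pipeline; not the patent's code.
# Rule format, status fields, mode flags and all sample data are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    payload: bytes


@dataclass
class FirewallStatus:
    """The 'firewall status information' handed to the IDS with the packet."""
    trusted: bool                    # the firewall's classification of the packet
    rule: str                        # which rule produced it (for the IDS and controller)
    virus_hit: Optional[str] = None  # claim 22: virus scanner decision, if a scanner ran


@dataclass(frozen=True)
class FirewallRule:
    name: str
    src_net: str
    dport: Optional[int]  # None matches any port
    action: str           # "trust", "allow" or "deny"


class Firewall:
    def __init__(self, rules, ignore_ids=False):
        self.rules = list(rules)
        self.ignore_ids = ignore_ids  # claim 12(b): firewall set to ignore the IDS

    def evaluate(self, pkt):
        """First evaluation: first matching rule wins; no match is denied."""
        for r in self.rules:
            if ip_address(pkt.src) in ip_network(r.src_net) and r.dport in (None, pkt.dport):
                return r.action, FirewallStatus(trusted=(r.action == "trust"), rule=r.name)
        return "deny", FirewallStatus(trusted=False, rule="default-deny")


class VirusScanner:
    def __init__(self, signatures):
        self.signatures = dict(signatures)

    def scan(self, pkt):
        return next((n for n, s in self.signatures.items() if s in pkt.payload), None)


class IDS:
    def __init__(self, signatures, monitoring=True, available=True):
        self.signatures = dict(signatures)
        self.monitoring = monitoring  # claim 1 / claim 12(c)
        self.available = available    # claim 12(a)
        self.alerts = []

    def evaluate(self, pkt, status):
        """Second evaluation: packet plus firewall (and virus) status; returns send/drop."""
        for name, sig in self.signatures.items():
            if sig in pkt.payload:
                self.alerts.append((name, status.rule, status.trusted))
                return "drop"
        if status.virus_hit is not None:
            self.alerts.append((status.virus_hit, status.rule, status.trusted))
            return "drop"
        return "send"


class Pipeline:
    """The central controller's wiring of firewall, optional scanner and IDS."""
    def __init__(self, fw, ids, scanner=None):
        self.fw, self.ids, self.scanner = fw, ids, scanner

    def process(self, pkt):
        action, status = self.fw.evaluate(pkt)
        if action == "deny":
            return "drop"              # singular processing: the IDS never sees the packet
        if self.scanner is not None:   # claim 22: scanner verdict travels with the status
            status.virus_hit = self.scanner.scan(pkt)
        ids_in_path = self.ids.available and self.ids.monitoring and not self.fw.ignore_ids
        if not ids_in_path:
            return "send"              # claim 12 (a)-(c): the firewall's verdict stands alone
        if status.trusted:
            # claim 1: a trusted packet is forwarded irrespective of the IDS verdict;
            # the IDS still gets a copy, so it can alert but cannot block
            self.ids.evaluate(pkt, status)
            return "send"
        return self.ids.evaluate(pkt, status)


def run_demo():
    """Constructed traffic; returns each outcome plus the IDS alert log."""
    rules = [
        FirewallRule("trust-mgmt-net", "10.0.0.0/24", None, "trust"),
        FirewallRule("allow-web", "0.0.0.0/0", 80, "allow"),
        FirewallRule("deny-telnet", "0.0.0.0/0", 23, "deny"),
    ]
    ids_sigs = {"shell-in-payload": b"/bin/sh"}   # constructed IDS signature
    av_sigs = {"test-virus": b"VIRUS-SAMPLE"}     # constructed virus signature
    ids = IDS(ids_sigs)
    p = Pipeline(Firewall(rules), ids, VirusScanner(av_sigs))
    out = {
        "trusted_malicious": p.process(Packet("10.0.0.5", 80, b"GET /bin/sh")),
        "untrusted_malicious": p.process(Packet("203.0.113.7", 80, b"GET /bin/sh")),
        "untrusted_clean": p.process(Packet("203.0.113.7", 80, b"GET /index.html")),
        "untrusted_virus": p.process(Packet("203.0.113.7", 80, b"GET VIRUS-SAMPLE")),
        "denied": p.process(Packet("203.0.113.7", 23, b"/bin/sh")),
    }
    out["alerts"] = list(ids.alerts)
    # IDS taken out of the path (claim 12(c)): the firewall alone decides
    passive = Pipeline(Firewall(rules), IDS(ids_sigs, monitoring=False))
    out["ids_not_monitoring"] = passive.process(Packet("203.0.113.7", 80, b"GET /bin/sh"))
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The point to take from the run is the trusted path: the packet from the "trusted" management network carries the same signature as the dropped untrusted one, yet it is sent, and the IDS can only record an alert tagged `trusted=True`. In a deployment built this way a "trust" rule is therefore an IDS-blocking bypass, not just a firewall allow, so such rules should be kept narrow and alerts with the trusted flag set should be watched rather than filtered as noise. The same holds when the IDS is unavailable or not in monitoring mode: the firewall's verdict alone decides, and nothing is logged by the IDS at all.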
Specification