System and method for on-demand dynamic control of security policies/rules by a client computing device
First Claim
1. A method, in a data processing system, for configuring a data flow filtering mechanism that filters data flows to a plurality of client computing devices, comprising:
establishing one or more portions of configuration information for the data flow filtering mechanism that are modifiable by a protected client computing device in a plurality of protected client computing devices and one or more portions of configuration information for the data flow filtering mechanism that are not modifiable by the protected client computing device;
receiving a request from the protected client computing device to modify a portion of configuration information for the data flow filtering mechanism that is established as a client computing device modifiable portion of configuration information; and
storing a client computing device configuration profile incorporating the modification to the client computing device modifiable portion of the configuration information, wherein the client computing device configuration profile is used by the data flow filtering mechanism to filter a data flow to or from the protected client computing device, wherein the client computing device configuration profile filters data flowing between the protected client computing device and one or more non-protected client computing devices, and wherein the client computing device configuration profile applies only to data flows to and from the protected client computing device through the data flow filtering mechanism and does not affect data flows to other protected client computing devices in the plurality of protected client computing devices through the data flow filtering mechanism;
receiving a data flow;
determining if the data flow is associated with the protected client computing device that is protected by the data flow filtering mechanism;
filtering the data flow based on the client computing device configuration profile associated with the protected client computing device in response to a determination that the data flow is associated with the protected client computing device;
determining if there is a conflict between a security policy/rule in the client computing device configuration profile and a security policy/rule in default configuration information; and
resolving the conflict based on a security policy/rule conflict resolution policy, wherein the security policy/rule conflict resolution policy selects a more restrictive security policy/rule to be used by the data flow filtering mechanism.
2 Assignments
0 Petitions
Abstract
A system and method for an end user to change the operation of a data flow filter mechanism, such as a firewall, that operates to control data flows between a plurality of protected computing devices and one or more non-protected computing devices. With the system and method, an administrator of a sub-network of computing devices may set a client computing device's scope of rules/policies that may be changed by a user of the client computing device, with regard to a data flow filter mechanism. The user of the client computing device, or the client computing device itself, may then log onto the data flow filter mechanism and modify the operation of the data flow filter mechanism within the limits established by the administrator.
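Claim 1 and the abstract describe the mechanism in words. What follows is an added illustration, not code from the patent or its assignee: a small Python model of the filter in which the administrator fixes which configuration sections a protected client may change, each client's profile applies only to flows between that client and non-protected hosts, and a conflict between a profile rule and a default rule is resolved in favour of the more restrictive rule. All class and function names, the rule fields, the section names (default_rules, client_rules, log_level) and the addresses are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional

# Conflict resolution policy from claim 1: the more restrictive rule wins.
RESTRICTIVENESS = {"allow": 0, "deny": 1}


@dataclass(frozen=True)
class Rule:
    """One security policy/rule. Field names are this example's own."""
    action: str                 # "allow" or "deny"
    proto: str = "any"          # "tcp", "udp" or "any"
    port: Optional[int] = None  # destination port; None matches any port
    peer: str = "any"           # the non-protected endpoint; "any" matches all

    def matches(self, flow: "Flow", peer: str) -> bool:
        return (self.proto in ("any", flow.proto)
                and self.port in (None, flow.dport)
                and self.peer in ("any", peer))


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


class FlowFilter:
    """Data-flow filter between a set of protected clients and everything else."""

    def __init__(self, protected, default_rules, client_modifiable, default_action="deny"):
        self.protected = set(protected)
        self.default_rules = list(default_rules)        # shared by all protected clients
        self.client_modifiable = set(client_modifiable)  # sections the admin opened up
        self.default_action = default_action             # used when nothing matches
        self.profiles = {}  # client address -> {section name: value}

    def request_modification(self, client, section, value):
        """Store a client's change, but only to a section the administrator opened up."""
        if client not in self.protected:
            raise PermissionError(f"{client} is not a protected client")
        if section not in self.client_modifiable:
            raise PermissionError(f"section {section!r} is not client-modifiable")
        self.profiles.setdefault(client, {})[section] = value

    def protected_endpoint(self, flow):
        """(protected client, non-protected peer), or (None, None) unless the flow is
        between exactly one protected client and a non-protected host."""
        src_prot, dst_prot = flow.src in self.protected, flow.dst in self.protected
        if src_prot and not dst_prot:
            return flow.src, flow.dst
        if dst_prot and not src_prot:
            return flow.dst, flow.src
        return None, None

    @staticmethod
    def _first_match(rules, flow, peer):
        return next((r for r in rules if r.matches(flow, peer)), None)

    def decide(self, flow) -> Optional[str]:
        """"allow"/"deny" for a flow of a protected client; None if not ours to filter."""
        client, peer = self.protected_endpoint(flow)
        if client is None:
            return None
        default = self._first_match(self.default_rules, flow, peer)
        client_rules = self.profiles.get(client, {}).get("client_rules", [])
        profile = self._first_match(client_rules, flow, peer)
        if default and profile and default.action != profile.action:
            # Conflict: the more restrictive rule wins, so a client's own profile
            # can never loosen a default deny set by the administrator.
            return max((default, profile), key=lambda r: RESTRICTIVENESS[r.action]).action
        chosen = default or profile
        return chosen.action if chosen else self.default_action


def modification_accepted(fw, client, section, value) -> bool:
    """True if the filter stored the change, False if it refused it."""
    try:
        fw.request_modification(client, section, value)
        return True
    except PermissionError:
        return False


def build_example():
    """Constructed scenario (addresses are documentation ranges, not real hosts)."""
    fw = FlowFilter(
        protected={"10.0.0.5", "10.0.0.6"},
        default_rules=[Rule("deny", "tcp", 22),      # admin: no SSH across the filter
                       Rule("allow", "tcp", 443)],   # admin: HTTPS permitted
        client_modifiable={"client_rules", "log_level"},
    )
    # 10.0.0.5 opens tcp/8080 to one external host and also tries to allow SSH;
    # 10.0.0.6 changes nothing, so its flows see only the default rules.
    fw.request_modification("10.0.0.5", "client_rules",
                            [Rule("allow", "tcp", 8080, peer="203.0.113.10"),
                             Rule("allow", "tcp", 22)])
    return fw
```

Two caveats the claim leaves open and the model makes visible. First, the conflict policy only bites where a default rule and a profile rule both match the same flow; a default set written as a single catch-all deny would leave clients unable to allow anything, so default rules should be specific and unmatched flows should fall to the filter's default action. Second, the example bounds client changes only by configuration section; a deployment would normally also constrain what a client may put inside a modifiable section (a port range, a set of peers), since an unbounded client_rules section lets a compromised client open any port the defaults do not already deny.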
7 Claims
Claim 1 (independent) is reproduced above under First Claim; dependent claims 2 through 7 are not reproduced on this page.