System and method for on-demand dynamic control of security policies/rules by a client computing device

US 7,475,424 B2
Filed: 09/02/2004
Issued: 01/06/2009
Est. Priority Date: 09/02/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method, in a data processing system, for configuring a data flow filtering mechanism that filters data flows to a plurality of client computing devices, comprising:

establishing one or more portions of configuration information for the data flow filtering mechanism that are modifiable by a protected client computing device in a plurality of protected client computing devices and one or more portions of configuration information for the data flow filtering mechanism that are not modifiable by the protected client computing device;

receiving a request from the protected client computing device to modify a portion of configuration information for the data flow filtering mechanism that is established as a client computing device modifiable portion of configuration information; and

storing a client computing device configuration profile incorporating the modification to the client computing device modifiable portion of the configuration information, wherein the client computing device configuration profile is used by the data flow filtering mechanism to filter a data flow to or from the protected client computing device, wherein the client computing device configuration profile filters data flowing between the protected client computing device and one or more non-protected client computing devices, and wherein the client computing device configuration profile applies only to data flows to and from the protected client computing device through the data flow filtering mechanism and does not affect data flows to other protected client computing devices in the plurality of protected client computing devices through the data flow filtering mechanism;

receiving a data flow;

determining if the data flow is associated with the protected client computing device that is protected by the data flow filtering mechanism;

filtering the data flow based on the client computing device configuration profile associated with the protected client computing device in response to a determination that the data flow is associated with the protected client computing device;

determining if there is a conflict between a security policy/rule in the client computing device configuration profile and a security policy/rule in default configuration information; and

resolving the conflict based on a security policy/rule conflict resolution policy, wherein the security policy/rule conflict resolution policy selects a more restrictive security policy/rule to be used by the data flow filtering mechanism.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for an end user to change the operation of a data flow filter mechanism, such as a firewall, that operates to control data flows between a plurality of protected computing devices and one or more non-protected computing devices. With the system and method, an administrator of a sub-network of computing devices may set a client computing device'"'"'s scope of rules/policies that may be changed by a user of the client computing device, with regard to a data flow filter mechanism. The user of the client computing device, or the client computing device itself, may then log onto the data flow filter mechanism and modify the operation of the data flow filter mechanism within the limits established by the administrator.

Citations

7 Claims

1. A method, in a data processing system, for configuring a data flow filtering mechanism that filters data flows to a plurality of client computing devices, comprising:
- establishing one or more portions of configuration information for the data flow filtering mechanism that are modifiable by a protected client computing device in a plurality of protected client computing devices and one or more portions of configuration information for the data flow filtering mechanism that are not modifiable by the protected client computing device;
  
  receiving a request from the protected client computing device to modify a portion of configuration information for the data flow filtering mechanism that is established as a client computing device modifiable portion of configuration information; and
  
  storing a client computing device configuration profile incorporating the modification to the client computing device modifiable portion of the configuration information, wherein the client computing device configuration profile is used by the data flow filtering mechanism to filter a data flow to or from the protected client computing device, wherein the client computing device configuration profile filters data flowing between the protected client computing device and one or more non-protected client computing devices, and wherein the client computing device configuration profile applies only to data flows to and from the protected client computing device through the data flow filtering mechanism and does not affect data flows to other protected client computing devices in the plurality of protected client computing devices through the data flow filtering mechanism;
  
  receiving a data flow;
  
  determining if the data flow is associated with the protected client computing device that is protected by the data flow filtering mechanism;
  
  filtering the data flow based on the client computing device configuration profile associated with the protected client computing device in response to a determination that the data flow is associated with the protected client computing device;
  
  determining if there is a conflict between a security policy/rule in the client computing device configuration profile and a security policy/rule in default configuration information; and
  
  resolving the conflict based on a security policy/rule conflict resolution policy, wherein the security policy/rule conflict resolution policy selects a more restrictive security policy/rule to be used by the data flow filtering mechanism.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the data flow filtering mechanism is one of a firewall, a router, a switch, a network infrastructure component, and a virtual private network node.
  - 3. The method of claim 1, wherein the portions of configuration information for the data flow filtering mechanism identify security policies or rules to be applied by the data flow filtering mechanism to data flows through the data flow filtering mechanism.
  - 4. The method of claim 3, wherein the security polices or rules identify one or more of data flow types that are permitted to pass through the data flow filtering mechanism unaltered, data flow types that are to be blocked by the data flow filtering mechanism, and types of data that are to be removed from data flows.
  - 5. The method of claim 1, wherein the request to modify a portion of the configuration information is automatically generated by the protected client computing device in response to a detected condition or event.
  - 6. The method of claim 1, further comprising:
    - providing one or more interfaces through which a user may select or enter configuration parameters in the client computing device modifiable portion of the configuration information for configuring the data flow filtering mechanism for filtering data flows to and from the protected client computing device.
  - 7. The method of claim 1, wherein determining if the data flow is associated with the protected client computing device includes:
    - reading header information in one or more data packets of the data flow;
      
      determining if one of a source identifier and a destination identifier in the header information identifies the protected client computing device; and
      
      retrieving the client computing device configuration profile in response to a determination that one of the source identifier and the destination identifier identifies the protected client computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Lingafelt, Charles Steven, Vu, Chien D., Nguyen, Phuong Thanh
Primary Examiner(s)
Moazzami, Nasser G
Assistant Examiner(s)
Cervetti, David Garcia

Application Number

US10/933,624
Publication Number

US 20060048218A1
Time in Patent Office

1,587 Days
Field of Search

726/11, 726/13, 726/1
US Class Current

726/13
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 67/303 Terminal profiles

System and method for on-demand dynamic control of security policies/rules by a client computing device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for on-demand dynamic control of security policies/rules by a client computing device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links