System and method for behavior-based firewall modeling

US 7,610,621 B2
Filed: 03/10/2005
Issued: 10/27/2009
Est. Priority Date: 03/10/2004
Status: Active Grant

First Claim

Patent Images

1. A method for controlling data flow through a firewall comprising:

establishing a firewall model for the firewall, wherein the firewall model defines nodes, connections between the nodes, and a set of firewall rules applicable to the nodes, the connections between the nodes, or a combination thereof, wherein each of the nodes represents simultaneously a source and a destination for data packets, and wherein the set of firewall rules comprise a tree graph with an arriving sub-tree having one or more rule chains for conditioning the data packets without accepting or dropping the data packets, a matrix sub-tree having one or more rule chains for accepting or dropping in the data packets without changing the data packets, and an extensible sub-tree having one or more rule chains for providing dynamic extensibility to the firewall rules;

implementing the firewall within one or more machines connected to network segments where the nodes reside;

receiving a packet at an arriving node, wherein the arriving node is one of the nodes defined by the firewall model;

conditioning the packet based on rules in the one or more rule chains in the arriving sub-tree that are associated with the arriving node; and

accepting or dropping the packet based on rules in the one or more rule chains in the matrix sub-tree that are associated with the arriving node, an inter-node connection, or a combination thereof, wherein the inter-node connection is one of the connections defined by the firewall model.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention creates a model of the traffic through a network firewall and uses that model to dynamically manipulate the network firewall based on human intervention or based on the automatic invocations of processes and protocols that implement firewall policy. Another embodiment of the invention creates a model of the physical and virtual network interfaces that a firewall system controls and presents abstracted entities representing both the interface abstractions and the processing nodes (network segments or network client devices) to and through which network traffic flows.

265 Citations

20 Claims

1. A method for controlling data flow through a firewall comprising:
- establishing a firewall model for the firewall, wherein the firewall model defines nodes, connections between the nodes, and a set of firewall rules applicable to the nodes, the connections between the nodes, or a combination thereof, wherein each of the nodes represents simultaneously a source and a destination for data packets, and wherein the set of firewall rules comprise a tree graph with an arriving sub-tree having one or more rule chains for conditioning the data packets without accepting or dropping the data packets, a matrix sub-tree having one or more rule chains for accepting or dropping in the data packets without changing the data packets, and an extensible sub-tree having one or more rule chains for providing dynamic extensibility to the firewall rules;
  
  implementing the firewall within one or more machines connected to network segments where the nodes reside;
  
  receiving a packet at an arriving node, wherein the arriving node is one of the nodes defined by the firewall model;
  
  conditioning the packet based on rules in the one or more rule chains in the arriving sub-tree that are associated with the arriving node; and
  
  accepting or dropping the packet based on rules in the one or more rule chains in the matrix sub-tree that are associated with the arriving node, an inter-node connection, or a combination thereof, wherein the inter-node connection is one of the connections defined by the firewall model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein each of the nodes comprises at least a service defined by the firewall, at least a device defined by the firewall, or a combination thereof.
  - 3. The method of claim 1, wherein the firewall rules further comprise a departing sub-tree having one or more rule chains for post-processing the data packets at their destination node or nodes.
  - 4. The method of claim 1, wherein the rules in the one or more rule chains in the arriving sub-tree that are associated with the arriving node implement behaviors of the arriving node.
  - 5. The method of claim 1, wherein the rules in the one or more rule chains in the matrix sub-tree that are associated with the inter-node connection implement behaviors of the inter-node connection.
  - 6. The method of claim 1, further comprising reconfiguring the firewall while the firewall is executing on the one or more machines to account for a functional requirement or a network operating environment change.
  - 7. The method of claim 6, wherein reconfiguring the firewall comprises extending, pruning, or modifying one or more serialized sequences of the firewall rules while the firewall is executing on the one or more machines.
  - 8. The method of claim 7, wherein extending a serialized sequence comprises inserting one or more firewall rules while the firewall is executing on the one or more machines.
  - 9. The method of claim 7, wherein pruning a serialized sequence comprises deleting one or more firewall rules while the firewall is executing on the one or more machines.

10. A computer program product comprising a computer readable storage medium storing computer executable instructions for:
- establishing a firewall model for a firewall, wherein the firewall model defines nodes, connections between the nodes, and a set of firewall rules applicable to the nodes, the connections between the nodes, or a combination thereof, wherein each of the nodes represents simultaneously a source and a destination for data packets, and wherein the set of firewall rules comprise a tree graph with an arriving sub-tree having one or more rule chains for conditioning the data packets without accepting or dropping the data packets, a matrix sub-tree having one or more rule chains for accepting or dropping the data packets without changing the data packets, and an extensible sub-tree having one or more rule chains for providing dynamic extensibility to the firewall rules; and
  
  implementing the firewall within one or more machines connected to network segments where the nodes reside, wherein when a packet arrives at one of the nodes, the packet is conditioned based on rules in the one or more rule chains in the arriving sub-tree that are associated with the node, and wherein the packet is accepted or dropped based on rules in the one or more rule chains in the matrix sub-tree that are associated with the node, the inter-node connection, or a combination thereof wherein the inter-node connection is one of the connections defined by the firewall model.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer program product of claim 10, wherein each of the nodes comprises at least a service defined by the firewall, at least a device defined by the firewall, or a combination thereof.
  - 12. The computer program product of claim 10, wherein the firewall rules further comprise a departing sub-tree having one or more rule chains for post-processing the data packets at their destination node or nodes.
  - 13. The computer program product of claim 10, wherein the computer readable storage medium farther stores computer executable instructions for reconfiguring the firewall while the firewall is executing on the one or more machines to account for a functional requirement or a network operating environment change.
  - 14. The computer program product of claim 13, wherein reconfiguring the firewall comprises extending, pruning, or modifying one or more serialized sequences of the firewall rules while the firewall is executing on the one or more machines.
  - 15. The computer program product of claim 13, wherein a node comprises one or more devices, one or more services, or a combination thereof, wherein a device represents a source or sink of network traffic, wherein the device is mapped to a physical device or network interface, or to a virtual device, wherein a service represents a node-specific or connection-specific behavior, and wherein the network operating environment change comprises moving one or more devices, one or more services, or a combination thereof from one node to another.

16. A system for controlling data flow through a firewall, comprising:
- at least one processor; and
  
  a computer readable storage medium accessible by the at least one processor and storing computer instructions executable by the at least one processor for;
  
  establishing a firewall model for a firewall, wherein the firewall model defines nodes, connections between the nodes, and a set of firewall rules applicable to the nodes, the connections between the nodes, or a combination thereof, wherein each of the nodes represents simultaneously a source and a destination for data packets, and wherein the set of firewall rules comprise a tree graph with an arriving sub-tree having one or more rule chains for conditioning the data packets without accepting or dropping the data packets, a matrix sub-tree having one or more rule chains for accepting or dropping the data packets without changing the data packets, and an extensible sub-tree having one or more rule chains for providing dynamic extensibility to the firewall rules; and
  
  implementing the firewall within one or more machines connected to network segments where the nodes reside, wherein when a packet arrives at one of the nodes, the packet is conditioned based on rules in the one or more rule chains in the arriving sub-tree that are associated with the node, and wherein the packet is accepted or dropped based on rules in the one or more rule chains in the matrix sub-tree that are associated with the node, the inter-node connection, or a combination thereof, wherein the inter-node connection is one of the connections defined by the firewall model.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the rules in the one or more rule chains in the arriving sub-tree that are associated with the node implement behaviors of the node.
  - 18. The system of claim 16, wherein the rules in the one or more rule chains in the matrix sub-tree that are associated with the inter-node connection implement behaviors of the inter-node connection.
  - 19. The system of claim 16, wherein the computer readable storage medium further stores computer instructions executable by the at least one processor for reconfiguring the firewall while the firewall is executing on the one or more machines to account for a functional requirement or a network operating environment change.
  - 20. The system of claim 19, wherein a node comprises one or more devices, one or more services, or a combination thereof, wherein a device represents a source or sink of network traffic, wherein the device is mapped to a physical device or network interface, or to a virtual device, wherein a service represents a node-specific or connection-specific behavior, and wherein the network operating environment change comprises moving one or more devices, one or more services, or a combination thereof from one node to another.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Eric White
Inventors
Turley, Patrick, White, Eric
Primary Examiner(s)
Dinh, Minh

Application Number

US11/076,719
Publication Number

US 20050204402A1
Time in Patent Office

1,692 Days
Field of Search

None
US Class Current

726/11
CPC Class Codes

H04L 63/0263 Rule management

System and method for behavior-based firewall modeling

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

265 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for behavior-based firewall modeling

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

265 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links