System and method for on-demand dynamic control of security policies/rules by a client computing device

US 7,882,540 B2
Filed: 09/23/2008
Issued: 02/01/2011
Est. Priority Date: 09/02/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method, in a data processing system, for configuring a data flow filtering device that filters data flows to a plurality of protected client computers that are protected from an external network by the data flow filtering device, comprising:

the data processing system establishing, in default configuration information of the data flow filtering device, one or more portions of configuration information for the data flow filtering device that are modifiable by a protected client computer in a plurality of protected client computers and one or more portions of configuration information for the data flow filtering device that are not modifiable by the protected client computer;

the data processing system receiving a request from the protected client computer to modify a portion of configuration information for the data flow filtering device that was previously established as modifiable by the protected client computer;

in response to receiving the request, the data processing system modifying a configuration profile of the protected client computer to incorporate the modification to the portion of the configuration information, wherein the configuration profile is used by the data flow filtering device to filter a data flow to or from the protected client computer;

the data processing system determining if there is a conflict between a security policy/rule in the modified configuration profile and a security policy/rule in the default configuration information of the data flow filtering device; and

in response to determining the conflict, the data processing system determining whether to use the security policy/rule in the modified configuration policy or the security policy/rule in the default configuration information of the data flow filtering device based on a security policy/rule conflict resolution policy;

wherein each protected client computer of the plurality of protected client computers has a respective configuration profile such that the each protected client computer has its own customizable configuration profile that does not affect how the data flow filtering device operates with regard to other protected client computers of the plurality of protected client computers.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for an end user to change the operation of a data flow filter mechanism, such as a firewall, that operates to control data flows between a plurality of protected computing devices and one or more non-protected computing devices. With the system and method, an administrator of a sub-network of computing devices may set a client computing device'"'"'s scope of rules/policies that may be changed by a user of the client computing device, with regard to a data flow filter mechanism. The user of the client computing device, or the client computing device itself, may then log onto the data flow filter mechanism and modify the operation of the data flow filter mechanism within the limits established by the administrator.

56 Citations

View as Search Results

19 Claims

1. A method, in a data processing system, for configuring a data flow filtering device that filters data flows to a plurality of protected client computers that are protected from an external network by the data flow filtering device, comprising:
- the data processing system establishing, in default configuration information of the data flow filtering device, one or more portions of configuration information for the data flow filtering device that are modifiable by a protected client computer in a plurality of protected client computers and one or more portions of configuration information for the data flow filtering device that are not modifiable by the protected client computer;
  
  the data processing system receiving a request from the protected client computer to modify a portion of configuration information for the data flow filtering device that was previously established as modifiable by the protected client computer;
  
  in response to receiving the request, the data processing system modifying a configuration profile of the protected client computer to incorporate the modification to the portion of the configuration information, wherein the configuration profile is used by the data flow filtering device to filter a data flow to or from the protected client computer;
  
  the data processing system determining if there is a conflict between a security policy/rule in the modified configuration profile and a security policy/rule in the default configuration information of the data flow filtering device; and
  
  in response to determining the conflict, the data processing system determining whether to use the security policy/rule in the modified configuration policy or the security policy/rule in the default configuration information of the data flow filtering device based on a security policy/rule conflict resolution policy;
  
  wherein each protected client computer of the plurality of protected client computers has a respective configuration profile such that the each protected client computer has its own customizable configuration profile that does not affect how the data flow filtering device operates with regard to other protected client computers of the plurality of protected client computers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the data flow filtering device is one of a firewall, a router, a switch, a network infrastructure component, and a virtual private network node.
  - 3. The method of claim 1, wherein the portion of the configuration information identifies security policies or rules to be applied by the data flow filtering device to data flows through the data flow filtering device.
  - 4. The method of claim 3, wherein the security polices or rules identify one or more of data flow types that are permitted to pass through the data flow filtering device unaltered, data flow types that are to be blocked by the data flow filtering device, and types of data that are to be removed from data flows.
  - 5. The method of claim 1, wherein the configuration profile applies only to data flows to and from the protected client computer through the data flow filtering device and does not affect data flows to the other protected client computers through the data flow filtering device.
  - 6. The method of claim 1, wherein the request to modify a portion of the configuration information is automatically generated by the protected client computer in response to a detected condition or event.
  - 7. The method of claim 1, further comprising:
    - the data processing system providing one or more interfaces through which a user may select or enter configuration parameters in the modifiable portion of the configuration information for configuring the data flow filtering device for filtering data flows to and from the protected client computer.
  - 8. The method of claim 1, further comprising:
    - the data processing system receiving a data flow;
      
      the data processing system determining if the data flow is associated with the protected client computer that is protected by the data flow filtering device; and
      
      the data processing system filtering the data flow based on the configuration profile associated with the protected client computer in response to a determination that the data flow is associated with the protected client computer.
  - 9. The method of claim 8, wherein determining if the data flow is associated with the protected client computer includes:
    - the data processing system reading header information in one or more data packets of the data flow;
      
      the data processing system determining if one of a source identifier and a destination identifier in the header information identifies the protected client computer; and
      
      the data processing system retrieving the configuration profile in response to a determination that one of the source identifier and the destination identifier identifies the protected client computer.

10. A computer program product for configuring a data flow filtering device that filters data flows to a plurality of protected client computers that are protected from an external network by the data flow filtering device, comprising:
- a computer readable storage medium;
  
  first instructions for establishing, in default configuration information of the data flow filtering device, one or more portions of configuration information for the data flow filtering device that are modifiable by a protected client computer in a plurality of protected client computers and one or more portions of configuration information for the data flow filtering device that are not modifiable by the protected client computer;
  
  second instructions for receiving a request from the protected client computer to modify a portion of configuration information for the data flow filtering device that was previously established as modifiable by the protected client computer;
  
  third instructions for modifying, in response to receiving the request, a configuration profile of the protected client computer to incorporate the modification to the portion of the configuration information, wherein the configuration profile is used by the data flow filtering device to filter a data flow to or from the protected client computer;
  
  fourth instructions for determining if there is a conflict between a security policy/rule in the modified configuration profile and a security policy/rule in the default configuration information of the data flow filtering device;
  
  fifth instructions for determining, in response to determining the conflict, whether to use the security policy/rule in the modified configuration policy or the security policy/rule in the default configuration information of the data flow filtering device based on a security policy/rule conflict resolution policy;
  
  wherein each protected client computer of the plurality of protected client computers has a respective configuration profile such that the each protected client computer has its own customizable configuration profile that does not affect how the data flow filtering device operates with regard to other protected client computers of the plurality of protected client computers; and
  
  wherein said first, second, third, fourth and fifth instructions are stored on said computer readable storage medium.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer program product of claim 10, wherein the data flow filtering device is one of a firewall, a router, a switch, a network infrastructure component, and a virtual private network node.
  - 12. The computer program product of claim 10, wherein the portion of the configuration information identifies identify security policies or rules to be applied by the data flow filtering device to data flows through the data flow filtering device.
  - 13. The computer program product of claim 12, wherein the security polices or rules identify one or more of data flow types that are permitted to pass through the data flow filtering device unaltered, data flow types that are to be blocked by the data flow filtering device, and types of data that are to be removed from data flows.
  - 14. The computer program product of claim 10, wherein the configuration profile applies only to data flows to and from the protected client computer through the data flow filtering device and does not affect data flows to the other protected client computers through the data flow filtering device.
  - 15. The computer program product of claim 10, wherein the request to modify a portion of the configuration information is automatically generated by the protected client computer in response to a detected condition or event.
  - 16. The computer program product of claim 10, further comprising:
    - sixth instructions for providing one or more interfaces through which a user may select or enter configuration parameters in the modifiable portion of the configuration information for configuring the data flow filtering device for filtering data flows to and from the protected client computer.
  - 17. The computer program product of claim 10, further comprising:
    - seventh instructions for receiving a data flow;
      
      eighth instructions for determining if the data flow is associated with the protected client computer that is protected by the data flow filtering device; and
      
      ninth instructions for filtering the data flow based on the configuration profile associated with the protected client computer in response to a determination that the data flow is associated with the protected client computer.
  - 18. The computer program product of claim 17, wherein the instructions for determining if the data flow is associated with the protected client computer include:
    - instructions for reading header information in one or more data packets of the data flow;
      
      instructions for determining if one of a source identifier and a destination identifier in the header information identifies the protected client computer; and
      
      instructions for retrieving the configuration profile in response to a determination that one of the source identifier and the destination identifier identifies the protected client computer.

19. A system for configuring a data flow filtering device that filters data flows to a plurality of protected client computers that are protected from an external network by the data flow filtering device, comprising:
- a CPU, a computer readable memory and a computer readable storage media;
  
  first program instructions to establish, in default configuration information of the data flow filtering device, one or more portions of configuration information for the data flow filtering mechanism that are modifiable by a protected client computer in a plurality of protected client computers and one or more portions of configuration information for the data flow filtering mechanism that are not modifiable by the protected client computer;
  
  second program instructions to receive a request from the protected client computer to modify a portion of configuration information for the data flow filtering device that was previously established as modifiable by the protected client computer;
  
  third program instructions to modify, in response to receiving the request, a configuration profile of the protected client computer to incorporate the modification to the portion of the configuration information, wherein the configuration profile is used by the data flow filtering device to filter a data flow to or from the protected client computer;
  
  fourth program instructions to determine if there is a conflict between a security policy/rule in the modified configuration profile and a security policy/rule in the default configuration information of the data flow filtering device; and
  
  fifth program instructions to determine, in response to determining the conflict, whether to use the security policy/rule in the modified configuration policy or the security policy/rule in the default configuration information of the data flow filtering device based on a security policy/rule conflict resolution policy;
  
  wherein each protected client computer of the plurality of protected client computers has a respective configuration profile such that the each protected client computer has its own customizable configuration profile that does not affect how the data flow filtering device operates with regard to other protected client computers of the plurality of protected client computers; and
  
  wherein the first, second, third, fourth and fifth program instructions are stored on the computer readable storage media for execution by the CPU via the computer readable memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Vu, Chien D., Lingafelt, Charles Steven, Nguyen, Phuong Thanh
Primary Examiner(s)
Cervetti; David García

Application Number

US12/236,180
Publication Number

US 20090044263A1
Time in Patent Office

861 Days
Field of Search

726/1, 726/11, 726/13
US Class Current

726/1
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 67/303 Terminal profiles

System and method for on-demand dynamic control of security policies/rules by a client computing device

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

System and method for on-demand dynamic control of security policies/rules by a client computing device

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others