System and method for on-demand dynamic control of security policies/rules by a client computing device
First Claim
1. A method, in a data processing system, for configuring a data flow filtering device that filters data flows to a plurality of protected client computers that are protected from an external network by the data flow filtering device, comprising:
the data processing system establishing, in default configuration information of the data flow filtering device, one or more portions of configuration information for the data flow filtering device that are modifiable by a protected client computer in a plurality of protected client computers and one or more portions of configuration information for the data flow filtering device that are not modifiable by the protected client computer;
the data processing system receiving a request from the protected client computer to modify a portion of configuration information for the data flow filtering device that was previously established as modifiable by the protected client computer;
in response to receiving the request, the data processing system modifying a configuration profile of the protected client computer to incorporate the modification to the portion of the configuration information, wherein the configuration profile is used by the data flow filtering device to filter a data flow to or from the protected client computer;
the data processing system determining if there is a conflict between a security policy/rule in the modified configuration profile and a security policy/rule in the default configuration information of the data flow filtering device; and
in response to determining the conflict, the data processing system determining whether to use the security policy/rule in the modified configuration profile or the security policy/rule in the default configuration information of the data flow filtering device based on a security policy/rule conflict resolution policy;
wherein each protected client computer of the plurality of protected client computers has a respective configuration profile such that each protected client computer has its own customizable configuration profile that does not affect how the data flow filtering device operates with regard to other protected client computers of the plurality of protected client computers.
Abstract
A system and method for an end user to change the operation of a data flow filter mechanism, such as a firewall, that operates to control data flows between a plurality of protected computing devices and one or more non-protected computing devices. With the system and method, an administrator of a sub-network of computing devices may set a client computing device's scope of rules/policies that may be changed by a user of the client computing device, with regard to a data flow filter mechanism. The user of the client computing device, or the client computing device itself, may then log onto the data flow filter mechanism and modify the operation of the data flow filter mechanism within the limits established by the administrator.
Citations: 56
Claims (19)
Claim 1 is reproduced above under "First Claim"; its dependent claims 2, 3, 4, 5, 6, 7, 8 and 9 are not reproduced on this page.
10. A computer program product for configuring a data flow filtering device that filters data flows to a plurality of protected client computers that are protected from an external network by the data flow filtering device, comprising:
a computer readable storage medium;
first instructions for establishing, in default configuration information of the data flow filtering device, one or more portions of configuration information for the data flow filtering device that are modifiable by a protected client computer in a plurality of protected client computers and one or more portions of configuration information for the data flow filtering device that are not modifiable by the protected client computer;
second instructions for receiving a request from the protected client computer to modify a portion of configuration information for the data flow filtering device that was previously established as modifiable by the protected client computer;
third instructions for modifying, in response to receiving the request, a configuration profile of the protected client computer to incorporate the modification to the portion of the configuration information, wherein the configuration profile is used by the data flow filtering device to filter a data flow to or from the protected client computer;
fourth instructions for determining if there is a conflict between a security policy/rule in the modified configuration profile and a security policy/rule in the default configuration information of the data flow filtering device;
fifth instructions for determining, in response to determining the conflict, whether to use the security policy/rule in the modified configuration profile or the security policy/rule in the default configuration information of the data flow filtering device based on a security policy/rule conflict resolution policy;
wherein each protected client computer of the plurality of protected client computers has a respective configuration profile such that each protected client computer has its own customizable configuration profile that does not affect how the data flow filtering device operates with regard to other protected client computers of the plurality of protected client computers; and
wherein said first, second, third, fourth and fifth instructions are stored on said computer readable storage medium.
Dependent claims 11, 12, 13, 14, 15, 16, 17 and 18 are not reproduced on this page.
19. A system for configuring a data flow filtering device that filters data flows to a plurality of protected client computers that are protected from an external network by the data flow filtering device, comprising:
a CPU, a computer readable memory and a computer readable storage media;
first program instructions to establish, in default configuration information of the data flow filtering device, one or more portions of configuration information for the data flow filtering mechanism that are modifiable by a protected client computer in a plurality of protected client computers and one or more portions of configuration information for the data flow filtering mechanism that are not modifiable by the protected client computer;
second program instructions to receive a request from the protected client computer to modify a portion of configuration information for the data flow filtering device that was previously established as modifiable by the protected client computer;
third program instructions to modify, in response to receiving the request, a configuration profile of the protected client computer to incorporate the modification to the portion of the configuration information, wherein the configuration profile is used by the data flow filtering device to filter a data flow to or from the protected client computer;
fourth program instructions to determine if there is a conflict between a security policy/rule in the modified configuration profile and a security policy/rule in the default configuration information of the data flow filtering device; and
fifth program instructions to determine, in response to determining the conflict, whether to use the security policy/rule in the modified configuration profile or the security policy/rule in the default configuration information of the data flow filtering device based on a security policy/rule conflict resolution policy;
wherein each protected client computer of the plurality of protected client computers has a respective configuration profile such that each protected client computer has its own customizable configuration profile that does not affect how the data flow filtering device operates with regard to other protected client computers of the plurality of protected client computers; and
wherein the first, second, third, fourth and fifth program instructions are stored on the computer readable storage media for execution by the CPU via the computer readable memory.
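The independent claims above all describe the same procedure: the administrator marks which portions of the filter's default configuration a protected client may change, the client's requested change is folded into that client's own profile, and a conflict between a profile rule and a default rule is settled by a conflict resolution policy. The following Python model, added here as an illustration and not code from the patent or any product, implements that procedure end to end. The rule shape (direction, protocol, port), the portion names, the three resolution policies, and the assumption that a client rule simply replaces a default rule inside a modifiable portion while only clashes with non-modifiable defaults go to the resolution policy are all constructed for this example.

```python
# Added illustration (not the patent's own code): a model of the claimed method.
# Names, rule shape and resolution policies below are assumptions for the demo.
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    DENY = "deny"


class ConflictResolution(Enum):
    # Assumed security policy/rule conflict resolution policies.
    DEFAULT_WINS = "default_wins"
    CLIENT_WINS = "client_wins"
    MOST_RESTRICTIVE = "most_restrictive"  # DENY beats ALLOW


@dataclass(frozen=True)
class Rule:
    """One security policy/rule; 'portion' names the configuration part it belongs to."""
    portion: str
    direction: str  # "in" (towards the client) or "out" (from the client)
    proto: str
    port: int
    action: Action

    def same_flow(self, other: "Rule") -> bool:
        return (self.direction, self.proto, self.port) == (other.direction, other.proto, other.port)


@dataclass
class DefaultConfiguration:
    rules: list[Rule]
    modifiable: set[str]  # portions a protected client may change (administrator's choice)
    resolution: ConflictResolution


@dataclass
class ClientProfile:
    client_id: str
    rules: list[Rule] = field(default_factory=list)


class FilteringDevice:
    def __init__(self, default: DefaultConfiguration):
        self.default = default
        self.profiles: dict[str, ClientProfile] = {}

    def profile(self, client_id: str) -> ClientProfile:
        # Each protected client has its own profile; other clients are never touched.
        return self.profiles.setdefault(client_id, ClientProfile(client_id))

    def request_modification(self, client_id: str, rule: Rule) -> bool:
        """Refuse unless the portion was established as modifiable; True if the profile changed."""
        if rule.portion not in self.default.modifiable:
            return False
        prof = self.profile(client_id)
        # A new rule for an already-customised flow replaces the earlier one.
        prof.rules = [r for r in prof.rules if not r.same_flow(rule)] + [rule]
        return True

    def conflicts(self, client_id: str) -> list[tuple[Rule, Rule]]:
        """(profile rule, default rule) pairs covering the same flow with different actions."""
        return [(pr, dr) for pr in self.profile(client_id).rules
                for dr in self.default.rules
                if pr.same_flow(dr) and pr.action is not dr.action]

    def _resolve(self, profile_rule: Rule, default_rule: Rule) -> Rule:
        # Assumption: a default inside a modifiable portion is simply overridden;
        # only a clash with a non-modifiable default goes to the resolution policy.
        if default_rule.portion in self.default.modifiable:
            return profile_rule
        pol = self.default.resolution
        if pol is ConflictResolution.CLIENT_WINS:
            return profile_rule
        if pol is ConflictResolution.MOST_RESTRICTIVE:
            return default_rule if default_rule.action is Action.DENY else profile_rule
        return default_rule  # DEFAULT_WINS

    def effective_rules(self, client_id: str) -> list[Rule]:
        prof = self.profile(client_id)
        effective = []
        for dr in self.default.rules:
            pr = next((r for r in prof.rules if r.same_flow(dr)), None)
            effective.append(dr if pr is None else self._resolve(pr, dr))
        # Client rules for flows the default configuration does not mention at all.
        effective += [pr for pr in prof.rules
                      if not any(pr.same_flow(dr) for dr in self.default.rules)]
        return effective

    def filter(self, client_id: str, direction: str, proto: str, port: int) -> Action:
        """Decide one flow for one client; default-deny when no rule matches."""
        probe = Rule("", direction, proto, port, Action.DENY)
        for r in self.effective_rules(client_id):
            if r.same_flow(probe):
                return r.action
        return Action.DENY


def build_demo_device(resolution: ConflictResolution = ConflictResolution.DEFAULT_WINS) -> FilteringDevice:
    """Constructed sample defaults: telnet blocked for all (non-modifiable), inbound SSH
    denied but client-adjustable, outbound HTTPS allowed (non-modifiable)."""
    default = DefaultConfiguration(
        rules=[Rule("blocked_ports", "in", "tcp", 23, Action.DENY),
               Rule("inbound_services", "in", "tcp", 22, Action.DENY),
               Rule("outbound", "out", "tcp", 443, Action.ALLOW)],
        modifiable={"inbound_services"},
        resolution=resolution)
    return FilteringDevice(default)
```

With the demo defaults, a client that asks to allow inbound SSH in the modifiable portion gets it, a request to touch the non-modifiable `blocked_ports` portion is refused outright, and a client rule that happens to allow the telnet port through the modifiable portion is detected as a conflict with the non-modifiable default and, under `DEFAULT_WINS`, loses; a second client with no profile keeps the plain defaults throughout.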