Verification of correctness of networking aspects of an information technology system
Abstract
Method and system for verifying correctness of networking aspects of an Information Technology (IT) system that includes a host network of hosts. The hosts include servers and firewalls. A firewall connectivity indication of whether the host network includes an isolated firewall or a cross-zone connected firewall is determined. Determining for each host whether the host is isolated from a communication network to which the IT system is connected determines whether isolated network segments exist within the host network. For each host determined to be isolated from the communication network, the method identifies all network segments of the host network to which each host is connected, determines the unique network segments of the identified network segments, and designates the unique network segments as a set of isolated network segments. The firewall connectivity indication and the set of isolated network segments are stored in a storage medium of a computer system.
32 Claims
1. A method for determining a firewall connectivity indication for a host network of an Information Technology (IT) structure of an IT system, said host network comprising a plurality of hosts including at least one server and at least one firewall, said hosts configured to be interconnected within the host network via interfaces comprised by said hosts, each server being a hardware server having at least one interface, each firewall being a hardware firewall having at least two interfaces, said host network connected to at least one interface of a communication network, said method comprising:

determining whether the at least one firewall comprises at least one malconnected firewall, wherein a malconnected firewall is an isolated firewall or a cross-zone connected firewall, wherein an isolated firewall is a firewall that is not connected to the communication network, and wherein a cross-zone connected firewall is a firewall that is connected to the communication network by a first continuous path and a second continuous path such that the first and second continuous paths do not each comprise a same number of firewalls; and

determining the firewall connectivity indication from said determining whether the at least one firewall comprises at least one malconnected firewall, wherein the firewall connectivity indication indicates that the host network comprises at least one malconnected firewall or that the host network does not comprise at least one malconnected firewall;

wherein said determining whether the at least one firewall comprises at least one malconnected firewall comprises determining for each firewall whether each firewall is a malconnected firewall;

wherein said determining for each firewall whether said each firewall is a malconnected firewall comprises:

    performing an initialization comprising selecting a current label from an ordered sequence of different labels, setting a set of partially labeled firewalls to an empty set, and setting a set of reference interfaces to the at least one interface of the communication network;

    after said performing the initialization, executing a loop comprising executing at least one iteration of the loop, wherein each interface of each firewall is unlabeled upon initiation of said executing the loop, and wherein each iteration comprises:

        determining a set of interfaces that includes each unlabeled interface of each firewall that is connected to at least one reference interface of the set of reference interfaces via at least one continuous path that does not include any firewall of the host network;

        after said determining the set of interfaces, assigning the current label to each interface of the set of interfaces, resulting in the set of partially labeled firewalls being updated in accordance with said assigning the current label; and

        after said assigning the current label, ascertaining whether the set of partially labeled firewalls is empty;

        if said ascertaining ascertains that the set of partially labeled firewalls is not empty, then selecting a next partially labeled firewall from the set of partially labeled firewalls, setting the set of reference interfaces as consisting of all unlabeled interfaces in the next partially labeled firewall, changing the current label to be the next label immediately after the current label in the ordered sequence of graded labels, assigning the current label to each firewall interface of the set of reference interfaces after said setting the set of reference interfaces and after said changing the current label, and exiting the iteration to perform the next iteration by looping back to said determining a set of interfaces;

        if said ascertaining ascertains that the set of partially labeled firewalls is empty, then exiting the loop; and

    after said exiting the loop, designating each firewall having no labeled interface as an isolated firewall, designating each firewall comprising an interface with an assigned label as not being a cross-zone connected firewall if each interface of said each firewall has an assigned label and the labels assigned to the interfaces of said each firewall consist of two labels appearing consecutively in the ordered sequence of different labels, and otherwise designating each firewall comprising an interface with an assigned label as being a cross-zone connected firewall; and

storing the firewall connectivity indication in a computer readable storage medium of a computer system.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A process for supporting computer infrastructure, said process comprising providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable code in a computing system, wherein the code in combination with the computing system is configured to perform a method for determining a firewall connectivity indication for a host network of an Information Technology (IT) structure of an IT system, said host network comprising a plurality of hosts including at least one server and at least one firewall, said hosts configured to be interconnected within the host network via interfaces comprised by said hosts, each server being a hardware server having at least one interface, each firewall being a hardware firewall having at least two interfaces, said host network connected to at least one interface of a communication network, said method comprising:
determining whether the at least one firewall comprises at least one malconnected firewall, wherein a malconnected firewall is an isolated firewall or a cross-zone connected firewall, wherein an isolated firewall is a firewall that is not connected to the communication network, and wherein a cross-zone connected firewall is a firewall that is connected to the communication network by a first continuous path and a second continuous path such that the first and second continuous paths do not each comprise a same number of firewalls; and

determining the firewall connectivity indication from said determining whether the at least one firewall comprises at least one malconnected firewall, wherein the firewall connectivity indication indicates that the host network comprises at least one malconnected firewall or that the host network does not comprise at least one malconnected firewall;

wherein said determining whether the at least one firewall comprises at least one malconnected firewall comprises determining for each firewall whether each firewall is a malconnected firewall;

wherein said determining for each firewall whether said each firewall is a malconnected firewall comprises:

    performing an initialization comprising selecting a current label from an ordered sequence of different labels, setting a set of partially labeled firewalls to an empty set, and setting a set of reference interfaces to the at least one interface of the communication network;

    after said performing the initialization, executing a loop comprising executing at least one iteration of the loop, wherein each interface of each firewall is unlabeled upon initiation of said executing the loop, and wherein each iteration comprises:

        determining a set of interfaces that includes each unlabeled interface of each firewall that is connected to at least one reference interface of the set of reference interfaces via at least one continuous path that does not include any firewall of the host network;

        after said determining the set of interfaces, assigning the current label to each interface of the set of interfaces, resulting in the set of partially labeled firewalls being updated in accordance with said assigning the current label; and

        after said assigning the current label, ascertaining whether the set of partially labeled firewalls is empty;

        if said ascertaining ascertains that the set of partially labeled firewalls is not empty, then selecting a next partially labeled firewall from the set of partially labeled firewalls, setting the set of reference interfaces as consisting of all unlabeled interfaces in the next partially labeled firewall, changing the current label to be the next label immediately after the current label in the ordered sequence of graded labels, assigning the current label to each firewall interface of the set of reference interfaces after said setting the set of reference interfaces and after said changing the current label, and exiting the iteration to perform the next iteration by looping back to said determining a set of interfaces;

        if said ascertaining ascertains that the set of partially labeled firewalls is empty, then exiting the loop; and

    after said exiting the loop, designating each firewall having no labeled interface as an isolated firewall, designating each firewall comprising an interface with an assigned label as not being a cross-zone connected firewall if each interface of said each firewall has an assigned label and the labels assigned to the interfaces of said each firewall consist of two labels appearing consecutively in the ordered sequence of different labels, and otherwise designating each firewall comprising an interface with an assigned label as being a cross-zone connected firewall; and

storing the firewall connectivity indication in a computer readable storage medium of a computer system.

Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23.
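The labeling loop recited in claims 1 and 13 is a breadth-first walk outward from the communication network: the label on a firewall interface records how many firewalls stand between that interface and the network, and a firewall whose interfaces carry labels that are not consecutive has a second, shorter path around the firewall tier it is supposed to belong to. The Python below is a worked example added for this page; it is not code from the patent or its assignee. The topology (host, interface and segment names) is constructed, and the model assumes that an interface attaches to exactly one layer-2 segment, that interfaces on the same segment are directly connected, and that a multi-homed non-firewall host bridges its segments. Labels are the integers 0, 1, 2, ... and the set of reference interfaces is tracked by the segments those interfaces attach to, since reachability depends only on the segment.

```python
from collections import deque

# Constructed sample topology (an assumption for this example, not from the
# patent). Each host maps its interfaces to the layer-2 segment they attach to.
HOSTS = {
    "fw_edge":   {"eth0": "seg_outer", "eth1": "seg_dmz"},
    "fw_core":   {"eth0": "seg_dmz", "eth1": "seg_internal"},
    "fw_bypass": {"eth0": "seg_outer", "eth1": "seg_internal"},  # skips the DMZ tier
    "web":       {"eth0": "seg_dmz"},
    "db":        {"eth0": "seg_internal"},
    "fw_lab":    {"eth0": "seg_lab_a", "eth1": "seg_lab_b"},     # no path to the outside
    "lab":       {"eth0": "seg_lab_a"},
}
FIREWALLS = {"fw_edge", "fw_core", "fw_bypass", "fw_lab"}
# Segments carrying an interface of the communication network: the initial
# reference interfaces of the claim, represented by their segments.
COMM_SEGMENTS = {"seg_outer"}


def segments_without_firewalls(hosts, firewalls, start_segments):
    """Segments reachable from start_segments along continuous paths that pass
    through no firewall. A multi-homed non-firewall host is assumed to bridge
    the segments it attaches to."""
    seen = set(start_segments)
    queue = deque(start_segments)
    while queue:
        seg = queue.popleft()
        for host, ifaces in hosts.items():
            if host in firewalls or seg not in ifaces.values():
                continue
            for other in ifaces.values():
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return seen


def label_firewall_interfaces(hosts, firewalls, comm_segments):
    """The labelling loop of claims 1 and 13 with integer labels 0, 1, 2, ...
    Returns {(firewall, interface): label} for every interface that was reached."""
    labels = {}
    current = 0
    ref_segments = set(comm_segments)
    while True:
        reach = segments_without_firewalls(hosts, firewalls, ref_segments)
        for fw in firewalls:
            for iface, seg in hosts[fw].items():
                if seg in reach and (fw, iface) not in labels:
                    labels[(fw, iface)] = current
        # Partially labelled firewalls: some, but not all, interfaces labelled.
        # The claim leaves the selection order open; the iteration order of the
        # hosts mapping is used here so that a run is deterministic.
        partial = [fw for fw in hosts if fw in firewalls
                   and any((fw, i) in labels for i in hosts[fw])
                   and not all((fw, i) in labels for i in hosts[fw])]
        if not partial:
            return labels
        nxt = partial[0]
        unlabelled = [i for i in hosts[nxt] if (nxt, i) not in labels]
        ref_segments = {hosts[nxt][i] for i in unlabelled}
        current += 1                      # next label in the ordered sequence
        for iface in unlabelled:
            labels[(nxt, iface)] = current


def classify_firewalls(hosts, firewalls, labels):
    """Designation step: 'isolated', 'ok' or 'cross-zone' for each firewall."""
    verdicts = {}
    for fw in firewalls:
        got = [labels.get((fw, i)) for i in hosts[fw]]
        if all(l is None for l in got):
            verdicts[fw] = "isolated"
        elif None not in got and sorted(set(got)) == [min(got), min(got) + 1]:
            verdicts[fw] = "ok"           # exactly two consecutive labels
        else:
            verdicts[fw] = "cross-zone"
    return verdicts


def firewall_connectivity_indication(hosts, firewalls, comm_segments):
    """True when the host network contains at least one malconnected firewall."""
    labels = label_firewall_interfaces(hosts, firewalls, comm_segments)
    verdicts = classify_firewalls(hosts, firewalls, labels)
    return any(v != "ok" for v in verdicts.values())


if __name__ == "__main__":
    labels = label_firewall_interfaces(HOSTS, FIREWALLS, COMM_SEGMENTS)
    for fw, verdict in sorted(classify_firewalls(HOSTS, FIREWALLS, labels).items()):
        print(fw, verdict, {i: labels.get((fw, i)) for i in HOSTS[fw]})
    print("malconnected firewall present:",
          firewall_connectivity_indication(HOSTS, FIREWALLS, COMM_SEGMENTS))
```

On this topology fw_edge and fw_core end up with labels {0, 1} and {1, 2}, fw_bypass with {0, 2} and is designated cross-zone connected, and fw_lab has no labeled interface and is isolated. Which firewall receives the cross-zone designation depends on which partially labeled firewall is selected next (selecting fw_bypass before fw_edge labels fw_edge 0 and 2 instead), but the connectivity indication itself, that this network contains a malconnected firewall, comes out the same for either order.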
24. A method, said method comprising:
determining that at least one host of a plurality of hosts is isolated from a communication network, including determining for each host whether each host is isolated from the communication network, wherein a host network comprises the plurality of hosts, wherein an Information Technology (IT) structure of an IT system comprises the host network, wherein the hosts are interconnected within the host network via interfaces comprised by the hosts, wherein each host comprises at least one interface, and wherein the host network is connected to at least one interface of the communication network;

for each host determined to be isolated from the communication network: identifying all network segments of the host network to which said each host is connected, determining the unique network segments of the identified network segments, and designating the unique network segments as a set of isolated network segments; and

storing the set of isolated network segments in a computer readable storage medium of a computer system;

selecting a label, wherein said each host is represented as a host H, wherein said determining for the host H whether the host H is isolated from the communication network comprises:

    performing an initialization comprising setting a set of partially labeled hosts to an empty set, assigning the label to each interface of the host H, and setting a set of reference hosts to the host H;

    after said performing the initialization, executing a loop comprising executing at least one iteration of the loop, wherein each interface of each host other than the host H is unlabeled upon initiation of said executing the loop, and wherein each iteration comprises:

        determining a set of host interfaces that includes each unlabeled interface of each host that is directly connected to any reference host of the set of reference hosts;

        after said determining the set of host interfaces, assigning the label to each host interface of the set of host interfaces, resulting in the set of partially labeled hosts being updated in accordance with said assigning the label; and

        after said assigning the label to each host interface, ascertaining whether the set of partially labeled hosts is empty;

        if said ascertaining ascertains that the set of partially labeled hosts is not empty, then setting the set of reference hosts to the set of the next partially labeled hosts, followed by assigning the label to each unlabeled interface of each reference host, and followed by exiting the iteration to perform the next iteration by looping back to said determining a set of host interfaces;

        if said ascertaining ascertains that the set of partially labeled hosts is empty, then exiting the loop; and

    after said exiting the loop, determining whether the plurality of hosts comprises a host having an interface to which the label is assigned and which is directly connected to the communication network;

    if said determining determines that the plurality of hosts comprises the connected host, then designating the host H as being connected to the communication network;

    if said determining determines that the plurality of hosts does not comprise the connected host, then designating the host H as being isolated from the communication network.

Dependent claims: 25, 26, 27, 28, 29, 30, 31, 32.
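The host-isolation loop of claim 24 is the same kind of walk, but it starts from an arbitrary host H, treats firewalls like any other host, and ends with a single test: did any labeled interface land on a segment that carries an interface of the communication network? The block below is a worked example added for this page, not code from the patent. Its topology is constructed, and it assumes that each interface attaches to exactly one layer-2 segment and that two hosts are "directly connected" when they share a segment. Since the claim selects one label and only its presence on an interface matters, the labeled interfaces are kept in a set; isolated_segments then carries the result through the second step of the claim.

```python
# Constructed sample topology for this example (an assumption, not from the
# patent): host -> {interface: segment}. Firewalls appear as ordinary hosts
# because the claim 24 procedure treats every host alike.
HOSTS = {
    "fw_edge": {"eth0": "seg_outer", "eth1": "seg_dmz"},
    "web":     {"eth0": "seg_dmz"},
    "fw_lab":  {"eth0": "seg_lab_a", "eth1": "seg_lab_b"},
    "lab":     {"eth0": "seg_lab_a"},
    "lab_db":  {"eth0": "seg_lab_b"},
    "spare":   {"eth0": "seg_spare"},   # the only host on its segment
}
# Segments that carry an interface of the communication network.
COMM_SEGMENTS = {"seg_outer"}


def is_isolated(hosts, comm_segments, h):
    """Claim 24 labelling loop for host H. The single label is represented by
    membership in the `labels` set. Returns True when no labelled interface is
    directly connected to the communication network."""
    labels = {(h, i) for i in hosts[h]}      # initialization: every interface of H
    refs = {h}                                # set of reference hosts
    while True:
        # Unlabelled interfaces of hosts directly connected to a reference host:
        # "directly connected" is taken to mean sharing a segment (assumption),
        # so only the interfaces sitting on a shared segment are labelled here.
        shared = {seg for ref in refs for seg in hosts[ref].values()}
        for host, ifaces in hosts.items():
            for iface, seg in ifaces.items():
                if seg in shared:
                    labels.add((host, iface))
        # Partially labelled hosts: some, but not all, interfaces labelled.
        partial = [host for host in hosts
                   if any((host, i) in labels for i in hosts[host])
                   and not all((host, i) in labels for i in hosts[host])]
        if not partial:
            break
        refs = set(partial)                   # next reference hosts ...
        for host in refs:                     # ... get their remaining interfaces labelled
            labels.update((host, i) for i in hosts[host])
    connected = any(hosts[host][iface] in comm_segments for host, iface in labels)
    return not connected


def isolated_hosts(hosts, comm_segments):
    """Every host H for which the claim 24 loop designates H as isolated."""
    return {h for h in hosts if is_isolated(hosts, comm_segments, h)}


def isolated_segments(hosts, comm_segments):
    """Second step of claim 24: all segments any isolated host attaches to,
    de-duplicated into the set of isolated network segments."""
    segs = set()
    for h in isolated_hosts(hosts, comm_segments):
        segs.update(hosts[h].values())
    return segs


if __name__ == "__main__":
    print("isolated hosts:", sorted(isolated_hosts(HOSTS, COMM_SEGMENTS)))
    print("isolated segments:", sorted(isolated_segments(HOSTS, COMM_SEGMENTS)))
```

The check is purely topological: web counts as connected even though fw_edge sits between it and the communication network, because the claim asks whether a path exists, not whether traffic is permitted over it. Conversely, a deliberately air-gapped segment and a forgotten one look identical here (seg_lab_a, seg_lab_b and seg_spare all come back isolated), so the stored set is a list to review against intent rather than a verdict.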
Specification