Verification of correctness of networking aspects of an information technology system

US 7,937,462 B2
Filed: 04/30/2007
Issued: 05/03/2011
Est. Priority Date: 12/14/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method for determining a firewall connectivity indication for a host network of an Information Technology (IT) structure of an IT system, said host network comprising a plurality of hosts including at least one server and at least one firewall, said hosts configured to be interconnected within the host network via interfaces comprised by said hosts, each server being a hardware server having at least one interface, each firewall being a hardware firewall having at least two interfaces, said host network connected to at least one interface of a communication network, said method comprising:

determining whether the at least one firewall comprises at least one malconnected firewall, wherein a malconnected firewall is an isolated firewall or a cross-zone connected firewall, wherein an isolated firewall is a firewall that is not connected to the communication network, and wherein a cross-zone connected firewall is a firewall that is connected to the communication network by a first continuous path and a second continuous path such that the first and second continuous paths do not each comprise a same number of firewalls; and

determining the firewall connectivity indication from said determining whether the at least one firewall comprises at least one malconnected firewall, wherein the firewall connectivity indication indicates that the host network comprises at least one malconnected firewall or that the host network does not comprise at least one malconnected firewall;

wherein said determining whether the at least one firewall comprises at least one malconnected firewall comprises determining for each firewall whether each firewall is a malconnected firewall;

wherein said determining for each firewall whether said each firewall is a malconnected firewall comprises;

performing an initialization comprising selecting a current label from an ordered sequence of different labels, setting a set of partially labeled firewalls to an empty set; and

setting a set of reference interfaces to the at least one interface of the communication network;

after said performing the initialization, executing a loop comprising executing at least one iteration of the loop, wherein each interface of each firewall is unlabeled upon initiation of said executing the loop, and wherein each iteration comprises;

determining a set of interfaces that includes each unlabeled interface of each firewall that is connected to at least one reference interface of the set of reference interfaces via at least one continuous path that does not include any firewall of the host network,after said determining the set of interfaces, assigning the current label to each interface of the set of interfaces, resulting in the set of partially labeled firewalls being updated in accordance with said assigning the current label, andafter said assigning the current label, ascertaining whether the set of partially labeled firewalls is empty;

if said ascertaining ascertains that the set of partially labeled firewalls is not empty then selecting a next partially labeled firewall from the set of partially labeled firewalls, setting the set of reference interfaces as consisting of all unlabeled interfaces in the next partially labeled firewall, changing the current label to be the next label immediately after the current label in the ordered sequence of graded labels, assigning the current label to each firewall interface of the set of reference interfaces after said setting the set of reference interfaces and after said changing the current label, and exiting the iteration to perform the next iteration by looping back to said determining a set of interfaces;

if said ascertaining ascertains that the set of partially labeled firewalls is empty then exiting the loop and after said exiting the loop;

designating each firewall having no labeled interface as an isolated firewall, designating each firewall comprising an interface with an assigned label as not being a cross-zone connected firewall if each interface of said each firewall has an assigned label and the labels assigned to the interfaces of said each firewall consist of two labels appearing consecutively in the ordered sequence of different labels, and otherwise designating each firewall comprising an interface with an assigned label as being a cross-zone connected firewall; and

storing the firewall connectivity indication in a computer readable storage medium of a computer system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and system for verifying correctness of networking aspects of an Information Technology (IT) system that includes a host network of hosts. The hosts include servers and firewalls. A firewall connectivity indication of whether the host network includes an isolated firewall or a cross-zone connected firewall is determined. Determining for each host whether the host is isolated from a communication network to which the IT system is connected determines whether isolated network segments exit within the host network. For each host determined to be isolated from the communication network, the method identifies all network segments of the host network to which each host is connected, determines the unique network segments of the identified network segments, and designates the unique network segments as a set of isolated network segments. The firewall connectivity indication and the set of isolated network segments are stored in a storage medium of a computer system.

Citations

32 Claims

1. A method for determining a firewall connectivity indication for a host network of an Information Technology (IT) structure of an IT system, said host network comprising a plurality of hosts including at least one server and at least one firewall, said hosts configured to be interconnected within the host network via interfaces comprised by said hosts, each server being a hardware server having at least one interface, each firewall being a hardware firewall having at least two interfaces, said host network connected to at least one interface of a communication network, said method comprising:
- determining whether the at least one firewall comprises at least one malconnected firewall, wherein a malconnected firewall is an isolated firewall or a cross-zone connected firewall, wherein an isolated firewall is a firewall that is not connected to the communication network, and wherein a cross-zone connected firewall is a firewall that is connected to the communication network by a first continuous path and a second continuous path such that the first and second continuous paths do not each comprise a same number of firewalls; and
  
  determining the firewall connectivity indication from said determining whether the at least one firewall comprises at least one malconnected firewall, wherein the firewall connectivity indication indicates that the host network comprises at least one malconnected firewall or that the host network does not comprise at least one malconnected firewall;
  
  wherein said determining whether the at least one firewall comprises at least one malconnected firewall comprises determining for each firewall whether each firewall is a malconnected firewall;
  
  wherein said determining for each firewall whether said each firewall is a malconnected firewall comprises;
  
  performing an initialization comprising selecting a current label from an ordered sequence of different labels, setting a set of partially labeled firewalls to an empty set; and
  
  setting a set of reference interfaces to the at least one interface of the communication network;
  
  after said performing the initialization, executing a loop comprising executing at least one iteration of the loop, wherein each interface of each firewall is unlabeled upon initiation of said executing the loop, and wherein each iteration comprises;
  
  determining a set of interfaces that includes each unlabeled interface of each firewall that is connected to at least one reference interface of the set of reference interfaces via at least one continuous path that does not include any firewall of the host network,after said determining the set of interfaces, assigning the current label to each interface of the set of interfaces, resulting in the set of partially labeled firewalls being updated in accordance with said assigning the current label, andafter said assigning the current label, ascertaining whether the set of partially labeled firewalls is empty;
  
  if said ascertaining ascertains that the set of partially labeled firewalls is not empty then selecting a next partially labeled firewall from the set of partially labeled firewalls, setting the set of reference interfaces as consisting of all unlabeled interfaces in the next partially labeled firewall, changing the current label to be the next label immediately after the current label in the ordered sequence of graded labels, assigning the current label to each firewall interface of the set of reference interfaces after said setting the set of reference interfaces and after said changing the current label, and exiting the iteration to perform the next iteration by looping back to said determining a set of interfaces;
  
  if said ascertaining ascertains that the set of partially labeled firewalls is empty then exiting the loop and after said exiting the loop;
  
  designating each firewall having no labeled interface as an isolated firewall, designating each firewall comprising an interface with an assigned label as not being a cross-zone connected firewall if each interface of said each firewall has an assigned label and the labels assigned to the interfaces of said each firewall consist of two labels appearing consecutively in the ordered sequence of different labels, and otherwise designating each firewall comprising an interface with an assigned label as being a cross-zone connected firewall; and
  
  storing the firewall connectivity indication in a computer readable storage medium of a computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein said determining whether the at least one firewall comprises at least one malconnected firewall comprises:
    - determining that the at least one firewall does not comprise an isolated firewall followed by determining whether the at least one firewall comprises a cross-zone connected firewall.
  - 3. The method of claim 1, wherein said determining whether the at least one firewall comprises at least one malconnected firewall comprises:
    - executing an algorithm which determines concurrently whether the at least one firewall comprises an isolated firewall and whether the at least one cross-zone connected firewall.
  - 4. The method of claim 1, wherein said determining whether the at least one firewall comprises at least one malconnected firewall comprises identifying at least one cross-zone connected firewall comprised by the at least one firewall.
  - 5. The method of claim 1, wherein said determining whether the at least one firewall comprises at least one malconnected firewall comprises identifying at least one isolated firewall comprised by the at least one firewall.
  - 6. The method of claim 1, wherein the method comprises in each iteration after said assigning the current label to each firewall interface of the set of reference interfaces:
    - graphically displaying, on a display device of the computer system, the plurality of hosts being interconnected at their respective interfaces, including displaying each unlabeled interface of each host as unlabeled and displaying each labeled interface of each host as labeled with in accordance with its respective assigned label.
  - 7. The method of claim 6, wherein the determined set of interfaces further includes each unlabeled interface of each server in each continuous path of the at least one continuous path wherein the different labels of the ordered set of different labels are color numbers, and wherein said displaying each labeled interface of each host comprises displaying each labeled interface of each host as colored with a color uniquely associated with the color number corresponding to its respective assigned label.
  - 8. The method of claim 6, wherein said graphically displaying further comprises displaying a visual attribute at each firewall designated as being a cross-zone connected firewall.
  - 9. The method of claim 1, wherein the firewall connectivity indication indicates that the host network comprises a first isolated firewall, and wherein the method further comprises after said storing the firewall connectivity indication:
    - identifying first network segments as consisting of all network segments of the host network to which the first isolated firewall is connected;
      
      identifying first hosts as consisting of all hosts of the host network which are connected to the first network segments, wherein the first hosts comprise one or more firewalls of the at least one firewall and one or more servers of the at least one server;
      
      designating an IT structure that comprises the first network segments and the first hosts;
      
      connecting the designated IT structure to the communication network at an interface of a host of the first hosts; and
      
      following said connecting the designated IT structure to the communication network;
      
      performing setting steps comprising setting said plurality of hosts to the first hosts, setting the at least one server to the one or more servers, and setting the at least one firewall to the one or more firewalls; and
      
      after said performing the setting steps, performing said determining whether the at least one firewall comprises at least one malconnected firewall, said determining the firewall connectivity indication, and said storing the firewall connectivity indication.
  - 10. The method of claim 1, wherein communication network is the Internet.
  - 11. A computer program product, comprising a computer readable storage device having a computer readable program code embodied therein, said computer readable program code configured to perform the method of claim 1 upon being executed by a processor of a computer system.
  - 12. A computer system comprising a processor and a computer readable memory unit coupled to the processor, said memory unit containing computer readable program code configured to be executed by the processor to perform the method of claim 1.

13. A process for supporting computer infrastructure, said process comprising providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable code in a computing system, wherein the code in combination with the computing system is configured to perform a method for determining a firewall connectivity indication for a host network of an Information Technology (IT) structure of an IT system, said host network comprising a plurality of hosts including at least one server and at least one firewall, said hosts configured to be interconnected within the host network via interfaces comprised by said hosts, each server being a hardware server having at least one interface, each firewall being a hardware firewall having at least two interfaces, said host network connected to at least one interface of a communication network, said method comprising:
- determining whether the at least one firewall comprises at least one malconnected firewall, wherein a malconnected firewall is an isolated firewall or a cross-zone connected firewall, wherein an isolated firewall is a firewall that is not connected to the communication network, and wherein a cross-zone connected firewall is a firewall that is connected to the communication network by a first continuous path and a second continuous path such that the first and second continuous paths do not each comprise a same number of firewalls; and
  
  determining the firewall connectivity indication from said determining whether the at least one firewall comprises at least one malconnected firewall, wherein the firewall connectivity indication indicates that the host network comprises at least one malconnected firewall or that the host network does not comprise at least one malconnected firewall;
  
  wherein said determining whether the at least one firewall comprises at least one malconnected firewall comprises determining for each firewall whether each firewall is a malconnected firewall;
  
  wherein said determining for each firewall whether said each firewall is a malconnected firewall comprises;
  
  performing an initialization comprising selecting a current label from an ordered sequence of different labels, setting a set of partially labeled firewalls to an empty set; and
  
  setting a set of reference interfaces to the at least one interface of the communication network;
  
  after said performing the initialization, executing a loop comprising executing at least one iteration of the loop, wherein each interface of each firewall is unlabeled upon initiation of said executing the loop, and wherein each iteration comprises;
  
  determining a set of interfaces that includes each unlabeled interface of each firewall that is connected to at least one reference interface of the set of reference interfaces via at least one continuous path that does not include any firewall of the host network,after said determining the set of interfaces, assigning the current label to each interface of the set of interfaces, resulting in the set of partially labeled firewalls being updated in accordance with said assigning the current label, andafter said assigning the current label, ascertaining whether the set of partially labeled firewalls is empty;
  
  if said ascertaining ascertains that the set of partially labeled firewalls is not empty then selecting a next partially labeled firewall from the set of partially labeled firewalls, setting the set of reference interfaces as consisting of all unlabeled interfaces in the next partially labeled firewall, changing the current label to be the next label immediately after the current label in the ordered sequence of graded labels, assigning the current label to each firewall interface of the set of reference interfaces after said setting the set of reference interfaces and after said changing the current label, and exiting the iteration to perform the next iteration by looping back to said determining a set of interfaces;
  
  if said ascertaining ascertains that the set of partially labeled firewalls is empty then exiting the loop and after said exiting the loop;
  
  designating each firewall having no labeled interface as an isolated firewall, designating each firewall comprising an interface with an assigned label as not being a cross-zone connected firewall if each interface of said each firewall has an assigned label and the labels assigned to the interfaces of said each firewall consist of two labels appearing consecutively in the ordered sequence of different labels, and otherwise designating each firewall comprising an interface with an assigned label as being a cross-zone connected firewall; and
  
  storing the firewall connectivity indication in a computer readable storage medium of a computer system.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The process of claim 13, wherein said determining whether the at least one firewall comprises at least one malconnected firewall comprises:
    - determining that the at least one firewall does not comprise an isolated firewall followed by determining whether the at least one firewall comprises a cross-zone connected firewall.
  - 15. The process of claim 13, wherein said determining whether the at least one firewall comprises at least one malconnected firewall comprises:
    - executing an algorithm which determines concurrently whether the at least one firewall comprises an isolated firewall and whether the at least one cross-zone connected firewall.
  - 16. The process of claim 13, wherein said determining whether the at least one firewall comprises at least one malconnected firewall comprises identifying at least one cross-zone connected firewall comprised by the at least one firewall.
  - 17. The process of claim 13, wherein said determining whether the at least one firewall comprises at least one malconnected firewall comprises identifying at least one isolated firewall comprised by the at least one firewall.
  - 18. The process of claim 13, wherein the method comprises in each iteration after said assigning the current label to each firewall interface of the set of reference interfaces:
    - graphically displaying, on a display device of the computer system, the plurality of hosts being interconnected at their respective interfaces, including displaying each unlabeled interface of each host as unlabeled and displaying each labeled interface of each host as labeled with in accordance with its respective assigned label.
  - 19. The process of claim 18, wherein the determined set of interfaces further includes each unlabeled interface of each server in each continuous path of the at least one continuous path wherein the different labels of the ordered set of different labels are color numbers, and wherein said displaying each labeled interface of each host comprises displaying each labeled interface of each host as colored with a color uniquely associated with the color number corresponding to its respective assigned label.
  - 20. The process of claim 18, wherein said graphically displaying further comprises displaying a visual attribute at each firewall designated as being a cross-zone connected firewall.
  - 21. The process of claim 13, wherein the firewall connectivity indication indicates that the host network comprises a first isolated firewall, and wherein the method further comprises after said storing the firewall connectivity indication:
    - identifying first network segments as consisting of all network segments of the host network to which the first isolated firewall is connected;
      
      identifying first hosts as consisting of all hosts of the host network which are connected to the first network segments, wherein the first hosts comprise one or more firewalls of the at least one firewall and one or more servers of the at least one server;
      
      designating an IT structure that comprises the first network segments and the first hosts;
      
      connecting the designated IT structure to the communication network at an interface of a host of the first hosts; and
      
      following said connecting the designated IT structure to the communication network;
      
      performing setting steps comprising setting said plurality of hosts to the first hosts, setting the at least one server to the one or more servers, and setting the at least one firewall to the one or more firewalls; and
      
      after said performing the setting steps, performing said determining whether the at least one firewall comprises at least one malconnected firewall, said determining the firewall connectivity indication, and said storing the firewall connectivity indication.
  - 22. A computer program product, comprising a computer readable storage device having a computer readable program code embodied therein, said computer readable program code configured to perform the process of claim 13 upon being executed by a processor of a computer system.
  - 23. A computer system comprising a processor and a computer readable memory unit coupled to the processor, said memory unit containing computer readable program code configured to be executed by the processor to perform the process of claim 13.

24. A method, said method comprising:
- determining that at least one host of a plurality of hosts is isolated from a communication network, including determining for each host whether each host is isolated from the communication network, wherein a host network comprises the plurality of hosts, wherein an Information Technology (IT) structure of an IT system comprises the host network, wherein the hosts are interconnected within the host network via interfaces comprised by the hosts, wherein each host comprises at least one interface, and wherein the host network is connected to at least one interface of the communication network;
  
  for each host determined to be isolated from the communication network;
  
  identifying all network segments of the host network to which said each host is connected, determining the unique network segments of the identified network segments, designating the unique network segments as a set of isolated network segments; and
  
  storing the set of isolated network segments in a computer readable storage medium of a computer system;
  
  selecting a label, wherein said each host is represented as a host H, wherein said determining for the host H whether the host H is isolated from the communication network comprises;
  
  performing an initialization comprising setting a set of partially labeled hosts to an empty set, assigning the label to each interface of the host H, and setting a set of reference hosts to the host H;
  
  after said performing the initialization, executing a loop comprising executing at least one iteration of the loop, wherein each interface of each host other than the host H is unlabeled upon initiation of said executing the loop, and wherein each iteration comprises;
  
  determining a set of host interfaces that includes each unlabeled interface of each host that is directly connected to any reference host of the set of reference hosts,after said determining the set of host interfaces, assigning the label to each host interface of the set of host interfaces, resulting in the set of partially labeled hosts being updated in accordance with said assigning the label, andafter said assigning the label to each host interface, ascertaining whether the set of partially labeled hosts is empty;
  
  if said ascertaining ascertains that the set of partially labeled hosts is not empty then setting the set of reference hosts to the set of the next partially labeled hosts, followed by assigning the label to each unlabeled interface of each reference host, and followed by exiting the iteration to perform the next iteration by looping back to said determining a set of host interfaces;
  
  if said ascertaining ascertains that the set of partially labeled hosts is empty then exiting the loop and after said exiting the loop, determining whether the plurality of hosts comprises a host having an interface to which the label is assigned and which is directly connected to the communication network;
  
  if said determining determines that the plurality of hosts comprises the connected host then designating the host H as being connected to the communication network;
  
  if said determining determines that the plurality of hosts does not comprise the connected host then designating the host H as being isolated from the communication network.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32)
- - 25. The method of claim 24, wherein each host of the plurality of hosts is a hardware device.
  - 26. The method of claim 25, wherein the plurality of hosts include at least one server and at least one firewall, wherein each server is a hardware server having at least one interface, and wherein each firewall is a hardware firewall having at least two interfaces.
  - 27. The method of claim 24, wherein said determining determines that the plurality of hosts comprises the connected host.
  - 28. The method of claim 24, wherein said determining determines that the plurality of hosts does not comprise the connected host.
  - 29. The method of claim 24, wherein the method comprises in each iteration after said assigning the label to each host interface:
    - graphically displaying, on a display device of the computer system, the plurality of hosts being interconnected at their respective interfaces, including displaying each unlabeled interface of each host as unlabeled and displaying each labeled interface of each host as labeled in accordance with its assigned label.
  - 30. The method of claim 29, wherein the label is a color, and wherein said displaying each labeled interface of each host comprises displaying each labeled interface of each host as colored with said color.
  - 31. A computer program product, comprising a computer readable storage device having a computer readable program code embodied therein, said computer readable program code configured to perform the method of claim 24 upon being executed by a processor of a computer system.
  - 32. A computer system comprising a processor and a computer readable memory unit coupled to the processor, said memory unit containing computer readable program code configured to be executed by the processor to perform the method of claim 24.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Andreev, Dmitry, Grunin, Galina, Vilshansky, Gregory, Greenstein, Paul G.
Primary Examiner(s)
Flynn; Nathan
Assistant Examiner(s)
Wasel; Mohamed

Application Number

US11/741,885
Publication Number

US 20070289008A1
Time in Patent Office

1,464 Days
Field of Search

709217-219, 709/224
US Class Current

709/224
CPC Class Codes

G06Q 40/00   Finance; Insurance; Tax str...

H04L 41/08   Configuration management of...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

Verification of correctness of networking aspects of an information technology system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Verification of correctness of networking aspects of an information technology system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links