Methods, network services, and computer program products for dynamically assigning users to firewall policy groups
Abstract
Methods, network services, and computer program products that dynamically assign computer network users to firewall policy groups are provided. A user is assigned to a first firewall policy group, and user activity on the computer network is monitored. The user is assigned to a second, different firewall policy group automatically if monitored user activity indicates that a change in detail level of rules is necessary. Each firewall policy group has rules that control whether to block or allow communications through firewalls on the computer network. The firewall policy groups are arranged in a hierarchical structure having a plurality of levels that are arranged such that rules within the firewall policy groups are different at each level. A user may be assigned to a different firewall policy group that is below, above, or at the same level as the initial firewall policy group.
14 Claims
1. A method of dynamically assigning a computer network user to one of a plurality of firewall policy groups, wherein each firewall policy group has rules that control whether to block communications through firewalls on the computer network, the method comprising:
assigning a user to a first firewall policy group in a hierarchical structure of firewall policy groups, wherein the user accesses the network via a user device, wherein the hierarchical structure has a plurality of levels, and wherein the plurality of levels are arranged such that rules within the plurality of firewall policy groups are different at each level, wherein the first firewall policy group is based on software applications the user may utilize via the user device;
continuously monitoring user activity on the computer network via an agent at the user device, wherein continuously monitoring comprises monitoring at least one of the following: user keystrokes, user mouse clicks, user access to data and data storage, source and destination addresses of communications, source and destination ports for communications, communication protocol types and numbers, information about software applications utilized, and logged communications between a user device and other devices;
assigning the user to a second, different firewall policy group in the hierarchical structure automatically if monitored user activity indicates that a change in detail level of the rules is necessary;
automatically assigning the user to a third firewall policy group at a level different from the level of the first firewall policy group if a predefined period of time elapses without expected user activity on the computer network, wherein the third firewall policy group has fewer firewall rule details than the first firewall policy group;
detecting an attempt by a software application executing on the user device to communicate through a firewall, wherein the firewall has blocked the communication attempt; and
assigning the user to a different one of the plurality of firewall policy groups that allows the communication through the firewall.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
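The steps of claim 1 describe a small state machine: an initial group chosen from the user's applications, agent-reported activity that can move the user to a more detailed group, an idle timeout that moves the user to a group with fewer rule details, and reassignment to a permitting group when the current group blocks an application's connection. The model below is an added illustration written for this page, not code from the patent or its assignee. Everything concrete in it is assumed: the rule shape (destination CIDR, port, protocol), the group names and their app sets, the choice of the shallowest covering group for the initial assignment, the choice of the nearest-level permitting group for the final step, the 900-second idle threshold, and the constructed event sequence for user "alice".

```python
# Toy model of the claimed scheme (hierarchy of firewall policy groups, agent events,
# automatic reassignment). Added illustration, not the patent's code; rule shape, group
# names, thresholds and the sample events are constructed assumptions.
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
import ipaddress

Flow = namedtuple("Flow", "app dst dst_port proto")  # one connection attempt seen by the agent

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    dst_net: str                      # destination CIDR (assumed rule shape)
    dst_port: Optional[int] = None    # None = any port
    proto: Optional[str] = None       # None = any protocol

    def matches(self, flow):
        return (self.proto in (None, flow.proto) and self.dst_port in (None, flow.dst_port)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net))

@dataclass(frozen=True)
class PolicyGroup:
    name: str
    level: int             # depth in the hierarchy; deeper groups carry more rule detail
    parent: Optional[str]  # group one level up, with fewer rule details
    apps: frozenset        # applications this group is meant to cover
    rules: tuple           # ordered; first match wins, no match = block

    def decide(self, flow):
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action
        return "block"  # default deny

class PolicyManager:
    def __init__(self, groups, idle_seconds):
        self.groups = {g.name: g for g in groups}
        self.idle_seconds = idle_seconds
        self.assigned = {}   # user -> current group name
        self.last_seen = {}  # user -> time of last agent-reported activity
        self.audit = []      # (user, old_group, new_group, reason)

    def _move(self, user, new, reason):
        self.audit.append((user, self.assigned.get(user), new, reason))
        self.assigned[user] = new
        return new
    def _covering(self, apps):
        return [g for g in self.groups.values() if set(apps) <= g.apps]

    def assign_initial(self, user, apps, now):
        # First group from the apps the user may utilize: shallowest covering group (assumed choice)
        self.last_seen[user] = now
        return self._move(user, min(self._covering(apps), key=lambda g: g.level).name, "initial")

    def report_activity(self, user, now, app_started=None):
        # Agent event; an app outside the current group's set means the detail level must change
        self.last_seen[user] = now
        current = self.groups[self.assigned[user]]
        if app_started is None or app_started in current.apps:
            return current.name
        candidates = self._covering(set(current.apps) | {app_started})
        if not candidates:
            return current.name
        return self._move(user, min(candidates, key=lambda g: g.level).name, f"app:{app_started}")

    def check_idle(self, user, now):
        # No activity for idle_seconds: fall back to the parent group (fewer rule details)
        current = self.groups[self.assigned[user]]
        if now - self.last_seen[user] >= self.idle_seconds and current.parent:
            return self._move(user, current.parent, "idle")
        return current.name

    def enforce(self, user, flow):
        # Firewall decision; on block, move to the nearest-level group that allows the flow.
        # If no group allows it, the flow stays blocked and the user is not moved.
        current = self.groups[self.assigned[user]]
        if current.decide(flow) == "allow":
            return "allow", current.name
        allowing = [g for g in self.groups.values() if g.name != current.name and g.decide(flow) == "allow"]
        if not allowing:
            return "block", current.name
        best = min(allowing, key=lambda g: abs(g.level - current.level))
        return "allow", self._move(user, best.name, f"blocked:{flow.app}")

def build_groups():
    # Constructed three-level hierarchy; each level adds one rule on top of the level above
    web, mail = Rule("allow", "10.0.0.0/8", 443, "tcp"), Rule("allow", "10.0.5.0/24", 993, "tcp")
    ssh = Rule("allow", "10.0.9.0/24", 22, "tcp")
    return [PolicyGroup("base", 0, None, frozenset({"browser"}), (web,)),
            PolicyGroup("office", 1, "base", frozenset({"browser", "mail"}), (web, mail)),
            PolicyGroup("dev", 2, "office", frozenset({"browser", "mail", "ssh"}), (web, mail, ssh))]

def run_demo():
    # Constructed event sequence for user "alice"; returns the audit trail and three decisions
    pm = PolicyManager(build_groups(), idle_seconds=900)
    pm.assign_initial("alice", ["browser", "mail"], now=0)             # -> office
    pm.report_activity("alice", now=60, app_started="ssh")            # office -> dev
    d1 = pm.enforce("alice", Flow("ssh", "10.0.9.7", 22, "tcp"))      # dev allows
    pm.check_idle("alice", now=960)                                    # 900 s idle: dev -> office
    d2 = pm.enforce("alice", Flow("ssh", "10.0.9.7", 22, "tcp"))      # office blocks, dev allows: moved back
    d3 = pm.enforce("alice", Flow("nc", "203.0.113.5", 4444, "tcp"))  # nothing allows: stays blocked
    return pm.audit, (d1, d2, d3)
```

Running `run_demo()` yields four audit entries (initial, app:ssh, idle, blocked:ssh) and decisions allow, allow, block. Two design choices in the example are worth noting, neither being in the claim: `enforce()` refuses to move the user when no group in the hierarchy allows the flow, and every reassignment is recorded, so a blocked application can only ever move the user between groups that already exist in the hierarchy and the move is attributable. A deployment would normally narrow that candidate set further to groups the user is entitled to, since the final step of the claim grants connectivity in response to a denied attempt.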
9. A network service that dynamically assigns a computer network user to one of a plurality of firewall policy groups, wherein each firewall policy group has rules that control whether to block communications through firewalls on the computer network, comprising:
means for assigning a user to a first firewall policy group in a hierarchical structure of firewall policy groups, wherein the user accesses the network via a user device, wherein the hierarchical structure has a plurality of levels, and wherein the plurality of levels are arranged such that rules within the plurality of firewall policy groups are different at each level, wherein the first firewall policy group is based on software applications the user may utilize via the user device;
means for continuously monitoring user activity on the computer network via an agent at the user device comprising means for monitoring at least one of the following: user keystrokes, user mouse clicks, user access to data and data storage, source and destination addresses of communications, source and destination ports for communications, communication protocol types and numbers, information about software applications utilized, and logged communications between a user device and other devices;
means for assigning the user to a second, different firewall policy group in the hierarchical structure automatically if monitored user activity indicates that a change in detail level of the rules is necessary, wherein the second firewall policy group is at a level below or above the first firewall policy group level;
means for automatically assigning the user to a third firewall policy group at a level different from the level of the first firewall policy group if a predefined period of time elapses without expected user activity on the computer network, wherein the third firewall policy group has fewer firewall rule details than the first firewall policy group;
means for detecting an attempt by a software application executing on the user device to communicate through a firewall, wherein the firewall has blocked the communication attempt; and
means for assigning the user to a different one of the plurality of firewall policy groups that allows the communication through the firewall.
Dependent claims: 10, 11, 12, 13.
14. A computer program product that dynamically assigns a computer network user to one of a plurality of firewall policy groups, wherein each firewall policy group has rules that control whether to block communications through firewalls on the computer network, comprising a non-transitory computer readable storage medium having encoded thereon instructions that, when executed on a processor, cause the processor to perform the following:
assign a user to a first firewall policy group in a hierarchical structure of firewall policy groups, wherein the user accesses the network via a user device, wherein the hierarchical structure has a plurality of levels, and wherein the plurality of levels are arranged such that rules within the plurality of firewall policy groups are different at each level, wherein the first firewall policy group is based on software applications the user may utilize via the user device;
continuously monitor user activity on the computer network via an agent at the user device, comprising monitoring at least one of the following: user keystrokes, user mouse clicks, user access to data and data storage, source and destination addresses of communications, source and destination ports for communications, communication protocol types and numbers, information about software applications utilized, and logged communications between a user device and other devices;
assign the user to a second, different firewall policy group in the hierarchical structure automatically if monitored user activity indicates that a change in detail level of the rules is necessary;
automatically assign the user to a third firewall policy group at a level different from the level of the first firewall policy group if a predefined period of time elapses without expected user activity on the computer network, wherein the third firewall policy group has fewer firewall rule details than the first firewall policy group;
detect an attempt by a software application executing on the user device to communicate through a firewall, wherein the firewall has blocked the communication attempt; and
assign the user to a different one of the plurality of firewall policy groups that allows the communication through the firewall.