Methods, network services, and computer program products for dynamically assigning users to firewall policy groups

US 7,954,143 B2
Filed: 11/13/2006
Issued: 05/31/2011
Est. Priority Date: 11/13/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method of dynamically assigning a computer network user to one of a plurality of firewall policy groups, wherein each firewall policy group has rules that control whether to block communications through firewalls on the computer network, the method comprising:

assigning a user to a first firewall policy group in a hierarchical structure of firewall policy groups, wherein the user accesses the network via a user device, wherein the hierarchical structure has a plurality of levels, and wherein the plurality of levels are arranged such that rules within the plurality of firewall policy groups are different at each level, wherein the first firewall policy group is based on software applications the user may utilize via the user device;

continuously monitoring user activity on the computer network via an agent at the user device, wherein continuously monitoring comprises monitoring at least one of the following;

user keystrokes, user mouse clicks, user access to data and data storage, source and destination addresses of communications, source and destination ports for communications, communication protocol types and numbers, information about software applications utilized, and logged communications between a user device and other devices;

assigning the user to a second, different firewall policy group in the hierarchical structure automatically if monitored user activity indicates that a change in detail level of the rules is necessary;

automatically assigning the user to a third firewall policy group at a level different from the level of the first firewall policy group if a predefined period of time elapses without expected user activity on the computer network, wherein the third firewall policy group has fewer firewall rule details than the first firewall policy group;

detecting an attempt by a software application executing on the user device to communicate through a firewall, wherein the firewall has blocked the communication attempt; and

assigning the user to a different one of the plurality of firewall policy groups that allows the communication through the firewall.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, network services, and computer program products that dynamically assign computer network users to firewall policy groups are provided. A user is assigned to a first firewall policy group, and user activity on the computer network is monitored. The user is assigned to a second, different firewall policy group automatically if monitored user activity indicates that a change in detail level of rules is necessary. Each firewall policy group has rules that control whether to block or allow communications through firewalls on the computer network. The firewall policy groups are arranged in a hierarchical structure having a plurality of levels that are arranged such that rules within the firewall policy groups are different at each level. A user may be assigned to a different firewall policy group that is below, above, or at the same level as the initial firewall policy group.

Citations

14 Claims

1. A method of dynamically assigning a computer network user to one of a plurality of firewall policy groups, wherein each firewall policy group has rules that control whether to block communications through firewalls on the computer network, the method comprising:
- assigning a user to a first firewall policy group in a hierarchical structure of firewall policy groups, wherein the user accesses the network via a user device, wherein the hierarchical structure has a plurality of levels, and wherein the plurality of levels are arranged such that rules within the plurality of firewall policy groups are different at each level, wherein the first firewall policy group is based on software applications the user may utilize via the user device;
  
  continuously monitoring user activity on the computer network via an agent at the user device, wherein continuously monitoring comprises monitoring at least one of the following;
  
  user keystrokes, user mouse clicks, user access to data and data storage, source and destination addresses of communications, source and destination ports for communications, communication protocol types and numbers, information about software applications utilized, and logged communications between a user device and other devices;
  
  assigning the user to a second, different firewall policy group in the hierarchical structure automatically if monitored user activity indicates that a change in detail level of the rules is necessary;
  
  automatically assigning the user to a third firewall policy group at a level different from the level of the first firewall policy group if a predefined period of time elapses without expected user activity on the computer network, wherein the third firewall policy group has fewer firewall rule details than the first firewall policy group;
  
  detecting an attempt by a software application executing on the user device to communicate through a firewall, wherein the firewall has blocked the communication attempt; and
  
  assigning the user to a different one of the plurality of firewall policy groups that allows the communication through the firewall.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein continuously monitoring also comprises obtaining a user response to at least one query.
  - 3. The method of claim 1, wherein the predefined period of time is variable based on the number of firewall policy group changes of other users on the computer network occurring at a particular time.
  - 4. The method of claim 1, further comprising notifying the user when the user is assigned to the second firewall policy group.
  - 5. The method of claim 1, further comprising requesting user input regarding user activity prior to assigning the user to the third firewall policy group.
  - 6. The method of claim 1, further comprising notifying the user when the user is assigned to a different firewall policy group.
  - 7. The method of claim 1, wherein continuously monitoring user activity on the computer network comprises determining what detail level is required by user activity.
  - 8. The method of claim 1, further comprising displaying the hierarchical tree structure to the user in response to a user request therefor.

9. A network service that dynamically assigns a computer network user to one of a plurality of firewall policy groups, wherein each firewall policy group has rules that control whether to block communications through firewalls on the computer network, comprising:
- means for assigning a user to a first firewall policy group in a hierarchical structure of firewall policy groups, wherein the user accesses the network via a user device, wherein the hierarchical structure has a plurality of levels, and wherein the plurality of levels are arranged such that rules within the plurality of firewall policy groups are different at each level,wherein the first firewall policy group is based on software applications the user may utilize via the user device;
  
  means for continuously monitoring user activity on the computer network via an agent at the user device comprising means for monitoring at least one of the following;
  
  user keystrokes, user mouse clicks, user access to data and data storage, source and destination addresses of communications, source and destination ports for communications, communication protocol types and numbers, information about software applications utilized, and logged communications between a user device and other devices;
  
  means for assigning the user to a second, different firewall policy group in the hierarchical structure automatically if monitored user activity indicates that a change in detail level of the rules is necessary, wherein the second firewall policy group is at a level below or above the first firewall policy group level;
  
  means for automatically assigning the user to a third firewall policy group at a level different from the level of the first firewall policy group if a predefined period of time elapses without expected user activity on the computer network, wherein the third firewall policy group has fewer firewall rule details than the first firewall policy group;
  
  means for detecting an attempt by a software application executing on the user device to communicate through a firewall, wherein the firewall has blocked the communication attempt; and
  
  means for assigning the user to a different one of the plurality of firewall policy groups that allows the communication through the firewall.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The network service of claim 9, further comprising means for notifying the user when the user is assigned to the second firewall policy group.
  - 11. The network service of claim 9, further comprising means for requesting user input regarding user activity prior to assigning the user to the third firewall policy group.
  - 12. The network service of claim 9, wherein the means for continuously monitoring user activity on the computer network comprises means for determining what detail level is required by user activity.
  - 13. The network service of claim 9, further comprising means for displaying the hierarchical tree structure to the user in response to a user request therefor.

14. A computer program product that dynamically assigns a computer network user to one of a plurality of firewall policy groups, wherein each firewall policy group has rules that control whether to block communications through firewalls on the computer network, comprising a non-transitory computer readable storage medium having encoded thereon instructions that, when executed on a processor, causes the processor to perform the following:
- assign a user to a first firewall policy group in a hierarchical structure of firewall policy groups, wherein the user accesses the network via a user device, wherein the hierarchical structure has a plurality of levels, and wherein the plurality of levels are arranged such that rules within the plurality of firewall policy groups are different at each level, wherein the first firewall policy group is based on software applications the user may utilize via the user device;
  
  continuously monitor user activity on the computer network via an agent at the user device, comprising monitoring at least one of the following;
  
  user keystrokes, user mouse clicks, user access to data and data storage, source and destination addresses of communications, source and destination ports for communications, communication protocol types and numbers, information about software applications utilized, and logged communications between a user device and other devices;
  
  assign the user to a second, different firewall policy group in the hierarchical structure automatically if monitored user activity indicates that a change in detail level of the rules is necessary;
  
  automatically assign the user to a third firewall policy group at a level different from the level of the first firewall policy group if a predefined period of time elapses without expected user activity on the computer network, wherein the third firewall policy group has fewer firewall rule details than the first firewall policy group;
  
  detect an attempt by a software application executing on the user device to communicate through a firewall, wherein the firewall has blocked the communication attempt; and
  
  assign the user to a different one of the plurality of firewall policy groups that allows the communication through the firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bellsouth Intellectual Property Corporation (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Aaron, Jeffrey
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Lakhia, Viral S

Application Number

US11/598,434
Publication Number

US 20080115190A1
Time in Patent Office

1,660 Days
Field of Search

726/1, 726/11, 726/23
US Class Current

726/11
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2149   Restricted operating enviro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

Methods, network services, and computer program products for dynamically assigning users to firewall policy groups

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, network services, and computer program products for dynamically assigning users to firewall policy groups

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links