Network firewall test methods and apparatus

US 8,001,589 B2
Filed: 08/27/2008
Issued: 08/16/2011
Est. Priority Date: 10/03/2003
Status: Active Grant

First Claim

Patent Images

1. A firewall test system, comprising:

a first test device located on a first side of said firewall, the first test device including;

i) a session signal generator for transmitting a communications session initiation signal using an Internet Protocol (IP) address corresponding to said signal source to establish a communications session to be conducted through said firewall; and

ii) a probe signal generator for generating test signals at a range of ports in the first side of said firewall through which media signals may be transmitted when said ports are open, said test signals including said IP address;

a second test device located on a second side of said firewall, the second test device including;

a traffic analyzer for monitoring the second side of said firewall to detect any transmitted test signals that pass through said firewall; and

an analysis module for identifying any open ports that are not associated with an established communications session, which passed at least one of said transmitted test signals, as erroneously open ports.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A test method for Internet-Protocol packet networks that verifies the proper functioning of a dynamic pinhole filtering implementation as well as quantifying network vulnerability statistically, as pinholes are opened and closed is described. Specific potential security vulnerabilities that may be addressed through testing include: 1) excessive delay in opening pinholes, resulting in an unintentional denial of service; 2) excessive delay in closing pinholes, creating a closing delay window of vulnerability; 3) measurement of the length of various windows of vulnerability; 4) setting a threshold on a window of vulnerability such that it triggers an alert when a predetermined value is exceeded; 5) determination of incorrectly allocated pinholes, resulting in a denial of service; 6) determining the opening of extraneous pinhole/IP address combinations through a firewall which increase the network vulnerability through unrecognized backdoors; and 7) determining the inability to correlate call state information with dynamically established rules in the firewall.

94 Citations

View as Search Results

20 Claims

1. A firewall test system, comprising:
- a first test device located on a first side of said firewall, the first test device including;
  
  i) a session signal generator for transmitting a communications session initiation signal using an Internet Protocol (IP) address corresponding to said signal source to establish a communications session to be conducted through said firewall; and
  
  ii) a probe signal generator for generating test signals at a range of ports in the first side of said firewall through which media signals may be transmitted when said ports are open, said test signals including said IP address;
  
  a second test device located on a second side of said firewall, the second test device including;
  
  a traffic analyzer for monitoring the second side of said firewall to detect any transmitted test signals that pass through said firewall; and
  
  an analysis module for identifying any open ports that are not associated with an established communications session, which passed at least one of said transmitted test signals, as erroneously open ports.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein said probe signal generator generates IP packets which include said IP address as a source address.
  - 3. The system of claim 1, wherein said analysis module further determines from at least one session initiation signal at least one port associated with the established communications session that should be open;
    - anda media generation module for generating an error signal indicating that said at least one port associated with the established communications session is erroneously closed if a test signal is not detected passing through the at least one port, associated with the communications session, to the second side of said firewall.
  - 4. The system of claim 3, wherein the test signal generator of said first test device includes:
    - a port scanning probe for transmitting a first test signal at the first side of said network firewall from the signal source using an IP address that is not associated with any ongoing communications session being conducted through said firewall.
  - 5. The system of claim 3, wherein said first test device further includes:
    - an analysis module for monitoring the second side of said firewall to determine if said first test signal passed through said firewall; and
      
      a report generation module for reporting a firewall error if it is determined that said first signal passed through said firewall.
  - 6. The system of claim 1, wherein said session signal generates at least one of SIP and H.323 compliant signals.
  - 7. The system of claim 1, wherein the first test device further includes timing synchronization circuitry for synchronizing said session signal generator and said probe signal generator to at least one of another test device or a clock signal source located external to said first test device.
  - 8. The system of claim 1, wherein the probe signal generator generates the test signals after the communications session is established and before the communications session is terminated.

9. A method comprising:
- transmitting a communication session initiation signal to establish a communication session through a firewall for passing communications between a device on a first side of the firewall and a device on a second side of the firewall;
  
  transmitting test signals, from the first side of the firewall destined to the second side of the firewall, after initiation of the communication session and prior to termination of the communication session, to a range of ports;
  
  monitoring the second side of the firewall to detect the test signals that pass through the firewall; and
  
  identifying, based on the monitoring, an open port that is not associated with the communication session, which passed one of the transmitted test signals, as an erroneously open port.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, wherein transmitting test signals includes transmitting Internet Protocol (IP) packets including an IP address as a source address, wherein the IP address is associated with the communication session.
  - 11. The method of claim 9, further comprising:
    - determining a port, associated with the communication session, that should be open;
      
      wherein transmitting test signals includes transmitting a test signal to the port associated with the communication session;
      
      wherein monitoring the second side of the firewall includes monitoring the second side of the firewall to detect the test signal on the port associated with the communication session; and
      
      generating an error signal indicating that the port associated with the communication session is erroneously closed if the test signal transmitted to the port associated with the communication session is not detected.
  - 12. The method of claim 11, further comprising:
    - transmitting another test signal to the first side of the firewall from an IP address that is not associated with a communication session being conducted through the firewall;
      
      monitoring the second side of the firewall to determine if the other test signal passed through the firewall; and
      
      reporting an error if the other test signal passed through the firewall.
  - 13. The method of claim 11, wherein transmitting test signals includes transmitting test signals from a first test device, and wherein monitoring the second side of the firewall includes monitoring the second side of the firewall by a second test device, the second test device being physically separate from the first test device, the method further comprising:
    - synchronizing the first and second test devices to a common clock.
  - 14. The method of claim 13, further comprising:
    - identifying ports through which test signals were detected passing through the firewall from the first side to the second test device;
      
      identifying ports through which test signals were detected passing through the firewall from the second side to the first test device; and
      
      generating a report including information about the identified ports.

15. A system comprising:
- a firewall to receive a communication session initiation signal to establish a communication session through the firewall for passing communications between a device on a first side of the firewall and a device on a second side of the firewall;
  
  a receiver to monitor the second side of the firewall to receive test signals that pass through the firewall, wherein the test signals were transmitted to a range of ports, after initiation of the communication session and prior to termination of the communication session, from the first side of the firewall to the second side of the firewall;
  
  a processor to identify, based on the monitoring by the receiver, an open port that is not associated with the communication session, which passed one of the transmitted test signals, as an erroneously open port.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, further comprising:
    - a transmitter to transmit the test signals to the range of ports, wherein the transmitter transmits Internet Protocol (IP) packets including an IP address as a source address, and wherein the IP address is associated with the communication session.
  - 17. The system of claim 15, further comprising:
    - a transmitter to transmit the test signals, wherein the test signals include a test signal to a port associated with the communication session, wherein the port associated with the communication session should be open;
      
      wherein the receiver monitors the second side of the firewall to determine if the test signal transmitted to the port associated with the communication session passed through the firewall; and
      
      wherein the processor generates an error signal indicating that the port associated with the communication session is erroneously closed if the test signal transmitted to the port associated with the communication session is not received.
  - 18. The system of claim 17, further comprising:
    - wherein the transmitter transmits another test signal to the first side of the firewall from an IP address that is not associated with a communication session being conducted through the firewall;
      
      wherein the receiver monitors the second side of the firewall to determine if the other test signal passed through the firewall; and
      
      wherein the processor reports an error if the other test signal passed through the firewall.
  - 19. The system of claim 17, further comprising:
    - a first test device including a first clock and the transmitter for transmitting test signals; and
      
      a second test device, physically separate from the first test device, including a second clock and the receiver to monitor the second side of the firewall;
      
      wherein the first clock and the second clock are synchronized.
  - 20. The system of claim 19,wherein the processor identifies ports through which test signals were detected passing through the firewall from the first side to the second test device;
    - wherein the processor identifies ports through which test signals were detected passing through the firewall from the second side to the first test device; and
      
      wherein the processor generates a report including information about the identified ports.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Verizon Services Corporation (Verizon Communications Inc.)
Inventors
Ormazabal, Gaston S., Harvey, Edward P., Sylvester, James E.
Primary Examiner(s)
Hoffman, Brandon S

Application Number

US12/199,486
Publication Number

US 20090083845A1
Time in Patent Office

1,084 Days
Field of Search

None
US Class Current

726/11
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/1433   Vulnerability analysis

Network firewall test methods and apparatus

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

94 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network firewall test methods and apparatus

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

94 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links