Automated generation of configuration elements of an information technology system

US 8,028,334 B2
Filed: 05/03/2005
Issued: 09/27/2011
Est. Priority Date: 12/14/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A firewall rule generation method for an Information Technology (IT) system, said method comprising:

providing a list L_Xof I computers X_i(i=1, 2, . . . I), said I being at least 2;

providing a list L_Sof J software components S_ij(j=1, 2, . . . , J) installed on computer X_i, said J being a function of i and J is at least 1, each software component of the J software components independently adapted to transmit and/or receive data in accordance with a data communication protocol;

providing a list L_Pof M ports P_ijm(m=1, 2, . . . , M) on which software component S_ijis listening, said M being a function of i and j and M is at least 1;

providing a list L_Yof N clients Y_ijmn(n=1, 2, . . . , N), said N being a function of i, j, and m and N is at least 1;

computer X_iand client Y_ijmnconfigured to have data transmitted therebetween;

for data transmission between each computer X_i(i=1, 2, . . . I) on the list L_Xand each associated client Y_ijmn(n=1, 2, . . . , N;

m=1, 2, . . . , M;

j=1, 2, . . . , J) on the list L_Y;

a processor of a computer system generating at least one firewall rule allowing said data transmission between X, and Y_ijmnif an Internet Protocol (IP) address (IPAddrX_i) of computer X, and an IP address (IPAddrY_ijmn) of client Y_ijmnare not on a same subnet of the IT system, wherein for each firewall rule of the at least one firewall rule that allows data transmission from X_ito Y_ijmnthe source component of said each firewall rule comprises IPAddrX_iand the destination component of said each firewall rule comprises IPaddrY_ijmn, and wherein for each firewall rule of the at least one firewall rule that allows data transmission from Y_ijmnto X_ithe source component of said each firewall rule comprises IPAddrY_ijmnand the destination component of said each firewall rule comprises IPAddrX_i, andgenerating a first communication protocol wrapper that opens a Transmission Control Protocol (TCP) connection between a first client on the list of clients and a first computer on the list of computers, the first computer having a port not allowed by a security policy and being used by a software component installed on the first computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A firewall rule generation method, a load balancing rule generation method, and a wrapper generation method, for an Information Technology (IT) system, associated computer program products, and an associated processes for integrating computing infrastructure. The firewall rule generation method generates firewall rules allowing data transmission between a computer and a client, and subsequently assigns the firewall rules to firewalls of the IT system. The load balancing rule generation method assigns a load balancing mechanism to a load balanced group to which execution of an application is assigned, wherein the load balanced group has servers therein. For a client and computer having a communication protocol therebetween that is not allowed by a security policy, the wrapper generation method generates a communication protocol wrapper that opens a Transmission Control Protocol (TCP) connection between the client and the computer such that the TCP connection is allowed by the security policy.

68 Citations

View as Search Results

19 Claims

1. A firewall rule generation method for an Information Technology (IT) system, said method comprising:
- providing a list L_Xof I computers X_i(i=1, 2, . . . I), said I being at least 2;
  
  providing a list L_Sof J software components S_ij(j=1, 2, . . . , J) installed on computer X_i, said J being a function of i and J is at least 1, each software component of the J software components independently adapted to transmit and/or receive data in accordance with a data communication protocol;
  
  providing a list L_Pof M ports P_ijm(m=1, 2, . . . , M) on which software component S_ijis listening, said M being a function of i and j and M is at least 1;
  
  providing a list L_Yof N clients Y_ijmn(n=1, 2, . . . , N), said N being a function of i, j, and m and N is at least 1;
  
  computer X_iand client Y_ijmnconfigured to have data transmitted therebetween;
  
  for data transmission between each computer X_i(i=1, 2, . . . I) on the list L_Xand each associated client Y_ijmn(n=1, 2, . . . , N;
  
  m=1, 2, . . . , M;
  
  j=1, 2, . . . , J) on the list L_Y;
  
  a processor of a computer system generating at least one firewall rule allowing said data transmission between X, and Y_ijmnif an Internet Protocol (IP) address (IPAddrX_i) of computer X, and an IP address (IPAddrY_ijmn) of client Y_ijmnare not on a same subnet of the IT system, wherein for each firewall rule of the at least one firewall rule that allows data transmission from X_ito Y_ijmnthe source component of said each firewall rule comprises IPAddrX_iand the destination component of said each firewall rule comprises IPaddrY_ijmn, and wherein for each firewall rule of the at least one firewall rule that allows data transmission from Y_ijmnto X_ithe source component of said each firewall rule comprises IPAddrY_ijmnand the destination component of said each firewall rule comprises IPAddrX_i, andgenerating a first communication protocol wrapper that opens a Transmission Control Protocol (TCP) connection between a first client on the list of clients and a first computer on the list of computers, the first computer having a port not allowed by a security policy and being used by a software component installed on the first computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 14, 17)
- - 2. The method of claim 1, wherein for a selected value of i, j, m, and n, the data communication protocol associated with software component S_i, is Transmission Control Protocol (TCP), and wherein the at least one firewall rule allowing said data transmission between X, and Y_ijmncomprises a firewall rule allowing data transmission from Y_ijmnto X_i.
  - 3. The method of claim 1, wherein for a selected value of i, j, m, and n, the data communication protocol associated with software component S_ijis User Datagram Protocol (UDP) for symmetric communication between X_iand Y_ijmn, and wherein the at least one firewall rule allowing said data transmission between X_iand Y_ijmncomprises a first firewall rule allowing data transmission from to Y_ijmnto X_iand a second firewall rule allowing data transmission from X_ito Y_ijmn.
  - 4. The method of claim 1, wherein for a selected value of i, j, m, and n, the data communication protocol associated with software component S_ijis User Datagram Protocol (UDP) for asymmetric communication between X_iand Y_ijmn, and wherein the at least one firewall rule allowing said data transmission between X_iand Y_ijmncomprises a first firewall rule allowing data transmission from Y_ijmnto X_iand a second firewall rule denying data transmission from X_ito Y_ijmn.
  - 5. The method of claim 1, wherein for a selected value of i, j, m, and n, the data communication protocol associated with software component S_i, is User Datagram Protocol (UDP) for asymmetric communication between X_iand Y_ijmn, and wherein the at least one firewall rule allowing said data transmission between X_iand Y_ijmncomprises a first firewall rule denying data transmission from Y_ijmnto X_iand a second firewall rule allowing data transmission from X_ito Y_ijmn.
  - 6. The method of claim 1,wherein for a first selected value of i, j, m, and n, the data communication protocol associated with software component S_ijis Transmission Control Protocol (TCP), and wherein the at least one firewall rule allowing said data transmission between X_iand Y_ijmncomprises a firewall rule allowing data transmission from Y_ijmnto X_i;
    - andwherein for a second selected value of i, j, m, and n that differs from the first selected value of i, j, m, and n, the data communication protocol associated with software component S_ijis User Datagram Protocol (UDP) for symmetric or asymmetric communication between X_iand Y_ijmn.
  - 7. The method of claim 1,wherein for a first selected value of i, j, m, and n, the at least one firewall rule allowing said data transmission between X_iand Y_ijmncomprises a first firewall rule allowing data transmission from Z₁to Z₂such that Z₁and Z₂represent Y_ijmnand X_i, respectively;
    - andwherein for a second selected value of i, j, m, and n, the at least one firewall rule allowing said data transmission between X_iand comprises a second firewall rule allowing data transmission from Z₂to Z₃such that Z₂and Z₃represent and X_i, respectively.
  - 8. The method of claim 1, wherein for a selected value of i, j, m, and n, the method further comprises prior to said generating the at least one firewall rule:
    - generating a default firewall rule allowing said data transmission between X, and wherein the generated at least one firewall rule overrides the default firewall rule for the selected value of i, j, m, and n.
  - 9. The method of claim 1, wherein for a selected value of i, j, m, and n, computer X, and client are each comprised by a same IT structure primitive composition.
  - 10. The method of claim 1, said method further comprising:
    - generating the list L_Xfrom processing an IT structure primitive composition that includes therein the computers X, (i=1, 2, . . . I); and
      
      generating the list L_Sfrom processing installation IT relationships which are linked to the IT structure primitive composition.
  - 11. The method of claim 1, said method further comprising:
    - providing a list L_Fof R firewalls such that for each generated firewall rule, no more than one firewall of the R firewalls may be placed between a source client and a destination computer whose respective IP addresses are comprised by the source and destination components of said each firewall rule; and
      
      assigning each generated firewall rule to a firewall r of the R firewalls such that the IP addresses comprised by the source and destination components of said each firewall rule and an IP address of the firewall r are not on a common subnet.
  - 14. The method of claim 1,wherein I, J, M, and N are each at least 2;
    - wherein J has at least two different values over the I values of i (i=1, 2, . . . , I);
      
      wherein M has at least two different values over the totality of combinations of i and j (i=1, 2, . . . , I;
      
      j=1, 2, . . . , J); and
      
      wherein N has at least two different values over the totality of combinations of i, j, and m (i=1, 2, . . . I;
      
      j=1, 2, . . . , J;
      
      m=1, 2, . . . , M).
  - 17. The method of claim 1,wherein said generating at least one firewall rule comprises generating at least one firewall rule allowing said data transmission between X_iand Y_ijmnonly if the address (IPAddrX_i) of computer X_iand the IP address (IPAddrY_ijmn) of client Y_ijmnare not on said same subnet of the IT system;
    - andwherein the IP address (IPAddrX_i) of computer X_iand the IP address (IPAddrY_ijmn) of client Y_ijmnare not on said same subnet of the IT system for at least one combination of computer X, and client Y_ijmn(i=1, 2, . . . I;
      
      n=1, 2, . . . , N;
      
      m=1, 2, . . . , M;
      
      j=1, 2, . . . , J).

12. A computer program product, comprising a computer readable physically tangible storage device having a computer readable program code embodied therein, said computer readable program code comprising an algorithm adapted to implement a firewall rule generation method for an Information Technology (IT) system, said method comprising:
- providing a list L_Xof I computers X_i(i=1, 2, . . . I), said I being at least 2;
  
  providing a list L_Sof J software components S_ij(j=1, 2, . . . , J) installed on computer X_i, said J being a function of i and J is at least 1, each software component of the J software components independently adapted to transmit and/or receive data in accordance with a data communication protocol;
  
  providing a list L_Pof M ports P_ijm(m=1, 2, . . . , M) on which software component S_ijis listening, said M being a function of i and j and M is at least 1;
  
  providing a list L_Yof N clients Y_ijmn(n=1, 2, . . . , N), said N being a function of i, j, and m and N is at least 1;
  
  computer X_iand client Y_ijmnconfigured to have data transmitted therebetween;
  
  for data transmission between each computer X_i(i=1, 2, . . . I) on the list L_Xand each associated client Y_ijmn(n=1, 2, . . . , N;
  
  m=1, 2, . . . , M;
  
  j=1, 2, . . . , J) on the list L_Y;
  
  generating at least one firewall rule allowing said data transmission between X_iand Y_ijmnif an Internet Protocol (IP) address (IPAddrX_i) of computer X_iand an IP address (IPAddrY_ijmn) of client Y_ijmnare not on a same subnet of the IT system, wherein for each firewall rule of the at least one firewall rule that allows data transmission from X_ito Y_ijmnthe source component of said each firewall rule comprises IPAddrX_iand the destination component of said each firewall rule comprises IPaddrY_ijmn, and wherein for each firewall rule of the at least one firewall rule that allows data transmission from Y_ijmnto X_ithe source component of said each firewall rule comprises IPAddrY_ijmnand the destination component of said each firewall rule comprises IPAddrX_i, andgenerating a first communication protocol wrapper that opens a Transmission Control Protocol (TCP) connection between a first client on the list of clients and a first computer on the list of computers, the first computer having a port not allowed by a security policy and being used by a software component installed on the first computer.
- View Dependent Claims (15, 18)
- - 15. The computer program product of claim 12,wherein I, J, M, and N are each at least 2;
    - wherein J has at least two different values over the I values of i (i=1, 2, . . . , I);
      
      wherein M has at least two different values over the totality of combinations of i and j (i=1, 2, . . . , I;
      
      j=1, 2, . . . , J); and
      
      wherein N has at least two different values over the totality of combinations of i, j, and m (i=1, 2, . . . I;
      
      j=1, 2, . . . , J;
      
      m=1, 2, . . . , M).
  - 18. The computer program product of claim 12,wherein said generating at least one firewall rule comprises generating at least one firewall rule allowing said data transmission between X_iand Y_ijmnonly if the address (IPAddrX_i)of computer X_iand the IP address (IPAddrY_ijmn) of client Y_ijmnare not on said same subnet of the IT system;
    - andwherein the IP address (IPAddrX_i) of computer X_iand the IP address (IPAddrY_ijmn) of client Y_ijmnare not on said same subnet of the IT system for at least one combination of computer X_iand client Y_ijmn(i=1, 2, . . . I;
      
      n=1, 2, . . . , N;
      
      m=1, 2, . . . , M;
      
      j=1, 2, . . . , J).

13. A computer system comprising a processor and a computer readable memory device coupled to the processor, said memory device containing program code configured to be executed by the processor to implement a firewall rule generation method, said method comprising:
- providing a list L_Xof I computers X_i(i=1, 2, . . . I), said I being at least 2;
  
  providing a list L_Sof J software components S_ij(j=1, 2, . . . , J) installed on computer X_i, said J being a function of i and J is at least 1, each software component of the J software components independently adapted to transmit and/or receive data in accordance with a data communication protocol;
  
  providing a list L_Pof M ports P_ijm(m=1, 2, . . . , M) on which software component S_ijis listening, said M being a function of i and j and M is at least 1;
  
  providing a list L_Yof N clients Y_ijmn(n=1, 2, . . . , N), said N being a function of i, j, and m and N is at least 1;
  
  computer X, and client Y_ijmnconfigured to have data transmitted therebetween;
  
  for data transmission between each computer X_i(i=1, 2, . . . I) on the list L_Xand each associated client Y_ijmn(n=1, 2, . . . , N;
  
  m=1, 2, . . . , M;
  
  j=1, 2, . . . , J) on the list L_Y;
  
  a processor of a computer system generating at least one firewall rule allowing said data transmission between X, and Y_ijmnif an Internet Protocol (IP) address (IPAddrX_i) of computer X_iand an IP address (IPAddrY_ijmn) of client Y_ijmnare not on a same subnet of the IT system, wherein for each firewall rule of the at least one firewall rule that allows data transmission from X_ito Y_ijmnthe source component of said each firewall rule comprises IPAddrX_iand the destination component of said each firewall rule comprises IPaddrY_ijmn, and wherein for each firewall rule of the at least one firewall rule that allows data transmission from Y_ijmnto X_ithe source component of said each firewall rule comprises IPAddrY_ijmnand the destination component of said each firewall rule comprises IPAddrX_i, andgenerating a first communication protocol wrapper that opens a Transmission Control Protocol (TCP) connection between a first client on the list of clients and a first computer on the list of computers, the first computer having a port not allowed by a security policy and being used by a software component installed on the first computer.
- View Dependent Claims (16, 19)
- - 16. The computer system of claim 13,wherein I, J, M, and N are each at least 2;
    - wherein J has at least two different values over the I values of i (i=1, 2, . . . , I);
      
      wherein M has at least two different values over the totality of combinations of i and j (i=1, 2, . . . , I;
      
      j=1, 2, . . . , J); and
      
      wherein N has at least two different values over the totality of combinations of i, j, and m (i=1, 2, . . . I;
      
      j=1, 2, . . . , J;
      
      m=1, 2, . . . , M).
  - 19. The computer system of claim 13,wherein said generating at least one firewall rule comprises generating at least one firewall rule allowing said data transmission between X_iand Y_ijmnonly if the address (IPAddrX_i) of computer X, and the IP address (IPAddrY_ijmn) of client Y_ijmnare not on said same subnet of the IT system;
    - andwherein the IP address (IPAddrX_i) of computer X_iand the IP address (IPAddrY_ijmn) of client Y_ijmnare not on said same subnet of the IT system for at least one combination of computer X_iand client Y_ijmn(i=1, 2, . . . I;
      
      n=1, 2, . . . , N;
      
      m=1, 2, . . . , M;
      
      j=1, 2, . . . , J).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Greenstein, Paul G., Andreev, Dmitry, Grunin, Galina, Vilshansky, Gregory
Primary Examiner(s)
Dinh; Minh
Assistant Examiner(s)
Okeke; Izunna

Application Number

US11/120,678
Publication Number

US 20060130133A1
Time in Patent Office

2,338 Days
Field of Search

726/11, 726/12, 726/13, 726/14
US Class Current

726/13
CPC Class Codes

H04L 63/0263 Rule management

H04L 67/12 specially adapted for propr...

Automated generation of configuration elements of an information technology system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Automated generation of configuration elements of an information technology system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links