Automated generation of configuration elements of an information technology system
First Claim
1. A firewall rule generation method for an Information Technology (IT) system, said method comprising:
providing a list LX of I computers Xi (i=1, 2, . . . I), said I being at least 2;
providing a list LS of J software components Sij (j=1, 2, . . . , J) installed on computer Xi, said J being a function of i and J is at least 1, each software component of the J software components independently adapted to transmit and/or receive data in accordance with a data communication protocol;
providing a list LP of M ports Pijm (m=1, 2, . . . , M) on which software component Sij is listening, said M being a function of i and j and M is at least 1;
providing a list LY of N clients Yijmn (n=1, 2, . . . , N), said N being a function of i, j, and m and N is at least 1;
computer Xi and client Yijmn configured to have data transmitted therebetween;
for data transmission between each computer Xi (i=1, 2, . . . I) on the list LX and each associated client Yijmn (n=1, 2, . . . , N; m=1, 2, . . . , M; j=1, 2, . . . , J) on the list LY;
a processor of a computer system generating at least one firewall rule allowing said data transmission between Xi and Yijmn if an Internet Protocol (IP) address (IPAddrXi) of computer Xi and an IP address (IPAddrYijmn) of client Yijmn are not on a same subnet of the IT system, wherein for each firewall rule of the at least one firewall rule that allows data transmission from Xi to Yijmn the source component of said each firewall rule comprises IPAddrXi and the destination component of said each firewall rule comprises IPAddrYijmn, and wherein for each firewall rule of the at least one firewall rule that allows data transmission from Yijmn to Xi the source component of said each firewall rule comprises IPAddrYijmn and the destination component of said each firewall rule comprises IPAddrXi; and
generating a first communication protocol wrapper that opens a Transmission Control Protocol (TCP) connection between a first client on the list of clients and a first computer on the list of computers, the first computer having a port not allowed by a security policy and being used by a software component installed on the first computer.
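An added worked example, not code from the patent, of the rule-generation step claim 1 describes: it walks the nested lists LX, LS, LP and LY and emits one allow rule per direction for each (Xi, Yijmn) pair whose addresses are not on the same subnet. The inventory, the subnet list and the /24 boundaries are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample inventory (an assumption, not from the patent): LX, LS, LP and LY
# flattened into one nested dict: computer IP -> software component -> listening port -> clients.
INVENTORY = {
    "10.0.1.10": {"web": {443: ["10.0.2.20", "10.0.1.11"]}},               # X1: S11 on P111
    "10.0.2.30": {"db": {5432: ["10.0.1.10"]}, "ssh": {22: ["10.0.3.5"]}},  # X2: S21, S22
}
# Subnets of the IT system (assumed /24s); "same subnet" means both addresses fall in one of these.
SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24")]


@dataclass(frozen=True)
class Rule:
    src: str   # source component of the rule (IPAddrXi or IPAddrYijmn)
    dst: str   # destination component of the rule
    port: int  # port Pijm on which Sij listens


def subnet_of(ip: str):
    """Return the configured subnet containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in SUBNETS if addr in n), None)


def generate_rules(inventory=INVENTORY):
    """For every (Xi, Yijmn) pair, emit an allow rule in each direction, but only when
    the two addresses are not on the same subnet (intra-subnet traffic crosses no firewall)."""
    rules = []
    for ip_x, components in inventory.items():          # each Xi in LX
        for _name, ports in components.items():         # each Sij in LS
            for port, clients in ports.items():         # each Pijm in LP
                for ip_y in clients:                    # each Yijmn in LY
                    sx = subnet_of(ip_x)
                    if sx is not None and sx == subnet_of(ip_y):
                        continue  # same subnet: no rule generated
                    rules.append(Rule(src=ip_y, dst=ip_x, port=port))  # Yijmn -> Xi
                    rules.append(Rule(src=ip_x, dst=ip_y, port=port))  # Xi -> Yijmn
    return rules


if __name__ == "__main__":
    for r in generate_rules():
        print(f"allow {r.src} -> {r.dst} port {r.port}")
```

The client 10.0.1.11 shares X1's subnet, so the only pair that yields no rules is that one; the other three pairs produce six rules in total.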
Abstract
A firewall rule generation method, a load balancing rule generation method, and a wrapper generation method for an Information Technology (IT) system, associated computer program products, and associated processes for integrating computing infrastructure. The firewall rule generation method generates firewall rules allowing data transmission between a computer and a client, and subsequently assigns the firewall rules to firewalls of the IT system. The load balancing rule generation method assigns a load balancing mechanism to a load balanced group to which execution of an application is assigned, wherein the load balanced group has servers therein. For a client and computer having a communication protocol therebetween that is not allowed by a security policy, the wrapper generation method generates a communication protocol wrapper that opens a Transmission Control Protocol (TCP) connection between the client and the computer such that the TCP connection is allowed by the security policy.
19 Claims
1. (Independent claim, set out in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 14, 17.
12. A computer program product, comprising a computer readable physically tangible storage device having a computer readable program code embodied therein, said computer readable program code comprising an algorithm adapted to implement a firewall rule generation method for an Information Technology (IT) system, said method comprising:
providing a list LX of I computers Xi (i=1, 2, . . . I), said I being at least 2; providing a list LS of J software components Sij (j=1, 2, . . . , J) installed on computer Xi, said J being a function of i and J is at least 1, each software component of the J software components independently adapted to transmit and/or receive data in accordance with a data communication protocol; providing a list LP of M ports Pijm (m=1, 2, . . . , M) on which software component Sij is listening, said M being a function of i and j and M is at least 1; providing a list LY of N clients Yijmn (n=1, 2, . . . , N), said N being a function of i, j, and m and N is at least 1;
computer Xi and client Yijmn configured to have data transmitted therebetween; for data transmission between each computer Xi (i=1, 2, . . . I) on the list LX and each associated client Yijmn (n=1, 2, . . . , N; m=1, 2, . . . , M; j=1, 2, . . . , J) on the list LY;
generating at least one firewall rule allowing said data transmission between Xi and Yijmn if an Internet Protocol (IP) address (IPAddrXi) of computer Xi and an IP address (IPAddrYijmn) of client Yijmn are not on a same subnet of the IT system, wherein for each firewall rule of the at least one firewall rule that allows data transmission from Xi to Yijmn the source component of said each firewall rule comprises IPAddrXi and the destination component of said each firewall rule comprises IPAddrYijmn, and wherein for each firewall rule of the at least one firewall rule that allows data transmission from Yijmn to Xi the source component of said each firewall rule comprises IPAddrYijmn and the destination component of said each firewall rule comprises IPAddrXi; and generating a first communication protocol wrapper that opens a Transmission Control Protocol (TCP) connection between a first client on the list of clients and a first computer on the list of computers, the first computer having a port not allowed by a security policy and being used by a software component installed on the first computer.
Dependent claims: 15, 18.
13. A computer system comprising a processor and a computer readable memory device coupled to the processor, said memory device containing program code configured to be executed by the processor to implement a firewall rule generation method, said method comprising:
providing a list LX of I computers Xi (i=1, 2, . . . I), said I being at least 2; providing a list LS of J software components Sij (j=1, 2, . . . , J) installed on computer Xi, said J being a function of i and J is at least 1, each software component of the J software components independently adapted to transmit and/or receive data in accordance with a data communication protocol; providing a list LP of M ports Pijm (m=1, 2, . . . , M) on which software component Sij is listening, said M being a function of i and j and M is at least 1; providing a list LY of N clients Yijmn (n=1, 2, . . . , N), said N being a function of i, j, and m and N is at least 1;
computer Xi and client Yijmn configured to have data transmitted therebetween; for data transmission between each computer Xi (i=1, 2, . . . I) on the list LX and each associated client Yijmn (n=1, 2, . . . , N; m=1, 2, . . . , M; j=1, 2, . . . , J) on the list LY;
a processor of a computer system generating at least one firewall rule allowing said data transmission between Xi and Yijmn if an Internet Protocol (IP) address (IPAddrXi) of computer Xi and an IP address (IPAddrYijmn) of client Yijmn are not on a same subnet of the IT system, wherein for each firewall rule of the at least one firewall rule that allows data transmission from Xi to Yijmn the source component of said each firewall rule comprises IPAddrXi and the destination component of said each firewall rule comprises IPAddrYijmn, and wherein for each firewall rule of the at least one firewall rule that allows data transmission from Yijmn to Xi the source component of said each firewall rule comprises IPAddrYijmn and the destination component of said each firewall rule comprises IPAddrXi; and generating a first communication protocol wrapper that opens a Transmission Control Protocol (TCP) connection between a first client on the list of clients and a first computer on the list of computers, the first computer having a port not allowed by a security policy and being used by a software component installed on the first computer.
Dependent claims: 16, 19.
Specification