Dynamically adaptive network firewalls and method, system and computer program product implementing same

US 8,032,933 B2
Filed: 10/15/2009
Issued: 10/04/2011
Est. Priority Date: 03/10/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method for constructing a dynamically adaptive network firewall, comprising:

establishing a firewall model for the firewall, wherein the firewall model defines nodes, connections between the nodes, and firewall rules applicable to the nodes, to the connections between the nodes, or to a combination thereof, wherein each of the nodes represents simultaneously a source and a destination for data packets, wherein the firewall rules in the firewall model implementing a hierarchical structure and comprise dynamic chains of rules forming various paths through the hierarchical structure, and wherein the dynamic chains comprise defined places for functional extensions to the hierarchical structure;

implementing the firewall on one or more machines connected to network segments where the nodes reside; and

dynamically inserting at least one firewall rule at one of the defined places in the hierarchical structure while the firewall is processing traffic through the one or more machines.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment creates a model of the traffic through a network firewall and uses that model to dynamically manipulate the network firewall. The firewall model defines nodes, connections between the nodes, and firewall rules applicable to the nodes, the connections between the nodes, or a combination thereof. Each of the nodes represents simultaneously a source and a destination for data packets. The firewall rules include dynamic chains of rules having defined places where firewall rules may be dynamically inserted into or deleted from the firewall while the firewall is operating on one or more machines connected to network segments where the nodes reside.

Citations

20 Claims

1. A method for constructing a dynamically adaptive network firewall, comprising:
- establishing a firewall model for the firewall, wherein the firewall model defines nodes, connections between the nodes, and firewall rules applicable to the nodes, to the connections between the nodes, or to a combination thereof, wherein each of the nodes represents simultaneously a source and a destination for data packets, wherein the firewall rules in the firewall model implementing a hierarchical structure and comprise dynamic chains of rules forming various paths through the hierarchical structure, and wherein the dynamic chains comprise defined places for functional extensions to the hierarchical structure;
  
  implementing the firewall on one or more machines connected to network segments where the nodes reside; and
  
  dynamically inserting at least one firewall rule at one of the defined places in the hierarchical structure while the firewall is processing traffic through the one or more machines.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, further comprising:
    - associating one or more network interface devices with each node.
  - 3. The method according to claim 1, further comprising:
    - associating one or more services with each node.
  - 4. The method according to claim 1, further comprising:
    - associating connection-specific rules with the connections and processing packets using a particular connection based on the connection-specific rules associated with that connection.
  - 5. The method according to claim 1, wherein at least one of the dynamic chains is attachable to an inter-node connection to implement behaviors of the inter-node connection.
  - 6. The method according to claim 1, further comprising:
    - extending, pruning, or modifying one or more of the dynamic chains while the firewall is processing traffic through the one or more machines.
  - 7. The method according to claim 6, wherein extending one or more of the dynamic chains comprises adding one or more firewall rules to the firewall.
  - 8. The method according to claim 6, wherein pruning one or more of the dynamic chains comprises deleting one or more of the firewall rules.
  - 9. The method according to claim 6, wherein modifying one or more of the dynamic chains comprises changing one or more of the firewall rules.
  - 10. The method according to claim 1, wherein dynamically inserting the firewall rule extends at least one of the dynamic chains.

11. A computer program product comprising one or more computer readable storage media storing computer instructions translatable by one or more processors to perform:
- establishing a firewall model for the firewall, wherein the firewall model defines nodes, connections between the nodes, and firewall rules applicable to the nodes, to the connections between the nodes, or to a combination thereof, wherein each of the nodes represents simultaneously a source and a destination for data packets, wherein the firewall rules in the firewall model implementing a hierarchical structure and comprise dynamic chains of rules forming various paths through the hierarchical structure, and wherein the dynamic chains comprise defined places for functional extensions to the hierarchical structure;
  
  implementing the firewall on one or more machines connected to network segments where the nodes reside; and
  
  dynamically inserting at least one firewall rule at one of the defined places in the hierarchical structure while the firewall is processing traffic through the one or more machines.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer program product of claim 11, wherein the computer instructions are further translatable by the one or more processors to perform:
    - processing packets to and from a particular node based on node-specific rules associated with that node.
  - 13. The computer program product of claim 11, wherein the computer instructions are further translatable by the one or more processors to perform:
    - processing packets using a particular connection based on connection-specific rules associated with that connection.
  - 14. The computer program product of claim 11, wherein at least one of the dynamic chains is attachable to an inter-node connection to implement behaviors of the inter-node connection.
  - 15. The computer program product of claim 11, wherein the computer instructions are further translatable by the one or more processors to perform:
    - extending, pruning, or modifying one or more of the dynamic chains while the firewall is processing traffic through the one or more machines.

16. A system, comprising:
- one or more processors; and
  
  one or more computer readable storage media accessible by the one or more processors and storing computer instructions translatable by the one or more processors to perform;
  
  establishing a firewall model for the firewall, wherein the firewall model defines nodes, connections between the nodes, and firewall rules applicable to the nodes, to the connections between the nodes, or to a combination thereof, wherein each of the nodes represents simultaneously a source and a destination for data packets, wherein the firewall rules in the firewall model implementing a hierarchical structure and comprise dynamic chains of rules forming various paths through the hierarchical structure, and wherein the dynamic chains comprise defined places for functional extensions to the hierarchical structure;
  
  implementing the firewall on one or more machines connected to network segments where the nodes reside; and
  
  dynamically inserting at least one firewall rule at one of the defined places in the hierarchical structure while the firewall is processing traffic through the one or more machines.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the computer instructions are further translatable by the one or more processors to perform:
    - processing packets to and from a particular node based on node-specific rules associated with that node.
  - 18. The system of claim 16, wherein the computer instructions are further translatable by the one or more processors to perform:
    - processing packets using a particular connection based on connection-specific rules associated with that connection.
  - 19. The system of claim 16, wherein at least one of the dynamic chains is attachable to an inter-node connection to implement behaviors of the inter-node connection.
  - 20. The system of claim 16, wherein the computer instructions are further translatable by the one or more processors to perform:
    - extending, pruning, or modifying one or more of the dynamic chains while the firewall is processing traffic through the one or more machines.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netskope Incorporated
Original Assignee
Rocksteady Technologies LLC
Inventors
Turley, Patrick, White, Eric
Primary Examiner(s)
Dinh, Minh

Application Number

US12/579,566
Publication Number

US 20100037310A1
Time in Patent Office

719 Days
Field of Search

None
US Class Current

726/11
CPC Class Codes

H04L 63/0263 Rule management

Dynamically adaptive network firewalls and method, system and computer program product implementing same

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamically adaptive network firewalls and method, system and computer program product implementing same

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links